
scan-images report missing from json output format #1601

Closed
agarcia-oss opened this issue Feb 8, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@agarcia-oss (Contributor)

Description

When running a kubescape scan --scan-images --format json -o result.json we get the same json report as without the --scan-images flag, even though the pretty printer output is different. As it is, the report is not consistent with the pretty-printer output and it's missing some very valuable information.

Environment

OS: Darwin Kernel Version 23.3.0 x86_64
Version: v3.0.3

Steps To Reproduce

  1. Execute Kubescape without scanning images kubescape scan https://github.com/mongodb/helm-charts --format json -o result_no_scan.json
  2. Now execute it with the scan-images flag kubescape scan https://github.com/mongodb/helm-charts --scan-images --format json -o result_scan.json
  3. With this latter option, the kubescape output includes a vulnerability summary like this:
4247 vulnerabilities found
──────────────────────────

* 130 Critical
* 1015 High
* 1436 Medium
* 1666 Other

However, this information is missing from the result_scan.json file, which is essentially the same as result_no_scan.json.

Expected behavior

Reports should be consistent with the CLI output and contain all the information requested.

Actual Behavior

We observe an inconsistency between the report and the displayed output.

Additional context

N/A

@agarcia-oss agarcia-oss added the bug Something isn't working label Feb 8, 2024
@dwertent (Contributor) commented Feb 8, 2024

Hi @agarcia-oss

Indeed, we haven't finalized our approach for integrating the vulnerability scanning report with the compliance report. From my perspective, this is of lesser priority as the preferred method for scanning images for vulnerabilities is via the kubescape helm chart rather than the CLI. The CLI is primarily intended for providing an overview of capabilities and for gating in CI/CD pipelines. If you intend to continuously scan your cluster, I strongly advise installing the helm chart.

This being said, if adding the report to the CLI is needed we are more than open to suggestions and contributions.

Thoughts?

@agarcia-oss (Contributor, Author)

Hi @dwertent, thanks for the answer; your suggestion of using the helm chart for image scanning makes perfect sense.

We're considering alternatives, but sure, updating the report with the scan-image information is something we'll be happy to contribute from our side! Just to understand where it could fit, it should be added somewhere in the summaryDetails section, with a new vulnerabilityCounters section?

Thanks in advance!

@dwertent (Contributor)

Hi @agarcia-oss, I appreciate your willingness to contribute.

The JSON report is divided into several sections:

  1. summaryDetails: This section provides a summary of the report, including counters.
  2. resources: It consists of a list of all scanned resources.
  3. results: This section contains a combination of resource IDs and the corresponding results for each resource.

We have two options for adding the report:

  1. We can include a section in the base report specifically for the image vulnerabilities report.
  2. Alternatively, we can add a section to the results section. This means that for each resource, we'll include the scanning results.

My suggestion is to add the vulnerability report to the results section. This way, for each resource, we'll have the following structure:

"results": [
    {
        "resourceID": "/kube-system/ServiceAccount/attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRole/system:controller:attachdetach-controller/rbac.authorization.k8s.io/v1//ClusterRoleBinding/system:controller:attachdetach-controller",
        "controls": [
            ...
        ],
        "vulnerabilities": [
            ...
        ]
    }
]

Now, let's focus on a couple of remaining points:

  1. It would be helpful to add counters to the summaryDetails section.
  2. Do we want to support only JSON format, or should we consider other formats as well?

Just something to consider.
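As an added example (not code from the kubescape project or from anyone in this thread), the following script checks a report laid out the way this comment proposes: it tallies the per-resource `vulnerabilities` entries in `results`, compares them with counters in `summaryDetails`, and flags a report that carries no image-scan data at all, which is the symptom the issue describes. The `vulnerabilityCounters` key, the per-vulnerability `severity` field and the sample report are assumptions constructed for the example, not the published schema.

```python
import json
from collections import Counter

# Constructed sample report. Section names (summaryDetails, resources, results,
# resourceID, controls, vulnerabilities) follow the structure proposed in this
# thread; "vulnerabilityCounters" and the per-entry "severity" field are
# assumptions for this example, not the real kubescape schema.
SAMPLE_REPORT = json.dumps({
    "summaryDetails": {
        "vulnerabilityCounters": {"Critical": 1, "High": 2, "Medium": 0, "Other": 1}
    },
    "resources": [{"resourceID": "/default/Deployment/web"}],
    "results": [
        {
            "resourceID": "/default/Deployment/web",
            "controls": [],
            "vulnerabilities": [
                {"id": "CVE-PLACEHOLDER-1", "severity": "Critical"},
                {"id": "CVE-PLACEHOLDER-2", "severity": "High"},
                {"id": "CVE-PLACEHOLDER-3", "severity": "High"},
                {"id": "CVE-PLACEHOLDER-4", "severity": "Negligible"},
            ],
        }
    ],
})

SEVERITIES = ("Critical", "High", "Medium")  # anything else is bucketed as "Other"


def count_vulnerabilities(report: dict) -> Counter:
    """Tally per-resource vulnerabilities by severity, as the CLI summary does."""
    counts = Counter()
    for result in report.get("results", []):
        for vuln in result.get("vulnerabilities", []):
            sev = vuln.get("severity", "Other")
            counts[sev if sev in SEVERITIES else "Other"] += 1
    return counts


def check_report(text: str) -> dict:
    """Report whether image-scan data is present and whether the summary
    counters agree with the per-resource results."""
    report = json.loads(text)
    has_vulns = any("vulnerabilities" in r for r in report.get("results", []))
    counted = count_vulnerabilities(report)
    declared = report.get("summaryDetails", {}).get("vulnerabilityCounters", {})
    mismatches = {k: (declared.get(k, 0), counted.get(k, 0))
                  for k in (*SEVERITIES, "Other")
                  if declared.get(k, 0) != counted.get(k, 0)}
    return {"has_image_scan": has_vulns, "counted": dict(counted),
            "mismatches": mismatches, "consistent": has_vulns and not mismatches}
```

Running `check_report` over the two files from the reproduction steps would show `has_image_scan` false for a report produced without the flag, and any divergence between the summary counters and the per-resource entries appears in `mismatches`.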

@matthyx (Contributor) commented Feb 21, 2024

@agarcia-oss, can you help us by giving your thoughts on David's questions?

@agarcia-oss (Contributor, Author)

Hi @dwertent and @matthyx, thanks for the feedback and apologies for not answering earlier.

I think the proposed approach of adding the image scanning results to the results section is great and we'll look into it in the following days. No timeline for this, though.

As for adding the scan results to the rest of the report format, this seems a bit out of scope for us.

Regards!

@dwertent (Contributor) commented Mar 1, 2024

Resolved in release v3.0.4

@dwertent dwertent closed this as completed Mar 1, 2024