feat: Add first proposal for semi-automatic CVEs reports

sighupio · Aug 23, 2024 · 5846be9 · 5846be9
1 parent 47456d9
commit 5846be9
Show file tree

Hide file tree

Showing 8 changed files with 330 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,5 @@
-login
+login
+.furyctl
+built.yaml
+scan.tmp
+scan_results.txt
diff --git a/CVEs/reports/v1.29.2/HOW_TO.md b/CVEs/reports/v1.29.2/HOW_TO.md
@@ -0,0 +1,19 @@
+# How to generate CVE reports for a distro version
+
+This guide explains how to generate a new report (in MarkDown) from a distribution version.
+
+Requirements:
+
+* `trivy` command line installed
+* `jq` command line installed
+* `grep` (GNU variation), if on MacOS, install it with `brew install grep`, and the Makefile will use `ggrep`
+
+Steps
+
+1) Create a new `furyctl.yaml` file with the correct distribution version (everything can be disabled, we only need to download dependencies)
+2) Execute `make download-deps` 
+3) Create a kustomization.yaml file with all the katalog bases that are used in the defined distribution version
+4) Execute `make gen-image-list`, this command will output an images.txt file with all the images found in the build kustomize manifest.
+5) Fix the images.txt file and fill tags that are note present (all the images inside CRs have tags under different keys, so grep is not able to get the versions)
+6) Execute `make scan-vulns`, this script will output a `README.md` file in the current directory with a table with all the CRITICAL CVEs
+7) Check the `README.md` and commit the directory
diff --git a/CVEs/reports/v1.29.2/Makefile b/CVEs/reports/v1.29.2/Makefile
@@ -0,0 +1,19 @@
+.PHONY: download-deps gen-image-list scan-vulns
+
+GGREP := $(shell command -v ggrep)
+
+ifeq ($(GGREP),)
+  GREP := grep
+else
+  GREP := ggrep
+endif
+
+download-deps:
+	furyctl -o $$PWD download dependencies
+
+gen-image-list:
+	kustomize build . > built.yaml 
+	cat built.yaml | $(GREP) -oP 'registry\.sighup\.io[^\s]+' | sort | uniq > images.txt
+
+scan-vulns:
+	../../scripts/scan_vuln.sh
diff --git a/CVEs/reports/v1.29.2/README.md b/CVEs/reports/v1.29.2/README.md
diff --git a/CVEs/reports/v1.29.2/furyctl.yaml b/CVEs/reports/v1.29.2/furyctl.yaml
@@ -0,0 +1,43 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kfd.sighup.io/v1alpha2
+kind: KFDDistribution
+metadata:
+  name: sighup
+spec:
+  distributionVersion: v1.29.2
+  distribution:
+    kubeconfig: "/path/to/kubeconfig"
+    common: {}
+    modules:
+      networking: 
+        type: none
+      ingress:
+        baseDomain: example.com
+        nginx:
+          type: none
+          tls:
+            provider: certManager
+        certManager:
+          clusterIssuer:
+            name: letsencrypt-fury
+            email: sighup@example.com
+            type: http01
+      logging:
+        type: none
+      monitoring:
+        type: none
+      tracing:
+        type: none
+      policy:
+        type: none
+      dr:
+        type: none
+        velero: {}
+      auth:
+        provider:
+          type: none
+
diff --git a/CVEs/reports/v1.29.2/images.txt b/CVEs/reports/v1.29.2/images.txt
@@ -0,0 +1,68 @@
+registry.sighup.io/fury/alpine:3
+registry.sighup.io/fury/alpine:3.14
+registry.sighup.io/fury/amazon/aws-alb-ingress-controller:v2.7.0
+registry.sighup.io/fury/autoscaling/cluster-autoscaler:v1.29.0
+registry.sighup.io/fury/aws-ec2/aws-node-termination-handler:v1.20.0
+registry.sighup.io/fury/banzaicloud/config-reloader:v0.0.5
+registry.sighup.io/fury/banzaicloud/fluentd:v1.16-full
+registry.sighup.io/fury/banzaicloud/logging-operator:4.5.6
+registry.sighup.io/fury/bitnami/kubectl:1.28.5
+registry.sighup.io/fury/brancz/kube-rbac-proxy:v0.14.0
+registry.sighup.io/fury/brancz/kube-rbac-proxy:v0.14.2
+registry.sighup.io/fury/busybox:latest
+registry.sighup.io/fury/cilium/cilium:v1.15.2
+registry.sighup.io/fury/cilium/hubble-relay:v1.15.2
+registry.sighup.io/fury/cilium/hubble-ui-backend:v0.13.0
+registry.sighup.io/fury/cilium/hubble-ui:v0.13.0
+registry.sighup.io/fury/cilium/operator-generic:v1.15.2
+registry.sighup.io/fury/dexidp/dex:v2.38.0
+registry.sighup.io/fury/enix/x509-certificate-exporter:3.12.0
+registry.sighup.io/fury/external-dns/external-dns:v0.14.0
+registry.sighup.io/fury/fluent/fluent-bit:2.1.8
+registry.sighup.io/fury/gangplank:1.1.0
+registry.sighup.io/fury/gatekeeper-policy-manager:v1.0.10
+registry.sighup.io/fury/grafana/grafana:9.5.5
+registry.sighup.io/fury/grafana/loki:2.9.2
+registry.sighup.io/fury/grafana/mimir-continuous-test:2.11.0
+registry.sighup.io/fury/grafana/mimir:2.11.0
+registry.sighup.io/fury/grafana/tempo:2.3.1
+registry.sighup.io/fury/groundnuty/k8s-wait-for:v1.6
+registry.sighup.io/fury/groundnuty/k8s-wait-for:v2.0
+registry.sighup.io/fury/ingress-nginx/controller:v1.9.6
+registry.sighup.io/fury/jetstack/cert-manager-acmesolver:v1.14.2
+registry.sighup.io/fury/jetstack/cert-manager-cainjector:v1.14.2
+registry.sighup.io/fury/jetstack/cert-manager-controller:v1.14.2
+registry.sighup.io/fury/jetstack/cert-manager-webhook:v1.14.2
+registry.sighup.io/fury/jimmidyson/configmap-reload:v0.5.0
+registry.sighup.io/fury/justwatch/elasticsearch_exporter:1.1.0
+registry.sighup.io/fury/kiwigrid/k8s-sidecar:1.19.2
+registry.sighup.io/fury/kube-state-metrics/kube-state-metrics:v2.9.2
+registry.sighup.io/fury/kyverno/background-controller:v1.11.4
+registry.sighup.io/fury/kyverno/cleanup-controller:v1.11.4
+registry.sighup.io/fury/kyverno/kyverno:v1.11.4
+registry.sighup.io/fury/kyverno/kyvernopre:v1.11.4
+registry.sighup.io/fury/kyverno/reports-controller:v1.11.4
+registry.sighup.io/fury/memcached:1.5.17-alpine
+registry.sighup.io/fury/minio/mc:RELEASE.2023-01-28T20-29-38Z
+registry.sighup.io/fury/minio/mc:RELEASE.2024-02-09T22-18-24Z
+registry.sighup.io/fury/minio:RELEASE.2023-01-12T02-06-16Z
+registry.sighup.io/fury/minio:RELEASE.2024-02-09T21-25-16Z
+registry.sighup.io/fury/nginxinc/nginx-unprivileged:1.20.2-alpine
+registry.sighup.io/fury/nginxinc/nginx-unprivileged:1.25-alpine
+registry.sighup.io/fury/openpolicyagent/gatekeeper:v3.15.1
+registry.sighup.io/fury/opensearchproject/opensearch-dashboards:2.12.0
+registry.sighup.io/fury/opensearchproject/opensearch:2.12.0
+registry.sighup.io/fury/pomerium/pomerium:nonroot-v0.25.0
+registry.sighup.io/fury/prometheus-adapter/prometheus-adapter:v0.11.1
+registry.sighup.io/fury/prometheus-operator/prometheus-config-reloader:v0.67.1
+registry.sighup.io/fury/prometheus-operator/prometheus-operator:v0.67.1
+registry.sighup.io/fury/prometheus/alertmanager:v0.26.0
+registry.sighup.io/fury/prometheus/blackbox-exporter:v0.24.0
+registry.sighup.io/fury/prometheus/node-exporter:v1.6.1
+registry.sighup.io/fury/prometheus/prometheus:v2.46.0
+registry.sighup.io/fury/prymitive/karma/karma:v0.113
+registry.sighup.io/fury/sig-storage/snapshot-controller:v6.3.1
+registry.sighup.io/fury/stakater/forecastle:v1.0.136
+registry.sighup.io/fury/tigera/operator:v1.32.7
+registry.sighup.io/fury/velero/velero-plugin-for-aws:v1.9.0
+registry.sighup.io/fury/velero/velero:v1.13.0
diff --git a/CVEs/reports/v1.29.2/kustomization.yaml b/CVEs/reports/v1.29.2/kustomization.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# NB: This is not a kustomization file used to install components, it's used only to check for CVEs on images
+
+resources:
+  # auth
+  - ./.furyctl/sighup/vendor/modules/auth/katalog/dex
+  - ./.furyctl/sighup/vendor/modules/auth/katalog/gangplank
+  - ./.furyctl/sighup/vendor/modules/auth/katalog/pomerium
+
+  # aws
+  - ./.furyctl/sighup/vendor/modules/aws/katalog/cluster-autoscaler/v1.29.x
+  - ./.furyctl/sighup/vendor/modules/aws/katalog/load-balancer-controller
+  - ./.furyctl/sighup/vendor/modules/aws/katalog/node-termination-handler
+  - ./.furyctl/sighup/vendor/modules/aws/katalog/snapshot-controller
+
+  # dr
+  - ./.furyctl/sighup/vendor/modules/dr/katalog/velero/velero-aws
+  - ./.furyctl/sighup/vendor/modules/dr/katalog/velero/velero-node-agent
+
+  # ingress
+  - ./.furyctl/sighup/vendor/modules/ingress/katalog/cert-manager
+  - ./.furyctl/sighup/vendor/modules/ingress/katalog/dual-nginx
+  - ./.furyctl/sighup/vendor/modules/ingress/katalog/external-dns/base
+  - ./.furyctl/sighup/vendor/modules/ingress/katalog/forecastle
+
+  # logging
+  - ./.furyctl/sighup/vendor/modules/logging/katalog/logging-operated
+  - ./.furyctl/sighup/vendor/modules/logging/katalog/logging-operator
+  - ./.furyctl/sighup/vendor/modules/logging/katalog/loki-distributed
+  - ./.furyctl/sighup/vendor/modules/logging/katalog/minio-ha
+  - ./.furyctl/sighup/vendor/modules/logging/katalog/opensearch-dashboards
+  - ./.furyctl/sighup/vendor/modules/logging/katalog/opensearch-single
+
+  # monitoring
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/alertmanager-operated
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/blackbox-exporter
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/grafana
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/karma
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/kube-proxy-metrics
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/kube-state-metrics
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/mimir
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/minio-ha
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/node-exporter
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/prometheus-adapter
+  # - ./.furyctl/sighup/vendor/modules/monitoring/katalog/prometheus-operated already included in mimir package
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/prometheus-operator
+  - ./.furyctl/sighup/vendor/modules/monitoring/katalog/x509-exporter
+  # - ./.furyctl/sighup/vendor/modules/monitoring/katalog/thanos # not used in the distro in any configurations
+
+  # networking
+  - ./.furyctl/sighup/vendor/modules/networking/katalog/tigera/on-prem
+  - ./.furyctl/sighup/vendor/modules/networking/katalog/cilium
+  # - ./.furyctl/sighup/vendor/modules/networking/katalog/ip-masq # not used in the distro in any configurations
+
+  # policy
+  - ./.furyctl/sighup/vendor/modules/opa/katalog/gatekeeper
+  - ./.furyctl/sighup/vendor/modules/opa/katalog/kyverno
+
+  # tracing
+  - ./.furyctl/sighup/vendor/modules/tracing/katalog/minio-ha
+  - ./.furyctl/sighup/vendor/modules/tracing/katalog/tempo-distributed
+
+
diff --git a/CVEs/scripts/scan_vuln.sh b/CVEs/scripts/scan_vuln.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+images_with_tags=$(cat images.txt)
+
+echo "" > scan_results.txt
+
+for line in $images_with_tags; do
+  trivy image --platform=linux/amd64  --no-progress --output scan.tmp --format json --severity CRITICAL "$line"
+  if [ $? -ne 0 ]; then
+    echo "$line | ERROR PROCESSING! " >> scan_results.txt
+  else
+    cat scan.tmp | jq -r --arg line $line 'try .Results[].Vulnerabilities[] |  $line + " | " + .Severity + " " + .VulnerabilityID + " | " + .Title + " | " + .PkgName + " " + .InstalledVersion + " | " + .Status + " | " + .FixedVersion ' >> scan_results.txt
+  fi
+
+done
+
+
+echo "" > README.md
+
+echo "| Image | CVE | Reason | Package Affected | Status | Fixed in versions |" >> README.md
+echo "| --- | --- | --- | --- | --- | --- |" >> README.md
+
+file="scan_results.txt"
+
+while IFS= read -r line; do
+    echo "| $line |" >> README.md
+done < "$file"