trivy k8s: Not able to ignore vulnerabilities for k8s core components

[torbenstruever]

Description

With release 0.47.0 a feature was introduced to "trivy k8s" command which scans k8s core components.
Since then I get the following CVEs reported for my kubernetes 1.26.6:

NodeComponents/aks-toolsv2mz-41823432-vmss000003 (kubernetes)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │              Fixed Version               │                            Title                             │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-3676 │ HIGH     │ fixed  │ 1.26.6            │ 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3676                    │
│                ├───────────────┤          │        │                   │                                          ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-3955 │          │        │                   │                                          │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3955                    │

I would like to ignore these, as I only run linux nodes, but its not possible. I know my ignorefile gets read as I am able to ignore other vulnerabilities which do not come from core components

Content of ignorefile:

# Ignore the following vulnarability IDs
# <ID>
CVE-2023-3676
CVE-2023-3955

content of configfile:

timeout: 10m
quiet: false
debug: true
format: table
exit-code: 1
severity:
  - HIGH
  - CRITICAL
vulnerability:
  ignore-unfixed: true
scan:
  scanners:
    - vuln
report: all

Desired Behavior

Be able to ignore k8s core component vulnerabilities

Actual Behavior

Vulnerabilities are shown, even if they are in trivyignore file

Reproduction Steps

1. run `trivy k8s -n <namespace> --config <configfile> --ignorefile <ignorefile> all`

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

➜  infrastructure git:(ts-securityv2) ✗ trivy k8s -n external-secrets --config ci-cd/trivy/trivy-image.conf --ignorefile ci-cd/trivy/trivyignoe-external-secrets-image.conf --kubeconfig /home/torben/repos/infrastructure/k8s-cluster/ansible/inventory/prod-europe-west/kubeconfig all     
2023-11-28T14:42:23.649+0100    INFO    Loaded ci-cd/trivy/trivy-image.conf
2023-11-28T14:42:23.653+0100    DEBUG   Severities: ["HIGH" "CRITICAL"]
2023-11-28T14:42:23.654+0100    DEBUG   Ignore statuses {"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-11-28T14:42:26.707+0100    DEBUG   cache dir:  /home/torben/.cache/trivy
2023-11-28T14:42:26.709+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-11-28T14:42:26.709+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-11-28 12:13:10.475790436 +0000 UTC, NextUpdate: 2023-11-28 18:13:10.475789504 +0000 UTC, DownloadedAt: 2023-11-28 13:38:49.133167144 +0000 UTC
14 / 14 [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 3 p/s

NodeComponents/aks-kubernetes-15995198-vmss000001 (kubernetes)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status │ Installed Version │              Fixed Version               │                            Title                             │
├────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2023-3676 │ HIGH     │ fixed  │ 1.26.6            │ 1.28.1, 1.27.5, 1.26.8, 1.25.13, 1.24.17 │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3676                    │
│                ├───────────────┤          │        │                   │                                          ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2023-3955 │          │        │                   │                                          │ kubernetes: Insufficient input sanitization on Windows nodes │
│                │               │          │        │                   │                                          │ leads to privilege escalation                                │
│                │               │          │        │                   │                                          │ https://avd.aquasec.com/nvd/cve-2023-3955                    │
└────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Operating System

Ubuntu 20.04.6 LTS

Version

➜  infrastructure git:(ts-securityv2) ✗ trivy --version
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-28 12:13:10.475790436 +0000 UTC
  NextUpdate: 2023-11-28 18:13:10.475789504 +0000 UTC
  DownloadedAt: 2023-11-28 13:38:49.133167144 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[chen-keinan]

@torbenstruever thank you for reporting this I have converted the discussion to issue #5675 for investigations

[torbenstruever]

Ok, thank you Chen. I will follow the other ticket then