Inconsistent results from summary and all report on k8s workload

[pfrydids]

Description

For this workload

apiVersion: v1
kind: Pod
metadata:
  namespace: test
  name: postgres-pod
  labels:
    app: postgres
spec:
  containers:
  - name: postgres
    image: postgres:15-alpine3.19
    ports:
    - containerPort: 5432
    env:
    - name: POSTGRES_USER
      value: "admin"
    - name: POSTGRES_PASSWORD
      value: "password"
    - name: POSTGRES_DB
      value: "exampledb"

Running two different commands

trivy k8s --db-repository public.ecr.aws/aquasecurity/trivy-db --report all --include-namespaces test --timeout 15m

produces (including only the count section)

namespace: test, pod: postgres-pod

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


namespace: test, pod: postgres-pod (gobinary)

Total: 55 (UNKNOWN: 0, LOW: 1, MEDIUM: 20, HIGH: 31, CRITICAL: 3)

but

trivy k8s --db-repository public.ecr.aws/aquasecurity/trivy-db --report summary --include-namespaces test --timeout 15m

produces

Workload Assessment
┌───────────┬──────────────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │     Resource     │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │                  ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │                  │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
├───────────┼──────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤
│ test      │ Pod/postgres-pod │   │   │   │   │   │   │ 1 │ 3 │ 9 │   │   │   │   │   │   │
└───────────┴──────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


RBAC Assessment
┌───────────┬──────────┬───────────────────┐
│ Namespace │ Resource │  RBAC Assessment  │
│           │          ├───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Desired Behavior

That as a user of trivy I have confidence in the summary report

Actual Behavior

The summary report is inconsistent with the all report

Reproduction Steps

As described above

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

Pretty much the same as what I included above

Though there was one error for the summary report

2024-11-15T13:18:49Z	ERROR	Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 76.651µs, allowed: 44000/minute\n\n"

This error WAS NOT present for the all report

Operating System

ubuntu 20.04

Version

Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-13 12:18:59.293858632 +0000 UTC
  NextUpdate: 2024-11-14 12:18:59.293858261 +0000 UTC
  DownloadedAt: 2024-11-15 13:15:19.456187038 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[pfrydids]

Have run the summary command again and nolonger getting ERROR Falling back to embedded checks

[afdesk]

@pfrydids thanks for the report
Can you see the inconsistent results again without error?

[pfrydids]

yes

[afdesk]

do you mean summary block doesn't contain information about found vulnerabilities? if so it looks like an issue

[simar7]

@pfrydids I tried to investigate and this is what I have

namespace: default, pod: postgres-pod (kubernetes)

Tests: 96 (SUCCESSES: 82, FAILURES: 14)
Failures: 14 (UNKNOWN: 0, LOW: 10, MEDIUM: 3, HIGH: 1, CRITICAL: 0)


namespace: default, pod: postgres-pod

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


namespace: default, pod: postgres-pod (gobinary)

Total: 55 (UNKNOWN: 0, LOW: 1, MEDIUM: 20, HIGH: 31, CRITICAL: 3)

And for the summary report:

Summary Report for docker-desktop


Workload Assessment
┌───────────┬──────────────────┬───────────────────┬────────────────────┬───────────────────┐
│ Namespace │     Resource     │  Vulnerabilities  │ Misconfigurations  │      Secrets      │
│           │                  ├───┬───┬───┬───┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│           │                  │ C │ H │ M │ L │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├───────────┼──────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ default   │ Pod/postgres-pod │   │   │   │   │   │   │ 1 │ 3 │ 10 │   │   │   │   │   │   │
└───────────┴──────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


RBAC Assessment
┌───────────┬──────────┬───────────────────┐
│ Namespace │ Resource │  RBAC Assessment  │
│           │          ├───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

The workload assessment seems to match the table results. You might have missed the result in the output so I would doublecheck @pfrydids.

As for the Infra and RBAC assessment summary result, is it expected @afdesk?

[afdesk]

@simar7
I've tested this case on Trivy 0.54.1 and the output results are the same - without any vulns in summary report.
I'll debug it next week. maybe it's by design.

[afdesk]

Right now I'd expect information about vulns in Vulnerabilities columns.

[pfrydids]

@simar7 @afdesk it is the lack of information in the vulnerbilities columns.

I've used the trivy tool on and off and previously I am pretty sure that the vulnerabilities did show in the summary report.

Generally I will generate the summary report and then I will drill down for a particular workload based on how many critical, high etc. issues the workload has.

Getting extra vulnerabilities showing up in the detail for a workload is confusing (primarily) but also means that remediation work will be mis-prioritized.

[afdesk]

oh, I found out a reason.

[afdesk]

@pfrydids thanks for the report again
I've created an issue, you can track #7937