Bumps github.com/containers/image/v5 from 5.19.1 to 5.20.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps github.com/anchore/grype from 0.33.0 to 0.34.7.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Hi!

After running the scanner, I got some report.

However, it has no severity levels.

Did I something wrong?

I also have a lot of dead pods, created by kubernetes jobs

What happened:

Trying to scan a pod containing a private image and it fails, public images are scanned.

$ oc logs scanner-zap2docker-stable-b72cafcd-4ccc-47cd-8e79-1fb6--1-jpr67 -n sbu-dev

time="2022-04-26T16:21:19Z" level=debug msg="Credentials not found. image name=uk.icr.io/sbu-pipeline/zap2docker-stable@sha256:6c9d3f2cc80470bb4b54fb4b402ff982905e5cb2f13648b571da37e277540f00." \
func="github.com/cisco-open/kubei/shared/pkg/utils/creds.(*CredExtractor).GetCredentials" file="/build/shared/pkg/utils/creds/extractor.go:78"

What you expected to happen:

I expect the secret (which is available in the namespace being scanned) to be obtained and used.

How to reproduce it (as minimally and precisely as possible):

Deploy kubeclarify v2.1.2 to k8s and perform a namespace scan whereby images within namespace are in a private registry.

Are there any error messages in KubeClarity logs?

$ oc logs scanner-zap2docker-stable-b72cafcd-4ccc-47cd-8e79-1fb6--1-jpr67 -n sbu-dev

time="2022-04-26T16:21:19Z" level=debug msg="Credentials not found. image name=uk.icr.io/sbu-pipeline/zap2docker-stable@sha256:6c9d3f2cc80470bb4b54fb4b402ff982905e5cb2f13648b571da37e277540f00." \
func="github.com/cisco-open/kubei/shared/pkg/utils/creds.(*CredExtractor).GetCredentials" file="/build/shared/pkg/utils/creds/extractor.go:78"

Anything else we need to know?:

Environment:

• KubeClarity version: v2.1.2

hey folks!

irst time I encountered this status of pods on your product

after kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yaml

i run kubectl -n kubei get pod -lapp=kubei

my output:

NAME READY STATUS RESTARTS AGE kubei-65d6577695-mzn6p 0/1 Init:0/1 0 18m

descirbe pod:

kubectl describe pod kubei-65d6577695-mzn6p -n kubei
Name:           kubei-65d6577695-mzn6p
Namespace:      kubei
Priority:       0
Node:           worker2/10.2.67.205
Start Time:     Thu, 06 Aug 2020 14:05:59 +0300
Labels:         app=kubei
                kubeiShouldScan=false
                pod-template-hash=65d6577695
Annotations:    <none>
Status:         Pending
IP:             10.233.103.17
Controlled By:  ReplicaSet/kubei-65d6577695
Init Containers:
  init-clairsvc:
    Container ID:  docker://2e689fc20c3b4b3cacaab228a0f49b33f9b7075d426481655804bf256550f5b3
    Image:         yauritux/busybox-curl
    Image ID:      docker-pullable://yauritux/busybox-curl@sha256:e67b94a5abb6468169218a0940e757ebdfd8ee370cf6901823ecbf4098f2bb65
    Port:          <none>
    Host Port:     <none>
    Args:
      /bin/sh
      -c
      set -x; while [ $(curl -sw '%{http_code}' "http://clair.kubei:6060/v1/namespaces" -o /dev/null) -ne 200 ]; do
        echo "waiting for clair to be ready";
        sleep 15;
      done

    State:          Running
      Started:      Thu, 06 Aug 2020 14:06:04 +0300
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kubei-token-jkw6r (ro)
Containers:
  kubei:
    Container ID:
    Image:          gcr.io/development-infra-208909/kubei:1.0.6
    Image ID:
    Ports:          8080/TCP, 8081/TCP
    Host Ports:     0/TCP, 0/TCP
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     100m
      memory:  100Mi
    Requests:
      cpu:     10m
      memory:  20Mi
    Environment:
      KLAR_IMAGE_NAME:     gcr.io/development-infra-208909/klar:1.0.3
      MAX_PARALLELISM:     10
      TARGET_NAMESPACE:
      SEVERITY_THRESHOLD:  MEDIUM
      IGNORE_NAMESPACES:   istio-system,kube-system
      DELETE_JOB_POLICY:   Successful
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kubei-token-jkw6r (ro)
Conditions:
  Type              Status
  Initialized       False
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kubei-token-jkw6r:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kubei-token-jkw6r
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  19m   default-scheduler  Successfully assigned kubei/kubei-65d6577695-mzn6p to worker2
  Normal  Pulling    18m   kubelet, worker2   Pulling image "yauritux/busybox-curl"
  Normal  Pulled     18m   kubelet, worker2   Successfully pulled image "yauritux/busybox-curl"
  Normal  Created    18m   kubelet, worker2   Created container init-clairsvc
  Normal  Started    18m   kubelet, worker2   Started container init-clairsvc
```


![1](https://user-images.githubusercontent.com/38696837/89526820-02114d80-d7f1-11ea-9579-538043bd7493.png)

As initially reported there: https://github.com/Portshift/Kubei/issues/20 And partially fixed here: https://github.com/Portshift/kubei/pull/25/files

Note that every container created by Kubei is also subject to broken securityContexts, leading to Jobs being created while their Pods are stuck:

  Normal   Scheduled  4m42s                  default-scheduler  Successfully assigned registry/scanner-docker-registry-exporter-1042b89a-080d-4dad-b84d-1lwpq8 to compute2
  Normal   Pulling    4m42s                  kubelet            Pulling image "gcr.io/eticloud/k8sec/klar:1.0.16"
  Normal   Pulled     4m16s                  kubelet            Successfully pulled image "gcr.io/eticloud/k8sec/klar:1.0.16" in 26.151366977s
  Normal   Pulling    4m16s                  kubelet            Pulling image "gcr.io/eticloud/k8sec/dockle:1.0.3"
  Normal   Pulled     3m54s                  kubelet            Successfully pulled image "gcr.io/eticloud/k8sec/dockle:1.0.3" in 21.426950017s
  Warning  Failed     3m10s (x5 over 3m54s)  kubelet            Error: container has runAsNonRoot and image will run as root
  Warning  Failed     2m56s (x6 over 4m16s)  kubelet            Error: container has runAsNonRoot and image will run as root

Vulnerability scanners that can't run on secured clusters may miss its target audience.

https://github.com/Portshift/kubei/blob/master/pkg/scanner/job-manager.go#L386 may need some fix, inserting proper SecurityContext while generating jobs pod template. Sadly, I'm no Go expert, ... Anyone here that would both understand the issue and how to best fix it?

I access the kubeclarity api address that I set up in the kubernetes environment through the 8888 port and I am getting 404 when trying to access the paths according to the swagger directive.

Hi, we would like to exclude reported CVEs caused by upstream binaries that don't have a fix for that yet.

Trivy allows to specify this with the --ignore-unfixed flag.

Or is there a flag for this already, but not yet documented?

Bumps github.com/anchore/grype from 0.32.0 to 0.33.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Based on the docs authentication with private registries is doable. However, nothing explains how or where to set a configmap, or environment variables for registry authentication. The only notation describes AWS secret auth. How is this configured?

I can scan harbor public project，However the private project will prompt unauthenticated Below is my command and output：

BACKEND_HOST=${KUBECLARITY_HOST} BACKEND_DISABLE_TLS=true kubeclarity-cli scan $IMAGE --application-id $application_id -e

time="2022-08-18T03:10:17Z" level=info msg="DependencyTrack config: {"host":"dependency-track-apiserver.dependency-track","project-name":"","project-version":"","should-delete-project":true,"disable-tls":false,"insecure-skip-verify":true,"fetch-vulnerabilities-retry-count":5,"fetch-vulnerabilities-retry-sleep":30000000000}" app=kubeclarity time="2022-08-18T03:10:17Z" level=info msg="Ignoring non SBOM input. type=image" app=kubeclarity scanner=dependency-track time="2022-08-18T03:10:17Z" level=info msg="Got result for job "dependency-track"" app=kubeclarity time="2022-08-18T03:10:17Z" level=info msg="Loading DB. update=true" app=kubeclarity mode=local scanner=grype time="2022-08-18T03:10:41Z" level=info msg="Gathering packages for source registry:harbor.xxxxxxxxxx.com/ci-cd/xxxxxxxxxx-ci:V0.0.9" app=kubeclarity mode=local scanner=grype time="2022-08-18T03:10:41Z" level=error msg="failed to analyze packages: could not fetch image 'harbor.xxxxxxxxxx.com/ci-cd/xxxxxxxxxx-ci:V0.0.9': unable determine image source" app=kubeclarity mode=local scanner=grype time="2022-08-18T03:10:41Z" level=warning msg=""grype" job failed: failed to analyze packages: could not fetch image 'harbor.xxxxxxxxxx.com/ci-cd/xxxxxxxxxx-ci:V0.0.9': unable determine image source" app=kubeclarity time="2022-08-18T03:10:41Z" level=info msg="Merging result from "dependency-track"" app=kubeclarity No vulnerabilities found time="2022-08-18T03:10:41Z" level=fatal msg="Failed get layer commands. failed to get layer commands: failed to get v1.image=harbor.xxxxxxxxxx.com/ci-cd/xxxxxxxxxx-ci:V0.0.9: failed to get image from registry: GET https://harbor.xxxxxxxxxx.com/v2/ci-cd/xxxxxxxxxx-ci/manifests/V0.0.9: UNAUTHORIZED: unauthorized to access repository: ci-cd/xxxxxxxxxx-ci, action: pull: unauthorized to access repository: ci-cd/xxxxxxxxxx-ci, action: pull" app=kubeclarity

#kubeclarity-cli --version kubeclarity version 2.5.0

How to solve the harbor authentication problem when executing the kubeclarity-cli command? Doing docker login harbor doesn't work even before the above steps

Is there a way to scan only local images when executing kubeclarity-cli command？ For example, download the image from harbor to the local first , and then execute the kubeclarity-cli command

Bumps actions/setup-python from 4.3.1 to 4.4.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

What happened:

I install KubeClarity on Rancher desktop, and it runs without error. I can scan existing namespaces without error. However, when I try to scan a namespace that does not exist, all future start scan attempts fail. The kubeclarity deployment needs to be restarted in order to give reasonable responses again.

What you expected to happen:

I expect the scan query for the non-existing namespace to fail gracefully, and subsequent scan attempts on valid namespace to work.

How to reproduce it (as minimally and precisely as possible):

One erroneous put will make all subsequents puts fail.

kubectl port-forward -n kubeclarity svc/kubeclarity-kubeclarity 9999:8080

curl -i 'http://localhost:9999/api/runtime/scan/start' \
  -X 'PUT' \
  -H 'Accept: */*' \
  -H 'content-type: application/json' \
  --data-raw '{"namespaces":["does-not-exist"]}'

The following request normally completes correctly, but not if an erroneous namespace has been given:

curl -i 'http://localhost:9999/api/runtime/scan/start' \
  -X 'PUT' \
  -H 'Accept: */*' \
  -H 'content-type: application/json' \
  --data-raw {"namespaces":["kubeclarity"]}

To make the server respond normally again, it needs to be restarted.

Are there any error messages in KubeClarity logs?

2022/12/23 08:42:08 /build/backend/pkg/database/scheduler.go:58 record not found
[3.047ms] [rows:0] SELECT * FROM "scheduler" ORDER BY "scheduler"."id" LIMIT 1
2022/12/23 08:42:08 Serving kube clarity runtime scan a p is at http://[::]:8888
2022/12/23 08:42:08 Serving kube clarity a p is at http://[::]:8080
time="2022-12-23T08:46:15Z" level=error msg="Failed to send scan config to channel" func="github.com/openclarity/kubeclarity/backend/pkg/rest.(*Server).PutRuntimeScanStart" file="/build/backend/pkg/rest/runtime_scan_controller.go:53"
time="2022-12-23T08:49:20Z" level=error msg="Failed to send scan config to channel" func="github.com/openclarity/kubeclarity/backend/pkg/rest.(*Server).PutRuntimeScanStart" file="/build/backend/pkg/rest/runtime_scan_controller.go:53"

Anything else we need to know?:

I have also noticed the same behaviour on empty namespaces (such as "default"), but report for non-existing namespace to make the issue easier to reproduce.

Environment:

• Kubernetes version: Server Version: v1.24.3+k3s1
• KubeClarity version: v2.9.0 Commit: cf188c2a1e4846d9cbf707c7a217a7642bbe7fe3
• KubeClarity Helm Chart: Installed via helm template ... --version v2.9.0 ...
• Cloud provider or hardware configuration: Rancher Desktop 1.7.0
• Others: N/A

Scenario:

• I have a CI/CD pipeline for an app
• I would like as a final pipeline step, to analyze it and export results to kubeclarity backend

Right now the required steps are the following:

• Application needs to exist on Kubeclarity side, so you ever have to create it from UI, or scan a cluster which would "import" the app in the backend
• Push the results using the UUID that was generated

Does this mean I would need to do this manual action and then import the application-id as variable in my CI ? It doesn't seem really scalable.

What I would suggest is being able to:

• Create an app from kubeclarity-cli
• Get an app id (from name) from kubeclarity-cli (PK is application-id but seems like it's impossible to have two apps with the same name (code 409)), so we could retrieve app id from a name

Being able to do those two actions from kubeclarity-cli would make CI/CD pipelines way simpler.

Current workaround without modifying kubeclarity:

• Create an app via a POST request on /api/applications
• Getting application id from PostgreSQL applications table, or by doing a POST on /api/applications and taking ID from response if app already exists

I would be happy to create a PR with such changes if you think it seems like a nice addition.

Bumps goreleaser/goreleaser-action from 3 to 4.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Hello everyone. I wanted to use an external PostgreSQL database rather than the one used in dependencies, so I can decorrelate Kubeclarity storage from my Kubernetes cluster.

The goal of this PR is to use an external PostgreSQL database whereas currently, only using the one deployed in dependencies is possible.

I tried to make retrocompatible changes.