vul

package

v0.0.1 Latest Latest Go to latest Published: Oct 31, 2023 License: Apache-2.0 Imports: 29 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/khulnasoft/vul-operator

Documentation ¶

Overview ¶

Package vul provides primitives for working with Vul.

Index ¶

Constants
func CheckAwsEcrPrivateRegistry(ImageUrl string) string
func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, ...) corev1.EnvVar
func GetCvssV3(findingCvss types.VendorCVSS) map[string]*CVSS
func GetMirroredImage(image string, mirrors map[string]string) (string, error)
func GetScoreFromCVSS(CVSSs map[string]*CVSS) *float64
func MultiSecretSupport(c Config) bool
func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) vulnerabilityreport.Plugin
func NewVulConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, ...) configauditreport.PluginInMemory
func Scanners(c Config) string
func SkipDBUpdate(c Config) string
func Slow(c Config) string
type AdditionalFields
type CVSS
type Command
type Config
type Mode

Constants ¶

View Source

const (
	AWSECR_Image_Regex        = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/"
	SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
	// SkipDirsAnnotation annotation  example: vul-operator.khulnasoft.github.io/skip-dirs: "/tmp,/home"
	SkipDirsAnnotation = "vul-operator.khulnasoft.github.io/skip-dirs"
	// SkipFilesAnnotation example: vul-operator.khulnasoft.github.io/skip-files: "/src/Gemfile.lock,/examplebinary"
	SkipFilesAnnotation = "vul-operator.khulnasoft.github.io/skip-files"
)

View Source

const (
	DefaultImageRepository  = "ghcr.io/khulnasoft-lab/vul"
	DefaultDBRepository     = "ghcr.io/khulnasoft-lab/vul-db"
	DefaultJavaDBRepository = "ghcr.io/khulnasoft-lab/vul-java-db"
	DefaultSeverity         = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
)

View Source

const (
	FsSharedVolumeName        = "vuloperator"
	SharedVolumeLocationOfVul = "/var/vuloperator/vul"
	SslCertDir                = "/var/ssl-cert"
)

View Source

const (
	KeyVulSeverity = "vul.severity"
)

View Source

const (
	// Plugin the name of this plugin.
	Plugin = "Vul"
)

Variables ¶

This section is empty.

Functions ¶

func CheckAwsEcrPrivateRegistry ¶

func CheckAwsEcrPrivateRegistry(ImageUrl string) string

func ConfigWorkloadAnnotationEnvVars ¶

func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, vulConfigName string, configKey string) corev1.EnvVar

func GetCvssV3 ¶

func GetCvssV3(findingCvss types.VendorCVSS) map[string]*CVSS

func GetMirroredImage ¶

func GetMirroredImage(image string, mirrors map[string]string) (string, error)

func GetScoreFromCVSS ¶

func GetScoreFromCVSS(CVSSs map[string]*CVSS) *float64

func MultiSecretSupport ¶

func MultiSecretSupport(c Config) bool

MultiSecretSupport validate if vul multi secret support

func NewPlugin ¶

func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin

NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Vul container image to scan Kubernetes workloads.

The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.

The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Vul server accessible at the configurable Config.GetServerURL.

func NewVulConfigAuditPlugin ¶

func NewVulConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory

NewVulConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Vul config audit scanner lib.

func Scanners ¶

func Scanners(c Config) string

Scanners use scanners flag

func SkipDBUpdate ¶

func SkipDBUpdate(c Config) string

SkipDBUpdate skip update flag

func Slow ¶

func Slow(c Config) string

Slow determine if to use the slow flag (improve memory footprint)

Types ¶

type AdditionalFields ¶

type AdditionalFields struct {
	Description bool
	Links       bool
	CVSS        bool
	Target      bool
	Class       bool
	PackageType bool
	PkgPath     bool
}

type CVSS ¶

type CVSS struct {
	V3Score *float64 `json:"V3Score,omitempty"`
}

type Command ¶

type Command string

Command to scan image or filesystem.

const (
	Filesystem Command = "filesystem"
	Image      Command = "image"
	Rootfs     Command = "rootfs"
)

type Config ¶

type Config struct {
	vuloperator.PluginConfig
}

Config defines configuration params for this plugin.

func (Config) FindIgnorePolicyKey ¶

func (c Config) FindIgnorePolicyKey(workload client.Object) string

func (Config) GenerateIgnoreFileVolumeIfAvailable ¶

func (c Config) GenerateIgnoreFileVolumeIfAvailable(vulConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnorePolicyVolumeIfAvailable ¶

func (c Config) GenerateIgnorePolicyVolumeIfAvailable(vulConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateSslCertDirVolumeIfAvailable ¶

func (c Config) GenerateSslCertDirVolumeIfAvailable(vulConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GetAdditionalVulnerabilityReportFields ¶

func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields

func (Config) GetCommand ¶

func (c Config) GetCommand() (Command, error)

func (Config) GetDBRepository ¶

func (c Config) GetDBRepository() (string, error)

func (Config) GetDBRepositoryInsecure ¶

func (c Config) GetDBRepositoryInsecure() bool

func (Config) GetImagePullSecret ¶

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference

func (Config) GetImageRef ¶

func (c Config) GetImageRef() (string, error)

GetImageRef returns upstream Vul container image reference.

func (Config) GetImageTag ¶

func (c Config) GetImageTag() (string, error)

GetImageTag returns upstream Vul container image tag.

func (Config) GetInsecureRegistries ¶

func (c Config) GetInsecureRegistries() map[string]bool

func (Config) GetMirrors ¶

func (c Config) GetMirrors() map[string]string

func (Config) GetMode ¶

func (c Config) GetMode() (Mode, error)

func (Config) GetNonSSLRegistries ¶

func (c Config) GetNonSSLRegistries() map[string]bool

func (Config) GetResourceRequirements ¶

func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)

GetResourceRequirements creates ResourceRequirements from the Config.

func (Config) GetServerInsecure ¶

func (c Config) GetServerInsecure() bool

func (Config) GetServerURL ¶

func (c Config) GetServerURL() (string, error)

func (Config) GetSeverity ¶

func (c Config) GetSeverity() string

func (Config) GetSlow ¶

func (c Config) GetSlow() bool

func (Config) GetSslCertDir ¶

func (c Config) GetSslCertDir() string

func (Config) GetSupportedConfigAuditKinds ¶

func (c Config) GetSupportedConfigAuditKinds() []string

func (Config) GetUseBuiltinRegoPolicies ¶

func (c Config) GetUseBuiltinRegoPolicies() bool

func (Config) GetVulnType ¶

func (c Config) GetVulnType() string

func (Config) IgnoreFileExists ¶

func (c Config) IgnoreFileExists() bool

func (Config) IgnoreUnfixed ¶

func (c Config) IgnoreUnfixed() bool

func (Config) OfflineScan ¶

func (c Config) OfflineScan() bool

type Mode ¶

type Mode string

Mode in which Vul client operates.

const (
	Standalone   Mode = "Standalone"
	ClientServer Mode = "ClientServer"
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL