Making Percona Kubernetes Operators More Secure with Trivy

Just to have a simple refresher, let's start with a bit of Wikipedia. A vulnerability (in computing) is:

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.

There are a lot of software vulnerabilities out there. Probably the most famous are the ones like Heartbleed, Meltdown, or Shellshock. These examples are what are called known vulnerabilities: vulnerabilities that have been disclosed, have an ID (such as a CVE ID) assigned to them, and can be looked up and tracked in databases like the National Vulnerability Database. On the other hand, unknown vulnerabilities are vulnerabilities present in a computer system that have either not been discovered yet, or have been discovered but not yet documented.

When it comes to unknown vulnerabilities, typically they are bugs that we introduce into our own software, and we should deal with them the way bugs are dealt with: proper and continuous testing (tools like OWASP ZAP can help here as well). But for the known ones, if there are ways to spot and eliminate them, doing so should be mandatory, since it is crucial for the safety and reliability of our products. This is where vulnerability scanners come into play and, in our case, Trivy.

What is Trivy

Trivy is an open source, reliable, fast, easy-to-use comprehensive security scanner. It has different scanners for different security issues (like known vulnerabilities – CVEs or IaC misconfigurations) and supports different targets (like container images, filesystem, or Kubernetes resources) where it can find these issues. Check the docs to learn more.

It satisfies our needs first of all with its reliability and correctness, but also by being dead simple to use. It is a one-command tool; for example, to scan a Docker image you just call it like this:

As a result you will see:


Scanning Percona Kubernetes Operators

With our Percona Kubernetes Operators, we focus on scanning our container images for known vulnerabilities. It is crucial for us to prevent deploying containers with vulnerable packages to a running environment. CI/CD pipelines (GitHub Actions in our case) are the best place to do it, since we want to check everything as early as possible.

Trivy can be used directly as a GitHub Action with very little effort. To try it in your GitHub repository, just find it in the marketplace and add it to your workflow.

All of our Percona Docker images are scanned with Trivy. Here is a nice example of it finding a vulnerability in Percona Operator for MySQL after we upgraded our logger library:

There we can see that we had vulnerability CVE-2022-1996 in the go-restful library, and we can clearly see which version we need to move to in order to get rid of it (v3.8.0 in this case). This process is highly automated and very effective.

Besides scanning the operator image itself, we also scan every other image used by the operator, and we check them on every commit. That is how thorough the whole process is.
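The CI gate described above, as an added example that is not Percona's own pipeline code: it reads the JSON report Trivy produces (`trivy image --format json`), keeps only findings at or above a chosen severity, and by default ignores findings that have no fixed version yet, so the build fails only when there is actually something to upgrade. The sample report is constructed after the go-restful finding in the post; the image name, module path and installed version are assumptions.

```python
import json

# Constructed sample of `trivy image --format json` output, shaped after the
# CVE-2022-1996 / go-restful finding described in the post and trimmed to a
# few fields. The image name, module path and installed version are
# assumptions, not what the operator image actually contained.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.invalid/percona/operator:constructed",
    "Results": [{
        "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-1996",
             "PkgName": "github.com/emicklei/go-restful/v3",
             "InstalledVersion": "v3.7.3", "FixedVersion": "v3.8.0",
             "Severity": "CRITICAL"},
            # placeholder finding with no upstream fix available yet
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "example-lib",
             "InstalledVersion": "1.0.0", "FixedVersion": "",
             "Severity": "HIGH"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def blocking_findings(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Return (id, package, installed, fixed) for findings that should fail CI."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets without vulnerabilities
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            fixed = v.get("FixedVersion", "")
            if ignore_unfixed and not fixed:
                continue  # nothing to upgrade to yet: report it, don't block on it
            hits.append((v["VulnerabilityID"], v["PkgName"],
                         v["InstalledVersion"], fixed))
    return hits

def gate(report_json, **opts):
    """Exit status for the CI step: 1 when a fixable finding remains, else 0."""
    hits = blocking_findings(report_json, **opts)
    for vid, pkg, installed, fixed in hits:
        print(f"{vid}: {pkg} {installed} -> upgrade to {fixed}")
    return 1 if hits else 0
```

Running `gate(SAMPLE_REPORT)` fails the step because of the go-restful finding; pass `ignore_unfixed=False` to also block on findings that cannot be fixed by an upgrade yet.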

Conclusion

With proper and continuous testing we can avoid many unknown vulnerabilities, but for known vulnerabilities it is critical for us to eliminate them, and to eliminate them as early as possible. Trivy is a tool that ticks all our boxes: reliable, correct, efficient, and simple. We can highly recommend integrating it into your CI/CD workflow.

Want to report a security issue in one of the Percona products? Please send an email to [email protected]. For more information, please read https://www.percona.com/security.

The Percona Kubernetes Operators automate the creation, alteration, or deletion of members in your Percona Distribution for MySQL, MongoDB, or PostgreSQL environment.
