diff --git a/internal/sarif/fixtures/valid.sarif b/internal/sarif/fixtures/valid.sarif
index 6ead9064..2328dd73 100644
--- a/internal/sarif/fixtures/valid.sarif
+++ b/internal/sarif/fixtures/valid.sarif
@@ -5,351 +5,61 @@ { "tool": { "driver": { - "fullName": "Trivy Vulnerability Scanner", - "informationUri": "https://github.com/aquasecurity/trivy", - "name": "Trivy", + "informationUri": "https://github.com/Shopify/kubeaudit", + "name": "kubeaudit", "rules": [ { - "id": "KSV008", - "name": "Misconfiguration", + "id": "AppArmorInvalidAnnotation", + "name": "apparmor", "shortDescription": { - "text": "KSV008" + "text": "AppArmorInvalidAnnotation" }, - "fullDescription": { - "text": "Sharing the host’s IPC namespace allows container processes to communicate with processes on the host." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/appshield/ksv008", - "help": { - "text": "Misconfiguration KSV008\nType: Kubernetes Security Check\nSeverity: HIGH\nCheck: Access to host IPC namespace\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)\nSharing the host’s IPC namespace allows container processes to communicate with processes on the host.", - "markdown": "**Misconfiguration KSV008**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Kubernetes Security Check|HIGH|Access to host IPC namespace|StatefulSet 'statefulset' should not set 'spec.template.spec.hostIPC' to true|[KSV008](https://avd.aquasec.com/appshield/ksv008)|\n\nSharing the host’s IPC namespace allows container processes to communicate with processes on the host." - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "KSV009", - "name": "Misconfiguration", - "shortDescription": { - "text": "KSV009" - }, - "fullDescription": { - "text": "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter." 
- }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/appshield/ksv009", - "help": { - "text": "Misconfiguration KSV009\nType: Kubernetes Security Check\nSeverity: HIGH\nCheck: Access to host network\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)\nSharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter.", - "markdown": "**Misconfiguration KSV009**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Kubernetes Security Check|HIGH|Access to host network|StatefulSet 'statefulset' should not set 'spec.template.spec.hostNetwork' to true|[KSV009](https://avd.aquasec.com/appshield/ksv009)|\n\nSharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter." - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "KSV010", - "name": "Misconfiguration", - "shortDescription": { - "text": "KSV010" - }, - "fullDescription": { - "text": "Sharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration." 
- }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/appshield/ksv010", - "help": { - "text": "Misconfiguration KSV010\nType: Kubernetes Security Check\nSeverity: HIGH\nCheck: Access to host PID\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)\nSharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration.", - "markdown": "**Misconfiguration KSV010**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Kubernetes Security Check|HIGH|Access to host PID|StatefulSet 'statefulset' should not set 'spec.template.spec.hostPID' to true|[KSV010](https://avd.aquasec.com/appshield/ksv010)|\n\nSharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration." - }, - "properties": { - "precision": "very-high", - "security-severity": "8.0", - "tags": [ - "misconfiguration", - "security", - "HIGH" - ] - } - }, - { - "id": "KSV006", - "name": "Misconfiguration", - "shortDescription": { - "text": "KSV006" - }, - "fullDescription": { - "text": "Mounting docker.sock from the host can give the container full root access to the host." 
- }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/appshield/ksv006", "help": { - "text": "Misconfiguration KSV006\nType: Kubernetes Security Check\nSeverity: HIGH\nCheck: hostPath volume mounted with docker.sock\nMessage: Pod 'pod' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'\nLink: [KSV006](https://avd.aquasec.com/appshield/ksv006)\nMounting docker.sock from the host can give the container full root access to the host.", - "markdown": "**Misconfiguration KSV006**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Kubernetes Security Check|HIGH|hostPath volume mounted with docker.sock|Pod 'pod' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'|[KSV006](https://avd.aquasec.com/appshield/ksv006)|\n\nMounting docker.sock from the host can give the container full root access to the host." + "text": "**Type**: kubernetes\n**Auditor Docs**: To find out more about the issue and how to fix it, follow [this link](https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/apparmor.md)\n**Description:** Finds containers that do not have AppArmor enabled\n\n *Note*: These audit results are generated with `kubeaudit`, a command line tool and a Go package that checks for potential security concerns in kubernetes manifest specs. You can read more about it at https://github.com/Shopify/kubeaudit " }, "properties": { "precision": "very-high", - "security-severity": "8.0", "tags": [ - "misconfiguration", "security", - "HIGH" + "kubernetes", + "infrastructure" ] } }, { - "id": "KSV017", - "name": "Misconfiguration", + "id": "AutomountServiceAccountTokenTrueAndDefaultSA", + "name": "asat", "shortDescription": { - "text": "KSV017" + "text": "AutomountServiceAccountTokenTrueAndDefaultSA" }, - "fullDescription": { - "text": "Privileged containers share namespaces with the host system and do not offer any security. 
They should be used exclusively for system containers that require high privileges." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/appshield/ksv017", "help": { - "text": "Misconfiguration KSV017\nType: Kubernetes Security Check\nSeverity: HIGH\nCheck: Privileged container\nMessage: Container 'container' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false\nLink: [KSV017](https://avd.aquasec.com/appshield/ksv017)\nPrivileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.", - "markdown": "**Misconfiguration KSV017**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Kubernetes Security Check|HIGH|Privileged container|Container 'container' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false|[KSV017](https://avd.aquasec.com/appshield/ksv017)|\n\nPrivileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges." + "text": "**Type**: kubernetes\n**Auditor Docs**: To find out more about the issue and how to fix it, follow [this link](https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/asat.md)\n**Description:** Finds containers where the deprecated SA field is used or with a mounted default SA\n\n *Note*: These audit results are generated with `kubeaudit`, a command line tool and a Go package that checks for potential security concerns in kubernetes manifest specs. 
You can read more about it at https://github.com/Shopify/kubeaudit " }, "properties": { "precision": "very-high", - "security-severity": "8.0", "tags": [ - "misconfiguration", "security", - "HIGH" + "kubernetes", + "infrastructure" ] } } - ], - "version": "0.27.1" + ] } }, "results": [ { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/host-ipc-true-allowed.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/host-ipc-true-allowed.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/host-ipc-true.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/host-ipc-true.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/host-network-true-allowed.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/host-network-true-allowed.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, 
- "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/host-network-true.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/host-network-true.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/host-pid-true-allowed.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/host-pid-true-allowed.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/host-pid-true.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/host-pid-true.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/namespaces-all-true-allowed.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - 
"physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/namespaces-all-true-allowed.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/namespaces-all-true-allowed.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/namespaces-all-true-allowed.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/namespaces-all-true-allowed.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/namespaces-all-true-allowed.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", + "ruleId": "AppArmorInvalidAnnotation", "ruleIndex": 0, "level": "error", "message": { - "text": "Artifact: auditors/hostns/fixtures/namespaces-all-true.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" + "text": "Details: AppArmor annotation key refers to a container that doesn't exist. 
Remove the annotation 'container.apparmor.security.beta.kubernetes.io/container: badval'.\n Auditor: apparmor\nDescription: Finds containers that do not have AppArmor enabled\nAuditor docs: https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/apparmor.md " }, "locations": [ { "physicalLocation": { "artifactLocation": { - "uri": "auditors/hostns/fixtures/namespaces-all-true.yml", + "uri": "internal/sarif/fixtures/apparmor-invalid.yaml", "uriBaseId": "ROOTPATH" }, "region": { 
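Review bot: Both new rule entries (`AppArmorInvalidAnnotation` and `AutomountServiceAccountTokenTrueAndDefaultSA`) put Markdown such as `**Type**` and `[this link](…)` into `help.text` and carry no `help.markdown`, so a SARIF viewer that treats `text` as plain text will show the markup literally. If this fixture mirrors what the emitter writes, the formatted string belongs under `"markdown"` with a plain-text `"text"` beside it. The rules also lose `properties.security-severity` and `defaultConfiguration.level`, and the driver loses `version`. Consumers that rank findings by `security-severity` (GitHub code scanning is one) then have only the result-level `"level": "error"` to go on, and a report can no longer be tied to the tool release that produced it. The emitter code is not part of this hunk, so confirm whether these omissions are intended before treating this file as the reference for valid output.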
@@ -360,1004 +70,17 @@ ] }, { - "ruleId": "KSV009", + "ruleId": "AutomountServiceAccountTokenTrueAndDefaultSA", "ruleIndex": 1, "level": "error", "message": { - "text": "Artifact: auditors/hostns/fixtures/namespaces-all-true.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/namespaces-all-true.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: auditors/hostns/fixtures/namespaces-all-true.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/hostns/fixtures/namespaces-all-true.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV006", - "ruleIndex": 3, - "level": "error", - "message": { - "text": "Artifact: auditors/mounts/fixtures/docker-sock-mounted.yml\nType: kubernetes\nVulnerability KSV006\nSeverity: HIGH\nMessage: Pod 'pod' should not specify '/var/run/docker.socker' in 'spec.template.volumes.hostPath.path'\nLink: [KSV006](https://avd.aquasec.com/appshield/ksv006)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/mounts/fixtures/docker-sock-mounted.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV017", - "ruleIndex": 4, - "level": "error", - "message": { - "text": "Artifact: auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml\nType: kubernetes\nVulnerability 
KSV017\nSeverity: HIGH\nMessage: Container 'container1' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false\nLink: [KSV017](https://avd.aquasec.com/appshield/ksv017)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV017", - "ruleIndex": 4, - "level": "error", - "message": { - "text": "Artifact: auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml\nType: kubernetes\nVulnerability KSV017\nSeverity: HIGH\nMessage: Container 'container2' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false\nLink: [KSV017](https://avd.aquasec.com/appshield/ksv017)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/privileged/fixtures/privileged-true-allowed-multi-containers-multi-labels.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV017", - "ruleIndex": 4, - "level": "error", - "message": { - "text": "Artifact: auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml\nType: kubernetes\nVulnerability KSV017\nSeverity: HIGH\nMessage: Container 'container1' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false\nLink: [KSV017](https://avd.aquasec.com/appshield/ksv017)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV017", - "ruleIndex": 4, - "level": "error", - "message": { - "text": "Artifact: auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml\nType: kubernetes\nVulnerability 
KSV017\nSeverity: HIGH\nMessage: Container 'container2' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false\nLink: [KSV017](https://avd.aquasec.com/appshield/ksv017)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/privileged/fixtures/privileged-true-allowed-multi-containers-single-label.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV017", - "ruleIndex": 4, - "level": "error", - "message": { - "text": "Artifact: auditors/privileged/fixtures/privileged-true-allowed.yml\nType: kubernetes\nVulnerability KSV017\nSeverity: HIGH\nMessage: Container 'container' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false\nLink: [KSV017](https://avd.aquasec.com/appshield/ksv017)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/privileged/fixtures/privileged-true-allowed.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV017", - "ruleIndex": 4, - "level": "error", - "message": { - "text": "Artifact: auditors/privileged/fixtures/privileged-true.yml\nType: kubernetes\nVulnerability KSV017\nSeverity: HIGH\nMessage: Container 'container' of DaemonSet 'daemonset' should set 'securityContext.privileged' to false\nLink: [KSV017](https://avd.aquasec.com/appshield/ksv017)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "auditors/privileged/fixtures/privileged-true.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/cronjob.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: CronJob 'cronjob' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - 
"locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/cronjob.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/cronjob.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: CronJob 'cronjob' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/cronjob.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/cronjob.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: CronJob 'cronjob' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/cronjob.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - 
"text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1beta1.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1beta1.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostNetwork' to true\nLink: 
[KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1beta1.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1beta2.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1beta2.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1beta2.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1beta2.yml", - "uriBaseId": "ROOTPATH" - }, - 
"region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/daemonset-v1beta2.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: DaemonSet 'daemonset1' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/daemonset-v1beta2.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1.yml\nType: 
kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1beta1.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1beta1.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1beta1.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - 
"locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1beta2.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1beta2.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1beta2.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1beta2.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-apps-v1beta2.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-apps-v1beta2.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - 
"startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-extensions-v1beta1.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-extensions-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-extensions-v1beta1.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-extensions-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/deployment-extensions-v1beta1.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Deployment 'deployment' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/deployment-extensions-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: 
internal/test/fixtures/all_resources/job.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Job 'job' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/job.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/job.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Job 'job' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/job.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/job.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Job 'job' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/job.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/pod.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": 
"internal/test/fixtures/all_resources/pod.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/pod.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/pod.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/pod.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: Pod 'pod' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/pod.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/replicationcontroller.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: ReplicationController 'replicationcontroller' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/replicationcontroller.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: 
internal/test/fixtures/all_resources/replicationcontroller.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: ReplicationController 'replicationcontroller' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/replicationcontroller.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/replicationcontroller.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: ReplicationController 'replicationcontroller' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/replicationcontroller.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/statefulset-v1.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/statefulset-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/statefulset-v1.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: StatefulSet 'statefulset' should not set 
'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/statefulset-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/statefulset-v1.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/statefulset-v1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV008", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/statefulset-v1beta1.yml\nType: kubernetes\nVulnerability KSV008\nSeverity: HIGH\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostIPC' to true\nLink: [KSV008](https://avd.aquasec.com/appshield/ksv008)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/statefulset-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV009", - "ruleIndex": 1, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/statefulset-v1beta1.yml\nType: kubernetes\nVulnerability KSV009\nSeverity: HIGH\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostNetwork' to true\nLink: [KSV009](https://avd.aquasec.com/appshield/ksv009)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": 
"internal/test/fixtures/all_resources/statefulset-v1beta1.yml", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - } - } - ] - }, - { - "ruleId": "KSV010", - "ruleIndex": 2, - "level": "error", - "message": { - "text": "Artifact: internal/test/fixtures/all_resources/statefulset-v1beta1.yml\nType: kubernetes\nVulnerability KSV010\nSeverity: HIGH\nMessage: StatefulSet 'statefulset' should not set 'spec.template.spec.hostPID' to true\nLink: [KSV010](https://avd.aquasec.com/appshield/ksv010)" + "text": "Details: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.\n Auditor: asat\nDescription: Finds containers where the deprecated SA field is used or with a mounted default SA\nAuditor docs: https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/asat.md " }, "locations": [ { "physicalLocation": { "artifactLocation": { - "uri": "internal/test/fixtures/all_resources/statefulset-v1beta1.yml", + "uri": "internal/sarif/fixtures/apparmor-invalid.yaml", "uriBaseId": "ROOTPATH" }, "region": { diff --git a/internal/sarif/sarif.go b/internal/sarif/sarif.go index d4fcb9c3..6a75d1a7 100644 --- a/internal/sarif/sarif.go +++ b/internal/sarif/sarif.go 
@@ -42,13 +42,14 @@ func Create(kubeauditReport *kubeaudit.Report) (*sarif.Report, error) {
  docsURL = "https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/" + auditor + ".md"
  }
- helpMessage := fmt.Sprintf("**Type**: kubernetes\n**Docs**: %s\n**Description:** %s", docsURL, allAuditors[auditor])
+ helpMessage := fmt.Sprintf("**Type**: kubernetes\n**Auditor Docs**: To find out more about the issue and how to fix it, follow [this link](%s)\n**Description:** %s\n\n *Note*: These audit results are generated with `kubeaudit`, a command line tool and a Go package that checks for potential security concerns in kubernetes manifest specs. You can read more about it at https://github.com/Shopify/kubeaudit ",
+ docsURL, allAuditors[auditor])
  // we only add rules to the report based on the result findings
  run.AddRule(result.Rule).
  WithName(result.Auditor).
  WithMarkdownHelp(helpMessage).
- WithHelp(&sarif.MultiformatMessageString{Text: &docsURL}).
+ WithHelp(&sarif.MultiformatMessageString{Text: &helpMessage}).
  WithShortDescription(&sarif.MultiformatMessageString{Text: &result.Rule}).
  WithProperties(sarif.Properties{
  "tags": []string{
@@ -66,11 +67,14 @@ func Create(kubeauditReport *kubeaudit.Report) (*sarif.Report, error) {
  severityLevel = "note"
  }
+ details := fmt.Sprintf("Details: %s\n Auditor: %s\nDescription: %s\nAuditor docs: %s ",
+ result.Message, result.Auditor, allAuditors[auditor], docsURL)
+
  location := sarif.NewPhysicalLocation().
  WithArtifactLocation(sarif.NewSimpleArtifactLocation(result.FilePath).WithUriBaseId("ROOTPATH")).
  WithRegion(sarif.NewRegion().WithStartLine(1))
  result := sarif.NewRuleResult(result.Rule).
- WithMessage(sarif.NewTextMessage(result.Message)).
+ WithMessage(sarif.NewTextMessage(details)).
  WithLevel(severityLevel).
  WithLocations([]*sarif.Location{sarif.NewLocation().WithPhysicalLocation(location)})
  run.AddResult(result)
diff --git a/internal/sarif/sarif_test.go b/internal/sarif/sarif_test.go
index 7d91e872..77a46654 100644
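Review bot: The `WithHelp` call now passes `&helpMessage`, the same Markdown string given to `WithMarkdownHelp`, so the rule's plain-text `help.text` carries `**Type**` and `[this link](...)` markup that a consumer reading `text` will display literally. SARIF keeps `text` for plain text and `markdown` for the formatted variant, so a separate string is safer, for example `helpText := fmt.Sprintf("Type: kubernetes\nAuditor docs: %s\nDescription: %s", docsURL, allAuditors[auditor])` passed as `Text: &helpText`. `docsURL` is assigned inside a conditional whose start is outside the hunk; if it can stay empty, the Markdown link would render as `[this link]()` and is better omitted in that case. The body of `Create` continues outside the hunk.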
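Review bot: The `details` format string in the second hunk has a stray space before `Auditor:` and a trailing space after the last `%s`, and both are now pinned in the `valid.sarif` fixture; `"Details: %s\nAuditor: %s\nDescription: %s\nAuditor docs: %s"` reads cleanly in viewers that preserve whitespace. `result.Message` presumably reflects content of the audited manifest, so it should stay in the plain-text message as it does here and not be routed into a Markdown field without escaping. Each result also repeats the description and docs URL that the rule's help already carries, which grows the report with every finding. `Create` starts and ends outside the hunk.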
--- a/internal/sarif/sarif_test.go
+++ b/internal/sarif/sarif_test.go
@@ -89,7 +89,7 @@ func TestCreate(t *testing.T) {
  ruleNames = append(ruleNames, sarifRule.ID)
- assert.Equal(t, tc.expectedURI, *sarifRule.Help.Text)
+ assert.Contains(t, *sarifRule.Help.Text, tc.expectedURI)
  }
  for _, sarifResult := range sarifReport.Runs[0].Results {
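Review bot: `assert.Contains` only checks that `tc.expectedURI` is a substring of `*sarifRule.Help.Text`, so the type line, the description and the trailing note in the help string are no longer verified. If any table case leaves `expectedURI` empty, the check passes for any text at all; a guard such as `assert.NotEmpty(t, tc.expectedURI)` where a URI is expected, or a second assertion on the expected description, would keep the test meaningful. The per-result message built from `details` in `sarif.go` appears to be covered only through the fixture, so an assertion on `sarifResult.Message.Text` in the loop that follows would pin that format too. `TestCreate` starts and ends outside the hunk.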