Bug | Resolution: Duplicate | Undefined | None | 4.15 | None | Important | No | Proposed | False
Description of problem:
When running a DAST test against the RODO operator using Trivy, the following weaknesses are reported:
1. Pod 'runoncedurationoverride-9m2qs' should not set 'spec.template.spec.hostNetwork' to true
2. Container 'runoncedurationoverride' of Pod 'runoncedurationoverride-9m2qs' should set 'securityContext.readOnlyRootFilesystem' to true
3. Container 'runoncedurationoverride' of Pod 'runoncedurationoverride-9m2qs' should not set host ports, 'ports[*].hostPort'
4. Container 'run-once-duration-override-operator' of Pod 'run-once-duration-override-operator-cb84c5557-pfxjn' should set 'securityContext.readOnlyRootFilesystem' to true
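The three Trivy checks listed above, re-implemented as a small pre-deployment screen over a pod spec. This is an added example, not code from the bug report, RapiDAST or Trivy; the two pod templates are constructed stand-ins for the operator's workload, with the "before" one mirroring the reported findings and the "after" one showing the hardened spec.

```python
# Added example: reproduces the three misconfiguration checks Trivy reported against the
# RODO pods so the same workload spec can be screened before it reaches the cluster.
from typing import Any

# Constructed stand-in for the operator pod template, matching the reported findings.
POD_TEMPLATE_BEFORE: dict[str, Any] = {
    "metadata": {"name": "runoncedurationoverride-9m2qs"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "runoncedurationoverride",
            "ports": [{"containerPort": 9443, "hostPort": 9443}],
            "securityContext": {},
        }],
    },
}

# Same template with the three weaknesses removed (constructed).
POD_TEMPLATE_AFTER: dict[str, Any] = {
    "metadata": {"name": "runoncedurationoverride-9m2qs"},
    "spec": {
        "containers": [{
            "name": "runoncedurationoverride",
            "ports": [{"containerPort": 9443}],
            "securityContext": {"readOnlyRootFilesystem": True},
        }],
    },
}


def check_pod(pod: dict[str, Any]) -> list[str]:
    """Return one message per weakness, worded like the Trivy findings in the report."""
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    findings: list[str] = []
    if spec.get("hostNetwork") is True:
        findings.append(f"Pod '{pod_name}' should not set 'spec.template.spec.hostNetwork' to true")
    # initContainers are subject to the same container-level rules.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        # Absent securityContext or a missing/false flag both count as a finding.
        if c.get("securityContext", {}).get("readOnlyRootFilesystem") is not True:
            findings.append(f"Container '{cname}' of Pod '{pod_name}' should set "
                            "'securityContext.readOnlyRootFilesystem' to true")
        # Any hostPort entry, whatever its value, binds the container to the node.
        if any("hostPort" in p for p in c.get("ports", [])):
            findings.append(f"Container '{cname}' of Pod '{pod_name}' should not set host ports, "
                            "'ports[*].hostPort'")
    return findings
```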
Version-Release number of selected component (if applicable):
1.1.1
How reproducible:
Always
Steps to Reproduce:
1. Install the latest RODO operator.
2. Clone the repo https://github.com/RedHatProductSecurity/rapidast
3. Update rapidast_config.yaml as attached here.
4. Run the command `rapidast.py --config rapidast_config.yaml`
Actual results:
Weaknesses with severity HIGH and CRITICAL are reported.
Expected results:
No weaknesses with severity HIGH or CRITICAL should be reported.
Additional info:
# This is a configuration template file to perform scans using user-defined container images or scripts
#
# Author: Red Hat Product Security

config:
  # WARNING: `configVersion` indicates the schema version of the config file.
  # This value tells RapiDAST what schema should be used to read this configuration.
  # Therefore you should only change it if you update the configuration to a newer schema
  # It is intended to keep backward compatibility (newer RapiDAST running an older config)
  configVersion: 5

# `application` contains data related to the application, not to the scans.
application:
  shortName: "oobttest"

# `general` is a section that will be applied to all scanners.
general:
  container:
    # This configures what technology is to be used for RapiDAST to run each scanner.
    # Currently supported: `podman` and `none`
    #   none: Default. RapiDAST runs each scanner in the same host or inside the RapiDAST image container
    #   podman: RapiDAST orchestrates each scanner on its own using podman
    # When undefined, relies on rapidast-defaults.yaml, or `none` if nothing is set
    type: "none"

# `scanners` is a section that configures scanning options
scanners:
  generic_oobt:
    # toolDir: scanners/generic/tools
    inline: "python3 oobtkube.py -d 120 -p 12345 -i <update_local_host_ip> -f /tmp/<update with cr for rodo>"

  generic_trivy:
    # results:
    #   An absolute path to file or directory where results are stored on the host.
    #   If it is "*stdout" or unspecified, the command's standard output will be selected
    #   When container.type is 'podman', this needs to be used along with the container.volumes configuration below
    #   If the result needs to be sent to DefectDojo, this must be a SARIF format file
    # results: "/test/results"

    # Example: scan a k8s cluster for misconfiguration issues
    #   - kubeconfig file for the cluster is required
    #   - See https://aquasecurity.github.io/trivy/v0.49/docs/target/kubernetes/ for more information on the 'trivy k8s' scan
    #   - scanners/generic/tools/convert_trivy_k8s_to_sarif.py converts the Trivy JSON result to the SARIF format

    # 'inline' is used when container.type is not 'podman'
    # 'toolDir' specifies the default directory where inline scripts are located
    #toolDir: scanners/generic/tools
    inline: "trivy k8s --kubeconfig=<kubeconfig_file_path> -n openshift-run-once-duration-override-operator pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json"

    container:
      parameters:
        # Optional: list of expected return codes, anything else will be considered as an error. By default: [0]
        validReturns: [ 0 ]
Attaching the report as well:
[^stdout-report.txt]