- Bug
- Resolution: Unresolved
- Major
- None
- 4.13.z, 4.12
- None
- Important
- No
- 1
- Workloads Sprint 262
- 1
- Proposed
- False
Description of problem:
Multiple vulnerabilities are reported by the OSSO scan (Trivy misconfiguration checks run against the openshift-secondary-scheduler-operator namespace):
1. Container 'secondary-scheduler' of Pod 'secondary-scheduler-6cf9b577d7-zsbg7' should set 'securityContext.readOnlyRootFilesystem' to true
2. Container 'secondary-scheduler-operator' of Pod 'secondary-scheduler-operator-696d77bb-zht8w' should set 'securityContext.readOnlyRootFilesystem' to true
Version-Release number of selected component (if applicable):
OSSO 1.1.4
How reproducible:
Always
Steps to Reproduce:
1. Install a 4.12 OpenShift cluster
2. Install OSSO
3. Clone the repo https://github.com/RedHatProductSecurity/rapidast
4. Update rapidast_config.yaml as attached below
5. Run `rapidast.py --config rapidast_config.yaml`
Actual results:
Vulnerabilities reported with HIGH and CRITICAL severity
Expected results:
No vulnerabilities with HIGH or CRITICAL severity should be seen
Additional info:
rapidast_config.yaml (as attached):

# This is a configuration template file to perform scans using user-defined container images or scripts
#
# Author: Red Hat Product Security

config:
  # WARNING: `configVersion` indicates the schema version of the config file.
  # This value tells RapiDAST what schema should be used to read this configuration.
  # Therefore you should only change it if you update the configuration to a newer schema
  # It is intended to keep backward compatibility (newer RapiDAST running an older config)
  configVersion: 5

# `application` contains data related to the application, not to the scans.
application:
  shortName: "oobttest"

# `general` is a section that will be applied to all scanners.
general:
  container:
    # This configures what technology is to be used for RapiDAST to run each scanner.
    # Currently supported: `podman` and `none`
    #   none: Default. RapiDAST runs each scanner in the same host or inside the RapiDAST image container
    #   podman: RapiDAST orchestrates each scanner on its own using podman
    # When undefined, relies on rapidast-defaults.yaml, or `none` if nothing is set
    type: "none"

# `scanners' is a section that configures scanning options
scanners:
  generic_oobt:
    # toolDir: scanners/generic/tools
    inline: "python3 oobtkube.py -d 120 -p 12345 -i <update_local_host_ip> -f /tmp/<update with cr for osso>"

  generic_trivy:
    # results:
    #   An absolute path to file or directory where results are stored on the host.
    #   if it is "*stdout" or unspecified, the command's standard output will be selected
    #   When container.type is 'podman', this needs to be used along with the container.volumes configuration below
    #   If the result needs to be sent to DefectDojo, this must be a SARIF format file
    # results: "/test/results"

    # Example: scan a k8s cluster for misconfiguration issue
    # - kubeconfig file for the cluster is required
    # - See https://aquasecurity.github.io/trivy/v0.49/docs/target/kubernetes/ for more information on 'trivy k8s' scan
    # - scanners/generic/tools/convert_trivy_k8s_to_sarif.py converts the Trivy json result to the SARIF format
    # 'inline' is used when container.type is not 'podman'
    # 'toolDir' specifies the default directory where inline scripts are located
    #toolDir: scanners/generic/tools
    inline: "trivy k8s --kubeconfig=<kubeconfig_file_path> -n openshift-secondary-scheduler-operator --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json"

    container:
      parameters:
        # Optional: list of expected return codes, anything else will be considered as an error. by default: [0]
        validReturns: [ 0 ]
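The check behind both findings, written out as an added example (not code from RapiDAST, Trivy, or the secondary-scheduler operator): a small Python script that walks a workload manifest, flags every container whose securityContext does not set readOnlyRootFilesystem to true, prints the same message Trivy does, and builds an RFC 6902 JSON Patch that sets the flag and mounts an emptyDir on /tmp so a process that writes scratch files keeps working once the root filesystem is read-only. The embedded Deployment is constructed for the example; only the Deployment and container name "secondary-scheduler-operator" come from the report, while the second container, the image references and the "scratch" volume name are assumptions.

```python
"""Flag containers whose root filesystem is writable (the condition Trivy
reports as "should set 'securityContext.readOnlyRootFilesystem' to true")
and build a JSON Patch that hardens them.

Added example, not code from RapiDAST, Trivy or the secondary-scheduler
operator. SAMPLE_DEPLOYMENT is constructed for the example."""

import copy
import json

# Constructed sample: one container missing the setting (as in the bug
# report), one that already has it. Images are placeholders.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "secondary-scheduler-operator",
                 "namespace": "openshift-secondary-scheduler-operator"},
    "spec": {"template": {"spec": {
        "containers": [
            {"name": "secondary-scheduler-operator",
             "image": "registry.example/osso:1.1.4",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "kube-rbac-proxy",  # assumed sidecar, not from the report
             "image": "registry.example/kube-rbac-proxy:latest",
             "securityContext": {"readOnlyRootFilesystem": True}},
        ]}}},
}


def _pod_spec_path(manifest):
    """JSON-pointer prefix of the PodSpec: a Pod carries it in .spec, workload
    controllers (Deployment, DaemonSet, StatefulSet, Job) in .spec.template.spec."""
    return "/spec" if manifest.get("kind") == "Pod" else "/spec/template/spec"


def _resolve(obj, pointer):
    """Follow a JSON pointer ("/a/b/0") through nested dicts and lists."""
    for part in pointer.strip("/").split("/"):
        obj = obj[int(part)] if isinstance(obj, list) else obj[part]
    return obj


def find_writable_rootfs(manifest):
    """One finding per container (init containers included) where
    securityContext.readOnlyRootFilesystem is not exactly True. A missing
    securityContext, a missing key, or an explicit False all count."""
    kind, name = manifest.get("kind", ""), manifest.get("metadata", {}).get("name", "")
    base = _pod_spec_path(manifest)
    pod_spec = _resolve(manifest, base)
    findings = []
    for field in ("initContainers", "containers"):
        for idx, c in enumerate(pod_spec.get(field, [])):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append({
                    "container": c.get("name", ""),
                    "pointer": f"{base}/{field}/{idx}",
                    # Trivy names the Pod it scanned; on a manifest we name the owner kind.
                    "message": (f"Container '{c.get('name', '')}' of {kind} '{name}' "
                                "should set 'securityContext.readOnlyRootFilesystem' to true"),
                })
    return findings


def build_patch(manifest, findings, scratch_dir="/tmp"):
    """RFC 6902 patch: set readOnlyRootFilesystem on each flagged container and
    give it a writable emptyDir at scratch_dir, because a process that writes
    temp files would otherwise fail at runtime with EROFS."""
    base = _pod_spec_path(manifest)
    pod_spec = _resolve(manifest, base)
    ops = []
    if findings:
        if "volumes" not in pod_spec:
            ops.append({"op": "add", "path": f"{base}/volumes", "value": []})
        ops.append({"op": "add", "path": f"{base}/volumes/-",
                    "value": {"name": "scratch", "emptyDir": {}}})
    for f in findings:
        container = _resolve(manifest, f["pointer"])
        sc = dict(container.get("securityContext") or {})
        sc["readOnlyRootFilesystem"] = True
        # "add" on an existing object member replaces it, so this is correct
        # whether or not the container already had a securityContext.
        ops.append({"op": "add", "path": f"{f['pointer']}/securityContext", "value": sc})
        if "volumeMounts" not in container:
            ops.append({"op": "add", "path": f"{f['pointer']}/volumeMounts", "value": []})
        ops.append({"op": "add", "path": f"{f['pointer']}/volumeMounts/-",
                    "value": {"name": "scratch", "mountPath": scratch_dir}})
    return ops


def apply_patch(manifest, ops):
    """Minimal JSON Patch applier supporting only "add", which is all
    build_patch emits. Returns a new document; the input is left untouched."""
    doc = copy.deepcopy(manifest)
    for op in ops:
        assert op["op"] == "add"
        parent_ptr, _, key = op["path"].rpartition("/")
        parent = _resolve(doc, parent_ptr)
        if isinstance(parent, list):
            if key == "-":
                parent.append(op["value"])
            else:
                parent.insert(int(key), op["value"])
        else:
            parent[key] = op["value"]
    return doc


if __name__ == "__main__":
    found = find_writable_rootfs(SAMPLE_DEPLOYMENT)
    for f in found:
        print(f["message"])
    patch = build_patch(SAMPLE_DEPLOYMENT, found)
    print(json.dumps(patch, indent=2))  # usable with: oc patch ... --type=json -p "$(cat patch.json)"
    assert find_writable_rootfs(apply_patch(SAMPLE_DEPLOYMENT, patch)) == []
```

The emitted patch can be tried against the live Deployment with `oc patch deployment/secondary-scheduler-operator -n openshift-secondary-scheduler-operator --type=json -p "$(cat patch.json)"` to confirm the pod still starts with a read-only root, but a Deployment that a controller manages gets reconciled back, so a live patch only serves as a test; the durable fix belongs in the operator's bundled manifests and in the Deployment it renders for the secondary scheduler. Before flipping the flag, check where each process actually writes (strace or a quick look at its config for cache, log and temp paths); anything outside the mounted scratch directory will fail with EROFS, and that is exactly the containment the check is asking for.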
clones: OCPBUGS-31346 [DAST Testing] - Multiple vulnerabilities reported for OSSO (Closed)