# storage.sbomscanner.kubewarden.io_workloadscanreports.yaml (forked from kubewarden/sbomscanner)
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.16.5
  name: workloadscanreports.storage.sbomscanner.kubewarden.io
spec:
  group: storage.sbomscanner.kubewarden.io
  names:
    kind: WorkloadScanReport
    listKind: WorkloadScanReportList
    plural: workloadscanreports
    singular: workloadscanreport
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: WorkloadScanReport represents the vulnerability scan results
          for a workload's containers.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          containers:
            description: |-
              Containers contains the vulnerability reports for each container.
              Populated at read time by joining with VulnerabilityReport data.
            items:
              description: ContainerResult contains the vulnerability scan results
                for a single container.
              properties:
                name:
                  description: Name is the name of the container (matches ContainerRef.Name).
                  type: string
                vulnerabilityReports:
                  description: |-
                    VulnerabilityReports contains the vulnerability reports for this container's image.
                    Multiple reports may exist for multi-arch images (one per platform).
                  items:
                    description: WorkloadScanVulnerabilityReport contains vulnerability
                      report data for a specific platform.
                    properties:
                      imageMetadata:
                        description: ImageMetadata contains the VulnerabilityReport's
                          image metadata.
                        properties:
                          digest:
                            description: Digest specifies the image manifest digest.
                            type: string
                          indexDigest:
                            description: IndexDigest specifies the image index digest
                              that referenced this manifest. Set only for multi-arch
                              images.
                            type: string
                          platform:
                            description: Platform specifies the platform of the image.
                              Example "linux/amd64".
                            type: string
                          registry:
                            description: Registry specifies the name of the Registry
                              object in the same namespace where the image is stored.
                            type: string
                          registryURI:
                            description: 'RegistryURI specifies the URI of the registry
                              where the image is stored. Example: "registry-1.docker.io:5000".'
                            type: string
                          repository:
                            description: 'Repository specifies the repository path
                              of the image. Example: "kubewarden/sbomscanner".'
                            type: string
                          tag:
                            description: 'Tag specifies the tag of the image. Example:
                              "latest".'
                            type: string
                        required:
                        - digest
                        - platform
                        - registry
                        - registryURI
                        - repository
                        - tag
                        type: object
                      name:
                        description: Name is the name of the VulnerabilityReport.
                        type: string
                      namespace:
                        description: Namespace is the namespace where the VulnerabilityReport
                          is stored.
                        type: string
                      report:
                        description: Report is the actual vulnerability scan report.
                        properties:
                          results:
                            description: Results per target (e.g., layer, package
                              type)
                            items:
                              description: Result represents scan findings for a specific
                                target and class of packages
                              properties:
                                class:
                                  description: Class is the classification of the
                                    target
                                  type: string
                                target:
                                  description: Target is the specific target scanned
                                  type: string
                                type:
                                  description: Type is the language type
                                  type: string
                                vulnerabilities:
                                  description: Vulnerabilities found in this target
                                  items:
                                    description: |-
                                      Vulnerability contains detailed information about a single vulnerability
                                      found in a package
                                    properties:
                                      cve:
                                        description: CVE identifier
                                        type: string
                                      cvss:
                                        additionalProperties:
                                          description: CVSS holds Common Vulnerability
                                            Scoring System data for a vulnerability.
                                          properties:
                                            v3score:
                                              description: V3Score numerical score
                                              type: string
                                            v3vector:
                                              description: V3Vector string (e.g.,
                                                "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
                                              type: string
                                          required:
                                          - v3score
                                          - v3vector
                                          type: object
                                        description: CVSS scoring details
                                        type: object
                                      cwes:
                                        description: CWEs with which the CVE is classified
                                        items:
                                          type: string
                                        type: array
                                      description:
                                        description: Description of the vulnerability
                                        type: string
                                      diffID:
                                        description: DiffID of the image layer where
                                          the vulnerability was introduced
                                        type: string
                                      fixedVersions:
                                        description: FixedVersions is the list of
                                          versions where the vulnerability is fixed
                                        items:
                                          type: string
                                        type: array
                                      installedVersion:
                                        description: InstalledVersion of the package
                                          that was found
                                        type: string
                                      packageName:
                                        description: |-
                                          PackageName is the name of the vulnerable package
                                          (empty when Class is "binary")
                                        type: string
                                      packagePath:
                                        description: |-
                                          PackagePath is the path where the package was found
                                          (equal to Target when Class is "binary").
                                          trivy removes the "/" at the beginning of the path
                                          so we have to restore it.
                                        type: string
                                      purl:
                                        description: PURL (Package URL) identify the
                                          package uniquely
                                        type: string
                                      references:
                                        description: References contains URLs for
                                          more information
                                        items:
                                          type: string
                                        type: array
                                      severity:
                                        description: Severity rating (e.g., "HIGH",
                                          "MEDIUM")
                                        type: string
                                      severitySource:
                                        description: |-
                                          SeveritySource identifies the vendor that produced the Severity
                                          (e.g. "nvd", "ghsa", "redhat", "alpine").
                                          Consumers can use this key to look up the matching entry in the CVSS map to display alongside Severity.
                                          May be empty when the source vendor is not known.
                                        type: string
                                      suppressed:
                                        description: |-
                                          Suppressed identify when vulnerability has
                                          been suppressed by VEX documents
                                        type: boolean
                                      title:
                                        description: Title is the title of the vulnerability
                                        type: string
                                      vexStatus:
                                        description: VEXStatus information
                                        properties:
                                          repository:
                                            description: Repository providing the
                                              VEX document
                                            type: string
                                          statement:
                                            description: Statement optionally explain
                                              statement from the VEX document
                                            type: string
                                          status:
                                            description: VEX status (e.g., "not_affected",
                                              "fixed", "under_investigation")
                                            type: string
                                        required:
                                        - repository
                                        - statement
                                        - status
                                        type: object
                                    required:
                                    - cve
                                    - diffID
                                    - installedVersion
                                    - purl
                                    - severity
                                    - suppressed
                                    type: object
                                  type: array
                              required:
                              - class
                              - target
                              - type
                              - vulnerabilities
                              type: object
                            type: array
                          summary:
                            description: Summary of vulnerabilities found
                            properties:
                              critical:
                                description: Critical vulnerabilities count
                                type: integer
                              high:
                                description: High vulnerabilities count
                                type: integer
                              low:
                                description: Low vulnerabilities count
                                type: integer
                              medium:
                                description: Medium vulnerabilities count
                                type: integer
                              suppressed:
                                description: Suppressed vulnerabilities count
                                type: integer
                              unknown:
                                description: Unknown vulnerabilities count
                                type: integer
                            required:
                            - critical
                            - high
                            - low
                            - medium
                            - suppressed
                            - unknown
                            type: object
                        required:
                        - results
                        - summary
                        type: object
                    required:
                    - imageMetadata
                    - name
                    - namespace
                    - report
                    type: object
                  type: array
              required:
              - name
              type: object
            type: array
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec contains the workload container references, written
              by the reconciler.
            properties:
              containers:
                description: Containers contains the list of containers in the workload
                  with their image references.
                items:
                  description: ContainerRef identifies a container and its image reference
                    for vulnerability lookup.
                  properties:
                    imageRef:
                      description: ImageRef identifies which VulnerabilityReports
                        to associate with this container.
                      properties:
                        namespace:
                          description: Namespace is the namespace where the VulnerabilityReports
                            are stored.
                          type: string
                        registry:
                          description: Registry is the name of the Registry custom
                            resource.
                          type: string
                        repository:
                          description: Repository is the repository path of the image.
                          type: string
                        tag:
                          description: Tag is the tag of the image.
                          type: string
                      required:
                      - namespace
                      - registry
                      - repository
                      - tag
                      type: object
                    name:
                      description: Name is the name of the container.
                      type: string
                  required:
                  - imageRef
                  - name
                  type: object
                type: array
            required:
            - containers
            type: object
          status:
            description: |-
              Status contains the scan status for each container.
              Populated at read time.
            properties:
              containerStatuses:
                description: ContainerStatuses contains the scan status for each container.
                items:
                  description: ContainerStatus contains the scan status for a single
                    container.
                  properties:
                    name:
                      description: Name is the name of the container (matches ContainerRef.Name).
                      type: string
                    scanStatus:
                      description: ScanStatus indicates the scan status for this container.
                      type: string
                  required:
                  - name
                  - scanStatus
                  type: object
                type: array
            type: object
          summary:
            description: |-
              Summary provides aggregated vulnerability counts across all containers.
              Vulnerabilities are deduplicated per container (same CVE across platforms counts as 1),
              then summed across all containers.
              Populated at read time.
            properties:
              critical:
                description: Critical vulnerabilities count
                type: integer
              high:
                description: High vulnerabilities count
                type: integer
              low:
                description: Low vulnerabilities count
                type: integer
              medium:
                description: Medium vulnerabilities count
                type: integer
              suppressed:
                description: Suppressed vulnerabilities count
                type: integer
              unknown:
                description: Unknown vulnerabilities count
                type: integer
            required:
            - critical
            - high
            - low
            - medium
            - suppressed
            - unknown
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
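The schema above is what a policy or dashboard consumes; the `summary` description pins down the aggregation rule (dedupe the same CVE per container across platform reports, then sum across containers), and `suppressed` plus `vexStatus` carry the VEX decision a gate must honour. The following Go is an added example of such a consumer, not code from the kubewarden/sbomscanner project: it decodes the `containers` subtree with this example's own types (`ParseContainers`, `Summarize`, `BlockingFindings` are names chosen here, not project API), implements the stated dedup rule, and derives a fail-closed list of findings at or above a severity threshold. Two assumptions are not stated by the schema and are marked in comments: a suppressed CVE counts only under `suppressed` and never in its severity bucket, and a severity string outside CRITICAL/HIGH/MEDIUM/LOW is treated as UNKNOWN. The sample `containers` fragment is constructed here with placeholder CVE IDs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Types mirroring the subset of the WorkloadScanReport schema read here. The JSON
// tags are the CRD's property names; the Go types are this example's, not the project's.
type Vulnerability struct {
	CVE              string `json:"cve"`
	Severity         string `json:"severity"`
	Suppressed       bool   `json:"suppressed"`
	PackageName      string `json:"packageName"`
	InstalledVersion string `json:"installedVersion"`
}
type VulnReport struct {
	Name   string `json:"name"`
	Report struct {
		Results []struct{ Vulnerabilities []Vulnerability `json:"vulnerabilities"` } `json:"results"`
	} `json:"report"`
}
type ContainerResult struct {
	Name                 string       `json:"name"`
	VulnerabilityReports []VulnReport `json:"vulnerabilityReports"`
}

// Summary has the same six buckets as the CRD's summary object.
type Summary struct{ Critical, High, Medium, Low, Unknown, Suppressed int }

// Rank for threshold checks; an unlisted severity ranks as UNKNOWN (0) (assumption).
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ParseContainers decodes a report's "containers" array.
func ParseContainers(data []byte) ([]ContainerResult, error) {
	var cs []ContainerResult
	if err := json.Unmarshal(data, &cs); err != nil {
		return nil, fmt.Errorf("decode containers: %w", err)
	}
	return cs, nil
}

// forEachUniqueCVE visits each CVE once per container across all platform reports
// and results: the dedup rule the CRD's summary description states.
func forEachUniqueCVE(cs []ContainerResult, fn func(container string, v Vulnerability)) {
	for _, c := range cs {
		seen := map[string]bool{}
		for _, r := range c.VulnerabilityReports {
			for _, res := range r.Report.Results {
				for _, v := range res.Vulnerabilities {
					if !seen[v.CVE] {
						seen[v.CVE] = true
						fn(c.Name, v)
					}
				}
			}
		}
	}
}

// Summarize dedupes per container, then sums across containers. The schema does not
// say whether a suppressed CVE also lands in its severity bucket; here it counts
// only under Suppressed (assumption).
func Summarize(cs []ContainerResult) Summary {
	var s Summary
	buckets := map[string]*int{"CRITICAL": &s.Critical, "HIGH": &s.High, "MEDIUM": &s.Medium, "LOW": &s.Low}
	forEachUniqueCVE(cs, func(_ string, v Vulnerability) {
		if v.Suppressed {
			s.Suppressed++
		} else if p, ok := buckets[strings.ToUpper(v.Severity)]; ok {
			*p++
		} else {
			s.Unknown++
		}
	})
	return s
}

// BlockingFindings lists every unsuppressed CVE at or above minSeverity, one line
// per container and CVE, sorted, so a policy can fail closed on a non-empty result.
func BlockingFindings(cs []ContainerResult, minSeverity string) []string {
	min := severityRank[strings.ToUpper(minSeverity)]
	var out []string
	forEachUniqueCVE(cs, func(container string, v Vulnerability) {
		if v.Suppressed || severityRank[strings.ToUpper(v.Severity)] < min {
			return
		}
		out = append(out, fmt.Sprintf("%s: %s %s@%s (%s)", container, v.CVE, v.PackageName, v.InstalledVersion, strings.ToUpper(v.Severity)))
	})
	sort.Strings(out)
	return out
}

// SampleContainers is a constructed "containers" fragment (placeholder CVE IDs, only
// the fields read above). CVE-2099-0001 appears on both platforms of "app".
const SampleContainers = `[
 {"name":"app","vulnerabilityReports":[
  {"name":"app-amd64","imageMetadata":{"platform":"linux/amd64"},"report":{"results":[{"vulnerabilities":[
   {"cve":"CVE-2099-0001","severity":"CRITICAL","suppressed":false,"packageName":"libexample","installedVersion":"1.0.0"}]}]}},
  {"name":"app-arm64","imageMetadata":{"platform":"linux/arm64"},"report":{"results":[{"vulnerabilities":[
   {"cve":"CVE-2099-0001","severity":"CRITICAL","suppressed":false,"packageName":"libexample","installedVersion":"1.0.0"},
   {"cve":"CVE-2099-0002","severity":"HIGH","suppressed":true,"packageName":"libother","installedVersion":"2.3.0"}]}]}}]},
 {"name":"sidecar","vulnerabilityReports":[{"name":"sidecar-amd64","imageMetadata":{"platform":"linux/amd64"},"report":{"results":[{"vulnerabilities":[
   {"cve":"CVE-2099-0001","severity":"CRITICAL","suppressed":false,"packageName":"libexample","installedVersion":"1.0.0"},
   {"cve":"CVE-2099-0003","severity":"MEDIUM","suppressed":false,"packageName":"libz","installedVersion":"0.9"}]}]}}]}]`
```

On the sample, `Summarize` returns critical 2, medium 1, suppressed 1: CVE-2099-0001 is counted once for `app` despite appearing in both platform reports, and once again for `sidecar`, which is exactly the "dedupe per container, then sum" rule the `summary` field documents. `BlockingFindings(cs, "HIGH")` returns the two CRITICAL lines and skips the suppressed HIGH, so a gate that honours VEX does not block on it; a policy that wants to audit those decisions should additionally surface `vexStatus.repository` and `vexStatus.statement` from the same schema. A real consumer would feed this the `containers` array of an object read from the API (for example the output of `kubectl get workloadscanreports -o json`) rather than the embedded sample.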