Comments (6)
/cc @knqyf263
from harbor-scanner-trivy.
Hacked it by looking for the IP in AWS' ip ranges (`curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq | grep 52.216`) and stuffing that into a Cilium policy:

```yaml
- description: "Allow Trivy to access vulnerability scans"
  endpointSelector:
    matchLabels:
      app: harbor
      component: trivy
  egress:
  - toFQDNs:
    - matchName: "api.github.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
  # Found by watching cilium drop HTTPS to 52.216.160.91, realizing that's
  # an S3 address, getting AWS' S3-ranges and figuring which it came from
  # `curl https://ip-ranges.amazonaws.com/ip-ranges.json | jq | grep 52.216`
  - toCIDR:
    - '52.216.0.0/15'
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```
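Added example, not code from the thread or from the harbor-scanner-trivy project: a Python script that does the "which AWS range does this dropped IP belong to" lookup from the comment above with a real CIDR containment test instead of `grep 52.216`, and lists the CIDRs for one service/region so they can be copied into a `toCIDR` rule. The JSON excerpt is constructed sample data in the shape of ip-ranges.json, not a copy of the real file.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (sample data only; the real file has thousands of prefixes).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2020-06-09-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.92.16.0/20", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "54.231.0.0/16", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "EC2"},
    ],
})


def matching_prefixes(ip_ranges_json, ip, service=None):
    """Return (prefix, region, service) entries whose CIDR contains `ip`.

    A substring grep for "52.216" would also hit e.g. 152.216.0.0/16 and
    says nothing about whether the address is inside the prefix; this does
    a proper containment test and reports every service that claims the
    range (S3 ranges are usually also listed under AMAZON).
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for entry in json.loads(ip_ranges_json)["prefixes"]:
        if service and entry["service"] != service:
            continue
        if addr in ipaddress.ip_network(entry["ip_prefix"]):
            hits.append((entry["ip_prefix"], entry["region"], entry["service"]))
    return hits


def cidrs_for_service(ip_ranges_json, service, region=None):
    """All IPv4 CIDRs for one service (optionally one region), for a toCIDR rule."""
    return sorted(
        {e["ip_prefix"] for e in json.loads(ip_ranges_json)["prefixes"]
         if e["service"] == service and (region is None or e["region"] == region)},
        key=lambda c: ipaddress.ip_network(c),
    )


if __name__ == "__main__":
    # The address Cilium was seen dropping in the thread.
    for prefix, region, svc in matching_prefixes(SAMPLE_IP_RANGES, "52.216.160.91"):
        print(f"52.216.160.91 is in {prefix} ({svc}, {region})")
    print("S3 us-east-1 CIDRs:", cidrs_for_service(SAMPLE_IP_RANGES, "S3", "us-east-1"))
```

Against the real file, replace `SAMPLE_IP_RANGES` with the downloaded JSON; the range list changes over time, which is the maintenance cost the thread goes on to discuss.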
@msiebuhr Thank you for sharing the behavior. I'm going to consider the message. As you said, GitHub Releases redirects to S3.
```
$ curl https://github.com/aquasecurity/trivy-db/releases/download/v1-2020060912/trivy.db.gz
<html><body>You are being <a href="https://github-production-release-asset-2e65be.s3.amazonaws.com/216830441/7fffe500-aa4a-11ea-8fca-6d3aaa93a8ea?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200609%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200609T144634Z&X-Amz-Expires=300&X-Amz-Signature=9febdfcab5cb5fe3edaae0a88b27a2f009488865610604fdff21dff4efe61bdd&X-Amz-SignedHeaders=host&actor_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream">redirected</a>.</body></html>%
```

I'm not sure how flexible the egress rule is, but is it possible to allow `s3.amazonaws.com` and the GET query? If so, you may be able to allow `s3.amazonaws.com` and `filename=trivy.db.gz`. I'm worried that the IP ranges will be changed.
Nice (I couldn't find the URL straight away, so I hacked up this other thing).
AFAIK, Cilium doesn't intercept HTTPS connections (I'd have to spoof AWS' TLS cert), so filename-inspection is off the table. Perhaps some wildcard'y stuff (`github-production-release-asset-2e65be.s3.amazonaws.com` feels like something that might change later on):

```yaml
# Untested
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "fqdn"
spec:
  endpointSelector:
    matchLabels:
      app: harbor
      component: trivy
  egress:
  - toFQDNs:
    - matchPattern: "*.s3.amazonaws.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```
I thought `*.s3.amazonaws.com` was a bit much since other buckets can be accepted. But if Cilium can't filter a request based on params, `*.s3.amazonaws.com` looks the best for now.
@msiebuhr are you okay to close this one? As @knqyf263 explained, Trivy downloads a DB file from GitHub, which apparently redirects to S3. Beyond that, this adapter service just gets an error message from Trivy's output and returns it back to display in the Harbor interface.