
Commit c0c7a6b

authored
fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
1 parent bfd2f6b commit c0c7a6b


4 files changed

+349
-21
lines changed


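--- a/integration/k8s_test.go
+++ b/integration/k8s_test.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"os"
 	"path/filepath"
+	"sort"
 	"testing"
 
 	cdx "github.com/CycloneDX/cyclonedx-go"
@@ -28,19 +29,14 @@ func TestK8s(t *testing.T) {
 		outputFile := filepath.Join(t.TempDir(), "output.json")
 
 		osArgs := []string{
-			"--cache-dir",
-			cacheDir,
+			"--cache-dir", cacheDir,
 			"k8s",
 			"kind-kind-test",
-			"--report",
-			"summary",
+			"--report", "summary",
 			"-q",
-			"--timeout",
-			"5m0s",
-			"--format",
-			"json",
-			"--output",
-			outputFile,
+			"--timeout", "5m0s",
+			"--format", "json",
+			"--output", outputFile,
 		}
 
 		// Run Trivy
@@ -60,15 +56,47 @@ func TestK8s(t *testing.T) {
 			return resource.Results
 		})
 
-		// Has vulnerabilities
-		assert.True(t, lo.SomeBy(results, func(r types.Result) bool {
-			return len(r.Vulnerabilities) > 0
-		}))
+		// Collect IDs (CVEs for vulns, IDs for failed misconfigs), allowing duplicates.
+		ids := k8sFindingIDs{}
+		for _, r := range results {
+			for _, v := range r.Vulnerabilities {
+				if v.VulnerabilityID != "" {
+					ids.Vulnerabilities = append(ids.Vulnerabilities, v.VulnerabilityID)
+				}
+			}
+			for _, m := range r.Misconfigurations {
+				if m.Status == types.MisconfStatusFailure && m.ID != "" {
+					ids.Misconfigurations = append(ids.Misconfigurations, m.ID)
+				}
+			}
+		}
 
-		// Has misconfigurations
-		assert.True(t, lo.SomeBy(results, func(r types.Result) bool {
-			return len(r.Misconfigurations) > 0
-		}))
+		// Sort for deterministic golden files
+		sort.Strings(ids.Vulnerabilities)
+		sort.Strings(ids.Misconfigurations)
+
+		fixture := filepath.Join("testdata", "fixtures", "k8s", "summary-ids.json.golden")
+		if *update {
+			// Update fixture with current IDs (duplicates kept, sorted)
+			// Note: mage test:k8s may create additional k8s artifacts.
+			f, err := os.Create(fixture)
+			require.NoError(t, err)
+			defer f.Close()
+			enc := json.NewEncoder(f)
+			enc.SetIndent("", " ")
+			require.NoError(t, enc.Encode(ids))
+			t.Logf("updated fixture: %s", fixture)
+			return
+		}
+
+		// Read expected IDs from fixture and compare
+		ef, err := os.Open(fixture)
+		require.NoError(t, err)
+		defer ef.Close()
+
+		var want k8sFindingIDs
+		require.NoError(t, json.NewDecoder(ef).Decode(&want))
+		assert.Equal(t, want, ids)
 	})
 	t.Run("kbom cycloneDx", func(t *testing.T) {
 		// Set up the output file
@@ -106,7 +134,6 @@ func TestK8s(t *testing.T) {
 			return len(*r.Dependencies) > 0
 		}))
 	})
-
 	t.Run("limited user test", func(t *testing.T) {
 		// Set up the output file
 		outputFile := filepath.Join(t.TempDir(), "output.json")
@@ -158,3 +185,9 @@ func TestK8s(t *testing.T) {
 
 	})
 }
+
+// k8sFindingIDs is the structure saved into the golden file.
+type k8sFindingIDs struct {
+	Vulnerabilities   []string `json:"vulnerabilities"`
+	Misconfigurations []string `json:"misconfigurations"`
+}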
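Review bot: In the `*update` branch of the "summary" subtest, `defer f.Close()` on the file created by `os.Create` discards the close error, so a write that only fails at close (e.g. a full or read-only testdata volume) leaves a truncated or stale golden and the run still reports success; close explicitly after the encode, `require.NoError(t, enc.Encode(ids))` then `require.NoError(t, f.Close())`, and keep the `defer` only for the read-only `ef` handle. The golden file pins exact CVE IDs and their multiplicities (duplicates are kept on purpose, so a silently dropped result from the parallel-traversal bug the commit title refers to now fails instead of passing the old `len(...) > 0` check), which is the right strictness here, but that also ties the expected set to whatever vulnerability DB and images the kind cluster uses; if the DB is not pinned in the test harness (not visible in this hunk) the fixture will drift as new CVEs are published, which is worth noting in the comment above `fixture`, e.g. `// Exact ID list: regenerate with -update when the pinned DB or the kind images change.` The enclosing `t.Run` closure and `TestK8s` start before the first hunk, and `update` is declared outside this diff.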
Lines changed: 290 additions & 0 deletions
@@ -0,0 +1,290 @@
1+
{
2+
"vulnerabilities": [
3+
"CVE-2019-1551",
4+
"CVE-2019-1551",
5+
"CVE-2019-1563",
6+
"CVE-2019-1563",
7+
"CVE-2019-18276",
8+
"CVE-2019-18276",
9+
"CVE-2019-5094",
10+
"CVE-2019-5094",
11+
"CVE-2019-5094",
12+
"CVE-2019-5094",
13+
"CVE-2019-5094",
14+
"CVE-2019-5094",
15+
"CVE-2019-5094",
16+
"CVE-2019-5094"
17+
],
18+
"misconfigurations": [
19+
"AVD-KSV-01010",
20+
"KCV0001",
21+
"KCV0006",
22+
"KCV0010",
23+
"KCV0018",
24+
"KCV0019",
25+
"KCV0020",
26+
"KCV0021",
27+
"KCV0022",
28+
"KCV0030",
29+
"KCV0033",
30+
"KCV0038",
31+
"KCV0059",
32+
"KCV0069",
33+
"KCV0075",
34+
"KCV0077",
35+
"KSV001",
36+
"KSV001",
37+
"KSV001",
38+
"KSV001",
39+
"KSV001",
40+
"KSV001",
41+
"KSV001",
42+
"KSV001",
43+
"KSV001",
44+
"KSV0012",
45+
"KSV003",
46+
"KSV003",
47+
"KSV003",
48+
"KSV003",
49+
"KSV003",
50+
"KSV003",
51+
"KSV003",
52+
"KSV003",
53+
"KSV003",
54+
"KSV004",
55+
"KSV004",
56+
"KSV004",
57+
"KSV004",
58+
"KSV004",
59+
"KSV004",
60+
"KSV004",
61+
"KSV004",
62+
"KSV004",
63+
"KSV009",
64+
"KSV009",
65+
"KSV009",
66+
"KSV009",
67+
"KSV009",
68+
"KSV009",
69+
"KSV011",
70+
"KSV011",
71+
"KSV011",
72+
"KSV011",
73+
"KSV011",
74+
"KSV011",
75+
"KSV011",
76+
"KSV011",
77+
"KSV011",
78+
"KSV012",
79+
"KSV012",
80+
"KSV012",
81+
"KSV012",
82+
"KSV012",
83+
"KSV012",
84+
"KSV012",
85+
"KSV012",
86+
"KSV012",
87+
"KSV012",
88+
"KSV0125",
89+
"KSV0125",
90+
"KSV0125",
91+
"KSV0125",
92+
"KSV0125",
93+
"KSV0125",
94+
"KSV0125",
95+
"KSV0125",
96+
"KSV014",
97+
"KSV014",
98+
"KSV014",
99+
"KSV014",
100+
"KSV014",
101+
"KSV014",
102+
"KSV014",
103+
"KSV014",
104+
"KSV014",
105+
"KSV015",
106+
"KSV015",
107+
"KSV015",
108+
"KSV015",
109+
"KSV016",
110+
"KSV016",
111+
"KSV016",
112+
"KSV016",
113+
"KSV016",
114+
"KSV016",
115+
"KSV016",
116+
"KSV017",
117+
"KSV018",
118+
"KSV018",
119+
"KSV018",
120+
"KSV018",
121+
"KSV018",
122+
"KSV018",
123+
"KSV018",
124+
"KSV018",
125+
"KSV020",
126+
"KSV020",
127+
"KSV020",
128+
"KSV020",
129+
"KSV020",
130+
"KSV020",
131+
"KSV020",
132+
"KSV020",
133+
"KSV020",
134+
"KSV020",
135+
"KSV021",
136+
"KSV021",
137+
"KSV021",
138+
"KSV021",
139+
"KSV021",
140+
"KSV021",
141+
"KSV021",
142+
"KSV021",
143+
"KSV021",
144+
"KSV021",
145+
"KSV022",
146+
"KSV022",
147+
"KSV023",
148+
"KSV023",
149+
"KSV023",
150+
"KSV023",
151+
"KSV023",
152+
"KSV023",
153+
"KSV030",
154+
"KSV030",
155+
"KSV030",
156+
"KSV030",
157+
"KSV030",
158+
"KSV030",
159+
"KSV036",
160+
"KSV041",
161+
"KSV041",
162+
"KSV041",
163+
"KSV041",
164+
"KSV041",
165+
"KSV041",
166+
"KSV041",
167+
"KSV041",
168+
"KSV041",
169+
"KSV041",
170+
"KSV041",
171+
"KSV041",
172+
"KSV041",
173+
"KSV044",
174+
"KSV045",
175+
"KSV046",
176+
"KSV046",
177+
"KSV046",
178+
"KSV046",
179+
"KSV046",
180+
"KSV046",
181+
"KSV046",
182+
"KSV048",
183+
"KSV048",
184+
"KSV048",
185+
"KSV048",
186+
"KSV048",
187+
"KSV048",
188+
"KSV048",
189+
"KSV048",
190+
"KSV048",
191+
"KSV048",
192+
"KSV048",
193+
"KSV048",
194+
"KSV048",
195+
"KSV048",
196+
"KSV048",
197+
"KSV048",
198+
"KSV048",
199+
"KSV048",
200+
"KSV048",
201+
"KSV048",
202+
"KSV048",
203+
"KSV048",
204+
"KSV048",
205+
"KSV048",
206+
"KSV048",
207+
"KSV048",
208+
"KSV048",
209+
"KSV048",
210+
"KSV048",
211+
"KSV048",
212+
"KSV048",
213+
"KSV048",
214+
"KSV048",
215+
"KSV048",
216+
"KSV048",
217+
"KSV048",
218+
"KSV049",
219+
"KSV049",
220+
"KSV049",
221+
"KSV049",
222+
"KSV049",
223+
"KSV049",
224+
"KSV049",
225+
"KSV049",
226+
"KSV050",
227+
"KSV050",
228+
"KSV053",
229+
"KSV053",
230+
"KSV053",
231+
"KSV056",
232+
"KSV056",
233+
"KSV056",
234+
"KSV056",
235+
"KSV056",
236+
"KSV056",
237+
"KSV056",
238+
"KSV056",
239+
"KSV056",
240+
"KSV056",
241+
"KSV056",
242+
"KSV056",
243+
"KSV056",
244+
"KSV056",
245+
"KSV056",
246+
"KSV056",
247+
"KSV056",
248+
"KSV056",
249+
"KSV056",
250+
"KSV104",
251+
"KSV104",
252+
"KSV104",
253+
"KSV104",
254+
"KSV104",
255+
"KSV104",
256+
"KSV106",
257+
"KSV106",
258+
"KSV106",
259+
"KSV106",
260+
"KSV106",
261+
"KSV106",
262+
"KSV106",
263+
"KSV106",
264+
"KSV106",
265+
"KSV110",
266+
"KSV111",
267+
"KSV112",
268+
"KSV112",
269+
"KSV113",
270+
"KSV113",
271+
"KSV117",
272+
"KSV117",
273+
"KSV117",
274+
"KSV118",
275+
"KSV118",
276+
"KSV118",
277+
"KSV118",
278+
"KSV118",
279+
"KSV118",
280+
"KSV118",
281+
"KSV118",
282+
"KSV118",
283+
"KSV119",
284+
"KSV122",
285+
"no-user-pods-in-system-namespace",
286+
"no-user-pods-in-system-namespace",
287+
"no-user-pods-in-system-namespace",
288+
"no-user-pods-in-system-namespace"
289+
]
290+
}
