Kubesec Analyzer will not report all vulnerabilities for manifest with multiple objects

The Kubesec analyzer has a bug that causes it not to report all vulnerabilities in a Helm project or, more generally, in any manifest file containing multiple objects.

This is caused by a logical flaw in the parsing of the Kubesec scan report. Specifically, a Kubesec scan report for a manifest generated from Helm charts contains multiple objects, but the analyzer reports only the vulnerabilities found in the last object.

Snippet containing example Manifest and Report

Possible Cause

The loop over the Kubesec scan report overwrites the result on each iteration instead of accumulating all the results in an array. Link to relevant code.

Possible Fix

The decodeReport method should return an array of reports and not just one.

Steps to Reproduce

  1. Consider a simple Kubernetes manifest, e.g. score-3-pod-apparmor.yml
  2. Duplicate the object and change metadata.name to be different from the first one (e.g. nginx-apparmor-2).
  3. Run the Kubesec analyzer and the Kubesec binary (kubesec scan).
  4. Compare the two reports: in the analyzer report, location.class is only ever Pod/nginx-apparmor-2.default, whereas it is expected to contain vulnerabilities for both Pod/nginx-apparmor.default and Pod/nginx-apparmor-2.default.
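The following Go snippet is an added illustration of the cause and fix described above (not the analyzer's own code): it decodes a constructed two-object kubesec report shaped like the one produced by the reproduction steps, once with a loop that overwrites its result (decodeReport) and once keeping every entry (decodeReports). The report layout (`object`, `scoring.critical`, `scoring.advise`) and the sample rule are assumptions based on kubesec's JSON output.

```go
package main

import "encoding/json"

// Report is one object's entry in a kubesec scan report (a JSON array with one
// entry per manifest object); struct tags follow kubesec's field names.
type Report struct {
	Object  string                       `json:"object"`  // e.g. "Pod/nginx-apparmor.default"
	Scoring map[string][]json.RawMessage `json:"scoring"` // "critical" and "advise" rule lists
}

// Constructed two-object report mirroring the reproduction steps above.
const sampleReport = `[{"object":"Pod/nginx-apparmor.default",
 "scoring":{"advise":[{"selector":".spec .serviceAccountName","points":3}]}},
 {"object":"Pod/nginx-apparmor-2.default",
 "scoring":{"advise":[{"selector":".spec .serviceAccountName","points":3}]}}]`

// decodeReports has the shape of the proposed fix: keep every object's report.
func decodeReports(data []byte) ([]Report, error) {
	var reports []Report
	err := json.Unmarshal(data, &reports)
	return reports, err
}

// decodeReport mirrors the flaw: every iteration overwrites the previous
// object's report, so only the last object in the manifest survives.
func decodeReport(data []byte) (Report, error) {
	reports, err := decodeReports(data)
	var report Report
	for _, r := range reports {
		report = r
	}
	return report, err
}

// objectsWithFindings lists each object (location.class) carrying any rule.
func objectsWithFindings(reports []Report) []string {
	var out []string
	for _, r := range reports {
		if len(r.Scoring["critical"])+len(r.Scoring["advise"]) > 0 {
			out = append(out, r.Object)
		}
	}
	return out
}
```

Feeding sampleReport through decodeReport yields findings only for Pod/nginx-apparmor-2.default, while decodeReports yields both objects, which is exactly the discrepancy seen in step 4.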

Notes

While fixing this bug, a test manifest should be added to reproduce and test this scenario.

Edited by Arpit Gogia