Kubesec Analyzer will not report all vulnerabilities for a manifest with multiple objects
The Kubesec analyzer has a bug that causes it not to report all vulnerabilities in a Helm project or, more generally, in any manifest file containing multiple objects.
This is caused by a logical flaw while parsing the Kubesec scan report. Specifically, a Kubesec scan report for a manifest generated from Helm charts contains multiple objects, but the analyzer reports only the vulnerabilities found in the last object.
Snippet containing example Manifest and Report
Possible Cause
The loop over the Kubesec scan report overwrites the result in each iteration instead of accumulating all the results in an array. Link to relevant code.
Possible Fix
The `decodeReport` method should return an array of reports and not just one.
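An added illustration of the overwrite-versus-accumulate difference, not the analyzer's own code: `Report` is a trimmed sketch of kubesec's JSON output, the sample report is constructed, and `decodeBuggy`/`decodeFixed` are hypothetical names standing in for the real `decodeReport`:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Report is a trimmed view of one kubesec scan report entry (one per object).
type Report struct {
	Object  string                                                     `json:"object"`
	Scoring struct{ Advise []struct{ ID string `json:"id"` } `json:"advise"` } `json:"scoring"`
}

const sampleReport = `[
 {"object":"Pod/nginx-apparmor.default","scoring":{"advise":[{"id":"ApparmorAny"}]}},
 {"object":"Pod/nginx-apparmor-2.default","scoring":{"advise":[{"id":"ApparmorAny"}]}}
]` // constructed sample input: two Pods from one manifest, each with one advisory

// findings flattens one object's advisories into "object: rule-id" strings.
func findings(r Report) (out []string) {
	for _, a := range r.Scoring.Advise {
		out = append(out, r.Object+": "+a.ID)
	}
	return out
}

// decodeBuggy mirrors the flaw described above: each iteration overwrites one result.
func decodeBuggy(entries []Report) []string {
	var last Report
	for _, e := range entries {
		last = e // overwrite: earlier objects are discarded
	}
	return findings(last)
}

// decodeFixed accumulates every object's findings, as the proposed fix suggests.
func decodeFixed(entries []Report) (all []string) {
	for _, e := range entries {
		all = append(all, findings(e)...)
	}
	return all
}

func main() {
	var entries []Report
	if err := json.Unmarshal([]byte(sampleReport), &entries); err != nil {
		panic(err)
	}
	fmt.Printf("with the bug: %v\nafter the fix: %v\n", decodeBuggy(entries), decodeFixed(entries))
}
```

Running it shows the buggy path reporting only `Pod/nginx-apparmor-2.default`, while the fixed path lists both objects.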
Steps to Reproduce
- Consider a simple Kubernetes manifest, e.g. score-3-pod-apparmor.yml
- Duplicate the object and change `metadata.name` to be different from the first one (e.g. nginx-apparmor-2).
- Run the Kubesec analyzer and the Kubesec binary (`kubesec scan`).
- Compare the reports: in the analyzer report, `location.class` will only be `Pod/nginx-apparmor-2.default`. It is expected to contain vulnerabilities for both `Pod/nginx-apparmor.default` and `Pod/nginx-apparmor-2.default`.
Notes
While fixing this bug, a test manifest should be added to reproduce and test this scenario.