Consider patched versions as not vulnerable by default (#220)

* Consider patched versions as not vulnerable by default Change `--ignore-downstream` to `--ignore-patched-versions` and invert it's effect. From now on, kube-hunter will not alert patched components as default behavior. Resolves #194 * Rename flag --ignore-patched-versions to --include-patched-versions
aquasecurity · Nov 26, 2019 · 1d7bdd6 · 1d7bdd6
1 parent 14c4992
commit 1d7bdd6
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 14 deletions.
diff --git a/kube-hunter.py b/kube-hunter.py
@@ -9,7 +9,7 @@
 parser.add_argument('--interface', action="store_true", help="set hunting of all network interfaces")
 parser.add_argument('--pod', action="store_true", help="set hunter as an insider pod")
 parser.add_argument('--quick', action="store_true", help="Prefer quick scan (subnet 24)")
-parser.add_argument('--ignore-downstream', action="store_true", help="Ignore patched kubernetes versions")
+parser.add_argument('--include-patched-versions', action="store_true", help="Don't skip patched versions when scanning")
 parser.add_argument('--cidr', type=str, help="set an ip range to scan, example: 192.168.0.0/16")
 parser.add_argument('--mapping', action="store_true", help="outputs only a mapping of the cluster's nodes")
 parser.add_argument('--remote', nargs='+', metavar="HOST", default=list(), help="one or more remote ip/dns to hunt")

diff --git a/runtest.py b/runtest.py
@@ -6,7 +6,7 @@
 parser.add_argument('--interface', action="store_true", help="set hunting of all interface network interfaces")
 parser.add_argument('--pod', action="store_true", help="set hunter as an insider pod")
 parser.add_argument('--quick', action="store_true", help="Prefer quick scan (subnet 24)")
-parser.add_argument('--ignore-downstream', action="store_true", help="Ignore patched kubernetes versions")
+parser.add_argument('--include-patched-versions', action="store_true", help="Don't skip patched versions when scanning")
 parser.add_argument('--cidr', type=str, help="set an ip range to scan, example: 192.168.0.0/16")
 parser.add_argument('--mapping', action="store_true", help="outputs only a mapping of the cluster's nodes")
 parser.add_argument('--remote', nargs='+', metavar="HOST", default=list(), help="one or more remote ip/dns to hunt")

diff --git a/src/modules/hunting/cves.py b/src/modules/hunting/cves.py
@@ -154,7 +154,7 @@ def execute(self):
             ServerApiClusterScopedResourcesAccess: ["1.13.9", "1.14.5", "1.15.2"]
         }        
         for vulnerability, fix_versions in cve_mapping.items():
-            if CveUtils.is_vulnerable(fix_versions, self.event.version, config.ignore_downstream):
+            if CveUtils.is_vulnerable(fix_versions, self.event.version, not config.include_patched_versions):
                 self.publish_event(vulnerability(self.event.version))
 
 
@@ -173,5 +173,5 @@ def execute(self):
         }
         logging.debug('Kubectl Cve Hunter determining vulnerable version: {}'.format(self.event.version))
         for vulnerability, fix_versions in cve_mapping.items():
-            if CveUtils.is_vulnerable(fix_versions, self.event.version, config.ignore_downstream):
+            if CveUtils.is_vulnerable(fix_versions, self.event.version, not config.include_patched_versions):
                 self.publish_event(vulnerability(binary_version=self.event.version))
diff --git a/tests/hunting/test_cvehunting.py b/tests/hunting/test_cvehunting.py
@@ -20,16 +20,7 @@ def test_K8sCveHunter():
     assert cve_counter == 2
     cve_counter = 0
 
-    # test complex version
-    e = K8sVersionDisclosure(version="1.10.1-gke-1", from_endpoint="/version")
-    h = K8sClusterCveHunter(e)
-    h.execute()
-
-    time.sleep(0.01)
-    assert cve_counter == 2
-    cve_counter = 0
-
-    # test complex version
+    # test patched version
     e = K8sVersionDisclosure(version="v1.13.6-gke.13", from_endpoint="/version")
     h = K8sClusterCveHunter(e)
     h.execute()