Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package marvin for openSUSE:Factory checked in at 2024-09-29 18:10:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/marvin (Old) and /work/SRC/openSUSE:Factory/.marvin.new.29891 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "marvin" Sun Sep 29 18:10:16 2024 rev:2 rq:1204242 version:0.2.6 Changes: -------- --- /work/SRC/openSUSE:Factory/marvin/marvin.changes 2024-08-01 22:06:32.113678353 +0200 +++ /work/SRC/openSUSE:Factory/.marvin.new.29891/marvin.changes 2024-09-29 18:11:02.530632886 +0200 @@ -1,0 +2,7 @@ +Fri Sep 27 20:40:34 UTC 2024 - opensuse_buildserv...@ojkastl.de + +- Update to version 0.2.6: + * UD-1664: Add check for unauthenticated or anonymous subjects + within role bindings + +------------------------------------------------------------------- Old: ---- marvin-0.2.5.obscpio New: ---- marvin-0.2.6.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ marvin.spec ++++++ --- /var/tmp/diff_new_pack.y7mp9U/_old 2024-09-29 18:11:03.210660981 +0200 +++ /var/tmp/diff_new_pack.y7mp9U/_new 2024-09-29 18:11:03.214661146 +0200 @@ -1,7 +1,7 @@ # # spec file for package marvin # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: marvin -Version: 0.2.5 +Version: 0.2.6 Release: 0 Summary: Scans a k8s cluster for misconfigurations and vulnerabilities License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.y7mp9U/_old 2024-09-29 18:11:03.254662799 +0200 +++ /var/tmp/diff_new_pack.y7mp9U/_new 2024-09-29 18:11:03.258662964 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/undistro/marvin</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.2.5</param> + <param name="revision">v0.2.6</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.y7mp9U/_old 2024-09-29 18:11:03.278663790 +0200 +++ /var/tmp/diff_new_pack.y7mp9U/_new 2024-09-29 18:11:03.282663956 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/undistro/marvin</param> - <param name="changesrevision">120531821e5b54859c50c2abf78ca9fd864adf75</param></service></servicedata> + <param name="changesrevision">70da7ad5cded412b46441bda987c49cf078565e3</param></service></servicedata> (No newline at EOF) ++++++ marvin-0.2.5.obscpio -> marvin-0.2.6.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/marvin-0.2.5/checks.md new/marvin-0.2.6/checks.md --- old/marvin-0.2.5/checks.md 2024-07-30 20:16:21.000000000 +0200 +++ new/marvin-0.2.6/checks.md 2024-08-08 16:35:46.000000000 +0200 
@@ -3,39 +3,40 @@ In the table below, you can view all checks present on Marvin. Click on the #ID column item for more details about each check. -| Framework | #ID | Severity | Message | -|------------------|-------------------------------------------------------------------------------------|----------|-------------------------------------------------------| -| CIS Benchmarks | [M-500](/internal/builtins/cis/M-500_default_namespace.yaml) | Medium | Workloads in default namespace | -| General | [M-400](/internal/builtins/general/M-400_image_tag_latest.yaml) | Medium | Image tagged latest | -| | [M-401](/internal/builtins/general/M-401_unmanaged_pod.yaml) | Low | Unmanaged Pod | -| | [M-402](/internal/builtins/general/M-402_readiness_probe.yaml) | Medium | Readiness and startup probe not configured | -| | [M-403](/internal/builtins/general/M-403_liveness_probe.yaml) | Medium | Liveness probe not configured | -| | [M-404](/internal/builtins/general/M-404_memory_requests.yaml) | Medium | Memory requests not specified | -| | [M-405](/internal/builtins/general/M-405_cpu_requests.yaml) | Medium | CPU requests not specified | -| | [M-406](/internal/builtins/general/M-406_memory_limit.yaml) | Medium | Memory not limited | -| | [M-407](/internal/builtins/general/M-407_cpu_limit.yaml) | Medium | CPU not limited | -| | [M-408](/internal/builtins/general/M-408_sudo_container_entrypoint.yaml) | Medium | Sudo in container entrypoint | -| | [M-409](/internal/builtins/general/M-409_deprecated_image_registry.yaml) | Medium | Deprecated image registry | -| | [M-410](/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml) | Medium | Resource is using an invalid restartPolicy | -| NSA-CISA | [M-300](/internal/builtins/nsa/M-300_read_only_root_filesystem.yml) | Low | Root filesystem write allowed | -| MITRE ATT&CK | [M-200](/internal/builtins/mitre/M-200_allowed_registries.yml) | Medium | Image registry not allowed | -| | 
[M-201](/internal/builtins/mitre/M-201_app_credentials.yml) | High | Application credentials stored in configuration files | -| | [M-202](/internal/builtins/mitre/M-202_auto_mount_service_account.yml) | Low | Automounted service account token | -| | [M-203](/internal/builtins/mitre/M-203_ssh.yml) | Low | SSH server running inside container | -| PSS - Baseline | [M-100](/internal/builtins/pss/baseline/M-100_host_process.yml) | High | Privileged access to the Windows node | -| | [M-101](/internal/builtins/pss/baseline/M-101_host_namespaces.yml) | High | Host namespaces | -| | [M-102](/internal/builtins/pss/baseline/M-102_privileged_containers.yml) | High | Privileged container | -| | [M-103](/internal/builtins/pss/baseline/M-103_capabilities.yml) | High | Insecure capabilities | -| | [M-104](/internal/builtins/pss/baseline/M-104_host_path_volumes.yml) | High | HostPath volume | -| | [M-105](/internal/builtins/pss/baseline/M-105_host_ports.yml) | High | Not allowed hostPort | -| | [M-106](/internal/builtins/pss/baseline/M-106_apparmor.yml) | Medium | Forbidden AppArmor profile | -| | [M-107](/internal/builtins/pss/baseline/M-107_selinux.yml) | Medium | Forbidden SELinux options | -| | [M-108](/internal/builtins/pss/baseline/M-108_proc_mount.yml) | Medium | Forbidden proc mount type | -| | [M-109](/internal/builtins/pss/baseline/M-109_seccomp.yml) | Medium | Forbidden seccomp profile | -| | [M-110](/internal/builtins/pss/baseline/M-110_sysctls.yml) | Medium | Unsafe sysctls | -| PSS - Restricted | [M-111](/internal/builtins/pss/restricted/M-111_volume_types.yml) | Low | Not allowed volume type | -| | [M-112](/internal/builtins/pss/restricted/M-112_privilege_escalation.yml) | Medium | Allowed privilege escalation | -| | [M-113](/internal/builtins/pss/restricted/M-113_run_as_non_root.yml) | Medium | Container could be running as root user | -| | [M-114](/internal/builtins/pss/restricted/M-114_run_as_user.yml) | Medium | Container running as root UID | -| | 
[M-115](/internal/builtins/pss/restricted/M-115_seccomp.yml) | Low | Not allowed seccomp profile | -| | [M-116](/internal/builtins/pss/restricted/M-116_capabilities.yml) | Low | Not allowed added/dropped capabilities | +| Framework | #ID | Severity | Message | +|------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------| +| CIS Benchmarks | [M-500](/internal/builtins/cis/M-500_default_namespace.yaml) | Medium | Workloads in default namespace | +| General | [M-400](/internal/builtins/general/M-400_image_tag_latest.yaml) | Medium | Image tagged latest | +| | [M-401](/internal/builtins/general/M-401_unmanaged_pod.yaml) | Low | Unmanaged Pod | +| | [M-402](/internal/builtins/general/M-402_readiness_probe.yaml) | Medium | Readiness and startup probe not configured | +| | [M-403](/internal/builtins/general/M-403_liveness_probe.yaml) | Medium | Liveness probe not configured | +| | [M-404](/internal/builtins/general/M-404_memory_requests.yaml) | Medium | Memory requests not specified | +| | [M-405](/internal/builtins/general/M-405_cpu_requests.yaml) | Medium | CPU requests not specified | +| | [M-406](/internal/builtins/general/M-406_memory_limit.yaml) | Medium | Memory not limited | +| | [M-407](/internal/builtins/general/M-407_cpu_limit.yaml) | Medium | CPU not limited | +| | [M-408](/internal/builtins/general/M-408_sudo_container_entrypoint.yaml) | Medium | Sudo in container entrypoint | +| | [M-409](/internal/builtins/general/M-409_deprecated_image_registry.yaml) | Medium | Deprecated image registry | +| | [M-410](/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml) | Medium | Resource is using an invalid restartPolicy | +| | [M-411](/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml) | Medium | Role Binding referencing anonymous user or unauthenticated group | +| 
NSA-CISA | [M-300](/internal/builtins/nsa/M-300_read_only_root_filesystem.yml) | Low | Root filesystem write allowed | +| MITRE ATT&CK | [M-200](/internal/builtins/mitre/M-200_allowed_registries.yml) | Medium | Image registry not allowed | +| | [M-201](/internal/builtins/mitre/M-201_app_credentials.yml) | High | Application credentials stored in configuration files | +| | [M-202](/internal/builtins/mitre/M-202_auto_mount_service_account.yml) | Low | Automounted service account token | +| | [M-203](/internal/builtins/mitre/M-203_ssh.yml) | Low | SSH server running inside container | +| PSS - Baseline | [M-100](/internal/builtins/pss/baseline/M-100_host_process.yml) | High | Privileged access to the Windows node | +| | [M-101](/internal/builtins/pss/baseline/M-101_host_namespaces.yml) | High | Host namespaces | +| | [M-102](/internal/builtins/pss/baseline/M-102_privileged_containers.yml) | High | Privileged container | +| | [M-103](/internal/builtins/pss/baseline/M-103_capabilities.yml) | High | Insecure capabilities | +| | [M-104](/internal/builtins/pss/baseline/M-104_host_path_volumes.yml) | High | HostPath volume | +| | [M-105](/internal/builtins/pss/baseline/M-105_host_ports.yml) | High | Not allowed hostPort | +| | [M-106](/internal/builtins/pss/baseline/M-106_apparmor.yml) | Medium | Forbidden AppArmor profile | +| | [M-107](/internal/builtins/pss/baseline/M-107_selinux.yml) | Medium | Forbidden SELinux options | +| | [M-108](/internal/builtins/pss/baseline/M-108_proc_mount.yml) | Medium | Forbidden proc mount type | +| | [M-109](/internal/builtins/pss/baseline/M-109_seccomp.yml) | Medium | Forbidden seccomp profile | +| | [M-110](/internal/builtins/pss/baseline/M-110_sysctls.yml) | Medium | Unsafe sysctls | +| PSS - Restricted | [M-111](/internal/builtins/pss/restricted/M-111_volume_types.yml) | Low | Not allowed volume type | +| | [M-112](/internal/builtins/pss/restricted/M-112_privilege_escalation.yml) | Medium | Allowed privilege escalation | +| | 
[M-113](/internal/builtins/pss/restricted/M-113_run_as_non_root.yml) | Medium | Container could be running as root user | +| | [M-114](/internal/builtins/pss/restricted/M-114_run_as_user.yml) | Medium | Container running as root UID | +| | [M-115](/internal/builtins/pss/restricted/M-115_seccomp.yml) | Low | Not allowed seccomp profile | +| | [M-116](/internal/builtins/pss/restricted/M-116_capabilities.yml) | Low | Not allowed added/dropped capabilities | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/marvin-0.2.5/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml new/marvin-0.2.6/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml --- old/marvin-0.2.5/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/marvin-0.2.6/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml 2024-08-08 16:35:46.000000000 +0200 
@@ -0,0 +1,33 @@ +# Copyright 2023 Undistro Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +id: M-411 +slug: role binding referencing anonymous or unauthenticated +severity: Medium +message: "Role Binding referencing anonymous user or unauthenticated group" +match: + resources: + - group: "rbac.authorization.k8s.io" + version: v1 + resource: rolebindings + - group: "rbac.authorization.k8s.io" + version: v1 + resource: clusterrolebindings +validations: + - expression: > + !has(object.subjects) || + object.subjects.all(subject, + !(subject.kind == "User" && subject.name == "system:anonymous") && + !(subject.kind == "Group" && subject.name == "system:unauthenticated") + ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/marvin-0.2.5/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated_test.yaml new/marvin-0.2.6/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated_test.yaml --- old/marvin-0.2.5/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated_test.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/marvin-0.2.6/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated_test.yaml 2024-08-08 16:35:46.000000000 +0200 
@@ -0,0 +1,123 @@ +# Copyright 2023 Undistro Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: "anonymous user in role binding" + pass: false + input: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: binding-name + namespace: binding-namespace + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-name + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: system:anonymous + - kind: ServiceAccount + name: zora-operator + namespace: zora-system + +- name: "anonymous user in cluster role binding" + pass: false + input: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: binding-name + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-name + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: system:anonymous + - kind: ServiceAccount + name: zora-operator + namespace: zora-system + +- name: "unauthenticated group in role binding" + pass: false + input: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: binding-name + namespace: binding-namespace + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-name + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated + - kind: ServiceAccount + name: zora-operator + namespace: zora-system + +- name: "unauthenticated group in cluster role binding" + pass: false + 
input: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: binding-name + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-name + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated + - kind: ServiceAccount + name: zora-operator + namespace: zora-system + +- name: "valid role binding" + pass: true + input: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: binding-name + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-name + subjects: + - kind: ServiceAccount + name: zora-operator + namespace: zora-system + +- name: "valid cluster role binding" + pass: true + input: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: binding-name + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-name + subjects: + - kind: ServiceAccount + name: zora-operator + namespace: zora-system diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/marvin-0.2.5/pkg/loader/builtin_test.go new/marvin-0.2.6/pkg/loader/builtin_test.go --- old/marvin-0.2.5/pkg/loader/builtin_test.go 2024-07-30 20:16:21.000000000 +0200 +++ new/marvin-0.2.6/pkg/loader/builtin_test.go 2024-08-08 16:35:46.000000000 +0200 @@ -23,5 +23,5 @@ func TestBuiltins(t *testing.T) { assert.NotNil(t, Builtins) assert.Greater(t, len(Builtins), 0) - assert.Equal(t, len(Builtins), 34) + assert.Equal(t, 35, len(Builtins)) } ++++++ marvin.obsinfo ++++++ --- /var/tmp/diff_new_pack.y7mp9U/_old 2024-09-29 18:11:03.446670732 +0200 +++ /var/tmp/diff_new_pack.y7mp9U/_new 2024-09-29 18:11:03.450670896 +0200 
@@ -1,5 +1,5 @@ name: marvin -version: 0.2.5 -mtime: 1722363381 -commit: 120531821e5b54859c50c2abf78ca9fd864adf75 +version: 0.2.6 +mtime: 1723127746 +commit: 70da7ad5cded412b46441bda987c49cf078565e3 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/marvin/vendor.tar.gz /work/SRC/openSUSE:Factory/.marvin.new.29891/vendor.tar.gz differ: char 5, line 1
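Review bot: in the checks.md hunk and the two new M-411 files, the file name spells "unauthanticated" while the check's `slug` and `message` spell "unauthenticated"; the typo is consistent across the link in checks.md, the policy file and its `_test.yaml`, so it is best renamed now to `M-411_role_binding_referencing_anonymous_or_unauthenticated.yaml` (and `_test.yaml`) before other references pick it up.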
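Review bot: the new M-411 policy file (hunk `@@ -0,0 +1,33 @@`) carries a `Copyright 2023 Undistro Authors` header although the file is first added in 2024 (the spec file in this same request bumps its own header to 2024); align the year. The CEL expression itself is sound: `!has(object.subjects)` short-circuits when no subjects are set, and `all()` over an empty list is true, so a binding with an empty `subjects` list passes rather than erroring.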
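Review bot: in the M-411 test fixtures (hunk `@@ -0,0 +1,123 @@`), both `ClusterRoleBinding` cases use `roleRef.kind: Role`, which the Kubernetes API server rejects for a ClusterRoleBinding (it must reference a `ClusterRole`); the expression only inspects `subjects`, so the tests still pass, but the inputs should be objects that could actually exist in a cluster, i.e. `kind: ClusterRole` for those four cases. Also, the "valid role binding" case omits `metadata.namespace` while the other `RoleBinding` cases set `namespace: binding-namespace`; make the fixtures consistent.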