Generating VEX documents using Kubescape Operator
Note: this is an experimental feature
What is VEX?
VEX stands for Vulnerability Exploitability Exchange, which is a standardized format for describing and sharing information about software vulnerabilities. VEX documents typically include details about the vulnerability, affected software versions, and information about a given vulnerability that is exploitable in the given software product. This information can be used by security practitioners and operators to prioritize efforts to fix vulnerabilities.
Read more about it here
Kubescape and VEX
The Kubescape supports runtime profiling of applications using eBPF enables it to decide which vulnerability is reachable in a given workload and which is not. Read more about it here
Using the information that Kubescape generates, it can also produce meaningful VEX documents for the images running in a Kubernetes cluster. It can mark (logically) vulnerabilities as "affected" based on whether the package that the vulnerability belongs to is loaded into the memory during the runtime of the container and left as "not affected" when not loaded to the memory.
There are multiple formats and implementations of the VEX as an idea. Kubescape uses the OpenVEX specification.
Installing Kubescape Operator
Kubescape operator is installed as usual (see full install guide here) expect that VEX document generation needs to be explicitly enabled using
capabilities.vexGeneration=enable HELM flag (in older HELM chart version 1.16.2 the flag was
Run the following to install Kubescape Operator with VEX generation.
helm repo add kubescape https://kubescape.github.io/helm-charts/ helm repo update helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.vexGeneration=enable --set kubevuln.config.vexGeneration=true
Make sure that all the components are running:
Getting VEX document
To produce a VEX document, Kubescape needs to see a workload that runs the given image from its start. In other words, it needs to see containers from start.
Let's run a simple Nginx deployment:
Wait for the VEX objects using this command:
It takes 2 minutes of monitoring time (by default) to produce the first version of the VEX for the image in the above deployment, it can take more if the processing queue is busy.
To get the VEX document as a JSON file locally you can use
jsonpath to extract the
.spec field that contains the VEX itself:
Here is an example to see how many vulnerabilities are affected:
Using the generated VEX document with Grype
(tested with Grype 0.71.0)
You can use the produced VEX document with Grype. Grype will take into account the VEX information when calculating results for the image
nginx:1.14.2 . Grype shall ignore all vulnerabilities that were marked as "not_affected".
Here is how to run it:
This produces the following output (note the 338 ignored vulnerabilities!):
$ grype nginx:1.14.2 --vex nginx.json ✔ Vulnerability DB [no update available] ✔ Loaded image nginx:1.14.2 ✔ Parsed image sha256:295c7be079025306c4f1d65997fcf7adb411c88f139ad1d34b537164aa060369 ✔ Cataloged packages [111 packages] ✔ Scanned for vulnerabilities [58 vulnerability matches] ├── by severity: 55 critical, 102 high, 85 medium, 52 low, 102 negligible └── by status: 126 fixed, 270 not-fixed, 338 ignored