Kvesta Vesta Versions Save

Notable Updates:

• Add CVE-2024-21626 checking Checking the mount path, due to the variety of fd number, vesta checks the key path /proc/self/fd in WORKDIR.
• Add CVE-2024-3094 checking Checking the library liblzma.so, refer to detect.sh
• Add the severity of each Linux capabilities Reorder the security severity for different Capabilities based on the ease of exploitation.

Notable Updates:

• Add Docker Histories environment checking The Docker Histories checking inlcuding the malicious variables, unsafe command and hardcode. This feature is implemented in the Docker analysis and image scan, accepting either a tar file or an image ID.
• Add the filesystem scanning
• Add BearerToken for authentication
• Delete the --inside flag in the k8s analysis The founction clientcmd.BuildConfigFromFlags will automatically use restclient.InClusterConfig when it can't find the config in user directory. Therefore, remove the redundant inside symbols.

Notable Updates:

• Add Docker Swarm Service checking Checking the docker config, docker secret in Docker swarm, and find the relevant docker services. Also, reviewing the vulnerable container related to the docker services.
• Annotate the tag of image checking After researching, We find that it is hard to observe evidence of image poisoning, and there are often numerous security issues related to image tags after scanning. Therefore, annotate the image tags checking temporarily.
• Add dangerous image used checking in Docker Each container will also check whether it uses the dangerous image.
• Add checking of the usage of ephemeral-storage limitation
• Fixed the incorrect of the input parameter in image scan

Notable Updates:

• Add OSCS as part of the data resource Add the OSCS for malicious package checking in Python and Node.
• Add the node privilege checking
• Add helm installation for k8s Detailed documentation can be seen at https://github.com/kvesta/vesta/tree/main/helm/vesta

Notable Updates:

• Add Backdoor Checking in k8s and Docker We check the executed binary and malicious commands in each k8s configuration. Detailed references can be found in https://github.com/kvesta/vesta/wiki/Backdoor-Detection.
• Change the default namespaces of serval checkings Change the ConfigMap, Secret, Job, and Cronjob checkings from out-of-whitelist to every namespace.
• Add PodScurityPolicy and k8s version checking
• Fixed the inaccuracy of kernel version checking

Notable Updates:

• Add Python pip analysis from poetry and venv
• Rewrite part of analysis method of java libraries and add special dependence detected, such as log4j
• Add some rules of docker analysis add some dangerous Linux Capacity checkings, add --pid=host, --net=host to checking list.

Notable Updates:

• Add sidecar Environment Checking, including Env and EnvFrom Mainly check the weak password in Env and check ConfigMap or Secret referenced in EnvFrom.
• Change command upgrade to update
• Add malicious packages checking We collected names of the most popular PyPI packages and known malicious packages, then judged the similarity ratio of official package names.

14/02/2023: fixed DNS panic due to the C.getaddrinfo.

Notable Updates:

• Add java, php, rust libraries analysis
• Add istio checking
• Add Docker history analysis
• Revise the rules of RBAC checking Divide the RBAC vulnerabilities into four categories, high, medium, low and warning. Key resources such as pods, deployments and statefulsets with dangerous verbs such as create, patch and delete need to be noticed. Service account mount path /var/run/secrets/kubernetes.io/serviceaccount/token is checked with RBAC vulnerabilities. Untrusted users are printed for self-checking.

Notable Updates:

• Add cilium checking
• Add Kubelet read-only-port and kubectl proxy checking
• Add Etcd safe configuration checking
• Add RoleBinding checking
• Optimize layer integration and add go binary analysis

Notable Updates:

• Add weak password checking in Configmap and Secret
• Add weak password checking in Docker env
• Add Envoy admin checking