From 89734ec85fb5f4e3f09d3f41b3a3c001b2370251 Mon Sep 17 00:00:00 2001 From: TrueCharts-Bot Date: Sat, 26 Mar 2022 23:24:26 +0000 Subject: [PATCH] Commit new App releases for TrueCharts Signed-off-by: TrueCharts-Bot --- stable/clamav/2.0.7/templates/common.yaml | 1 - stable/clamav/{2.0.7 => 2.1.0}/CHANGELOG.md | 18 +- stable/clamav/{2.0.7 => 2.1.0}/CONFIG.md | 0 stable/clamav/{2.0.7 => 2.1.0}/Chart.lock | 2 +- stable/clamav/{2.0.7 => 2.1.0}/Chart.yaml | 2 +- stable/clamav/{2.0.7 => 2.1.0}/README.md | 0 stable/clamav/{2.0.7 => 2.1.0}/app-readme.md | 0 .../{2.0.7 => 2.1.0}/charts/common-9.1.15.tgz | Bin stable/clamav/{2.0.7 => 2.1.0}/helm-values.md | 23 +- stable/clamav/{2.0.7 => 2.1.0}/ix_values.yaml | 41 ++-- stable/clamav/{2.0.7 => 2.1.0}/questions.yaml | 217 +++++++++++++++++- stable/clamav/{2.0.7 => 2.1.0}/security.md | 44 ++++ stable/clamav/2.1.0/templates/_cronjob.tpl | 85 +++++++ stable/clamav/2.1.0/templates/common.yaml | 10 + stable/clamav/{2.0.7 => 2.1.0}/values.yaml | 0 15 files changed, 400 insertions(+), 43 deletions(-) delete mode 100644 stable/clamav/2.0.7/templates/common.yaml rename stable/clamav/{2.0.7 => 2.1.0}/CHANGELOG.md (91%) rename stable/clamav/{2.0.7 => 2.1.0}/CONFIG.md (100%) rename stable/clamav/{2.0.7 => 2.1.0}/Chart.lock (80%) rename stable/clamav/{2.0.7 => 2.1.0}/Chart.yaml (98%) rename stable/clamav/{2.0.7 => 2.1.0}/README.md (100%) rename stable/clamav/{2.0.7 => 2.1.0}/app-readme.md (100%) rename stable/clamav/{2.0.7 => 2.1.0}/charts/common-9.1.15.tgz (100%) rename stable/clamav/{2.0.7 => 2.1.0}/helm-values.md (78%) rename stable/clamav/{2.0.7 => 2.1.0}/ix_values.yaml (77%) rename stable/clamav/{2.0.7 => 2.1.0}/questions.yaml (92%) rename stable/clamav/{2.0.7 => 2.1.0}/security.md (56%) create mode 100644 stable/clamav/2.1.0/templates/_cronjob.tpl create mode 100644 stable/clamav/2.1.0/templates/common.yaml rename stable/clamav/{2.0.7 => 2.1.0}/values.yaml (100%) diff --git a/stable/clamav/2.0.7/templates/common.yaml b/stable/clamav/2.0.7/templates/common.yaml deleted file mode 100644 index a6613c2ce2..0000000000 --- a/stable/clamav/2.0.7/templates/common.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.all" . }} diff --git a/stable/clamav/2.0.7/CHANGELOG.md b/stable/clamav/2.1.0/CHANGELOG.md similarity index 91% rename from stable/clamav/2.0.7/CHANGELOG.md rename to stable/clamav/2.1.0/CHANGELOG.md index db1f9e44a2..4c85d497ee 100644 --- a/stable/clamav/2.0.7/CHANGELOG.md +++ b/stable/clamav/2.1.0/CHANGELOG.md @@ -1,6 +1,15 @@ # Changelog
+ +### [clamav-2.1.0](https://github.com/truecharts/apps/compare/clamav-2.0.7...clamav-2.1.0) (2022-03-26) + +#### Feat + +* cron ([#2294](https://github.com/truecharts/apps/issues/2294)) + + + ### [clamav-2.0.7](https://github.com/truecharts/apps/compare/clamav-2.0.6...clamav-2.0.7) (2022-03-26) @@ -88,12 +97,3 @@ - -### [clamav-1.0.9](https://github.com/truecharts/apps/compare/clamav-1.0.8...clamav-1.0.9) (2022-02-14) - -#### Chore - -* update docker general non-major ([#1895](https://github.com/truecharts/apps/issues/1895)) - - - diff --git a/stable/clamav/2.0.7/CONFIG.md b/stable/clamav/2.1.0/CONFIG.md similarity index 100% rename from stable/clamav/2.0.7/CONFIG.md rename to stable/clamav/2.1.0/CONFIG.md diff --git a/stable/clamav/2.0.7/Chart.lock b/stable/clamav/2.1.0/Chart.lock similarity index 80% rename from stable/clamav/2.0.7/Chart.lock rename to stable/clamav/2.1.0/Chart.lock index f8be0f75e1..cf89ab3a8c 100644 --- a/stable/clamav/2.0.7/Chart.lock +++ b/stable/clamav/2.1.0/Chart.lock @@ -3,4 +3,4 @@ dependencies: repository: https://library-charts.truecharts.org version: 9.1.15 digest: sha256:8f13af42bdb9c005c8b99d3443c5b350c9d99c45f485e7bbcb233fd14b3ab4f4 -generated: "2022-03-26T14:42:06.258422891Z" +generated: "2022-03-26T23:18:20.692582241Z" diff --git a/stable/clamav/2.0.7/Chart.yaml b/stable/clamav/2.1.0/Chart.yaml similarity index 98% rename from stable/clamav/2.0.7/Chart.yaml rename to stable/clamav/2.1.0/Chart.yaml index e7506e60fe..2412db71c9 100644 --- a/stable/clamav/2.0.7/Chart.yaml +++ b/stable/clamav/2.1.0/Chart.yaml @@ -21,7 +21,7 @@ sources: - https://hub.docker.com/r/clamav/clamav - https://docs.clamav.net/ type: application -version: 2.0.7 +version: 2.1.0 annotations: truecharts.org/catagories: | - utilities diff --git a/stable/clamav/2.0.7/README.md b/stable/clamav/2.1.0/README.md similarity index 100% rename from stable/clamav/2.0.7/README.md rename to stable/clamav/2.1.0/README.md diff --git a/stable/clamav/2.0.7/app-readme.md b/stable/clamav/2.1.0/app-readme.md similarity index 100% rename from stable/clamav/2.0.7/app-readme.md rename to stable/clamav/2.1.0/app-readme.md diff --git a/stable/clamav/2.0.7/charts/common-9.1.15.tgz b/stable/clamav/2.1.0/charts/common-9.1.15.tgz similarity index 100% rename from stable/clamav/2.0.7/charts/common-9.1.15.tgz rename to stable/clamav/2.1.0/charts/common-9.1.15.tgz diff --git a/stable/clamav/2.0.7/helm-values.md b/stable/clamav/2.1.0/helm-values.md similarity index 78% rename from stable/clamav/2.0.7/helm-values.md rename to stable/clamav/2.1.0/helm-values.md index 674b77e8f4..5d3bd52d34 100644 --- a/stable/clamav/2.0.7/helm-values.md +++ b/stable/clamav/2.1.0/helm-values.md @@ -11,6 +11,15 @@ You will, however, be able to use all values referenced in the common chart here | Key | Type | Default | Description | |-----|------|---------|-------------| +| clamav.cron_enabled | bool | `true` | | +| clamav.cron_schedule | string | `"* * * * *"` | | +| clamav.date_format | string | `"+%m-%d-%Y_%H.%M.%S"` | | +| clamav.extra_args | string | `""` | | +| clamav.log_file_name | string | `"clamscan_report"` | | +| clamav.report_path | string | `"/logs"` | | +| cronjob.annotations | object | `{}` | | +| cronjob.failedJobsHistoryLimit | int | `5` | | +| cronjob.successfulJobsHistoryLimit | int | `2` | | | env.CLAMAV_NO_CLAMD | bool | `false` | | | env.CLAMAV_NO_FRESHCLAMD | bool | `false` | | | env.CLAMAV_NO_MILTERD | bool | `true` | | @@ -19,6 +28,8 @@ You will, however, be able to use all values referenced in the common chart here | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"tccr.io/truecharts/clamav"` | | | image.tag | string | `"v0.104.2@sha256:eb816a62ce0b7c331d893e8d51e54fe96b1cb5878c7394e935a48468b0b44f6d"` | | +| persistence.logs.enabled | bool | `true` | | +| persistence.logs.mountPath | string | `"/logs"` | | | persistence.scandir.enabled | bool | `true` | | | persistence.scandir.mountPath | string | `"/scandir"` | | | persistence.scandir.readOnly | bool | `true` | | @@ -29,24 +40,12 @@ You will, however, be able to use all values referenced in the common chart here | probes.liveness.custom | bool | `true` | | | probes.liveness.enabled | bool | `true` | | | probes.liveness.spec.exec.command[0] | string | `"clamdcheck.sh"` | | -| probes.liveness.spec.failureThreshold | int | `10` | | -| probes.liveness.spec.initialDelaySeconds | int | `15` | | -| probes.liveness.spec.periodSeconds | int | `30` | | -| probes.liveness.spec.timeoutSeconds | int | `1` | | | probes.readiness.custom | bool | `true` | | | probes.readiness.enabled | bool | `true` | | | probes.readiness.spec.exec.command[0] | string | `"clamdcheck.sh"` | | -| probes.readiness.spec.failureThreshold | int | `10` | | -| probes.readiness.spec.initialDelaySeconds | int | `15` | | -| probes.readiness.spec.periodSeconds | int | `30` | | -| probes.readiness.spec.timeoutSeconds | int | `1` | | | probes.startup.custom | bool | `true` | | | probes.startup.enabled | bool | `true` | | | probes.startup.spec.exec.command[0] | string | `"clamdcheck.sh"` | | -| probes.startup.spec.failureThreshold | int | `10` | | -| probes.startup.spec.initialDelaySeconds | int | `15` | | -| probes.startup.spec.periodSeconds | int | `30` | | -| probes.startup.spec.timeoutSeconds | int | `1` | | | securityContext.readOnlyRootFilesystem | bool | `false` | | | securityContext.runAsNonRoot | bool | `false` | | | service.main.ports.main.port | int | `3310` | | diff --git a/stable/clamav/2.0.7/ix_values.yaml b/stable/clamav/2.1.0/ix_values.yaml similarity index 77% rename from stable/clamav/2.0.7/ix_values.yaml rename to stable/clamav/2.1.0/ix_values.yaml index bf9ada51d4..483b3fa055 100644 --- a/stable/clamav/2.0.7/ix_values.yaml +++ b/stable/clamav/2.1.0/ix_values.yaml @@ -11,6 +11,22 @@ securityContext: readOnlyRootFilesystem: false runAsNonRoot: false +env: + CLAMAV_NO_CLAMD: false + CLAMAV_NO_FRESHCLAMD: false + CLAMAV_NO_MILTERD: true + CLAMD_STARTUP_TIMEOUT: 1800 + FRESHCLAM_CHECKS: 1 + +clamav: + report_path: "/logs" + # User Defined + cron_enabled: true + cron_schedule: "* * * * *" + date_format: "+%m-%d-%Y_%H.%M.%S" + log_file_name: "clamscan_report" + extra_args: "" + probes: liveness: enabled: true @@ -19,10 +35,6 @@ probes: exec: command: - clamdcheck.sh - initialDelaySeconds: 15 - periodSeconds: 30 - failureThreshold: 10 - timeoutSeconds: 1 readiness: enabled: true custom: true @@ -30,10 +42,6 @@ probes: exec: command: - clamdcheck.sh - initialDelaySeconds: 15 - periodSeconds: 30 - failureThreshold: 10 - timeoutSeconds: 1 startup: enabled: true custom: true @@ -41,10 +49,6 @@ probes: exec: command: - clamdcheck.sh - initialDelaySeconds: 15 - periodSeconds: 30 - failureThreshold: 10 - timeoutSeconds: 1 service: main: @@ -60,12 +64,10 @@ service: port: 7357 targetPort: 7357 -env: - CLAMAV_NO_CLAMD: false - CLAMAV_NO_FRESHCLAMD: false - CLAMAV_NO_MILTERD: true - CLAMD_STARTUP_TIMEOUT: 1800 - FRESHCLAM_CHECKS: 1 +cronjob: + annotations: {} + failedJobsHistoryLimit: 5 + successfulJobsHistoryLimit: 2 persistence: sigdatabase: @@ -75,3 +77,6 @@ persistence: enabled: true mountPath: "/scandir" readOnly: true + logs: + enabled: true + mountPath: "/logs" diff --git a/stable/clamav/2.0.7/questions.yaml b/stable/clamav/2.1.0/questions.yaml similarity index 92% rename from stable/clamav/2.0.7/questions.yaml rename to stable/clamav/2.1.0/questions.yaml index 11a1019d31..67e6803f80 100644 --- a/stable/clamav/2.0.7/questions.yaml +++ b/stable/clamav/2.1.0/questions.yaml @@ -186,6 +186,58 @@ questions: schema: type: int default: 1 + - variable: clamav + group: "Container Configuration" + label: "ClamAV Cron Configuration" + schema: + additional_attrs: true + type: dict + attrs: + - variable: cron_enabled + label: "Enable cronjob" + description: "Enables automatic scan for /scandir" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: cron_schedule + label: "Cron Schedule" + description: "Enter a valid cron schedule" + schema: + type: string + default: "@daily" + required: true + - variable: log_file_name + label: "Log File Name" + description: "Log file name for the scan report. You will find this report in /logs/FILENAME_DATEFORMAT" + schema: + type: string + default: "clamscan_report" + required: true + - variable: date_format + label: "Date Format" + description: "Date format for the log file" + schema: + type: string + default: "MM-DD-YYYY_HH.MM.SS" + required: true + enum: + - value: "+%m-%d-%Y_%H.%M.%S" + description: "MM-DD-YYYY_HH.MM.SS" + - value: "+%Y-%m-%d_%H.%M.%S" + description: "YYYY-MM-DD_HH.MM.SS" + - value: "+%H.%M.%S_%m-%d-%Y" + description: "HH.MM.SS_MM-DD-YYYY" + - value: "+%H.%M.%S_%Y-%m-%d" + description: "HH.MM.SS_YYYY-MM-DD" + - variable: extra_args + label: "Extra Args" + description: "Set extra args for clamscan here. (https://linux.die.net/man/1/clamscan). We already set --log, --database and --recursive. Do not add those here." + schema: + type: string + default: "" + - variable: TZ label: "Timezone" @@ -1010,7 +1062,170 @@ questions: type: string - variable: scandir label: "App Scan Dir Storage" - description: "Stores the Application Scan Directory." + description: "Stores the Application Scan Directory. (By default set to readOnly)" + schema: + additional_attrs: true + type: dict + attrs: + - variable: type + label: "Type of Storage" + description: "Sets the persistence type, Anything other than PVC could break rollback!" + schema: + type: string + default: "simplePVC" + enum: + - value: "simplePVC" + description: "PVC (simple)" + - value: "simpleHP" + description: "HostPath (simple)" + - value: "emptyDir" + description: "emptyDir" + - value: "pvc" + description: "pvc" + - value: "hostPath" + description: "hostPath" + - variable: setPermissionsSimple + label: "Automatic Permissions" + description: "Automatically set permissions on install" + schema: + show_if: [["type", "=", "simpleHP"]] + type: boolean + default: true + - variable: setPermissions + label: "Automatic Permissions" + description: "Automatically set permissions on install" + schema: + show_if: [["type", "=", "hostPath"]] + type: boolean + default: true + - variable: readOnly + label: "readOnly" + schema: + type: boolean + default: false + - variable: hostPathSimple + label: "hostPath" + description: "Path inside the container the storage is mounted" + schema: + show_if: [["type", "=", "simpleHP"]] + type: hostpath + - variable: hostPath + label: "hostPath" + description: "Path inside the container the storage is mounted" + schema: + show_if: [["type", "=", "hostPath"]] + type: hostpath + - variable: medium + label: "EmptyDir Medium" + schema: + show_if: [["type", "=", "emptyDir"]] + type: string + default: "" + enum: + - value: "" + description: "Default" + - value: "Memory" + description: "Memory" + - variable: size + label: "Size quotum of storage" + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: "999Gi" + - variable: hostPathType + label: "(Advanced) hostPath Type" + schema: + show_if: [["type", "=", "hostPath"]] + type: string + default: "" + enum: + - value: "" + description: "Default" + - value: "DirectoryOrCreate" + description: "DirectoryOrCreate" + - value: "Directory" + description: "Directory" + - value: "FileOrCreate" + description: "FileOrCreate" + - value: "File" + description: "File" + - value: "Socket" + description: "Socket" + - value: "CharDevice" + description: "CharDevice" + - value: "BlockDevice" + description: "BlockDevice" + - variable: storageClass + label: "(Advanced) storageClass" + description: "Warning: Anything other than SCALE-ZFS or empty will break rollback!" + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: "SCALE-ZFS" + - variable: accessMode + label: "(Advanced) Access Mode" + description: "Allow or disallow multiple PVC's writhing to the same PV" + schema: + show_if: [["type", "=", "pvc"]] + type: string + default: "ReadWriteOnce" + enum: + - value: "ReadWriteOnce" + description: "ReadWriteOnce" + - value: "ReadOnlyMany" + description: "ReadOnlyMany" + - value: "ReadWriteMany" + description: "ReadWriteMany" + - variable: advanced + label: "Show Advanced Options" + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: labelsList + label: "Labels" + schema: + type: list + default: [] + items: + - variable: labelItem + label: "Label" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: "Name" + schema: + type: string + - variable: value + label: "Value" + schema: + type: string + - variable: annotationsList + label: "Annotations" + schema: + type: list + default: [] + items: + - variable: annotationItem + label: "Label" + schema: + additional_attrs: true + type: dict + attrs: + - variable: name + label: "Name" + schema: + type: string + - variable: value + label: "Value" + schema: + type: string + - variable: logs + label: "App Logs Storage" + description: "Stores the Application Logs." schema: additional_attrs: true type: dict diff --git a/stable/clamav/2.0.7/security.md b/stable/clamav/2.1.0/security.md similarity index 56% rename from stable/clamav/2.0.7/security.md rename to stable/clamav/2.1.0/security.md index 800e449831..efac2c0b21 100644 --- a/stable/clamav/2.0.7/security.md +++ b/stable/clamav/2.1.0/security.md @@ -17,15 +17,19 @@ hide: | Type | Misconfiguration ID | Check | Severity | Explaination | Links | |:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------| +| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM |
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.allowPrivilegeEscalation' to false
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
| | Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM |
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.allowPrivilegeEscalation' to false
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
| | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
| +| Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
| | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should add 'ALL' to 'securityContext.capabilities.drop'
|
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
| | Kubernetes Security Check | KSV011 | CPU not limited | LOW |
Expand... Enforcing CPU limits prevents DoS via resource exhaustion.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.limits.cpu'
|
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
| | Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| +| Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV012 | Runs as root user | MEDIUM |
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsNonRoot' to true
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
| | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
| | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
| +| Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
| | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.readOnlyRootFilesystem' to true
|
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
| | Kubernetes Security Check | KSV015 | CPU requests not specified | LOW |
Expand... When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.requests.cpu'
|
Expand...https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv015
| | Kubernetes Security Check | KSV016 | Memory requests not specified | LOW |
Expand... When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.requests.memory'
|
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv016
| @@ -33,10 +37,13 @@ hide: | Kubernetes Security Check | KSV018 | Memory not limited | LOW |
Expand... Enforcing memory limits prevents DoS via resource exhaustion.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'resources.limits.memory'
|
Expand...https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv018
| | Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM |
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.


Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsUser' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
| | Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM |
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsUser' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
| +| Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM |
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.


Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.runAsUser' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
| | Kubernetes Security Check | KSV020 | Runs with low user ID | MEDIUM |
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsUser' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
| | Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM |
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.


Container 'RELEASE-NAME-clamav' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsGroup' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
| | Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM |
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsGroup' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
| +| Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM |
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.


Container 'clamav' of CronJob 'RELEASE-NAME-clamav-cronjob' should set 'securityContext.runAsGroup' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
| | Kubernetes Security Check | KSV021 | Runs with low group ID | MEDIUM |
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.


Container 'hostpatch' of Deployment 'RELEASE-NAME-clamav' should set 'securityContext.runAsGroup' > 10000
|
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
| +| Kubernetes Security Check | KSV023 | hostPath volumes mounted | MEDIUM |
Expand... HostPath volumes must be forbidden.


CronJob 'RELEASE-NAME-clamav-cronjob' should not set 'spec.template.volumes.hostPath'
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv023
| | Kubernetes Security Check | KSV023 | hostPath volumes mounted | MEDIUM |
Expand... HostPath volumes must be forbidden.


Deployment 'RELEASE-NAME-clamav' should not set 'spec.template.volumes.hostPath'
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv023
| | Kubernetes Security Check | KSV029 | A root primary or supplementary GID set | LOW |
Expand... Containers should be forbidden from running with a root primary or supplementary GID.


Deployment 'RELEASE-NAME-clamav' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0
|
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
| @@ -47,6 +54,7 @@ hide: tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583 tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583 tccr.io/truecharts/clamav:v0.104.2@sha256:eb816a62ce0b7c331d893e8d51e54fe96b1cb5878c7394e935a48468b0b44f6d + tccr.io/truecharts/clamav:v0.104.2@sha256:eb816a62ce0b7c331d893e8d51e54fe96b1cb5878c7394e935a48468b0b44f6d ##### Scan Results @@ -75,6 +83,42 @@ hide: +#### Container: tccr.io/truecharts/clamav:v0.104.2@sha256:eb816a62ce0b7c331d893e8d51e54fe96b1cb5878c7394e935a48468b0b44f6d (alpine 3.14.2) + + +**alpine** + + +| Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | +|:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| +| busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42379 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42379
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42380 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42380
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42381 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42381
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42382 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42382
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42383 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
| +| busybox | CVE-2021-42384 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42384
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42385 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42385
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42386 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42374 | MEDIUM | 1.33.1-r3 | 1.33.1-r4 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42374
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| busybox | CVE-2021-42375 | MEDIUM | 1.33.1-r3 | 1.33.1-r5 |
Expand...https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
| +| libcrypto1.1 | CVE-2022-0778 | HIGH | 1.1.1l-r0 | 1.1.1n-r0 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt
| +| libretls | CVE-2022-0778 | HIGH | 3.3.3p1-r2 | 3.3.3p1-r3 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt
| +| libssl1.1 | CVE-2022-0778 | HIGH | 1.1.1l-r0 | 1.1.1n-r0 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
https://linux.oracle.com/cve/CVE-2022-0778.html
https://linux.oracle.com/errata/ELSA-2022-9246.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
https://security.netapp.com/advisory/ntap-20220321-0002/
https://ubuntu.com/security/notices/USN-5328-1
https://ubuntu.com/security/notices/USN-5328-2
https://www.debian.org/security/2022/dsa-5103
https://www.openssl.org/news/secadv/20220315.txt
| +| libxml2 | CVE-2022-23308 | HIGH | 2.9.12-r1 | 2.9.13-r0 |
Expand...https://access.redhat.com/security/cve/CVE-2022-23308
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308
https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e
https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS
https://linux.oracle.com/cve/CVE-2022-23308.html
https://linux.oracle.com/errata/ELSA-2022-0899.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
https://ubuntu.com/security/notices/USN-5324-1
| +| ssl_client | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42379 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42379
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42380 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42380
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42381 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42381
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42382 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42382
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42383 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
| +| ssl_client | CVE-2021-42384 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42384
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42385 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42385
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42386 | HIGH | 1.33.1-r3 | 1.33.1-r6 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42374 | MEDIUM | 1.33.1-r3 | 1.33.1-r4 |
Expand...https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42374
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
https://ubuntu.com/security/notices/USN-5179-1
| +| ssl_client | CVE-2021-42375 | MEDIUM | 1.33.1-r3 | 1.33.1-r5 |
Expand...https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/
| + + #### Container: tccr.io/truecharts/clamav:v0.104.2@sha256:eb816a62ce0b7c331d893e8d51e54fe96b1cb5878c7394e935a48468b0b44f6d (alpine 3.14.2) diff --git a/stable/clamav/2.1.0/templates/_cronjob.tpl b/stable/clamav/2.1.0/templates/_cronjob.tpl new file mode 100644 index 0000000000..c74a24cb69 --- /dev/null +++ b/stable/clamav/2.1.0/templates/_cronjob.tpl @@ -0,0 +1,85 @@ +{{/* Define the cronjob */}} +{{- define "clamav.cronjob" -}} +{{- $jobName := include "common.names.fullname" . }} + +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ printf "%s-cronjob" $jobName }} + labels: + {{- include "common.labels" . | nindent 4 }} +spec: + schedule: "{{ .Values.clamav.cron_schedule }}" + concurrencyPolicy: Forbid + {{- with .Values.cronjob.failedJobsHistoryLimit }} + failedJobsHistoryLimit: {{ . }} + {{- end }} + {{- with .Values.cronjob.successfulJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ . }} + {{- end }} + jobTemplate: + metadata: + spec: + template: + metadata: + spec: + restartPolicy: Never + {{- with (include "common.controller.volumes" . | trim) }} + volumes: + {{- nindent 12 . }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: date_format + value: {{ .Values.clamav.date_format }} + - name: log_file_name + value: {{ .Values.clamav.log_file_name }} + - name: report_path + value: {{ .Values.clamav.report_path | trimSuffix "/" }} + - name: extra_args + value: {{ .Values.clamav.extra_args }} + command: ["sh", "-c"] + args: + - > + export databasePath=/var/lib/clamav; + if [ "$(ls -A $databasePath)" ]; + then + echo "Virus database exists..."; + else + echo "Virus database does not exist yet..."; + echo "Exiting..."; + exit 1; + fi; + export status=99; + export now=$(date ${date_format}); + export log_file=$report_path/${log_file_name}_${now}; + touch $log_file; + echo "Starting scan of \"/scandir\""; + echo "Args for clamscan: --database=${databasePath} --log=$log_file --recursive ${extra_args}"; + clamscan --database=${databasePath} --log=$log_file --recursive ${extra_args} /scandir; + status=$?; + if [ $status -eq 0 ]; + then + echo "Exit Status: $status"; + echo "No Virus found!"; + elif [ $status -eq 1]; + then + echo "Exit Status: $status."; + echo "Virus(es) found. Check \"${log_file}\"."; + elif [ $status -eq 2]; + then + echo "Exit Status: $status."; + echo "Some error(s) occured."; + else + echo "Exit Status: $status."; + fi; + {{- with (include "common.controller.volumeMounts" . | trim) }} + volumeMounts: + {{ nindent 16 . }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 16 }} +{{- end -}} diff --git a/stable/clamav/2.1.0/templates/common.yaml b/stable/clamav/2.1.0/templates/common.yaml new file mode 100644 index 0000000000..2a6d613a92 --- /dev/null +++ b/stable/clamav/2.1.0/templates/common.yaml @@ -0,0 +1,10 @@ +{{/* Make sure all variables are set properly */}} +{{- include "common.setup" . }} + +{{- if and .Values.clamav.cron_enabled .Values.clamav.cron_schedule}} +{{/* Render cronjob for clamav */}} +{{- include "clamav.cronjob" . }} +{{- end -}} + +{{/* Render the templates */}} +{{ include "common.postSetup" . }} diff --git a/stable/clamav/2.0.7/values.yaml b/stable/clamav/2.1.0/values.yaml similarity index 100% rename from stable/clamav/2.0.7/values.yaml rename to stable/clamav/2.1.0/values.yaml