Kaspersky Container Security

Scanning Java packages in images

Kaspersky Container Security can scan Java packages contained in registry images. For this purpose, the solution uses Java vulnerability databases.

Scanning for Java packages is available in Kaspersky Container Security v1.2.1 and later. If you have an earlier version installed, you must update the solution to v1.2.1 or later to use this functionality.

You can configure scanning of Java packages by setting the value of the ENABLE_JAVA_VULN environment variable in the values.yaml file. If ENABLE_JAVA_VULN = true, Kaspersky Container Security performs scanning using the Java vulnerability databases. If ENABLE_JAVA_VULN = false, Java packages are not scanned.

By default, ENABLE_JAVA_VULN is set to false.

Starting from v1.2.1, the kcs-updates component provided in the distribution kit contains the Java vulnerability databases. To use this component, make sure that the environment variables in the values.yaml file are defined as follows:

ENABLE_JAVA_VULN = true
KCS_UPDATES_TAG=vX.X.X (the version tag must match the installed version of the solution)
KCS_UPDATES=true

If Java package scanning is enabled (ENABLE_JAVA_VULN = true), the kcs-scanner component downloads the Java vulnerability databases and notifies the kcs-middleware and kcs-ih components. The kcs-ih component then receives the database files from kcs-scanner, assembles and validates the database, and uses it during scanning. Note that all three settings must be consistent: with ENABLE_JAVA_VULN = true but KCS_UPDATES unset or set to false, or with a KCS_UPDATES_TAG that does not match the installed version, the Java databases are not delivered and Java packages are silently not covered by the scan.
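As an added example (not part of the Kaspersky Container Security distribution or its documentation), the following POSIX shell pre-flight check reads the three settings from a KEY=value file written in the form shown above and reports whether the combination will actually enable Java scanning, catching the two common mistakes: leaving ENABLE_JAVA_VULN at its default of false and leaving the vX.X.X placeholder in KCS_UPDATES_TAG. The flat KEY=value file layout and the tag value v1.2.1 are assumptions for illustration; the real values.yaml is a Helm values file, so adapt the extraction to its actual structure.

```shell
#!/bin/sh
# Pre-flight consistency check for the Java vulnerability database settings.
# Constructed example, not Kaspersky code: it reads KEY=value lines (the form
# used in the documentation above) and verifies the combination that the
# documentation requires for Java package scanning:
#   ENABLE_JAVA_VULN = true   (default is false, so Java packages are skipped)
#   KCS_UPDATES      = true   (kcs-updates delivers the databases)
#   KCS_UPDATES_TAG  = v<major>.<minor>.<patch> matching the installed solution
#                      (a leftover vX.X.X placeholder is rejected)

# get_setting FILE KEY -> prints the value of KEY, tolerating spaces around '='
# and taking the last definition if the key appears more than once.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_java_scan_config FILE -> returns 0 if Java scanning will be enabled,
# 1 otherwise; prints one line per problem found.
check_java_scan_config() {
    file=$1
    ok=0
    enable=$(get_setting "$file" ENABLE_JAVA_VULN)
    updates=$(get_setting "$file" KCS_UPDATES)
    tag=$(get_setting "$file" KCS_UPDATES_TAG)

    if [ "$enable" != "true" ]; then
        echo "ENABLE_JAVA_VULN is '${enable:-unset}': Java packages will not be scanned"
        ok=1
    fi
    if [ "$updates" != "true" ]; then
        echo "KCS_UPDATES is '${updates:-unset}': kcs-updates will not deliver the Java databases"
        ok=1
    fi
    case $tag in
        v[0-9]*.[0-9]*.[0-9]*) ;;   # concrete version tag, e.g. v1.2.1
        *)
            echo "KCS_UPDATES_TAG is '${tag:-unset}': expected a concrete version tag, not a placeholder"
            ok=1 ;;
    esac
    return $ok
}

# Constructed sample inputs (assumed tag v1.2.1 for the good case): one
# consistent set of settings, and one that keeps the default and the placeholder.
good_env=$(mktemp)
cat >"$good_env" <<'EOF'
ENABLE_JAVA_VULN = true
KCS_UPDATES_TAG=v1.2.1
KCS_UPDATES=true
EOF

bad_env=$(mktemp)
cat >"$bad_env" <<'EOF'
ENABLE_JAVA_VULN = false
KCS_UPDATES_TAG=vX.X.X
KCS_UPDATES=true
EOF

check_java_scan_config "$good_env" && echo "good_env: Java scanning settings are consistent"
check_java_scan_config "$bad_env" || echo "bad_env: Java scanning would be skipped"
```

Run the check against your settings before `helm upgrade`; a non-zero exit status means the deployment would come up with Java packages excluded from image scanning even though the rest of the scanner works normally.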

Vulnerabilities found using the Java vulnerability database are displayed in the image scanning results.

Kaspersky Container Security can also scan Java packages in images in external registries and during the CI/CD process when an external scanner is used. In this case, you must use the scanner image with the vX.X.X-with-db-java tag, which contains a pre-installed Java vulnerability database. This scanner is configured and used in the same way as the vX.X.X-with-db scanner.