Security Advisories

CGA-q43p-4g5v-h6hq

Published

Last updated

https://images.chainguard.dev/security/CGA-q43p-4g5v-h6hq
Package

reports-server

Repository

Chainguard

Latest Update
Not affected
Aliases
  • GHSA-459x-q9hg-4gpq

Severity

Unknown

References

  • https://github.com/advisories/GHSA-459x-q9hg-4gpq

Updates

Status

Not affected

Justification

Vulnerable code not in execute path

Impact

This vulnerability is not applicable to the reports-server package because the binary does not load or evaluate Kyverno policies and does not execute the Service Call functionality. The reports-server package only imports and uses the Kyverno report API types and the generated typed client to list and inspect PolicyReport and ClusterPolicyReport resources. Kyverno client usage is limited to the ReportsV1 API group: all runtime interactions with the Kyverno client are operations on policy reports performed via kyvernoClient.ReportsV1() in the server configuration code.

This was verified by static analysis of the reports-server source, which confirmed that Kyverno imports are limited to the reports API and client packages. The Kyverno client is imported in a single file, and all use of the client in that file is limited to calling its ReportsV1 method. This can be checked with:

    grep -RIn "github.com/kyverno/kyverno" pkg/ \
    | grep -v "github.com/kyverno/kyverno/api/reports/v1" \
    | grep -v "github.com/kyverno/kyverno/api/policyreport" \
    | grep -v "github.com/kyverno/kyverno/pkg/clients/kyverno"

For the client usage confirmation:

    grep -RIn "kyverno" pkg/server/config.go

Govulncheck found no affected symbols in the scanned Go binaries.

Status

Under investigation
