Verify Image Check CVE-2022-42889

CVE-2022-42889 is a critical vulnerability in the Apache Commons Text library which could lead to arbitrary code execution; it affects versions 1.5 through 1.9. The affected package can be detected in an SBOM by identifying the "commons-text" package with one of the affected versions. This policy checks the attested SBOM, in CycloneDX format, of any image matched under `imageReferences` and denies the image if that SBOM contains versions 1.5-1.9 of the commons-text package. Using this policy for your own purposes requires customizing the `imageReferences`, `subject`, and `issuer` fields to match your image signatures and attestations.

Policy Definition

/other/verify-image-cve-2022-42889/verify-image-cve-2022-42889.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-vulns-cve-2022-42889
  annotations:
    policies.kyverno.io/title: Verify Image Check CVE-2022-42889
    policies.kyverno.io/category: Software Supply Chain Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.8.3
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      CVE-2022-42889 is a critical vulnerability in the Apache Commons Text library which
      could lead to arbitrary code executions and occurs in versions 1.5 through 1.9. Detecting
      the affected package may be done in an SBOM by identifying the "commons-text" package
      with one of the affected versions. This policy checks attested SBOMs in CycloneDX format of an image
      specified under `imageReferences` and denies it if it contains versions 1.5-1.9 of the commons-text
      package. Using this for your own purposes will require customizing the `imageReferences`,
      `subject`, and `issuer` fields based on your image signatures and attestations.
spec:
  validationFailureAction: Audit
  webhookTimeoutSeconds: 10
  rules:
    - name: cve-2022-42889
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "myreg.org/myrepo/someimage*"
        attestations:
        - predicateType: https://cyclonedx.org/schema
          attestors:
          - entries:
            - keyless:
                subject: "mysubject"
                issuer: "myissuer"
                rekor:
                  url: https://rekor.sigstore.dev
          conditions:
          - all:
            - key: "{{ components[?name=='commons-text'].version || 'none' }}"
              operator: AllNotIn
              value: ["1.5","1.6","1.7","1.8","1.9"]
```
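To see how the `conditions` block decides, here is an added example (not part of the Kyverno policy or the project's code) that reproduces the `components[?name=='commons-text'].version || 'none'` selection and the `AllNotIn` comparison in plain Python against constructed CycloneDX documents. The SBOM fragments and helper names are invented for illustration, and the `|| 'none'` fallback and exact string membership are assumed to mirror Kyverno's evaluation.

```python
# Versions the policy denies (its `value` list); membership is exact string match.
AFFECTED_VERSIONS = {"1.5", "1.6", "1.7", "1.8", "1.9"}


def commons_text_versions(sbom: dict) -> list:
    """Mirror `components[?name=='commons-text'].version || 'none'`.

    Returns the version of every commons-text component in the CycloneDX
    document, or the fallback 'none' when there is no such component
    (JMESPath's `||` treats an empty projection as falsy).
    """
    versions = [c["version"] for c in sbom.get("components", [])
                if c.get("name") == "commons-text" and "version" in c]
    return versions or ["none"]


def all_not_in(values: list, denied: set) -> bool:
    """Kyverno `AllNotIn`: every selected value must be absent from `denied`."""
    return all(v not in denied for v in values)


def image_allowed(sbom: dict) -> bool:
    """Admission decision the policy's `conditions` block would reach."""
    return all_not_in(commons_text_versions(sbom), AFFECTED_VERSIONS)


def component(name: str, version: str) -> dict:
    """Hypothetical helper building one CycloneDX library component."""
    return {"type": "library", "name": name, "version": version}


# Constructed CycloneDX component lists (not real attestations).
SBOM_VULNERABLE = {"bomFormat": "CycloneDX", "components": [
    component("commons-lang3", "3.12.0"), component("commons-text", "1.9")]}
SBOM_PATCHED = {"bomFormat": "CycloneDX", "components": [
    component("commons-text", "1.10.0")]}
SBOM_ABSENT = {"bomFormat": "CycloneDX", "components": [
    component("commons-lang3", "3.12.0")]}
# An image can vendor two copies; AllNotIn fails if any copy is affected.
SBOM_MIXED = {"bomFormat": "CycloneDX", "components": [
    component("commons-text", "1.10.0"), component("commons-text", "1.8")]}

if __name__ == "__main__":
    for label, sbom in [("vulnerable", SBOM_VULNERABLE), ("patched", SBOM_PATCHED),
                        ("absent", SBOM_ABSENT), ("mixed", SBOM_MIXED)]:
        print(label, commons_text_versions(sbom), image_allowed(sbom))
```

Note that the policy as shown sets `validationFailureAction: Audit`, so a failing condition is recorded as a policy violation rather than blocking the Pod until the action is changed to `Enforce`.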