Vulnerabilities In Use

The In Use functionality enables ARMO users to understand which of the vulnerable packages are currently loaded into memory.


ARMO's In Use (aka Taster) is based on eBPF. It scans the running environment and maps out artifacts and libraries that are loaded into memory and therefore are in use in the environment.

The Taster is part of ARMO's in-cluster components. It uses eBPF probes to look at the file activity of a running container. When a pod starts on a node, the Taster will watch its containers for a configurable learning period and store an activity log.

During the process of scanning a container, an SBOM is generated. It contains the vulnerability scanner's understanding of which components are installed in the container. When vulnerabilities are checked, the engine is provided with a filtered SBOM, which includes the packages that relate to files that were accessed during the learning period.
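The filtering step described above, as an added illustration (not ARMO or Kubescape code). The package names, file paths, CVE placeholders and the package-to-files mapping are constructed, and returning None when no activity log exists is an assumption of this sketch:

```python
import posixpath
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data: hypothetical packages and placeholder CVE ids.
SBOM: Dict[str, List[str]] = {
    "example-tls": ["/usr/lib/libexampletls.so.1", "/usr/bin/exampletls"],
    "example-xml": ["/usr/lib/libexamplexml.so.2"],
    "example-app": ["/app/server"],
}
FINDINGS: Dict[str, List[str]] = {
    "example-tls": ["CVE-PLACEHOLDER-0001"],
    "example-xml": ["CVE-PLACEHOLDER-0002", "CVE-PLACEHOLDER-0003"],
}
# Paths opened inside the container during the learning period (constructed).
ACTIVITY_LOG = ["/app/server", "/usr/lib/../lib/libexampletls.so.1", "/etc/hosts"]


def filter_sbom(sbom: Dict[str, List[str]],
                accessed: Optional[Iterable[str]]) -> Optional[Dict[str, List[str]]]:
    """Keep only packages that own at least one file seen in the activity log.

    Returns None when there is no activity log: without runtime data the
    relevancy is unknown, which is different from "nothing is in use".
    """
    if accessed is None:
        return None
    # Normalize paths so "/usr/lib/../lib/x" matches the SBOM entry "/usr/lib/x".
    seen = {posixpath.normpath(p) for p in accessed}
    return {pkg: files for pkg, files in sbom.items()
            if any(posixpath.normpath(f) in seen for f in files)}


def in_use_cves(sbom: Dict[str, List[str]], findings: Dict[str, List[str]],
                accessed: Optional[Iterable[str]]) -> Optional[Tuple[List[str], List[str]]]:
    """Split findings into (in_use, not_observed); None if runtime info is missing."""
    filtered = filter_sbom(sbom, accessed)
    if filtered is None:
        return None
    in_use = sorted(c for pkg in filtered for c in findings.get(pkg, []))
    rest = sorted(c for pkg in sbom if pkg not in filtered
                  for c in findings.get(pkg, []))
    return in_use, rest


if __name__ == "__main__":
    print(in_use_cves(SBOM, FINDINGS, ACTIVITY_LOG))
```

A package that was not observed during the learning period is only "not seen yet": code paths that run later (for example after the maximum learning period) would not appear in the activity log.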

Configure the 'In Use' capability

To configure the learning periods of the feature, use the following flags:

  • learningPeriod (default: 2 minutes): The learning period is the amount of time the Taster will observe a running container to determine the relevancy of files. The value is in minutes. Example: --set nodeAgent.config.learningPeriod=15
  • maxLearningPeriod (default: 180 minutes): The max learning period is the amount of time the Taster will observe a running container. The value is in minutes. Example: --set nodeAgent.config.maxLearningPeriod=200

Prioritize workloads with the 'In Use' Vulnerability filter

After installation, the Taster starts listening to every new or restarted container for the time configured in the learning period. Once the learning period has concluded, the relevant information will be available in the cluster storage and ARMO Platform. The Taster keeps listening to the container until the maxLearningPeriod is reached.

Vulnerabilities - Workloads view

  • Navigate to the Vulnerabilities section
  • Click on the Vulnerabilities filter
  • Mark the 'In Use' checkbox (notice the numbers under the Vulnerabilities column go down)
  • The table will show only workloads that contain vulnerabilities whose vulnerable package is loaded into memory and is therefore In Use.

Workload - Missing runtime info

Upon drilling down into a workloads table, some of the workloads might contain a warning sign indicating Missing runtime info with the following explanation:

See here how to troubleshoot Missing runtime info

View relevant information from the cluster storage

View SBOM information

% kubectl get -n kubescape --show-labels SBOMSPDXv2p3
NAME                                                               CREATED AT             LABELS
0349106521d476e8a833088c33f6db5ac4c898f00d1b6b6f15d9902ff5fdd0f4   2023-04-23T09:07:47Z
0f232ba18b63363e33f205d0242ef98324fb388434f8598c2fc8e967dca146bc   2023-04-23T09:04:23Z
1198b3b3f1e324799012d0634e96ef99e43831cdb240749f7ceaaab551b09622   2023-04-23T09:15:28Z
13964b29d63efcd1490d1a500c4332c642655fe4ca613683fa4dde9a205dd0f7   2023-04-23T09:14:05Z
1d20492ca374191e5b6ff4b7712b62b41ab75ce226424974356dc266e6e99e83   2023-04-23T09:04:06Z
20b172e673454b675cade099b95125fb1ce01b53fbf99c5b6260e048174060b1   2023-04-23T09:08:29Z

View filtered SBOM information

% kubectl get -n kubescape --show-labels SBOMSPDXv2p3Filtered
NAME                                                               CREATED AT             LABELS
0207f7055a0a13a655efe073c320de83219ca19e396e37e1bdcc83de976ca99a   2023-04-23T10:05:48Z,,,,,
0d69953f27f65b0546fbd29b12849368cbc5a0cf358b828ee31fbe2865279dea   2023-04-23T10:06:07Z,,,,,
28372aa3a8dfdebb9cd2561f85beabbe58fbeb67060c3bde74a061c62923183f   2023-04-23T10:05:49Z,,,,,
30c70b40821cd009b417167b2280cd9d2df4e4eef8dff79f3c7f9a8ee7d75672   2023-04-23T10:05:42Z,,,,,

Get CVE list & relevant CVE list

% kubectl get -n kubescape --show-labels VulnerabilityManifests
NAME                                                               CREATED AT             LABELS
0207f7055a0a13a655efe073c320de83219ca19e396e37e1bdcc83de976ca99a   2023-04-23T10:56:39Z,,,,,,
0349106521d476e8a833088c33f6db5ac4c898f00d1b6b6f15d9902ff5fdd0f4   2023-04-23T09:07:53Z
0d69953f27f65b0546fbd29b12849368cbc5a0cf358b828ee31fbe2865279dea   2023-04-23T10:56:42Z,,,,,,


Linux kernel

The relevancy functionality is based on eBPF technology, which is implemented only on Linux kernels. Therefore, the feature works only on Linux distributions. The Linux kernel version on the node must be >= 5.4.