Ignore Go compiler affecting CVE when Docker image only contains a binary compiled with Go #1782

Open
sunwhawhang opened this issue Apr 3, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@sunwhawhang

What happened:
Related to the bug reported in #1370: the quay.io/calico/kube-controllers:v3.20.0 image does not have a Go compiler but only contains a binary that was compiled with the Go compiler and statically linked against the Go runtime library.

The issue was fixed in anchore/syft#2195; however, it is now reporting false-positive CVEs that only affect the Go compiler itself: CVE-2023-29402, CVE-2023-29404 and CVE-2023-29405:

❯ grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29405       Critical  
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29404       Critical  
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29402       Critical  
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29403       High    

What you expected to happen:
It should only report CVE-2023-29403 since that's the only vulnerability that affects the runtime library:

❯ grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29403       High    

How to reproduce it (as minimally and precisely as possible):
Run

grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'

Anything else we need to know?:

Environment:

  • Output of grype version:
    Application:         grype
    Version:             0.74.7
    BuildDate:           2024-02-26T18:24:14Z
    GitCommit:           987238519b8d6e302130ab715f20daed6634da68
    GitDescription:      v0.74.7
    Platform:            linux/amd64
    GoVersion:           go1.21.7
    Compiler:            gc
    Syft Version:        v0.105.1
    Supported DB Schema: 5
    
  • OS (e.g: cat /etc/os-release or similar):
    NAME="Ubuntu"
    VERSION="18.04.5 LTS (Bionic Beaver)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 18.04.5 LTS"
    VERSION_ID="18.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=bionic
    UBUNTU_CODENAME=bionic
    
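As an added example (not from the issue, and not grype's or syft's own code): a post-filter over grype's JSON output that keeps stdlib matches whose affected Go packages include a runtime package and suppresses those where every affected package is a toolchain command under cmd/, then renders the suppressed ones as rules for grype's `ignore:` configuration. The vulnerability-DB entries and the grype output are constructed to mirror the table in the issue; the ignore-rule keys are assumed to follow grype's documented `.grype.yaml` format.

```python
import json

# Constructed, simplified Go vulnerability DB (OSV-style) entries: which Go
# packages each CVE affects. Paths under cmd/ belong to the toolchain, which a
# statically linked binary does not ship. Values mirror the issue's claims.
GO_VULNDB = {
    "CVE-2023-29402": ["cmd/go"],
    "CVE-2023-29403": ["runtime"],
    "CVE-2023-29404": ["cmd/go"],
    "CVE-2023-29405": ["cmd/go"],
}

# Constructed grype JSON output (shape of `grype -o json`, trimmed to the fields
# used here), matching the table in the issue.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": cve, "severity": sev},
     "artifact": {"name": "stdlib", "version": "go1.15.2", "type": "go-module"}}
    for cve, sev in [("CVE-2023-29405", "Critical"), ("CVE-2023-29404", "Critical"),
                     ("CVE-2023-29402", "Critical"), ("CVE-2023-29403", "High")]
]})


def toolchain_only(vuln_id, vulndb=GO_VULNDB):
    """True when every affected package is a toolchain command (cmd/...)."""
    pkgs = vulndb.get(vuln_id, [])
    return bool(pkgs) and all(p.startswith("cmd/") for p in pkgs)


def filter_stdlib_matches(grype_json, vulndb=GO_VULNDB):
    """Split grype matches into (kept, suppressed). Only stdlib go-module matches
    are candidates; CVEs missing from vulndb are kept so a DB gap never hides one."""
    kept, suppressed = [], []
    for m in json.loads(grype_json)["matches"]:
        art, vid = m["artifact"], m["vulnerability"]["id"]
        is_stdlib = art["name"] == "stdlib" and art["type"] == "go-module"
        (suppressed if is_stdlib and toolchain_only(vid, vulndb) else kept).append(m)
    return kept, suppressed


def grype_ignore_rules(suppressed):
    """Render suppressed matches as entries for the `ignore:` list in .grype.yaml."""
    lines = ["ignore:"]
    for m in suppressed:
        lines += [f"  - vulnerability: {m['vulnerability']['id']}", "    package:",
                  f"      name: {m['artifact']['name']}", f"      type: {m['artifact']['type']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    kept, suppressed = filter_stdlib_matches(GRYPE_JSON)
    print("kept:", [m["vulnerability"]["id"] for m in kept])
    print(grype_ignore_rules(suppressed))
```

Run against real output with `grype <image> -o json`, and review the generated ignore rules before committing them, since they silence the CVE for every stdlib match, not just this image.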