trivy doesn't detect go dependencies as update after update
## Description
trivy doesn't detect Go dependencies as updated after running:
```
go get -u golang.org/x/text
replace golang.org/x/text => golang.org/x/text v0.6.0
go mod tidy\vendor
```
As you can see in the image below, the only reference I have for golang.org/x/text
is v0.6.0, and trivy detects v0.3.7 as the installed version (the installed version can be seen in the output below):

As I saw in other issues, running trivy with `--clear-cache`
doesn't resolve my issue.
Also running
`go version -m <image> | grep golang.org/x/text` returns the following output:
```
dep golang.org/x/text v0.6.0 => golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
```
## What did you expect to happen?
I made the same change as explained above to fix the same security issue but used govulncheck as the scanner, and after this change govulncheck detects this vuln as resolved.
For simplicity I chose golang.org/x/text; this issue is present with every dependency I tried to fix and I cannot resolve it.
## Output of run with `-debug`:
```
2023-02-05T14:47:49.815+0200 DEBUG Severities: ["HIGH" "CRITICAL"]
2023-02-05T14:47:49.867+0200 DEBUG cache dir: /Users/nirshaa/Library/Caches/trivy
2023-02-05T14:47:49.870+0200 DEBUG DB update was skipped because the local DB is the latest
2023-02-05T14:47:49.870+0200 DEBUG DB Schema: 2, UpdatedAt: 2023-02-05 12:07:49.297988387 +0000 UTC, NextUpdate: 2023-02-05 18:07:49.297988087 +0000 UTC, DownloadedAt: 2023-02-05 12:29:49.684927 +0000 UTC
2023-02-05T14:47:49.876+0200 INFO Vulnerability scanning is enabled
2023-02-05T14:47:49.876+0200 DEBUG Vulnerability type: [os library]
2023-02-05T14:47:49.876+0200 INFO Secret scanning is enabled
2023-02-05T14:47:49.876+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-02-05T14:47:49.876+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.36/docs/secret/scanning/#recommendation for faster secret detection
2023-02-05T14:47:51.208+0200 DEBUG No secret config detected: trivy-secret.yaml
2023-02-05T14:47:51.456+0200 DEBUG Image ID: sha256:8cc565bc87e9b5c559ad02d67030ca0146718f0961ebdd121843cc6cccaadebd
2023-02-05T14:47:51.456+0200 DEBUG Diff IDs: [sha256:a027cdd1c07338355997b9bc7fe296ea5a6a4dae16317a6bcdf504eb6f519e2d sha256:180f0b626cb65803adb54be30d2085d6b3c8198338a6544adea803c5a587b9f7 sha256:3102171377b577d2230a16c43f178c2480a284d3e2e5de6af095adbcfbc79908 sha256:0ee3490a9b9d76a4e085e8c967f113bd269bf4eedaa922b12d0d7424e3111eb8 sha256:367afc9ef8a0915bedd5a01c5a49c2051d8a9e9ee477eabe512ee13ccb0afc4a sha256:fbc835efdae8b3a7b9b7055951cca591964fe037dea8d0a83764b8217b89898c sha256:7602f86b3b5a8a71e3ad7f18718f7bf35d0dc11367724802a037ee599c88b42b sha256:fd2b4eeaa684e6758c8b662735a901df34b8601c1b73f9465b61f11614dead49 sha256:3f306a227179d433c1dfc17705fb3cbc449d77ac3b625abf71a0bca3e4d8b570 sha256:2878201f5f8b9f7c825afc4244bef771bc6ded6a6e89b6320f19adbf3530cfcc sha256:3895e9331cad2b4e3a26aaff80098faae4b7625b02e0f69b5bc926c7d42b4bcb sha256:ed347c23f76ef96ddbc20cf2c378bd380c550230a074c61ce4a03533dfdc9c13 sha256:70f07de4d2b1a1f044fa35fe8ccc202c44a9e0a6b9e5dde82bf6cc2dc9b696c5 sha256:7602f86b3b5a8a71e3ad7f18718f7bf35d0dc11367724802a037ee599c88b42b sha256:55eeeb3aa384cfe765b778201db9bfb223d34223d62197782923f5e7008179e2]
2023-02-05T14:47:51.456+0200 DEBUG Base Layers: []
2023-02-05T14:47:51.469+0200 DEBUG OS is not detected.
2023-02-05T14:47:51.469+0200 DEBUG Detected OS: unknown
2023-02-05T14:47:51.469+0200 INFO Number of language-specific files: 3
2023-02-05T14:47:51.469+0200 INFO Detecting gobinary vulnerabilities...
2023-02-05T14:47:51.469+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: main
2023-02-05T14:47:51.479+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: opt/agent-linux-amd64
2023-02-05T14:47:51.488+0200 INFO Detecting python-pkg vulnerabilities...
2023-02-05T14:47:51.488+0200 DEBUG Detecting library vulnerabilities, type: python-pkg, path:

opt/agent-linux-amd64 (gobinary)
Total: 9 (HIGH: 8, CRITICAL: 1)
```

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| github.com/containerd/containerd | CVE-2021-43816 | CRITICAL | v1.5.8 | 1.5.9 | containerd: Unprivileged pod may bind mount any privileged regular file on disk... https://avd.aquasec.com/nvd/cve-2021-43816 |
| github.com/containerd/containerd | CVE-2022-23648 | HIGH | v1.5.8 | 1.4.13, 1.5.10, 1.6.1 | containerd: insecure handling of image volumes https://avd.aquasec.com/nvd/cve-2022-23648 |
| github.com/opencontainers/runc | CVE-2022-29162 | HIGH | v1.0.2 | v1.1.2 | runc: incorrect handling of inheritable capabilities https://avd.aquasec.com/nvd/cve-2022-29162 |
| github.com/prometheus/client_golang | CVE-2022-21698 | HIGH | v1.11.0 | 1.11.1 | prometheus/client_golang: Denial of service using InstrumentHandlerCounter https://avd.aquasec.com/nvd/cve-2022-21698 |
| golang.org/x/crypto | CVE-2021-43565 | HIGH | v0.0.0-20210920023735-84f357641f63 | 0.0.0-20211202192323-5770296d904e | golang.org/x/crypto: empty plaintext packet causes panic https://avd.aquasec.com/nvd/cve-2021-43565 |
| golang.org/x/crypto | CVE-2022-27191 | HIGH | v0.0.0-20210920023735-84f357641f63 | 0.0.0-20220314234659-1baeb1ce4c0b | golang: crash in a golang.org/x/crypto/ssh server https://avd.aquasec.com/nvd/cve-2022-27191 |
| golang.org/x/net | CVE-2021-44716 | HIGH | v0.0.0-20211020060615-d418f374d309 | 0.0.0-20211209124913-491a49abca63 | golang: net/http: limit growth of header canonicalization cache https://avd.aquasec.com/nvd/cve-2021-44716 |
| golang.org/x/net | CVE-2022-27664 | HIGH | v0.0.0-20211020060615-d418f374d309 | 0.0.0-20220906165146-f3363e06e74c | golang: net/http: handle server errors after sending GOAWAY https://avd.aquasec.com/nvd/cve-2022-27664 |
| golang.org/x/text | CVE-2022-32149 | HIGH | v0.3.7 | 0.3.8 | golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags https://avd.aquasec.com/nvd/cve-2022-32149 |
## Output of `trivy -v`:
Tried on many trivy versions and got the same result on all of them, for example:
```
Version: 0.36.1
Vulnerability DB:
Version: 2
UpdatedAt: 2023-02-05 12:07:49.297988387 +0000 UTC
NextUpdate: 2023-02-05 18:07:49.297988087 +0000 UTC
DownloadedAt: 2023-02-05 12:29:49.684927 +0000 UTC
```
## Additional details (base image name, container registry info...):
I tried to run trivy on Ubuntu and macOS with several trivy versions and experienced the same issue as explained above.
The image name is: `adanite/connector:feature-trivy-scanner-refactor-1148`
The run command is: `trivy image -d --severity HIGH,CRITICAL adanite/connector:feature-trivy-scanner-refactor-1148`
```
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/.docker/config.json:/root/.docker/config.json -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.37.1 image adanite/connector:feature-trivy-scanner-refactor-1148
```
(.docker/config.json contains my creds in order to pull the image; the image is public, I just needed to access Docker Hub images).
Hi, any suggestion on what I might have done wrong? This issue is present for me for every dependency I try to update.
Hi,
I wasn't able to reproduce the issue.
I created a simple example that uses golang.org/x/text
and added `require golang.org/x/text v0.3.7`.
When I build the binary and image, trivy detects the vulnerability, but once I added the corresponding replace to 0.6.0 and rebuilt the binary/image, the vulnerability is gone.
Any possibility that something wasn't rebuilt properly in your case? Regards, Andrey
Hi, as you can see in my project, I added the 'replace' statement as well and only v0.6.0 is found in my go.mod:
I thought that the 'replace' statement also affects other libraries' dependencies, such as
google.golang.org,
even though I can see them using the problematic version:
I can see that on govulncheck my issue is resolved.
So I am not sure if trivy's finding is a false positive or correct; I will have to look into it more.
Note: changing minor/patch versions shouldn't affect the API, that's why I thought replace should affect other libraries' dependencies as well, even though their latest versions are using vulnerable libraries.
Thanks.
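The disagreement in this thread comes down to what is embedded in the binary itself: trivy's `gobinary` scanner and `go version -m` both read the module list the Go linker stores in the executable, and a `replace` in go.mod only matters once the binary in the image has been rebuilt with it. The Go build list holds a single version per module path, so a replace applies to every importer, direct or transitive, and the embedded list records one `dep` line per module plus an optional `=>` line for its replacement. The example below is an added illustration, not code from trivy or from the issue author: it parses a constructed build-info text in the layout `go version -m` prints (minus the `name: goX.Y` header and per-line indent), resolves replacements to the version actually linked, and compares that against a constructed fixed-version table taken from the advisories in the trivy output above. The module path `example.com/agent`, the `h1:` sums marked as constructed, and the `FixedVersions` map are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strconv"
	"strings"
)

// sampleBuildInfo is a constructed sample in the layout of debug.BuildInfo.String().
// It is an assumption for this example, not build info from the image in the issue:
// golang.org/x/text carries a `=>` replacement to v0.6.0 (the go.mod replace landed
// in a rebuilt binary) while golang.org/x/net is still at its old pseudo-version.
// debug.ParseBuildInfo needs every line newline-terminated.
const sampleBuildInfo = "go\tgo1.19.5\n" +
	"path\texample.com/agent\n" +
	"mod\texample.com/agent\t(devel)\t\n" +
	"dep\tgolang.org/x/net\tv0.0.0-20211020060615-d418f374d309\th1:constructed-sum=\n" +
	"dep\tgolang.org/x/text\tv0.3.7\th1:constructed-sum=\n" +
	"=>\tgolang.org/x/text\tv0.6.0\th1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=\n"

// ParseEffective parses build info and returns, per required module path, the
// version that is actually linked: the `=>` replacement when present, otherwise
// the required version. Each module path appears once because the Go build list
// holds one version per module path, so a go.mod replace covers all importers.
// A replacement to a different path is reported under the original path here;
// that is this example's choice, not a rule a scanner has to follow.
func ParseEffective(buildInfo string) (map[string]string, error) {
	bi, err := debug.ParseBuildInfo(buildInfo)
	if err != nil {
		return nil, err
	}
	linked := make(map[string]string, len(bi.Deps))
	for _, d := range bi.Deps {
		v := d.Version
		if d.Replace != nil {
			v = d.Replace.Version
		}
		linked[d.Path] = v
	}
	return linked, nil
}

// FixedVersions is a constructed lookup for the two modules in the sample, using
// the fixed versions trivy printed in this thread. A real scanner reads an
// advisory database; multi-branch fixes (containerd 1.4.13, 1.5.10, 1.6.1) are not modelled.
var FixedVersions = map[string]string{
	"golang.org/x/text": "0.3.8",                             // CVE-2022-32149
	"golang.org/x/net":  "0.0.0-20211209124913-491a49abca63", // CVE-2021-44716
}

// StillVulnerable returns the modules whose linked version sorts below the fixed
// version, keyed by module path.
func StillVulnerable(buildInfo string, fixed map[string]string) (map[string]string, error) {
	linked, err := ParseEffective(buildInfo)
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for path, installed := range linked {
		if fixedVer, ok := fixed[path]; ok && lessThan(installed, fixedVer) {
			out[path] = installed
		}
	}
	return out, nil
}

// lessThan reports whether installed sorts before fixed. Either side may carry a
// leading "v" (trivy prints most fixed versions without one). The numeric triple
// is compared first, then the suffix after the first "-": a release with no suffix
// is newer than any pre-release or pseudo-version of the same triple, and
// pseudo-version suffixes (yyyymmddhhmmss-hash) order correctly as plain strings.
func lessThan(installed, fixed string) bool {
	a, aSuffix := splitVersion(installed)
	b, bSuffix := splitVersion(fixed)
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	switch {
	case aSuffix == bSuffix:
		return false
	case aSuffix == "":
		return false
	case bSuffix == "":
		return true
	default:
		return aSuffix < bSuffix
	}
}

// splitVersion turns "v0.0.0-20211020060615-d418f374d309" into [0 0 0] and
// "20211020060615-d418f374d309"; build metadata after "+" is dropped and
// malformed numeric parts count as 0.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	v, _, _ = strings.Cut(v, "+")
	base, suffix, _ := strings.Cut(v, "-")
	var nums [3]int
	for i, part := range strings.SplitN(base, ".", 3) {
		nums[i], _ = strconv.Atoi(part)
	}
	return nums, suffix
}

func main() {
	vuln, err := StillVulnerable(sampleBuildInfo, FixedVersions)
	if err != nil {
		panic(err)
	}
	for path, installed := range vuln {
		fmt.Printf("%s: linked %s, fixed in %s\n", path, installed, FixedVersions[path])
	}
}
```

To apply the same check to a real image, extract each Go binary trivy lists (here `main` and `opt/agent-linux-amd64`) and run `go version -m` on it; if a binary still shows the old `dep` version with no `=>` line, that binary was not rebuilt after the go.mod change, regardless of what the go.mod in the repository says.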
This issue is stale because it has been labeled with inactivity.