etcd v3.4.38 trivy scan gives a false positive
Bug report criteria
- [x] This bug report is not security related, security issues should be disclosed privately via [email protected].
- [x] This is not a support request or question, support requests or questions should be raised in the etcd discussion forums.
- [x] You have read the etcd bug reporting guidelines.
- [x] Existing open issues along with etcd frequently asked questions have been checked and this is not a duplicate.
What happened?
Running a trivy scan against the newest released image, 3.4.38, gives a false positive.
What did you expect to happen?
Run:
$ trivy image gcr.io/etcd-development/etcd:v3.4.38 --severity HIGH,CRITICAL
2025-10-23T10:59:39-07:00 INFO [vuln] Vulnerability scanning is enabled
2025-10-23T10:59:39-07:00 INFO [secret] Secret scanning is enabled
2025-10-23T10:59:39-07:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-23T10:59:39-07:00 INFO [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-23T10:59:40-07:00 INFO Detected OS family="debian" version="11.10"
2025-10-23T10:59:40-07:00 INFO [debian] Detecting vulnerabilities... os_version="11" pkg_num=3
2025-10-23T10:59:40-07:00 INFO Number of language-specific files num=2
2025-10-23T10:59:40-07:00 INFO [gobinary] Detecting vulnerabilities...
2025-10-23T10:59:40-07:00 WARN Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.67/docs/scanner/vulnerability#severity-selection for details.
Report Summary
┌─────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ gcr.io/etcd-development/etcd:v3.4.38 (debian 11.10) │ debian │ 0 │ - │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcd │ gobinary │ 2 │ - │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/etcdctl │ gobinary │ 2 │ - │
└─────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
usr/local/bin/etcd (gobinary)
Total: 2 (HIGH: 2, CRITICAL: 0)
┌─────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬─────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ go.etcd.io/etcd │ CVE-2018-16886 │ HIGH │ fixed │ v0.0.0-20251021182904-f1f5c1c2a4ed │ 0.5.0-alpha.5.0.20190108173120-83c051b701d3 │ etcd: Improper Authentication in │
│ │ │ │ │ │ │ auth/store.go:AuthInfoFromTLS() via gRPC-gateway │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16886 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-15114 │ │ │ │ 3.4.10, 3.3.23 │ etcd: gateway can include itself as an endpoint resulting in │
│ │ │ │ │ │ │ resource exhaustion... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-15114 │
└─────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴─────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
usr/local/bin/etcdctl (gobinary)
Total: 2 (HIGH: 2, CRITICAL: 0)
┌─────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬─────────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ go.etcd.io/etcd │ CVE-2018-16886 │ HIGH │ fixed │ v0.0.0-20251021182904-f1f5c1c2a4ed │ 0.5.0-alpha.5.0.20190108173120-83c051b701d3 │ etcd: Improper Authentication in │
│ │ │ │ │ │ │ auth/store.go:AuthInfoFromTLS() via gRPC-gateway │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16886 │
│ ├────────────────┤ │ │ ├─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-15114 │ │ │ │ 3.4.10, 3.3.23 │ etcd: gateway can include itself as an endpoint resulting in │
│ │ │ │ │ │ │ resource exhaustion... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-15114 │
└─────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴─────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
How can we reproduce it (as minimally and precisely as possible)?
Please use the previous command.
Anything else we need to know?
No response
Etcd version (please run commands below)
$ etcd --version
# paste output here
$ etcdctl version
# paste output here
Etcd configuration (command line flags or environment variables)
paste your configuration here
Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)
$ etcdctl member list -w table
# paste output here
$ etcdctl --endpoints=<member list> endpoint status -w table
# paste output here
Relevant log output
The problem is that with Go 1.24+, the toolchain now sets the main module’s version in the binary from VCS info. And because the Go module from 3.4 doesn't have the /v3 suffix, it is resolving it wrong.
Running:
go version -m ./bin/etcd | head
./bin/etcd: go1.24.9
path go.etcd.io/etcd
mod go.etcd.io/etcd v0.0.0-20251021082836-367dbd80deea
Shows the wrong pseudo-version.
Running GOFLAGS="-buildvcs=false" make build fixes the issue:
$ GOFLAGS="-buildvcs=false" make build
GO_BUILD_FLAGS="-v" ./build
./bin/etcd --version
WARNING: Package "github.com/golang/protobuf/protoc-gen-go/generator" is deprecated.
A future release of golang/protobuf will delete this package,
which has long been excluded from the compatibility promise.
etcd Version: 3.4.37
Git SHA: 367dbd8
Go Version: go1.24.9
Go OS/Arch: linux/amd64
./bin/etcdctl version
etcdctl version: 3.4.37
API version: 3.4
$ go version -m ./bin/etcd | head
./bin/etcd: go1.24.9
path go.etcd.io/etcd
mod go.etcd.io/etcd (devel)
dep github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
dep github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
dep github.com/coreos/go-semver v0.2.0 h1:3Jm3tLmsgAYcjC+4Up7hJrFBPr+n7rAqYeSw/SZazuY=
dep github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM=
dep github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf h1:CAKfRE2YtTUIjjh1bkBtyYFaUT/WmOqsJjgtihT0vMI=
dep github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 h1:qk/FSDDxo05wdJH28W+p5yivv7LuLYLRXPPD8KQCtZs=
dep github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
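An added example, not part of this issue or the etcd code base: a small Go program that parses "go version -m" output and classifies the main module's stamped version, so a release check can flag a VCS-stamped v0.0.0 pseudo-version (the case that trips trivy here) before an image is published. The two inputs are constructed samples mirroring the outputs in this comment, and the pseudo-version regexp is my own approximation of the toolchain's format.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Approximation (assumption) of a Go pseudo-version: vX.Y.Z, an optional
// pre-release bridge ending in ".", then a 14-digit timestamp and 12 hex chars.
var pseudoVersionRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.]+\.)?\d{14}-[0-9a-f]{12}$`)

type MainModule struct {
	Path    string
	Version string
	Kind    string // "pseudo-version", "devel", "tagged" or "unknown"
}

func classifyVersion(v string) string {
	switch {
	case v == "(devel)":
		return "devel"
	case pseudoVersionRe.MatchString(v):
		return "pseudo-version"
	case strings.HasPrefix(v, "v"):
		return "tagged"
	}
	return "unknown"
}

// parseGoVersionM extracts the "mod" line (the main module) from `go version -m` output.
func parseGoVersionM(out string) (MainModule, error) {
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "mod" {
			return MainModule{Path: f[1], Version: f[2], Kind: classifyVersion(f[2])}, nil
		}
	}
	return MainModule{}, fmt.Errorf("no main-module 'mod' line found")
}

// vcsStampedUntagged is true when the toolchain found no reachable tag and stamped a
// v0.0.0 pseudo-version; that sorts below every real release of the module path, so a
// scanner comparing it against fixed versions reports the binary as affected.
func vcsStampedUntagged(m MainModule) bool {
	return m.Kind == "pseudo-version" && strings.HasPrefix(m.Version, "v0.0.0-")
}

// Constructed samples modelled on the two `go version -m` outputs above.
const withVCS = "./bin/etcd: go1.24.9\n\tpath\tgo.etcd.io/etcd\n\tmod\tgo.etcd.io/etcd\tv0.0.0-20251021082836-367dbd80deea\n\tdep\tgithub.com/coreos/go-semver\tv0.2.0\n"
const withoutVCS = "./bin/etcd: go1.24.9\n\tpath\tgo.etcd.io/etcd\n\tmod\tgo.etcd.io/etcd\t(devel)\n"

func main() {
	for _, out := range []string{withVCS, withoutVCS} {
		m, err := parseGoVersionM(out)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s %s kind=%s flag=%v\n", m.Path, m.Version, m.Kind, vcsStampedUntagged(m))
	}
}
```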
Thanks for the investigation!
@ivanvc please feel free to close this ticket once it's confirmed that the false-positive CVEs are resolved, thx
@ahrtr, unfortunately, we'll need to do a new release (unless we want to amend the released artifacts/images). I'll open a new issue and will add a mention to the CHANGELOG.
sure, thx
Hi @ivanvc, I checked the v3.4.39 binary and found that it still has (v0.0.0-20251112043835-af367e02b948).
But your change can make "make build" use -buildvcs=false by default.
Thanks, @fuweid. v3.4.40 should then address this issue. I'll close the issue when we release it.