k3s
Support scanning k3s images with grype
from @dlorenc
Today, Grype can't determine which k3s version is used in k3s itself because it's built with the file. Here's what a scan looks like:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
github.com/k3s-io/k3s (devel) 1.24.17 go-module GHSA-m4hf-6vgr-75r2 High
It would be nice if the K3s binaries could be properly scanned by this tool to determine the version.
Validated on Version:
-$ k3s version v1.28.2+k3s-3d25e9f6 (3d25e9f6)
Environment Details
Infrastructure Cloud EC2 instance
Node(s) CPU architecture, OS, and Version: PRETTY_NAME="Ubuntu 22.04.1 LTS" NAME="Ubuntu" VERSION_ID="22.04"
Cluster Configuration: 1 node servers
Steps to validate the fix
- Install k3s with commit
- Install grype https://github.com/anchore/grype#installation
- Run grype on the binary
Reproduction Issue:
k3s version v1.28.2+k3s-9597ea11 (9597ea11)
grype /usr/local/bin/k3s
✔ Vulnerability DB [no update available]
✔ Indexed file system /usr/local/bin
✔ Cataloged packages [33 packages]
✔ Scanned for vulnerabilities [1 vulnerability matches]
├── by severity: 0 critical, 1 high, 0 medium, 0 low, 0 negligible
└── by status: 1 fixed, 0 not-fixed, 0 ignored
[0000] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
github.com/k3s-io/k3s (devel) 1.24.17 go-module GHSA-m4hf-6vgr-75r2 High
Validation Results:
k3s version v1.28.2+k3s-3d25e9f6 (3d25e9f6)
ubuntu@ip-172-31-25-240:~$ grype /usr/local/bin/k3s
✔ Vulnerability DB [no update available]
✔ Indexed file system /usr/local/bin
✔ Cataloged packages [33 packages]
✔ Scanned for vulnerabilities [4 vulnerability matches]
├── by severity: 0 critical, 1 high, 3 medium, 0 low, 0 negligible
└── by status: 4 fixed, 0 not-fixed, 0 ignored
[0000] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
github.com/k3s-io/k3s (devel) 1.24.17 go-module GHSA-m4hf-6vgr-75r2 High
As seen in the validation comment above, it is still not showing the version and is showing (delve). As per discussion with @brandond, we are leaving this open for this release.
@fmoral2 On the newest commits I am no longer seeing any problems
curl -sfL https://get.k3s.io | INSTALL_K3S_COMMIT=19fd7e38f674bddaa4571373d767c48bc52867f0 sh -
root@server-0:/home/vagrant# grype /usr/local/bin/k3s
✔ Vulnerability DB [updated]
✔ Indexed file system /usr/local/bin
✔ Cataloged packages [32 packages]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
[0000] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
No vulnerabilities found
root@server-0:/home/vagrant#
@dereknola I think the issue is that when there are vulns, it shows the installed version as (devel)
instead of the actual k3s release version.
Can we update the milestone for this issue and related backports, as it seems it's not fixed for this release? CC @brandond @carolid @rancher-max
Sure, bumped and put to Needs Additional status as it "needs additional work/information for when there are vulns"
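Added example (not code from k3s, grype or this thread): a Go binary built from a source checkout can record its main module version as (devel), which is the INSTALLED value in the scans above, so a scanner has no release number to compare against FIXED-IN. The sketch below reads the embedded build info and looks for a usable version in the `-ldflags` and `vcs.revision` build settings; the `pkg/version.Version` variable path and the sample build-info values are assumptions constructed for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"runtime/debug"
)

// Resolution is the version a scanner could use for the main module and
// the part of the build info it was taken from.
type Resolution struct {
	Version string
	Source  string // "module", "ldflags", "vcs.revision" or "unknown"
}

// versionFlag matches a linker flag of the form "-X <pkg>.Version=<value>".
// The variable name is an assumption; projects name it differently.
var versionFlag = regexp.MustCompile(`-X\s+['"]?[\w./-]+\.[Vv]ersion=([^\s'"]+)`)

// ResolveMainVersion returns the recorded main module version, or the best
// substitute found in the build settings when that version is "(devel)".
func ResolveMainVersion(bi *debug.BuildInfo) Resolution {
	if v := bi.Main.Version; v != "" && v != "(devel)" {
		return Resolution{Version: v, Source: "module"}
	}
	settings := make(map[string]string, len(bi.Settings))
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	// Linker flags are present only if the toolchain recorded them.
	if m := versionFlag.FindStringSubmatch(settings["-ldflags"]); m != nil {
		return Resolution{Version: m[1], Source: "ldflags"}
	}
	// A commit identifies the build but cannot be range-compared to a fix version.
	if rev := settings["vcs.revision"]; rev != "" {
		if len(rev) > 12 {
			rev = rev[:12]
		}
		return Resolution{Version: rev, Source: "vcs.revision"}
	}
	return Resolution{Source: "unknown"}
}

// sample builds constructed build info for the module path shown in the scans.
func sample(version string, settings ...debug.BuildSetting) *debug.BuildInfo {
	return &debug.BuildInfo{
		Main:     debug.Module{Path: "github.com/k3s-io/k3s", Version: version},
		Settings: settings,
	}
}

// SampleLdflags: "(devel)" main version, release string injected by the linker.
// The -X variable path is hypothetical.
func SampleLdflags() *debug.BuildInfo {
	return sample("(devel)", debug.BuildSetting{
		Key:   "-ldflags",
		Value: "-w -s -X github.com/k3s-io/k3s/pkg/version.Version=v1.28.2+k3s-3d25e9f6",
	})
}

// SampleVCS: "(devel)" main version with only a recorded commit
// (the commit from the install command quoted in the thread).
func SampleVCS() *debug.BuildInfo {
	return sample("(devel)", debug.BuildSetting{
		Key:   "vcs.revision",
		Value: "19fd7e38f674bddaa4571373d767c48bc52867f0",
	})
}

// SampleBare: "(devel)" and nothing else to go on.
func SampleBare() *debug.BuildInfo { return sample("(devel)") }

// SampleTagged: a binary whose main module carries a real version (constructed).
func SampleTagged() *debug.BuildInfo { return sample("v1.2.3") }

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: mainver <go-binary>")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	r := ResolveMainVersion(bi)
	fmt.Printf("%s recorded=%q resolved=%q source=%s\n",
		bi.Main.Path, bi.Main.Version, r.Version, r.Source)
}
```

Run against a binary path such as /usr/local/bin/k3s, a source of "unknown" or "vcs.revision" means any version-range match a scanner reports for the main module needs manual confirmation.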
$ k3s -v
k3s version v1.29.1-rc2+k3s1 (d8907ce6)
go version go1.21.6
$ grype /usr/local/bin/k3s --add-cpes-if-none
✔ Vulnerability DB [no update available]
✔ Indexed file system /usr/local/bin
✔ Cataloged contents d8ed07a164b13b247b4ab1d5ad19f65e57b4058078258b284ab6196eee7c85c0
└── ✔ Packages [32 packages]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
$ grype -vvv /usr/local/bin/k3s -o json
[0000] INFO grype version: 0.74.1
[0000] TRACE starting package cataloger name=go-module-binary-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching mimetype mimetypes=[application/x-elf application/x-sharedlib application/vnd.microsoft.portable-executable application/x-executable application/x-mach-binary]
[0000] TRACE searching filetree by MIME types types=[application/x-elf application/x-sharedlib application/vnd.microsoft.portable-executable application/x-executable application/x-mach-binary]
[0000] TRACE parsing file contents path=/k3s
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/k3s-io/k3s@(devel)/*
[0000] DEBUG discovered 32 packages cataloger=go-module-binary-cataloger
[0000] DEBUG no CPEs for package: Pkg(name="gopkg.in/inf.v0" version="v0.9.1" type="go-module" id="b5deedfa261e49cc")
[0000] DEBUG no CPEs for package: Pkg(name="gopkg.in/yaml.v2" version="v2.4.0" type="go-module" id="a53ee3c94a76e116")
[0000] DEBUG no CPEs for package: Pkg(name="k8s.io/utils" version="v0.0.0-20230726121419-3b25d923346b" type="go-module" id="a5194fe5d3543933")
[0000] DEBUG no CPEs for package: Pkg(name="sigs.k8s.io/json" version="v0.0.0-20221116044647-bc3834ca7abd" type="go-module" id="e8881ea2c2759b24")
[0000] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
[0000] INFO found 0 vulnerability matches across 32 packages
[0000] DEBUG ├── fixed: 0
[0000] DEBUG ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG └── matched: 0
[0000] DEBUG ├── unknown severity: 0
[0000] DEBUG ├── negligible: 0
[0000] DEBUG ├── low: 0
[0000] DEBUG ├── medium: 0
[0000] DEBUG ├── high: 0
[0000] DEBUG └── critical: 0
{
"matches": [],
"source": {
"type": "file",
"target": "/usr/local/bin/k3s"
},
"distro": {
"name": "",
"version": "",
"idLike": null
},
"descriptor": {
"name": "grype",
"version": "0.74.1",
"configuration": {
"output": [
"json"
],
"file": "",
"distro": "",
"add-cpes-if-none": false,
"output-template-file": "",
"check-for-app-update": true,
"only-fixed": false,
"only-notfixed": false,
"ignore-wontfix": "",
"platform": "",
"search": {
"scope": "squashed",
"unindexed-archives": false,
"indexed-archives": true
},
"ignore": null,
"exclude": [],
"db": {
"cache-dir": "/home/ec2-user/.cache/grype/db",
"update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
"ca-cert": "",
"auto-update": true,
"validate-by-hash-on-start": false,
"validate-age": true,
"max-allowed-built-age": 432000000000000
},
"externalSources": {
"enable": false,
"maven": {
"searchUpstreamBySha1": true,
"baseUrl": "https://search.maven.org/solrsearch/select"
}
},
"match": {
"java": {
"using-cpes": false
},
"dotnet": {
"using-cpes": false
},
"golang": {
"using-cpes": false,
"always-use-cpe-for-stdlib": true
},
"javascript": {
"using-cpes": false
},
"python": {
"using-cpes": false
},
"ruby": {
"using-cpes": false
},
"rust": {
"using-cpes": false
},
"stock": {
"using-cpes": true
}
},
"fail-on-severity": "",
"registry": {
"insecure-skip-tls-verify": false,
"insecure-use-http": false,
"auth": null,
"ca-cert": ""
},
"show-suppressed": false,
"by-cve": false,
"name": "",
"default-image-pull-source": "",
"vex-documents": [],
"vex-add": []
},
"db": {
"built": "2024-01-19T01:27:49Z",
"schemaVersion": 5,
"location": "/home/ec2-user/.cache/grype/db/5",
"checksum": "sha256:0dabe98d1b63ae614672cf44a055b9480e900c459f66d5e688ef4c2e31626cd0",
"error": null
},
"timestamp": "2024-01-19T19:50:47.237129204Z"
}
}
$ k3s -v
k3s version v1.28.6-rc2+k3s1 (39a00015)
go version go1.20.13
$ grype /usr/local/bin/k3s --add-cpes-if-none
✔ Vulnerability DB [no update available]
✔ Indexed file system /usr/local/bin
✔ Cataloged contents 74c0a49904f4e6a801b866d93f5f949428f8f2ae667d1ae07f8004d04f2f6c5b
└── ✔ Packages [32 packages]
✔ Scanned for vulnerabilities [0 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
└── by status: 0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
$ grype -vvv /usr/local/bin/k3s -o json
[0000] INFO grype version: 0.74.1
[0000] DEBUG config:
log:
quiet: false
level: trace
file: ""
dev:
profile: none
output:
- json
file: ""
distro: ""
add-cpes-if-none: false
output-template-file: ""
check-for-app-update: true
only-fixed: false
only-notfixed: false
ignore-states: ""
platform: ""
search:
scope: squashed
unindexed-archives: false
indexed-archives: true
ignore: []
exclude: []
db:
cache-dir: /home/ec2-user/.cache/grype/db
update-url: https://toolbox-data.anchore.io/grype/databases/listing.json
ca-cert: ""
auto-update: true
validate-by-hash-on-start: false
validate-age: true
max-allowed-built-age: 120h0m0s
external-sources:
enable: false
maven:
search-upstream: true
base-url: https://search.maven.org/solrsearch/select
match:
java:
using-cpes: false
dotnet:
using-cpes: false
golang:
using-cpes: false
always-use-cpe-for-stdlib: true
javascript:
using-cpes: false
python:
using-cpes: false
ruby:
using-cpes: false
rust:
using-cpes: false
stock:
using-cpes: true
fail-on-severity: ""
registry:
insecure-skip-tls-verify: false
insecure-use-http: false
auth: []
ca-cert: ""
show-suppressed: false
by-cve: false
name: ""
default-image-pull-source: ""
vex-documents: []
vex-add: []
[0000] DEBUG gathering packages
[0000] DEBUG loading DB
[0000] DEBUG looking for updates on vulnerability database
[0000] DEBUG checking for available database updates
[0000] DEBUG found database update candidate: Listing(url=https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v5_2024-01-19T01:27:49Z_f87f267de31b0a1fde9d.tar.gz)
[0000] DEBUG existing database is already up to date
[0000] DEBUG no database update available
[0000] DEBUG no new grype update available
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/*requirements*.txt
[0000] TRACE searching filetree by glob glob=**/*requirements*.txt
[0000] TRACE searching for paths matching glob glob=**/poetry.lock
[0000] TRACE searching filetree by glob glob=**/poetry.lock
[0000] TRACE searching for paths matching glob glob=**/Pipfile.lock
[0000] TRACE searching filetree by glob glob=**/Pipfile.lock
[0000] TRACE searching for paths matching glob glob=**/setup.py
[0000] TRACE searching filetree by glob glob=**/setup.py
[0000] DEBUG discovered 0 packages cataloger=python-package-cataloger
[0000] TRACE package cataloger completed name=python-package-cataloger
[0000] TRACE starting package cataloger name=ruby-gemfile-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/Gemfile.lock
[0000] TRACE searching filetree by glob glob=**/Gemfile.lock
[0000] DEBUG discovered 0 packages cataloger=ruby-gemfile-cataloger
[0000] TRACE package cataloger completed name=ruby-gemfile-cataloger
[0000] TRACE starting package cataloger name=ruby-gemspec-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/*.gemspec
[0000] TRACE searching filetree by glob glob=**/*.gemspec
[0000] DEBUG discovered 0 packages cataloger=ruby-gemspec-cataloger
[0000] TRACE package cataloger completed name=ruby-gemspec-cataloger
[0000] TRACE starting package cataloger name=rust-cargo-lock-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/Cargo.lock
[0000] TRACE searching filetree by glob glob=**/Cargo.lock
[0000] DEBUG discovered 0 packages cataloger=rust-cargo-lock-cataloger
[0000] TRACE package cataloger completed name=rust-cargo-lock-cataloger
[0000] TRACE starting package cataloger name=cocoapods-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/Podfile.lock
[0000] TRACE searching filetree by glob glob=**/Podfile.lock
[0000] DEBUG discovered 0 packages cataloger=cocoapods-cataloger
[0000] TRACE package cataloger completed name=cocoapods-cataloger
[0000] TRACE starting package cataloger name=swift-package-manager-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/Package.resolved
[0000] TRACE searching filetree by glob glob=**/Package.resolved
[0000] TRACE searching for paths matching glob glob=**/.package.resolved
[0000] TRACE searching filetree by glob glob=**/.package.resolved
[0000] DEBUG discovered 0 packages cataloger=swift-package-manager-cataloger
[0000] TRACE package cataloger completed name=swift-package-manager-cataloger
[0000] TRACE starting package cataloger name=dotnet-portable-executable-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/*.dll
[0000] TRACE searching filetree by glob glob=**/*.dll
[0000] TRACE searching for paths matching glob glob=**/*.exe
[0000] TRACE searching filetree by glob glob=**/*.exe
[0000] DEBUG discovered 0 packages cataloger=dotnet-portable-executable-cataloger
[0000] TRACE package cataloger completed name=dotnet-portable-executable-cataloger
[0000] TRACE starting package cataloger name=python-installed-package-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/*.egg-info
[0000] TRACE searching filetree by glob glob=**/*.egg-info
[0000] TRACE searching for paths matching glob glob=**/*dist-info/METADATA
[0000] TRACE searching filetree by glob glob=**/*dist-info/METADATA
[0000] TRACE searching for paths matching glob glob=**/*egg-info/PKG-INFO
[0000] TRACE searching filetree by glob glob=**/*egg-info/PKG-INFO
[0000] TRACE searching for paths matching glob glob=**/*DIST-INFO/METADATA
[0000] TRACE searching filetree by glob glob=**/*DIST-INFO/METADATA
[0000] TRACE searching for paths matching glob glob=**/*EGG-INFO/PKG-INFO
[0000] TRACE searching filetree by glob glob=**/*EGG-INFO/PKG-INFO
[0000] DEBUG discovered 0 packages cataloger=python-installed-package-cataloger
[0000] TRACE package cataloger completed name=python-installed-package-cataloger
[0000] TRACE starting package cataloger name=go-module-binary-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching mimetype mimetypes=[application/x-executable application/x-mach-binary application/x-elf application/x-sharedlib application/vnd.microsoft.portable-executable]
[0000] TRACE searching filetree by MIME types types=[application/x-executable application/x-mach-binary application/x-elf application/x-sharedlib application/vnd.microsoft.portable-executable]
[0000] TRACE parsing file contents path=/k3s
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/containerd/stargz-snapshotter/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/go-logr/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/gogo/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/google/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/google/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/json-iterator/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/klauspost/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/modern-go/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/modern-go/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/opencontainers/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/opencontainers/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/pierrec/[email protected]+incompatible/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/pkg/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/rancher/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/rancher/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/sirupsen/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/spf13/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/urfave/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/vbatts/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/golang.org/x/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/golang.org/x/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/golang.org/x/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/golang.org/x/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/gopkg.in/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/gopkg.in/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/k3s-io/kubernetes/staging/src/k8s.io/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/k3s-io/klog/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/k8s.io/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/sigs.k8s.io/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/sigs.k8s.io/structured-merge-diff/[email protected]/*
[0000] TRACE searching filetree by glob glob=**/go/pkg/mod/github.com/k3s-io/k3s@(devel)/*
[0000] DEBUG discovered 32 packages cataloger=go-module-binary-cataloger
[0000] TRACE package cataloger completed name=go-module-binary-cataloger
[0000] TRACE starting package cataloger name=java-archive-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/*.jar
[0000] TRACE searching filetree by glob glob=**/*.jar
[0000] TRACE searching for paths matching glob glob=**/*.war
[0000] TRACE searching filetree by glob glob=**/*.war
[0000] TRACE searching for paths matching glob glob=**/*.ear
[0000] TRACE searching filetree by glob glob=**/*.ear
[0000] TRACE searching for paths matching glob glob=**/*.par
[0000] TRACE searching filetree by glob glob=**/*.par
[0000] TRACE searching for paths matching glob glob=**/*.sar
[0000] TRACE searching filetree by glob glob=**/*.sar
[0000] TRACE searching for paths matching glob glob=**/*.nar
[0000] TRACE searching filetree by glob glob=**/*.nar
[0000] TRACE searching for paths matching glob glob=**/*.jpi
[0000] TRACE searching filetree by glob glob=**/*.jpi
[0000] TRACE searching for paths matching glob glob=**/*.hpi
[0000] TRACE searching filetree by glob glob=**/*.hpi
[0000] TRACE searching for paths matching glob glob=**/*.lpkg
[0000] TRACE searching filetree by glob glob=**/*.lpkg
[0000] TRACE searching for paths matching glob glob=**/*.zip
[0000] TRACE searching filetree by glob glob=**/*.zip
[0000] DEBUG discovered 0 packages cataloger=java-archive-cataloger
[0000] TRACE package cataloger completed name=java-archive-cataloger
[0000] TRACE starting package cataloger name=graalvm-native-image-cataloger
[0000] TRACE searching filetree by MIME types types=[application/x-executable application/x-mach-binary application/x-elf application/x-sharedlib application/vnd.microsoft.portable-executable]
[0000] TRACE unable to extract SBOM from possible java native-image /k3s: no symbols found in binary: no symbol section
[0000] TRACE not a MachO binary error=invalid magic number in record at byte 0x0 filename=/k3s
[0000] TRACE not a PE binary error=unrecognized PE machine: 0x457f filename=/k3s
[0000] DEBUG discovered 0 packages cataloger=graalvm-native-image-cataloger
[0000] TRACE package cataloger completed name=graalvm-native-image-cataloger
[0000] TRACE starting package cataloger name=nix-store-cataloger
[0000] DEBUG discovered 0 packages cataloger=nix-store-cataloger
[0000] TRACE package cataloger completed name=nix-store-cataloger
[0000] TRACE starting package cataloger name=binary-cataloger
[0000] TRACE cataloging binaries classifier=python-binary
[0000] TRACE searching filetree by glob glob=**/python*
[0000] TRACE cataloging binaries classifier=python-binary-lib
[0000] TRACE searching filetree by glob glob=**/libpython*.so*
[0000] TRACE cataloging binaries classifier=pypy-binary-lib
[0000] TRACE searching filetree by glob glob=**/libpypy*.so*
[0000] TRACE cataloging binaries classifier=go-binary
[0000] TRACE searching filetree by glob glob=**/go
[0000] TRACE cataloging binaries classifier=julia-binary
[0000] TRACE searching filetree by glob glob=**/libjulia-internal.so
[0000] TRACE cataloging binaries classifier=helm
[0000] TRACE searching filetree by glob glob=**/helm
[0000] TRACE cataloging binaries classifier=redis-binary
[0000] TRACE searching filetree by glob glob=**/redis-server
[0000] TRACE cataloging binaries classifier=java-binary-openjdk
[0000] TRACE searching filetree by glob glob=**/java
[0000] TRACE cataloging binaries classifier=java-binary-ibm
[0000] TRACE searching filetree by glob glob=**/java
[0000] TRACE cataloging binaries classifier=java-binary-oracle
[0000] TRACE searching filetree by glob glob=**/java
[0000] TRACE cataloging binaries classifier=nodejs-binary
[0000] TRACE searching filetree by glob glob=**/node
[0000] TRACE cataloging binaries classifier=go-binary-hint
[0000] TRACE searching filetree by glob glob=**/VERSION
[0000] TRACE cataloging binaries classifier=busybox-binary
[0000] TRACE searching filetree by glob glob=**/busybox
[0000] TRACE cataloging binaries classifier=haproxy-binary
[0000] TRACE searching filetree by glob glob=**/haproxy
[0000] TRACE cataloging binaries classifier=perl-binary
[0000] TRACE searching filetree by glob glob=**/perl
[0000] TRACE cataloging binaries classifier=php-cli-binary
[0000] TRACE searching filetree by glob glob=**/php*
[0000] TRACE cataloging binaries classifier=php-fpm-binary
[0000] TRACE searching filetree by glob glob=**/php-fpm*
[0000] TRACE cataloging binaries classifier=php-apache-binary
[0000] TRACE searching filetree by glob glob=**/libphp*.so
[0000] TRACE cataloging binaries classifier=php-composer-binary
[0000] TRACE searching filetree by glob glob=**/composer*
[0000] TRACE cataloging binaries classifier=httpd-binary
[0000] TRACE searching filetree by glob glob=**/httpd
[0000] TRACE cataloging binaries classifier=memcached-binary
[0000] TRACE searching filetree by glob glob=**/memcached
[0000] TRACE cataloging binaries classifier=traefik-binary
[0000] TRACE searching filetree by glob glob=**/traefik
[0000] TRACE cataloging binaries classifier=postgresql-binary
[0000] TRACE searching filetree by glob glob=**/postgres
[0000] TRACE cataloging binaries classifier=mysql-binary
[0000] TRACE searching filetree by glob glob=**/mysql
[0000] TRACE cataloging binaries classifier=mysql-binary
[0000] TRACE searching filetree by glob glob=**/mysql
[0000] TRACE cataloging binaries classifier=mysql-binary
[0000] TRACE searching filetree by glob glob=**/mysql
[0000] TRACE cataloging binaries classifier=xtrabackup-binary
[0000] TRACE searching filetree by glob glob=**/xtrabackup
[0000] TRACE cataloging binaries classifier=mariadb-binary
[0000] TRACE searching filetree by glob glob=**/mariadb
[0000] TRACE cataloging binaries classifier=rust-standard-library-linux
[0000] TRACE searching filetree by glob glob=**/libstd-????????????????.so
[0000] TRACE cataloging binaries classifier=rust-standard-library-macos
[0000] TRACE searching filetree by glob glob=**/libstd-????????????????.dylib
[0000] TRACE cataloging binaries classifier=ruby-binary
[0000] TRACE searching filetree by glob glob=**/ruby
[0000] TRACE cataloging binaries classifier=erlang-binary
[0000] TRACE searching filetree by glob glob=**/erlexec
[0000] TRACE cataloging binaries classifier=consul-binary
[0000] TRACE searching filetree by glob glob=**/consul
[0000] TRACE cataloging binaries classifier=nginx-binary
[0000] TRACE searching filetree by glob glob=**/nginx
[0000] TRACE cataloging binaries classifier=bash-binary
[0000] TRACE searching filetree by glob glob=**/bash
[0000] TRACE cataloging binaries classifier=openssl-binary
[0000] TRACE searching filetree by glob glob=**/openssl
[0000] TRACE cataloging binaries classifier=gcc-binary
[0000] TRACE searching filetree by glob glob=**/gcc
[0000] TRACE cataloging binaries classifier=wordpress-cli-binary
[0000] TRACE searching filetree by glob glob=**/wp
[0000] DEBUG discovered 0 packages cataloger=binary-cataloger
[0000] TRACE package cataloger completed name=binary-cataloger
[0000] TRACE starting package cataloger name=github-actions-usage-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/.github/workflows/*.yaml
[0000] TRACE searching filetree by glob glob=**/.github/workflows/*.yaml
[0000] TRACE searching for paths matching glob glob=**/.github/workflows/*.yml
[0000] TRACE searching filetree by glob glob=**/.github/workflows/*.yml
[0000] TRACE searching for paths matching glob glob=**/.github/actions/*/action.yml
[0000] TRACE searching filetree by glob glob=**/.github/actions/*/action.yml
[0000] TRACE searching for paths matching glob glob=**/.github/actions/*/action.yaml
[0000] TRACE searching filetree by glob glob=**/.github/actions/*/action.yaml
[0000] DEBUG discovered 0 packages cataloger=github-actions-usage-cataloger
[0000] TRACE package cataloger completed name=github-actions-usage-cataloger
[0000] TRACE starting package cataloger name=github-action-workflow-usage-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/.github/workflows/*.yaml
[0000] TRACE searching filetree by glob glob=**/.github/workflows/*.yaml
[0000] TRACE searching for paths matching glob glob=**/.github/workflows/*.yml
[0000] TRACE searching filetree by glob glob=**/.github/workflows/*.yml
[0000] DEBUG discovered 0 packages cataloger=github-action-workflow-usage-cataloger
[0000] TRACE package cataloger completed name=github-action-workflow-usage-cataloger
[0000] TRACE starting package cataloger name=sbom-cataloger
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/usr/lib/os-release
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/system-release-cpe
[0000] TRACE searching filetree by path path=/usr/local/bin/etc/redhat-release
[0000] TRACE searching filetree by path path=/usr/local/bin/bin/busybox
[0000] TRACE searching for paths matching glob glob=**/*.syft.json
[0000] TRACE searching filetree by glob glob=**/*.syft.json
[0000] TRACE searching for paths matching glob glob=**/*.bom.*
[0000] TRACE searching filetree by glob glob=**/*.bom.*
[0000] TRACE searching for paths matching glob glob=**/*.bom
[0000] TRACE searching filetree by glob glob=**/*.bom
[0000] TRACE searching for paths matching glob glob=**/bom
[0000] TRACE searching filetree by glob glob=**/bom
[0000] TRACE searching for paths matching glob glob=**/*.sbom.*
[0000] TRACE searching filetree by glob glob=**/*.sbom.*
[0000] TRACE searching for paths matching glob glob=**/*.sbom
[0000] TRACE searching filetree by glob glob=**/*.sbom
[0000] TRACE searching for paths matching glob glob=**/sbom
[0000] TRACE searching filetree by glob glob=**/sbom
[0000] TRACE searching for paths matching glob glob=**/*.cdx.*
[0000] TRACE searching filetree by glob glob=**/*.cdx.*
[0000] TRACE searching for paths matching glob glob=**/*.cdx
[0000] TRACE searching filetree by glob glob=**/*.cdx
[0000] TRACE searching for paths matching glob glob=**/*.spdx.*
[0000] TRACE searching filetree by glob glob=**/*.spdx.*
[0000] TRACE searching for paths matching glob glob=**/*.spdx
[0000] TRACE searching filetree by glob glob=**/*.spdx
[0000] DEBUG discovered 0 packages cataloger=sbom-cataloger
[0000] TRACE package cataloger completed name=sbom-cataloger
[0000] DEBUG no CPEs for package: Pkg(name="gopkg.in/inf.v0" version="v0.9.1" type="go-module" id="c18955394e2e88b3")
[0000] DEBUG no CPEs for package: Pkg(name="gopkg.in/yaml.v2" version="v2.4.0" type="go-module" id="41aa3fc6e13b5446")
[0000] DEBUG no CPEs for package: Pkg(name="k8s.io/utils" version="v0.0.0-20230406110748-d93618cff8a2" type="go-module" id="2e1ddc648eaebf40")
[0000] DEBUG no CPEs for package: Pkg(name="sigs.k8s.io/json" version="v0.0.0-20221116044647-bc3834ca7abd" type="go-module" id="95a7f56d3f28299f")
[0000] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
[0000] TRACE finding matches against DB
[0000] DEBUG adding matcher: deb
[0000] DEBUG adding matcher: gem
[0000] DEBUG adding matcher: python
[0000] DEBUG adding matcher: dotnet
[0000] DEBUG adding matcher: rpm
[0000] DEBUG adding matcher: java-archive
[0000] DEBUG adding matcher: jenkins-plugin
[0000] DEBUG adding matcher: npm
[0000] DEBUG adding matcher: apk
[0000] DEBUG adding matcher: go-module
[0000] DEBUG adding matcher: msrc-kb
[0000] DEBUG adding matcher: portage
[0000] DEBUG adding matcher: rust-crate
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/containerd/stargz-snapshotter/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/go-logr/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/gogo/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/google/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/google/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/json-iterator/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/k3s-io/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/k3s-io/klog/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/k3s-io/kubernetes/staging/src/k8s.io/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/klauspost/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/modern-go/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/modern-go/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/opencontainers/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/opencontainers/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/pierrec/[email protected]+incompatible
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/pkg/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/rancher/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/rancher/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/sirupsen/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/spf13/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/urfave/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/github.com/vbatts/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/golang.org/x/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/golang.org/x/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/golang.org/x/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/golang.org/x/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/gopkg.in/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/gopkg.in/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/k8s.io/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/sigs.k8s.io/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/sigs.k8s.io/structured-merge-diff/[email protected]
[0000] TRACE searching for vulnerability matches package=pkg:golang/[email protected]
[0000] TRACE finding matches against available VEX documents
[0000] INFO found 0 vulnerability matches across 32 packages
[0000] DEBUG ├── fixed: 0
[0000] DEBUG ├── ignored: 0 (due to user-provided rule)
[0000] DEBUG ├── dropped: 0 (due to hard-coded correction)
[0000] DEBUG └── matched: 0
[0000] DEBUG ├── unknown severity: 0
[0000] DEBUG ├── negligible: 0
[0000] DEBUG ├── low: 0
[0000] DEBUG ├── medium: 0
[0000] DEBUG ├── high: 0
[0000] DEBUG └── critical: 0
[0000] TRACE worker stopped component=eventloop
[0000] TRACE signal exit component=eventloop
{
  "matches": [],
  "source": {
    "type": "file",
    "target": "/usr/local/bin/k3s"
  },
  "distro": {
    "name": "",
    "version": "",
    "idLike": null
  },
  "descriptor": {
    "name": "grype",
    "version": "0.74.1",
    "configuration": {
      "output": [
        "json"
      ],
      "file": "",
      "distro": "",
      "add-cpes-if-none": false,
      "output-template-file": "",
      "check-for-app-update": true,
      "only-fixed": false,
      "only-notfixed": false,
      "ignore-wontfix": "",
      "platform": "",
      "search": {
        "scope": "squashed",
        "unindexed-archives": false,
        "indexed-archives": true
      },
      "ignore": null,
      "exclude": [],
      "db": {
        "cache-dir": "/home/ec2-user/.cache/grype/db",
        "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json",
        "ca-cert": "",
        "auto-update": true,
        "validate-by-hash-on-start": false,
        "validate-age": true,
        "max-allowed-built-age": 432000000000000
      },
      "externalSources": {
        "enable": false,
        "maven": {
          "searchUpstreamBySha1": true,
          "baseUrl": "https://search.maven.org/solrsearch/select"
        }
      },
      "match": {
        "java": {
          "using-cpes": false
        },
        "dotnet": {
          "using-cpes": false
        },
        "golang": {
          "using-cpes": false,
          "always-use-cpe-for-stdlib": true
        },
        "javascript": {
          "using-cpes": false
        },
        "python": {
          "using-cpes": false
        },
        "ruby": {
          "using-cpes": false
        },
        "rust": {
          "using-cpes": false
        },
        "stock": {
          "using-cpes": true
        }
      },
      "fail-on-severity": "",
      "registry": {
        "insecure-skip-tls-verify": false,
        "insecure-use-http": false,
        "auth": null,
        "ca-cert": ""
      },
      "show-suppressed": false,
      "by-cve": false,
      "name": "",
      "default-image-pull-source": "",
      "vex-documents": [],
      "vex-add": []
    },
    "db": {
      "built": "2024-01-19T01:27:49Z",
      "schemaVersion": 5,
      "location": "/home/ec2-user/.cache/grype/db/5",
      "checksum": "sha256:0dabe98d1b63ae614672cf44a055b9480e900c459f66d5e688ef4c2e31626cd0",
      "error": null
    },
    "timestamp": "2024-01-19T19:47:22.700068568Z"
  }
}
@VestigeJ can you have it list the packages that it has found? I'm curious if the version detection has been fixed; unfortunately by default it only shows the version if there are vulns found.
Modified comments above to reflect requested changes.