note about stdlib FP
itaysk committed Sep 11, 2024
1 parent e708970 commit 1218538
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions docs/docs/coverage/language/golang.md
Expand Up @@ -65,15 +65,20 @@ such as `go mod download`, `go mod tidy`, etc.
Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.

#### Standard Library
Detecting the version of Go used in the project can be tricky. The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment. Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
Detecting the version of Go used in the project can be tricky. The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment. Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode.
When enabled, Trivy detects stdlib version as the minimum between the `go` and the [toolchain][^6] directives in the `go.mod` file.
To obtain reproducible scan results Trivy doesn't check the locally installed version of `Go`.

!!! note
Trivy detects `stdlib` only for `Go` 1.21 or higher.

The version from the `go` line (for `Go` 1.20 or early) is not a minimum required version.
For details, see [this](https://go.googlesource.com/proposal/+/master/design/57001-gotoolchain.md).
For details, see [this](https://go.googlesource.com/proposal/+/master/design/57001-gotoolchain.md).

Trivy does not know if or how you use stdlib functions, therefore it is possible that stdlib vulnerabilities are not applicable to your use case. There are a few ways to mitigate this:
1. set `--detection-priority precise` to disable stdlib detection.
2. Analyze vulnerability reachability using a tool such as [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck). This will ensure that reported vulnerabilities are applicable to your project.
3. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/ignore.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use.

### Go binaries
Trivy scans Go binaries when it encounters them during scans such as container images or file systems.
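Review bot: item 1 of the new mitigation list ("set `--detection-priority precise` to disable stdlib detection") reads as if stdlib detection were on by default, while the paragraph just above states it is enabled only in `--detection-priority comprehensive` mode; consider rewording to "if you have enabled `--detection-priority comprehensive`, switch back to `--detection-priority precise` to disable stdlib detection" so the two statements agree. Minor style: item 1 starts lowercase ("set") while items 2 and 3 start with a capital, and "for self-use" / "for public use" in item 3 would be clearer as "for your own scans" / "for sharing with consumers of your project".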
