Allow users to scan vulnerabilities in the Go binary itself

[oatovar]

IDs

CVE-2023-4822

Description

The Go documentation has a note that Trivy will intentionally not report vulnerabilities that directly affect the binary.

Trivy scans only dependencies of the Go project. Let's say you scan the Docker binary, Trivy doesn't detect vulnerabilities of Docker itself. Also, when you scan go.mod in Kubernetes, the Kubernetes vulnerabilities will not be found.

Unfortunately, this leads to false negatives where you can scan a container that's running a known vulnerable binary, but don't receive the vulnerability in the report. I'm not sure what the historical context was for this from looking at aquasecurity/go-dep-parser#19, but I think detecting vulnerabilities in the project itself is a valid use case.

Reproduction Steps

1. Run trivy image --format cyclonedx --output bom.json grafana/grafana:9.5.1-ubuntu

2. Inspect the generated SBOM and verify that there's not an entry for github.com/grafana/grafana as a component.

3. Run a background container with the same image

   docker run --rm -d --name grafana grafana/grafana:9.5.1-ubuntu

4. Copy the binary from the container

   docker cp grafana:/usr/share/grafana/bin/grafana .
   

5. Run go version -m ./grafana and verify that you can see the vulnerable module name and version (some output omitted for brevity).

   ./grafana: go1.20.3
       path	github.com/grafana/grafana/pkg/cmd/grafana
       mod	github.com/grafana/grafana	(devel)	
           ...
       build	-ldflags="-w -X main.version=9.5.1 -X main.commit=bc353e4b2d -X main.buildstamp=1682353621 -X main.buildBranch=HEAD"
           ...
   

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

❯ trivy image --format cyclonedx --output cdx.json grafana/grafana:9.5.1-ubuntu --debug
2024-04-18T16:06:34.702-0400    DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-04-18T16:06:34.702-0400    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-18T16:06:34.703-0400    DEBUG   Ignore statuses {"statuses": null}
2024-04-18T16:06:34.703-0400    INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-04-18T16:06:34.720-0400    DEBUG   cache dir:  /Users/hacks4oats/Library/Caches/trivy
2024-04-18T16:06:34.720-0400    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-18T16:06:34.741-0400    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-04-18T16:06:34.742-0400    DEBUG   Image ID: sha256:3d767107a2e4771f845e7037d497c5d743a2fa11f24b848ceca67a948eed8b5e
2024-04-18T16:06:34.742-0400    DEBUG   Diff IDs: [sha256:8b61d2f614344df96d63562c4173c250b8bca5cb4b3b07f4c755d731bd02f647 sha256:701b57e1a8fceae23e5d7f22de3884407909a1d7335affffb9e38c2cf4f50dae sha256:a8a9e5c199cdaea15fb9691d295e204ba104b68a03e5ec3c0684a69da2ffebe7 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:98c733aca7e59a004454f6aa72a1b23fece441d34d74c0ee2ae8688cfaeaf447 sha256:d6835555ad8bc2751bcb16bd28b4610f4788a7be498eaffe161e22c79a5e8d18 sha256:f65da0fdb7adee92399950e21f8328545a789456ccd07d7b4113cb670dbd33f1 sha256:d3898078c719de924ee0b7b3aa7307f049de273366495d0e3cbd753b9ae88789 sha256:3cac03b35aa18f4ab4881b254779b0de2db1e5651208b6f968116ce3ff6c4e4f]
2024-04-18T16:06:34.742-0400    DEBUG   Base Layers: [sha256:8b61d2f614344df96d63562c4173c250b8bca5cb4b3b07f4c755d731bd02f647]

Version

❯ trivy --version
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-04 12:11:24.292937837 +0000 UTC
  NextUpdate: 2024-04-04 18:11:24.292937446 +0000 UTC
  DownloadedAt: 2024-04-04 16:12:22.161921 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Duplicate of #1837

[oatovar]

@DmitriyLewen Thanks for linking that issue, and I apologize for missing it during my search. The linked issue appears to be closed, but the last answer mentions that this feature is now possible. I'm not sure how to interpret this. Does the closed status indicate that this is a won't do situation?

[DmitriyLewen]

hm... I was sure that we were parsing main modules of Go binaries...
But now we skip them.

I created #6530 to add main module analysis for Go binaries.

But keep in mind that to get the correct version, you need to install the Go binary using go install (if possible), otherwise you will get a(devel) version.