
Go module false positives #1973

Closed
mattfarina opened this issue Apr 11, 2022 · 3 comments · Fixed by #1985
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@mattfarina

Description

Trivy is reporting false positives for Go modules.

Specifically, there can be modules referenced/imported by dependencies that are not included in an application that have vulnerabilities. The application isn't using them so they are a false positive. There are several projects that currently show false positives including Helm and containerd, the CNCF projects.

This appears to be happening because the go.sum file is used to find dependencies. This file can have more dependencies listed than those in use.

Go 1.17 and newer make the modules in use clearer. From the release notes for Go 1.17...

If a module specifies go 1.17 or higher in its go.mod file, its go.mod file now contains an explicit require directive for every module that provides a transitively-imported package.

This appears to be happening because of aquasecurity/go-dep-parser#75.

What did you expect to happen?

I expect Trivy to provide an accurate list of the CVEs affecting a Go codebase. False positives are problematic for people who use it to review a codebase.

What happened instead?

Trivy is reporting CVEs for modules not being imported by an application written in Go.

Output of run with -debug:

So as not to clutter up the issue, I put it into a gist... https://gist.github.com/mattfarina/f74d71cd180da77fcb323dd053e4e6cb

Output of trivy -v:

$ trivy --version
Version: 0.25.3
Vulnerability DB:
  Version: 1
  UpdatedAt: 2022-04-07 12:51:48.85111898 +0000 UTC
  NextUpdate: 2022-04-07 18:51:48.85111828 +0000 UTC
  DownloadedAt: 2022-04-07 16:49:09.194916 +0000 UTC

Additional details (base image name, container registry info...): N/A

@mattfarina mattfarina added the kind/bug Categorizes issue or PR as related to a bug. label Apr 11, 2022
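As an added illustration of the report above (not code from Trivy or go-dep-parser), the following Go snippet applies the rule the issue asks for: it takes the require directives from go.mod when the go directive is 1.17 or newer, and only falls back to the checksum entries in go.sum otherwise. It assumes go.mod and go.sum contents are passed in as strings, skips the `path version/go.mod hash` lines of go.sum, and keeps `// indirect` requirements because a Go 1.17+ go.mod lists them precisely when they provide transitively-imported packages.

```go
package main

import (
	"strconv"
	"strings"
)

// Module is one dependency as recorded in go.mod or go.sum.
type Module struct{ Path, Version string }

// parseGoMod lists every module in a require directive, single-line or in a
// require ( ... ) block. "// indirect" entries are kept: in Go 1.17+ they still provide imported packages.
func parseGoMod(gomod string) (mods []Module) {
	inBlock := false
	for _, l := range strings.Split(gomod, "\n") {
		f := strings.Fields(l)
		switch {
		case len(f) == 0 || strings.HasPrefix(f[0], "//"): // blank line or comment
		case f[0] == "require" && len(f) > 1 && f[1] == "(":
			inBlock = true
		case f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) > 2:
			mods = append(mods, Module{f[1], f[2]})
		case inBlock && len(f) > 1:
			mods = append(mods, Module{f[0], f[1]})
		}
	}
	return mods
}
// parseGoSum lists every module with a checksum line, skipping "path version/go.mod hash"
// entries; a module listed here may never be built into the application at all.
func parseGoSum(gosum string) (mods []Module) {
	for _, l := range strings.Split(gosum, "\n") {
		if f := strings.Fields(l); len(f) == 3 && !strings.HasSuffix(f[1], "/go.mod") {
			mods = append(mods, Module{f[0], f[1]})
		}
	}
	return mods
}
// ModulesToScan reads go.mod when its "go 1.Y" directive has Y >= 17, and go.sum otherwise.
func ModulesToScan(gomod, gosum string) []Module {
	for _, l := range strings.Split(gomod, "\n") {
		if f := strings.Fields(l); len(f) == 2 && f[0] == "go" {
			if minor, _ := strconv.Atoi(strings.Split(strings.TrimPrefix(f[1], "1."), ".")[0]); minor >= 17 {
				return parseGoMod(gomod)
			}
		}
	}
	return parseGoSum(gosum)
}
```

With a go 1.16 directive the same go.sum yields every checksummed module, including ones no package in the build imports, which is exactly the over-reporting described in the issue.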
@knqyf263
Collaborator

Thanks for the report. Yes, Go 1.17 added the information and we can support it now. We needed to depend on go.sum before Go 1.17. It makes sense to support go.mod for Go 1.17+ projects.

@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 13, 2022
@knqyf263
Collaborator

We just added support for go.mod in Go 1.17+. It will be released this week. Thanks for your great help, @jerbob92!

@knqyf263
Collaborator

v0.26.0 is out.
#2001
