Add CVE-2024-34156 to VEX

[knqyf263]

Description

Trivy is not using encoding/gob, so CVE-2024-34156 should not affect us. We should update our VEX.

To ensure that, we can first run govulncheck and see the result. However, if the local Go version is newer, govulncheck will not detect CVE-2024-34156 in the first place, so we will need to install the affected Go version.

[DmitriyLewen]

@knqyf263 govulncheck marks CVE-2024-13156 as affected:

➜ git checkout v0.55.1
...

HEAD is now at 8c6a4a64c release: v0.55.1 [release/v0.55] (#7491)

➜ go version      
go version go1.22.4 darwin/arm64

➜ cat go.mod | grep toolchain  
toolchain go1.22.4

➜  govulncheck -format openvex ./... 
{
  "vulnerability": {
    "@id": "https://pkg.go.dev/vuln/GO-2024-3106",
    "name": "GO-2024-3106",
    "description": "Stack exhaustion in Decoder.Decode in encoding/gob",
    "aliases": [
      "CVE-2024-34156"
    ]
  },
  "products": [
    {
      "@id": "Unknown Product"
    }
  ],
  "status": "affected"
}

IIUC this means one of the child dependencies uses encoding/gob.
Correct me if I'm wrong.

[knqyf263]

If I understand correctly, it's a false positive as commented here. I'm still trying to understand the problem.

[knqyf263]

I carefully reviewed it again, but I don't think this vulnerability affects Trivy as we don't use encoding/gob and DefaultSource.

[DmitriyLewen]

@knqyf263 Got it.
I created #7510.
I added link to your issue in the vex file::

trivy/.vex/trivy.openvex.json

Line 484 in 7d7b836

"impact_statement": "Govulncheck incorrectly marks this vulnerability as affected. The vulnerable code isn't called. See https://github.com/golang/go/issues/69446"

[knqyf263]

Thanks. Can we also suppress CVE-2024-34155 and CVE-2024-34158?

[DmitriyLewen]

govulncheck doesn't find any usage of vulnerable code, so I think we can add them.
I'll update #7510.