Never mind, after a bit more searching, it does not affect 1.21. Sorry.
Description
The new feature to check CVEs on the go runtime only seems to work if the app is built on the latest minor go version (e.g. go1.22). If built on a vulnerable version of go1.21, the check passes.
Note: I do not know if this only affects this particular CVE / maybe database issue? CVE-2024-24788
(Seems 1.21.9 IS vulnerable)
Desired Behavior
It should detect the vulnerable older versions as well
Actual Behavior
It did not
Reproduction Steps
2a. Build using go 1.21.9 (Affected by CVE-2024-24788)
2b. Run trivy
3a. Build using go1.22.2 (affected by CVE-2024-24788)
3b. Run trivy
???
Profit
(Ok sorry 4 & 5 are a joke)
Target
Filesystem
Scanner
Vulnerability
Output Format
Table
Mode
Standalone
Debug Output
Operating System
Version
Checklist
trivy image --reset