Go stdlib only seems to check latest minor version

[ckcr4lyf]

Description

The new feature to check CVEs on the go runtime only seem to work if the app is built on the latest minor go version (e.g. go1.22). If built on a vulnerable version of go1.21, the check passes.

Note: I do not know if this only affects this particular CVE / maybe database issue? CVE-2024-24788

• https://nvd.nist.gov/vuln/detail/CVE-2024-24788
• https://groups.google.com/g/golang-announce/c/wkkO4P9stm0

(Seems 1.21.9 IS vulnerable)

Desired Behavior

It should detect the vulnerable older versions as well

Actual Behavior

It did not

Reproduction Steps

1. Have a golang hello world project

2a. Build using go 1.21.9 (Affected by CVE-2024-24788)

$ go version -m hello
hello: go1.21.9
	path	command-line-arguments
	build	-buildmode=exe
	build	-compiler=gc
	build	CGO_ENABLED=1
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=amd64
	build	GOOS=linux
	build	GOAMD64=v1

2b. Run trivy

$ trivy rootfs ./hello --clear-cache
2024-05-10T12:31:01+08:00	INFO	Removing artifact caches...

$ trivy rootfs ./hello --debug
2024-05-10T12:31:04+08:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-10T12:31:04+08:00	DEBUG	Ignore statuses	statuses=[]
2024-05-10T12:31:04+08:00	DEBUG	Cache dir	dir="/home/raghu/.cache/trivy"
2024-05-10T12:31:04+08:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-10T12:31:04+08:00	DEBUG	DB info	schema=2 updated_at=2024-05-10T00:16:11.078834969Z next_update=2024-05-10T06:16:11.078834738Z downloaded_at=2024-05-10T03:20:37.29657457Z
2024-05-10T12:31:04+08:00	INFO	Vulnerability scanning is enabled
2024-05-10T12:31:04+08:00	DEBUG	Vulnerability type	type=[os library]
2024-05-10T12:31:04+08:00	INFO	Secret scanning is enabled
2024-05-10T12:31:04+08:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T12:31:04+08:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T12:31:04+08:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-10T12:31:04+08:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-10T12:31:04+08:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="" -ldflags=[]
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.	dependency=""
2024-05-10T12:31:04+08:00	DEBUG	OS is not detected.
2024-05-10T12:31:04+08:00	DEBUG	Detected OS: unknown
2024-05-10T12:31:04+08:00	INFO	Number of language-specific files	num=1
2024-05-10T12:31:04+08:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Scanning packages from the file	file_path="hello"
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name=""

3a. Build using go1.22.2 (affected by CVE-2024-24788)

$ go version -m hello
hello: go1.22.2
	path	command-line-arguments
	build	-buildmode=exe
	build	-compiler=gc
	build	DefaultGODEBUG=httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
	build	CGO_ENABLED=1
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=amd64
	build	GOOS=linux
	build	GOAMD64=v1

3b. Run trivy

$ trivy rootfs ./hello --clear-cache
2024-05-10T12:33:13+08:00	INFO	Removing artifact caches...

$ trivy rootfs ./hello --debug
2024-05-10T12:33:18+08:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-10T12:33:18+08:00	DEBUG	Ignore statuses	statuses=[]
2024-05-10T12:33:18+08:00	DEBUG	Cache dir	dir="/home/raghu/.cache/trivy"
2024-05-10T12:33:18+08:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-10T12:33:18+08:00	DEBUG	DB info	schema=2 updated_at=2024-05-10T00:16:11.078834969Z next_update=2024-05-10T06:16:11.078834738Z downloaded_at=2024-05-10T03:20:37.29657457Z
2024-05-10T12:33:18+08:00	INFO	Vulnerability scanning is enabled
2024-05-10T12:33:18+08:00	DEBUG	Vulnerability type	type=[os library]
2024-05-10T12:33:18+08:00	INFO	Secret scanning is enabled
2024-05-10T12:33:18+08:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T12:33:18+08:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T12:33:18+08:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-10T12:33:18+08:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-10T12:33:18+08:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-10T12:33:18+08:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="" -ldflags=[]
2024-05-10T12:33:18+08:00	DEBUG	[gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.	dependency=""
2024-05-10T12:33:18+08:00	DEBUG	OS is not detected.
2024-05-10T12:33:18+08:00	DEBUG	Detected OS: unknown
2024-05-10T12:33:18+08:00	INFO	Number of language-specific files	num=1
2024-05-10T12:33:18+08:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-10T12:33:18+08:00	DEBUG	[gobinary] Scanning packages from the file	file_path="hello"
2024-05-10T12:33:18+08:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name=""

hello (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24788 │ HIGH     │ fixed  │ 1.22.2            │ 1.22.3        │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

4. ???

5. Profit

(Ok sorry 4 & 5 are a joke)

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-05-10T12:31:04+08:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-10T12:31:04+08:00	DEBUG	Ignore statuses	statuses=[]
2024-05-10T12:31:04+08:00	DEBUG	Cache dir	dir="/home/raghu/.cache/trivy"
2024-05-10T12:31:04+08:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-10T12:31:04+08:00	DEBUG	DB info	schema=2 updated_at=2024-05-10T00:16:11.078834969Z next_update=2024-05-10T06:16:11.078834738Z downloaded_at=2024-05-10T03:20:37.29657457Z
2024-05-10T12:31:04+08:00	INFO	Vulnerability scanning is enabled
2024-05-10T12:31:04+08:00	DEBUG	Vulnerability type	type=[os library]
2024-05-10T12:31:04+08:00	INFO	Secret scanning is enabled
2024-05-10T12:31:04+08:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T12:31:04+08:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T12:31:04+08:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-10T12:31:04+08:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-10T12:31:04+08:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="" -ldflags=[]
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.	dependency=""
2024-05-10T12:31:04+08:00	DEBUG	OS is not detected.
2024-05-10T12:31:04+08:00	DEBUG	Detected OS: unknown
2024-05-10T12:31:04+08:00	INFO	Number of language-specific files	num=1
2024-05-10T12:31:04+08:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Scanning packages from the file	file_path="hello"
2024-05-10T12:31:04+08:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name=""

Operating System

Arch Linux (Linux arch 6.8.9-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 02 May 2024 17:49:46 +0000 x86_64 GNU/Linux)

Version

$ trivy --version
Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-10 00:16:11.078834969 +0000 UTC
  NextUpdate: 2024-05-10 06:16:11.078834738 +0000 UTC
  DownloadedAt: 2024-05-10 03:20:37.29657457 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[ckcr4lyf]

Nevermind, I after a bit more searching it does not affect 1.21. Sorry.

[ckcr4lyf]

golang/go#67039 (comment)