What happened:
Related to bug reported in #1370, quay.io/calico/kube-controllers:v3.20.0 image does not have Go compiler but only contains a binary that was compiled with the Go compiler and statically linked against the Go runtime library.
The issue was fixed in anchore/syft#2195, however, now it's reporting false positive CVE's that only affect to Go compiler itself: CVE-2023-29402, CVE-2023-29404 and CVE-2023-29405:
❯ grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'
stdlib go1.15.2 go-module CVE-2023-29405 Critical
stdlib go1.15.2 go-module CVE-2023-29404 Critical
stdlib go1.15.2 go-module CVE-2023-29402 Critical
stdlib go1.15.2 go-module CVE-2023-29403 High
What you expected to happen:
It should only report CVE-2023-29403 since that's the only vulnerability that affects the runtime library:
❯ grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'
stdlib go1.15.2 go-module CVE-2023-29403 High
How to reproduce it (as minimally and precisely as possible):
Run
grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'
Anything else we need to know?:
Environment:
- Output of
grype version:
Application: grype
Version: 0.74.7
BuildDate: 2024-02-26T18:24:14Z
GitCommit: 987238519b8d6e302130ab715f20daed6634da68
GitDescription: v0.74.7
Platform: linux/amd64
GoVersion: go1.21.7
Compiler: gc
Syft Version: v0.105.1
Supported DB Schema: 5
- OS (e.g:
cat /etc/os-release or similar):
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
What happened:
Related to bug reported in #1370,
quay.io/calico/kube-controllers:v3.20.0image does not have Go compiler but only contains a binary that was compiled with the Go compiler and statically linked against the Go runtime library.The issue was fixed in anchore/syft#2195, however, now it's reporting false positive CVE's that only affect to Go compiler itself: CVE-2023-29402, CVE-2023-29404 and CVE-2023-29405:
What you expected to happen:
It should only report CVE-2023-29403 since that's the only vulnerability that affects the runtime library:
How to reproduce it (as minimally and precisely as possible):
Run
Anything else we need to know?:
Environment:
grype version:cat /etc/os-releaseor similar):