Skip to content

Ignore Go compiler affecting CVE when Docker image only contains a binary compiled with Go #1782

Description

@sunwhawhang

What happened:
Related to bug reported in #1370, quay.io/calico/kube-controllers:v3.20.0 image does not have Go compiler but only contains a binary that was compiled with the Go compiler and statically linked against the Go runtime library.

The issue was fixed in anchore/syft#2195, however, now it's reporting false positive CVE's that only affect to Go compiler itself: CVE-2023-29402, CVE-2023-29404 and CVE-2023-29405:

❯ grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29405       Critical  
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29404       Critical  
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29402       Critical  
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29403       High    

What you expected to happen:
It should only report CVE-2023-29403 since that's the only vulnerability that affects the runtime library:

❯ grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'
stdlib                               go1.15.2                                                                               go-module  CVE-2023-29403       High    

How to reproduce it (as minimally and precisely as possible):
Run

grype quay.io/calico/kube-controllers:v3.20.0 -q | grep -E '29402|29403|29404|29405'

Anything else we need to know?:

Environment:

  • Output of grype version:
    Application:         grype
    Version:             0.74.7
    BuildDate:           2024-02-26T18:24:14Z
    GitCommit:           987238519b8d6e302130ab715f20daed6634da68
    GitDescription:      v0.74.7
    Platform:            linux/amd64
    GoVersion:           go1.21.7
    Compiler:            gc
    Syft Version:        v0.105.1
    Supported DB Schema: 5
    
  • OS (e.g: cat /etc/os-release or similar):
    NAME="Ubuntu"
    VERSION="18.04.5 LTS (Bionic Beaver)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 18.04.5 LTS"
    VERSION_ID="18.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=bionic
    UBUNTU_CODENAME=bionic
    

Metadata

Metadata

Labels

bugSomething isn't workingecosystem:gorelating to the golang ecosystem

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions