Skip to content

Integrate govulncheck to reduce false positives #2845

Description

@06kellyjac

Recently the go team announced govulncheck which can reduce the amount of false positives because it doesn't go purely off of libraries imported

https://go.dev/security/vuln/

Integrations with pkg.go.dev and govulncheck to enable developers to find vulnerabilities in their projects. The govulncheck command analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions. Govulncheck provides a low-noise, reliable way to find known vulnerabilities in your projects.

currently trivy flags kube-bench as having CVE-2020-8911 when it doesn't actually use the S3 features of the aws-sdk-go library

aquasecurity/kube-bench#1268

This can be helped by libraries being split into features like the new aws-sdk-go-v2 does but govulncheck also tackles this

Metadata

Metadata

Assignees

Labels

kind/featureCategorizes issue or PR as related to a new feature.priority/important-soonMust be staffed and worked on either currently, or very soon, ideally in time for the next release.scan/vulnerabilityIssues relating to vulnerability scanning

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
No status

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions