8000 Vulnerabilities in go packages without go modules are not detected · Issue #1581 · anchore/grype · GitHub
Vulnerabilities in go packages without go modules are not detected #1581
Closed
@akpsgit

Description

What happened:
When scanning an image that contains a Go binary with a dependency on a package that doesn't use go modules (appears as +incompatible in go.mod), the expected vulnerability wasn't detected by Grype (github.com/dgrijalva/jwt-go in my case).

What you expected to happen:
The expected vulnerability is detected, e.g., for github.com/dgrijalva/jwt-go:

NAME                         INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/dgrijalva/jwt-go  v3.2.0               go-module  GHSA-w73w-5m7g-f7qc  High

How to reproduce it (as minimally and precisely as possible):

  1. Create a minimal Go program that uses only one dependency that has no go modules:
package main

import (
	"github.com/dgrijalva/jwt-go"
)

func main() {
	jwt.EncodeSegment(nil)
}
  2. Run go mod init and go mod tidy and the following go.mod should be created:
module github.com/test

go 1.21.1

require github.com/dgrijalva/jwt-go v3.2.0+incompatible

  3. Scan the directory with the Go program with Grype:
grype dir:./test
 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system             test
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
No vulnerabilities found

Anything else we need to know?:
When I tried to create an SBOM using Syft first and then scan it with Grype, I got:

syft dir:./test -o json > test.sbom

cat test.sbom
{
 "artifacts": [
  {
   "id": "89592a8d9d48cbdf",
   "name": "github.com/dgrijalva/jwt-go",
   "version": "v3.2.0+incompatible",
   "type": "go-module",
   "foundBy": "go-mod-file-cataloger",
   "locations": [
    {
     "path": "/go.mod",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
   "language": "go",
   "cpes": [
    "cpe:2.3:a:dgrijalva:jwt-go:v3.2.0\\+incompatible:*:*:*:*:*:*:*",
    "cpe:2.3:a:dgrijalva:jwt_go:v3.2.0\\+incompatible:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:golang/github.com/dgrijalva/jwt-go@v3.2.0+incompatible",
   "metadataType": "GolangModMetadata",
   "metadata": {
    "h1Digest": "h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM="
   }
  }
 ],
...

grype sbom:./test.sbom
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found

I modified the SBOM to remove the +incompatible suffix:

cat test.sbom
{
 "artifacts": [
  {
   "id": "89592a8d9d48cbdf",
   "name": "github.com/dgrijalva/jwt-go",
   "version": "v3.2.0",
   "type": "go-module",
   "foundBy": "go-mod-file-cataloger",
   "locations": [
    {
     "path": "/go.mod",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
   "language": "go",
   "cpes": [
    "cpe:2.3:a:dgrijalva:jwt-go:v3.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:dgrijalva:jwt_go:v3.2.0:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:golang/github.com/dgrijalva/jwt-go@v3.2.0",
   "metadataType": "GolangModMetadata",
   "metadata": {
    "h1Digest": "h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM="
   }
  }
 ],
...

Then, ran Grype and the expected vulnerability was found:

grype sbom:./test.sbom
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME                         INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/dgrijalva/jwt-go  v3.2.0               go-module  GHSA-w73w-5m7g-f7qc  High

Environment:

  • Output of grype version:
grype version
Application:         grype
Version:             0.72.0
BuildDate:           2023-10-20T18:17:05Z
GitCommit:           04df28051b7694a5e4a28fc5b2ea2068f24ef213
GitDescription:      v0.72.0
Platform:            darwin/amd64
GoVersion:           go1.21.3
Compiler:            gc
Syft Version:        v0.94.0
Supported DB Schema: 5

syft version
Application: syft
Version:    0.94.0
BuildDate:  2023-10-20T17:00:15Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/amd64
GoVersion:  go1.21.3
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
sw_vers
ProductName:		macOS
ProductVersion:		14.0
BuildVersion:		23A344
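
The manual workaround from the report (dropping the +incompatible suffix from the SBOM before scanning) as an added example written for this page, not code from grype or syft: it rewrites the version, purl and cpes of every go-module artifact in a syft JSON document to the version without semver build metadata. The sample document is constructed from the artifact shown above, trimmed to the fields that carry the version; the field names are those of the syft JSON output in this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the syft go-module artifact shown above, trimmed to its version-bearing fields.
const sampleSBOM = `{"artifacts":[{"name":"github.com/dgrijalva/jwt-go","type":"go-module","version":"v3.2.0+incompatible",
"purl":"pkg:golang/github.com/dgrijalva/jwt-go@v3.2.0+incompatible","cpes":["cpe:2.3:a:dgrijalva:jwt-go:v3.2.0\\+incompatible:*:*:*:*:*:*:*"]}]}`

// NormalizeSBOM rewrites version, purl and cpes of every go-module artifact in a syft JSON
// SBOM to the version without semver build metadata ("+incompatible", "+meta"), which carries
// no precedence: v3.2.0+incompatible is release v3.2.0. It reports how many artifacts changed.
func NormalizeSBOM(in []byte) ([]byte, int, error) {
	var doc map[string]any // generic maps keep every field this code does not know about
	if err := json.Unmarshal(in, &doc); err != nil {
		return nil, 0, err
	}
	changed := 0
	arts, _ := doc["artifacts"].([]any)
	for _, a := range arts {
		art, _ := a.(map[string]any)
		old, _ := art["version"].(string)
		v, _, _ := strings.Cut(old, "+") // keep everything before the first '+'
		if art["type"] != "go-module" || v == old {
			continue
		}
		changed++
		art["version"] = v
		if purl, ok := art["purl"].(string); ok && strings.Contains(purl, "@") {
			art["purl"] = purl[:strings.LastIndexByte(purl, '@')+1] + v // pkg:golang/<mod>@<ver>
		}
		esc := strings.ReplaceAll(old, "+", `\+`) // syft writes '+' inside a CPE as "\+"
		cpes, _ := art["cpes"].([]any)
		for i, c := range cpes {
			cpes[i] = strings.Replace(fmt.Sprint(c), esc, v, 1)
		}
	}
	out, err := json.Marshal(doc)
	return out, changed, err
}

func main() {
	out, n, err := NormalizeSBOM([]byte(sampleSBOM))
	fmt.Printf("%d artifact(s) rewritten, err=%v\n%s\n", n, err, out)
}
```

Feed the rewritten document to grype sbom:<file> as in the report; the purl and cpes are updated together with version so each identifier names the same release.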

Labels: bug (Something isn't working), ecosystem:go (relating to the golang ecosystem)
Status: Done