Vulnerabilities in go packages without go modules are not detected · Issue #1581 · anchore/grype · GitHub
Vulnerabilities in go packages without go modules are not detected #1581


Closed
akpsgit opened this issue Oct 30, 2023 · 0 comments · Fixed by #1599
Labels
bug Something isn't working ecosystem:go relating to the golang ecosystem

Comments

akpsgit commented Oct 30, 2023

What happened:
When scanning an image that contains a Go binary with a dependency on a package that doesn't use go modules (appears as +incompatible in go.mod), the expected vulnerability wasn't detected by Grype (github.com/dgrijalva/jwt-go in my case).

What you expected to happen:
The expected vulnerability is detected. e.g, for github.com/dgrijalva/jwt-go:

NAME                         INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/dgrijalva/jwt-go  v3.2.0               go-module  GHSA-w73w-5m7g-f7qc  High

How to reproduce it (as minimally and precisely as possible):

  1. Create a minimal go program that uses only one dependency that has no go modules:
package main

import (
	"github.com/dgrijalva/jwt-go"
)

func main() {
	jwt.EncodeSegment(nil)
}
  2. Run go mod init and go mod tidy, and the following go.mod should be created:
module github.com/test

go 1.21.1

require github.com/dgrijalva/jwt-go v3.2.0+incompatible

  3. Scan the directory with the Go program with Grype:
grype dir:./test
 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system              test
 ✔ Cataloged packages              [1 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
No vulnerabilities found

Anything else we need to know?:
When I tried to create an SBOM using Syft first and to scan with Grype I got:


syft dir:./test -o json > test.sbom

cat test.sbom
{
 "artifacts": [
  {
   "id": "89592a8d9d48cbdf",
   "name": "github.com/dgrijalva/jwt-go",
   "version": "v3.2.0+incompatible",
   "type": "go-module",
   "foundBy": "go-mod-file-cataloger",
   "locations": [
    {
     "path": "/go.mod",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
   "language": "go",
   "cpes": [
    "cpe:2.3:a:dgrijalva:jwt-go:v3.2.0\\+incompatible:*:*:*:*:*:*:*",
    "cpe:2.3:a:dgrijalva:jwt_go:v3.2.0\\+incompatible:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:golang/github.com/dgrijalva/jwt-go@v3.2.0+incompatible",
   "metadataType": "GolangModMetadata",
   "metadata": {
    "h1Digest": "h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM="
   }
  }
 ],
...

grype sbom:./test.sbom
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found

I modified the SBOM to remove the +incompatible suffix:

cat test.sbom
{
 "artifacts": [
  {
   "id": "89592a8d9d48cbdf",
   "name": "github.com/dgrijalva/jwt-go",
   "version": "v3.2.0",
   "type": "go-module",
   "foundBy": "go-mod-file-cataloger",
   "locations": [
    {
     "path": "/go.mod",
     "annotations": {
      "evidence": "primary"
     }
    }
   ],
   "licenses": [],
   "language": "go",
   "cpes": [
    "cpe:2.3:a:dgrijalva:jwt-go:v3.2.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:dgrijalva:jwt_go:v3.2.0:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:golang/github.com/dgrijalva/jwt-go@v3.2.0",
   "metadataType": "GolangModMetadata",
   "metadata": {
    "h1Digest": "h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM="
   }
  }
 ],
...

Then, ran Grype and the expected vulnerability was found:

grype sbom:./test.sbom
 ✔ Vulnerability DB                [no update available]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME                         INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
github.com/dgrijalva/jwt-go  v3.2.0               go-module  GHSA-w73w-5m7g-f7qc  High

Environment:

  • Output of grype version:
grype version
Application:         grype
Version:             0.72.0
BuildDate:           2023-10-20T18:17:05Z
GitCommit:           04df28051b7694a5e4a28fc5b2ea2068f24ef213
GitDescription:      v0.72.0
Platform:            darwin/amd64
GoVersion:           go1.21.3
Compiler:            gc
Syft Version:        v0.94.0
Supported DB Schema: 5

syft version
Application: syft
Version:    0.94.0
BuildDate:  2023-10-20T17:00:15Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/amd64
GoVersion:  go1.21.3
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
sw_vers
ProductName:		macOS
ProductVersion:		14.0
BuildVersion:		23A344
@akpsgit akpsgit added the bug Something isn't working label Oct 30, 2023
@willmurphyscode willmurphyscode added the ecosystem:go relating to the golang ecosystem label Nov 9, 2023
@willmurphyscode willmurphyscode moved this to Backlog in OSS Nov 9, 2023
@willmurphyscode willmurphyscode moved this from Backlog to In Progress in OSS Nov 10, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in OSS Nov 15, 2023
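The report above boils down to one detail of Go version syntax: "+incompatible" is semver build metadata, which carries no precedence, so "v3.2.0+incompatible" and "v3.2.0" name the same release and must match the same advisory records. The following is an added, stand-alone example (not code from grype, syft, or this issue's author) that shows how a matcher should handle that: it parses the version, drops the build metadata for the lookup key, compares with full semver precedence (including prerelease ordering), and contrasts that with a strict matcher that rejects the suffix and silently reports no hit. The advisory range used here (affected below v4.0.0) is constructed for the demonstration and is not taken from the advisory shown on this page.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed Go module version. Build holds the text after "+"
// (for example "incompatible"); per semver it carries no precedence.
type Version struct {
	Major, Minor, Patch int
	Pre                 []string // prerelease identifiers, nil for a release
	Build               string
}

// ParseGoVersion parses forms such as "v3.2.0+incompatible", "v4.0.0-preview1", "v1.2.3".
func ParseGoVersion(s string) (Version, error) {
	var v Version
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		v.Build, s = s[i+1:], s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.Pre, s = strings.Split(s[i+1:], "."), s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q is not major.minor.patch", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q has bad component %q", s, p)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Canonical renders the version without build metadata: the key a matcher
// should look up, so "v3.2.0+incompatible" and "v3.2.0" hit the same records.
func (v Version) Canonical() string {
	s := fmt.Sprintf("v%d.%d.%d", v.Major, v.Minor, v.Patch)
	if len(v.Pre) > 0 {
		s += "-" + strings.Join(v.Pre, ".")
	}
	return s
}

// Compare implements semver precedence: numeric triple first, then a prerelease
// sorts before its release, then prerelease identifiers left to right
// (numeric before alphanumeric). Build metadata is never consulted.
func Compare(a, b Version) int {
	for _, d := range [3]int{a.Major - b.Major, a.Minor - b.Minor, a.Patch - b.Patch} {
		if d != 0 {
			return sign(d)
		}
	}
	switch {
	case len(a.Pre) == 0 && len(b.Pre) == 0:
		return 0
	case len(a.Pre) == 0:
		return 1
	case len(b.Pre) == 0:
		return -1
	}
	for i := 0; i < len(a.Pre) && i < len(b.Pre); i++ {
		if c := cmpIdent(a.Pre[i], b.Pre[i]); c != 0 {
			return c
		}
	}
	return sign(len(a.Pre) - len(b.Pre))
}

func cmpIdent(x, y string) int {
	xn, xerr := strconv.Atoi(x)
	yn, yerr := strconv.Atoi(y)
	switch {
	case xerr == nil && yerr == nil:
		return sign(xn - yn)
	case xerr == nil:
		return -1
	case yerr == nil:
		return 1
	}
	return strings.Compare(x, y)
}

func sign(n int) int {
	if n < 0 {
		return -1
	}
	if n > 0 {
		return 1
	}
	return 0
}

// Range is a constructed advisory range: a version is affected when
// Introduced <= v < Fixed. An empty bound means unbounded on that side.
type Range struct{ Introduced, Fixed string }

// Affected parses and normalises the installed version before comparing,
// so a "+incompatible" suffix cannot hide a match.
func (r Range) Affected(installed string) (bool, error) {
	v, err := ParseGoVersion(installed)
	if err != nil {
		return false, err
	}
	if r.Introduced != "" {
		lo, err := ParseGoVersion(r.Introduced)
		if err != nil {
			return false, err
		}
		if Compare(v, lo) < 0 {
			return false, nil
		}
	}
	if r.Fixed != "" {
		hi, err := ParseGoVersion(r.Fixed)
		if err != nil {
			return false, err
		}
		if Compare(v, hi) >= 0 {
			return false, nil
		}
	}
	return true, nil
}

// StrictAffected models the failure mode: a matcher that only accepts plain
// canonical versions rejects "v3.2.0+incompatible" and reports no finding.
func StrictAffected(r Range, installed string) (bool, error) {
	if strings.Contains(installed, "+") {
		return false, fmt.Errorf("unsupported version syntax %q", installed)
	}
	return r.Affected(installed)
}

func main() {
	r := Range{Fixed: "v4.0.0"} // constructed range for the demo, not the real advisory's
	for _, ver := range []string{"v3.2.0+incompatible", "v3.2.0", "v4.0.0-preview1", "v4.0.0"} {
		v, _ := ParseGoVersion(ver)
		hit, _ := r.Affected(ver)
		_, strictErr := StrictAffected(r, ver)
		fmt.Printf("%-22s key=%-16s affected=%-5v strict_err=%v\n", ver, v.Canonical(), hit, strictErr)
	}
}
```

The point to carry into any matcher or SBOM post-processing step is the Canonical key: compare on the semver value, keep the original string (and the purl, which also carries the suffix) only for display. A quick check on a scanner is to feed it a go.mod with a "+incompatible" dependency and the same module with the suffix stripped, as the reporter did above, and confirm both produce the same findings.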