-
Notifications
You must be signed in to change notification settings - Fork 502
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency update - Golang 1.22.5/1.22.7 #3748
Comments
@synergiator thanks for your issue. We did not bump the go dependency prior to our most recent patch releases because upon review these CVEs are not present in the way we use Go. Trivy unfortunately does not do real analysis and this report is incorrect. |
Hello from team Trivy :) Trivy detects Go standard library as a dependency and will report vulnerabilities in it. As @jeremyrickard mentioned, Trivy (or any other SCA scanner) doesn’t do reachability analysis to determine if vulnerabilities are reachable, but even a tool that does, like govulncheck could miss that due to the absence of call graph information in Go binaries. This and more is documented in Trivy’s Go scanning documentation. To address this, we recommend publishing VEX (Vulnerability Exploitability eXchange) documents, that announces this vulnerability as not reachable. This process has just became super easy thanks to Trivy’s built in integration with VEX Hub. |
#3738 Already tracks go update. I don't know that we want to be investing more time in supporting scanners, as-is they consume a lot of our time for questionable benefit to the project. Please remember these binaries are free and you can always contribute to upgrading go versions or build locally That's probably a question for SRC. |
Er:
cc @kubernetes/security-response-committee In this particular case I think we should invest in shipping updated go, we didn't rush it in the most recent patch release because the vulns aren't relevant anyhow, but we continuously invest in staying on stable up to date go releases anyhow. |
Fair enough, I can understand how dealing with all of that could be a burden. FWIW I think the time was already invested, by looking into this report and writing a response. VEX would simply allow you to write the same response in JSON instead of plain english, and then scanners could become aware of it and perhaps even save you time in the future. I'll make the suggestion for SRC, thank you. |
Yeah that's fair, I think there's an additional cost because while one of us can say in plain english "I don't think this is valid don't worry about it" that's not quite the same as publishing official metadata that says the same. IE we either have bureaucratic overhead, or we are kinda YOLO-ing publishing this. We have generally instead invested in not tripping scanners to begin with (e.g. distroless images), and we have more low hanging fruit there (e.g. further streamlining go upgrades, we don't quite have everything just respecting https://github.com/kubernetes/kubernetes/blob/master/.go-version) Personally I think minimizing the false positives is the best approach, like in this case we do want to ultimately upgrade Go regardless, but in the meantime we can tell people "we don't think this is valid, up to you to decide if that's OK or help us update Go". |
xpost kubernetes/kubernetes#121454 and kubernetes/sig-security#116 would be good to continue the discussions there as we hash out details for next steps. |
Superseded by #3778. |
Trivy report with Kubectl 1.31.0:
The text was updated successfully, but these errors were encountered: