Trivy with go v1.24 parses the version incorreclty

[nabokihms]

Description

Hello, community! We scan Dex using trivy.

trivy image -v dexidp/dex:v2.41.0
The version v2.41.0 is built with go1.23 and trivy shows the correct version in the SBOM

"purl": "pkg:golang/github.com/dexidp/dex@v2.41.0"

trivy image -v dexidp/dex:v2.42.0
However, if we scan the version v2.42.0 which is built with go1.24, trivy shows the incorrect version

"pkg:golang/github.com/dexidp/dex@v0.0.0-20250219130842-7d1a7473c8a0%2Bdirty"

As a result of incorrect version parsing, trivy reports critical CVEs that were already fixed.

Could you guide me on what is wrong and how I can fix the problem?

Desired Behavior

The version is "github.com/dexidp/dex@v2.42.0"

Actual Behavior

The version is "github.com/dexidp/dex@v0.0.0-20250219130842-7d1a7473c8a0%2Bdirty"

Reproduction Steps

`trivy image -v dexidp/dex:v2.41.0`

`trivy image -v dexidp/dex:v2.42.0`

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

v2.42.0

2025-02-22T11:36:36+01:00	DEBUG	No plugins loaded
2025-02-22T11:36:36+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-22T11:36:36+01:00	DEBUG	Cache dir	dir="/Users/maksim.nabokikh/Library/Caches/trivy"
2025-02-22T11:36:36+01:00	DEBUG	Cache dir	dir="/Users/maksim.nabokikh/Library/Caches/trivy"
2025-02-22T11:36:36+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-22T11:36:36+01:00	DEBUG	Ignore statuses	statuses=[]
2025-02-22T11:36:36+01:00	DEBUG	DB update was skipped because the local DB is the latest
2025-02-22T11:36:36+01:00	DEBUG	DB info	schema=2 updated_at=2025-02-22T06:17:03.031409237Z next_update=2025-02-23T06:17:03.031408997Z downloaded_at=2025-02-22T10:04:01.093784Z
2025-02-22T11:36:36+01:00	DEBUG	[pkg] Package types	types=[os library]
2025-02-22T11:36:36+01:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-02-22T11:36:36+01:00	INFO	[vuln] Vulnerability scanning is enabled
2025-02-22T11:36:36+01:00	INFO	[secret] Secret scanning is enabled
2025-02-22T11:36:36+01:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-22T11:36:36+01:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
2025-02-22T11:36:36+01:00	DEBUG	Initializing scan cache...	type="fs"
2025-02-22T11:36:38+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-02-22T11:36:38+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-02-22T11:36:38+01:00	DEBUG	[image] Detected image ID	image_id="sha256:31a493f9dc609ff1e660276bab23b73224003f3785471ab6554cadc4991b5d2c"
2025-02-22T11:36:38+01:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:0b8dd96c6329500517ca48d354c15086033e3b1389da805c6e892c9bb24c9da5 sha256:196f2ea90b0d46692e92c6f7644438bfbee9113f9decf0563a4399a31f61267a sha256:3e219b60c9f2be12f5d0475c1bd25b3cf7046890f8b0d0039883744632adbd36 sha256:7ce1eb84cd5215373ea39c344a8607fe38905bb74c2b7dd2817e7bcd152d744b sha256:5cc129cb463bd974f09ab23c7b59851bf57d8b6fa2fe1168a7774b22dd42854c sha256:4a99287fd52ac9c493e09655459cf07d0c4f32009e8efd49db3cc42190d146cb sha256:ba18dbe8552dfb85705381ab514f2379e4728e0b3405b88bc31519c9bc7c8cb9 sha256:8e18f22b704ab44f9bcee53008bb92cffdebe8e407e0228859e9cd7d4a1739a1 sha256:2b31071ff2fdeb929e0df7e0a1bf4b68dcb95e66107938ff3cd031344ac23cd7]
2025-02-22T11:36:38+01:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350]
2025-02-22T11:36:38+01:00	INFO	Detected OS	family="alpine" version="3.21.3"
2025-02-22T11:36:38+01:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.21" repository="3.21" pkg_num=15
2025-02-22T11:36:38+01:00	INFO	Number of language-specific files	num=3
2025-02-22T11:36:38+01:00	INFO	[gobinary] Detecting vulnerabilities...
2025-02-22T11:36:38+01:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/gomplate"
2025-02-22T11:36:38+01:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/dex"
2025-02-22T11:36:38+01:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="./api/v2"
2025-02-22T11:36:38+01:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/docker-entrypoint"
2025-02-22T11:36:38+01:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.59/docs/scanner/vulnerability#severity-selection for details.
2025-02-22T11:36:38+01:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-02-22T11:36:38+01:00	DEBUG	[vex] VEX filtering is disabled

v2.41.0

2025-02-22T11:50:17+01:00	DEBUG	No plugins loaded
2025-02-22T11:50:17+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-22T11:50:17+01:00	DEBUG	Cache dir	dir="/Users/maksim.nabokikh/Library/Caches/trivy"
2025-02-22T11:50:17+01:00	DEBUG	Cache dir	dir="/Users/maksim.nabokikh/Library/Caches/trivy"
2025-02-22T11:50:17+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-22T11:50:17+01:00	DEBUG	Ignore statuses	statuses=[]
2025-02-22T11:50:17+01:00	DEBUG	DB update was skipped because the local DB is the latest
2025-02-22T11:50:17+01:00	DEBUG	DB info	schema=2 updated_at=2025-02-22T06:17:03.031409237Z next_update=2025-02-23T06:17:03.031408997Z downloaded_at=2025-02-22T10:04:01.093784Z
2025-02-22T11:50:17+01:00	DEBUG	[pkg] Package types	types=[os library]
2025-02-22T11:50:17+01:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-02-22T11:50:17+01:00	INFO	[vuln] Vulnerability scanning is enabled
2025-02-22T11:50:17+01:00	INFO	[secret] Secret scanning is enabled
2025-02-22T11:50:17+01:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-22T11:50:17+01:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
2025-02-22T11:50:17+01:00	DEBUG	Initializing scan cache...	type="fs"
2025-02-22T11:50:18+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-02-22T11:50:18+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-02-22T11:50:18+01:00	DEBUG	[image] Detected image ID	image_id="sha256:9ed94de08c9418d02af42b90c9d87bad28c2f9d6109216ede51c7c872a144534"
2025-02-22T11:50:18+01:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:78561cef0761903dd2f7d09856150a6d4fb48967a8f113f3e33d79effbf59a07 sha256:e2f3b2b95b5e5edd696ed79175fdf8946da390ea4eb97a0787e794b3f792238c sha256:40583e3f9762bf1b0c95c83108f28dcf58c3cd17208c1c862fe885e38599290a sha256:ff063bede384d8b7a778831f5d0463e535dc90764a680b4ced8809b97271f988 sha256:b55eb8a3a4767872b3bedac81ff955c2de18c528703ab9d9347edb1a414d6fe3 sha256:e344e8897bb8dc1e42025db15a5ad96d0f1e50e440792dd46388070cfb31a901 sha256:1346f72195a6b9c239cc0e8782679392864b5184c2eb6f6d7bc511e2d610b000 sha256:c9131e8f270d3002bdbe3599cd559f893f3eb08f258ad3f6c4a64b46cc041918 sha256:e33d3cb6cd6d8901f41ad0c49a9d2a682dbe3f467e9866d389b58923410814fa sha256:fa105c82385a2d3d0175242d13a8617a35b990d1adb1ce3ce0390cc551717fed]
2025-02-22T11:50:18+01:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:78561cef0761903dd2f7d09856150a6d4fb48967a8f113f3e33d79effbf59a07]
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:ff063bede384d8b7a778831f5d0463e535dc90764a680b4ced8809b97271f988"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:e2f3b2b95b5e5edd696ed79175fdf8946da390ea4eb97a0787e794b3f792238c"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:78561cef0761903dd2f7d09856150a6d4fb48967a8f113f3e33d79effbf59a07"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:b55eb8a3a4767872b3bedac81ff955c2de18c528703ab9d9347edb1a414d6fe3"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:40583e3f9762bf1b0c95c83108f28dcf58c3cd17208c1c862fe885e38599290a"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:e344e8897bb8dc1e42025db15a5ad96d0f1e50e440792dd46388070cfb31a901"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:1346f72195a6b9c239cc0e8782679392864b5184c2eb6f6d7bc511e2d610b000"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:c9131e8f270d3002bdbe3599cd559f893f3eb08f258ad3f6c4a64b46cc041918"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:e33d3cb6cd6d8901f41ad0c49a9d2a682dbe3f467e9866d389b58923410814fa"
2025-02-22T11:50:18+01:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:fa105c82385a2d3d0175242d13a8617a35b990d1adb1ce3ce0390cc551717fed"
2025-02-22T11:50:19+01:00	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/dexidp/dex"
2025-02-22T11:50:19+01:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/dexidp/dex" -ldflags=[-w -X main.version=v2.41.0 -extldflags "-static"]
2025-02-22T11:50:19+01:00	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="./api/v2"
2025-02-22T11:50:19+01:00	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/dexidp/dex"
2025-02-22T11:50:19+01:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/dexidp/dex" -ldflags=[-w -X main.version=v2.41.0 -extldflags "-static"]
2025-02-22T11:50:20+01:00	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/hairyhenderson/gomplate/v4"
2025-02-22T11:50:20+01:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/hairyhenderson/gomplate/v4" -ldflags=[-w -s -X github.com/hairyhenderson/gomplate/v4/version.GitCommit=07382703 -X github.com/hairyhenderson/gomplate/v4/version.Version=4.0.1-17-g07382703]
2025-02-22T11:50:20+01:00	INFO	Detected OS	family="alpine" version="3.20.2"
2025-02-22T11:50:20+01:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=14
2025-02-22T11:50:20+01:00	INFO	Number of language-specific files	num=3
2025-02-22T11:50:20+01:00	INFO	[gobinary] Detecting vulnerabilities...
2025-02-22T11:50:20+01:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/gomplate"
2025-02-22T11:50:20+01:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/dex"
2025-02-22T11:50:20+01:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="./api/v2"
2025-02-22T11:50:20+01:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/docker-entrypoint"
2025-02-22T11:50:20+01:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.59/docs/scanner/vulnerability#severity-selection for details.
2025-02-22T11:50:20+01:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-02-22T11:50:20+01:00	DEBUG	[vex] VEX filtering is disabled

Operating System

Doesn't matter

Version

Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-22 06:17:03.031409237 +0000 UTC
  NextUpdate: 2025-02-23 06:17:03.031408997 +0000 UTC
  DownloadedAt: 2025-02-22 10:04:01.093784 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-12-10 02:50:36.32311274 +0000 UTC
  NextUpdate: 2024-12-13 02:50:36.32311262 +0000 UTC
  DownloadedAt: 2024-12-10 07:23:15.622441 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nabokihms]

We use the -X main.version=$(VERSION) ldflag, and it is passed correctly to the binary (I checked). Maybe trivy cannot parse it correctly for golang v1.24?

[nabokihms]

It seems like trivy does not try to parse ldflags for gov1.24

[nabokihms]

I think I figured it out.

For go 1.23, buildinfo returns:

Go version: go1.23.6
Main module:
  Path:    github.com/dexidp/dex
  Version: (devel)

But for go 1.24 it returns:

Go version: go1.24.0
Main module:
  Path:    github.com/dexidp/dex
  Version: v0.0.0-20240807174518-43956db7fd75+dirty

Trivy doesn't consider (devel) as a version, so if there is a version no warning and no version are added to the packages list.

The check version method here in the code returns the v0.0.0-20240807174518-43956db7fd75+dirty version and ignores ldflags.

[nabokihms]

https://go-review.googlesource.com/c/go/+/596035
https://github.com/golang/go/blob/f062d7b10b276c1b698819f492e4b4754e160ee3/src/cmd/go/internal/load/pkg.go#L2558-L2570

[nabokihms]

As a fix, I think it is safe to make versions like v0.0.0-* have less priority than those from ldfalgs.

[nabokihms]

opened a PR #8433