apply OS-level CVE data to OS-provided go and rust binaries #2012
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
kaniini
added
the
kind/feature
|
We already extract installed files by package managers, then skip scanning those files. If a python package is installed by apk, it should be skipped. But it skips Ruby, Python and Node.js packages for now. I've added Go binaries as well in #481. We don't support Rust binaries currently. |
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am working on using Trivy to scan Alpine-provided Go and Rust packages for vulnerabilities. This has already proven to be very useful, we have already mitigated a few CVEs that we had no visibility into.
However, the security team may choose to issue "true negative" secfixes data for some packages.
The problem is that Trivy does not consider OS-level security fix data when listing vulnerabilities in these binaries themselves. It would be nice to do so if the binary is "owned" by the package manager (
/lib/apk/db/installedcontains all the registered paths a package should have).Would it be possible to correlate this data?
The text was updated successfully, but these errors were encountered: