Integrate govulncheck to reduce false positives #2845
Comments
This issue is stale because it has been labeled with inactivity.
govulncheck has now hit 1.0.0 and the API should be stable to integrate
When govulncheck was initially introduced I spent some time looking whether I could provide a PR for this, sadly the architecture of trivy seems to very strongly assume the "Every use of a dependency is vulnerable" model (Which pre-govulncheck was very reasonable since most vuln databases only keep data at this granularity and code path analysis was hard to do automatically in many contexts). This architecture is great since it allows you to modularize the scanner into distinct parts, specifically:
For govulncheck this model fails, since it needs to consider the artifact (at least the binary) as a whole rather than the sum of components, requiring special case handling for go binaries that goes directly into govulncheck. It is doable but might require a deeper architecture discussion than just creating another language plugin etc. Edit: This is probably exacerbated by the fact that current trivy is actually two separate projects under the hood (trivy and fanal). I'm hesitant to put work into a PR before getting some guidance from the maintainers on whether bypassing fanal for go binaries eligible for govulncheck would be ok or whether fanal's db first needs to be extended to handle a more general caching that doesn't map cleanly to dependency versions
Any updates on this? The false positives by the scanner are a real productivity killer.
I'm using Redis alpine which uses gosu which uses Go and they've even written up a Security doc because they get so many false positives. Please add support for govulncheck!
After discussing this further we decided to support this use case using VEX. govulncheck will be able to output a VEX doc with the information necessary for Trivy to reduce the false positives golang/go#62486. Trivy already supports consuming VEX. We might create a Trivy plugin to streamline this use case. Anyway, govulncheck will not be directly integrated into Trivy.
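To illustrate the VEX route described in the comment above, here is an added example (not code from Trivy, govulncheck or this thread) of how a `not_affected` OpenVEX statement produced by call-graph analysis suppresses the package-level CVE-2020-8911 finding from the kube-bench case while leaving other findings untouched. The Trivy report fragment (including its `PkgIdentifier.PURL` layout) and the VEX document are constructed for this example.

```python
# Constructed Trivy JSON report for a Go binary (not real scanner output): Trivy flags
# CVE-2020-8911 because aws-sdk-go is linked in, whatever functions the binary calls.
TRIVY_REPORT = {"Results": [{"Target": "kube-bench", "Type": "gobinary", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2020-8911", "PkgName": "github.com/aws/aws-sdk-go",
     "InstalledVersion": "v1.44.0",
     "PkgIdentifier": {"PURL": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.0"}},
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.com/other",  # placeholder id
     "InstalledVersion": "v0.1.0",
     "PkgIdentifier": {"PURL": "pkg:golang/example.com/other@v0.1.0"}},
]}]}

# Constructed OpenVEX document of the kind a call-graph tool could emit for this
# binary: the vulnerable S3 code path is never reached, so the finding is not_affected.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/kube-bench",  # placeholder document id
    "author": "constructed example", "timestamp": "2024-01-01T00:00:00Z", "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-2020-8911"},
        "products": [{"@id": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.0"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    }],
}

def not_affected_keys(vex):
    """Collect (vulnerability id, product purl) pairs the VEX document marks not_affected."""
    keys = set()
    for st in vex.get("statements", []):
        # OpenVEX requires a justification for not_affected; ignore statements lacking one
        if st.get("status") != "not_affected" or not st.get("justification"):
            continue
        for prod in st.get("products", []):
            keys.add((st["vulnerability"]["name"], prod["@id"]))
    return keys

def apply_vex(report, vex):
    """Return (kept, dropped): findings that survive VEX filtering and those it suppressed."""
    suppress = not_affected_keys(vex)
    kept, dropped = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            purl = v.get("PkgIdentifier", {}).get("PURL", "")
            (dropped if (v["VulnerabilityID"], purl) in suppress else kept).append(v)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = apply_vex(TRIVY_REPORT, VEX_DOC)
    print("suppressed:", [v["VulnerabilityID"] for v in dropped])  # ['CVE-2020-8911']
    print("remaining:", [v["VulnerabilityID"] for v in kept])      # ['CVE-0000-0001']
```

Matching on the exact vulnerability id and package purl, and requiring a justification, is what keeps a VEX statement from silently suppressing findings it was never meant to cover.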
@itaysk Do you think that the Trivy Operator or the Harbor integration will be able to make use of what you outlined? 🙂
You would have to ask Harbor about that. As for Trivy (and Operator), it will not be included
Recently the go team announced govulncheck which can reduce the amount of false positives because it doesn't go purely off of libraries imported
https://go.dev/security/vuln/
currently trivy flags kube-bench as having CVE-2020-8911 when it doesn't actually use the S3 features of the aws-sdk-go library aquasecurity/kube-bench#1268
This can be helped by libraries being split into features like the new aws-sdk-go-v2 does but govulncheck also tackles this