Integrate govulncheck to reduce false positives #2845

Closed
06kellyjac opened this issue Sep 8, 2022 · 8 comments
kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. scan/vulnerability Issues relating to vulnerability scanning

Comments

@06kellyjac (Contributor)

06kellyjac commented Sep 8, 2022

Recently the Go team announced govulncheck, which can reduce the number of false positives because it doesn't go purely off of which libraries are imported.

https://go.dev/security/vuln/

Integrations with pkg.go.dev and govulncheck to enable developers to find vulnerabilities in their projects. The govulncheck command analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions. Govulncheck provides a low-noise, reliable way to find known vulnerabilities in your projects.

Currently Trivy flags kube-bench as having CVE-2020-8911 when it doesn't actually use the S3 features of the aws-sdk-go library.

aquasecurity/kube-bench#1268

This can be helped by libraries being split into features like the new aws-sdk-go-v2 does, but govulncheck also tackles this.

@06kellyjac 06kellyjac added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 8, 2022
@github-actions

github-actions bot commented Nov 8, 2022

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Nov 8, 2022
@afdesk afdesk removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Nov 10, 2022
@knqyf263 knqyf263 added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. scan/vulnerability Issues relating to vulnerability scanning labels Nov 23, 2022
@knqyf263 knqyf263 added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Dec 12, 2022
@knqyf263 knqyf263 added this to the v0.37.0 milestone Jan 3, 2023
@knqyf263 knqyf263 self-assigned this Jan 3, 2023
@knqyf263 knqyf263 modified the milestones: v0.37.0, v0.38.0 Jan 30, 2023
@knqyf263 knqyf263 removed this from the v0.38.0 milestone Feb 21, 2023
@06kellyjac (Contributor, Author)

govulncheck has now hit 1.0.0 and the API should be stable to integrate

https://go.dev/blog/govulncheck

@BronzeDeer

BronzeDeer commented Jul 14, 2023

When govulncheck was initially introduced I spent some time looking at whether I could provide a PR for this. Sadly the architecture of Trivy seems to very strongly assume the "every use of a dependency is vulnerable" model (which pre-govulncheck was very reasonable, since most vuln databases only keep data at this granularity and code path analysis was hard to do automatically in many contexts). This architecture is great since it allows you to modularize the scanner into distinct parts, specifically:

  1. parsing an artifact into a list of dependencies
  2. lookup of vulnerability state of each dependency/component.

For govulncheck this model fails, since it needs to consider the artifact (at least the binary) as a whole rather than as the sum of its components, requiring special-case handling for Go binaries that goes directly into govulncheck. It is doable but might require a deeper architecture discussion than just creating another language plugin etc.

Edit: This is probably exacerbated by the fact that current Trivy is actually two separate projects under the hood (trivy and fanal). I'm hesitant to put work into a PR before getting some guidance from the maintainers on whether bypassing fanal for Go binaries eligible for govulncheck would be OK, or whether fanal's DB first needs to be extended to handle a more general caching that doesn't map cleanly to dependency versions.
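
The difference between the two models described in this thread (the original post's kube-bench case, and the "every use of a dependency is vulnerable" model versus whole-artifact analysis above) can be shown with a small reachability check. The following is an added example, not code from Trivy, fanal or govulncheck: it uses only the standard library `go/ast` package to parse a constructed sample program, builds a per-function call graph, and asks two questions: does the program import the flagged package at all (the dependency-level view a manifest scanner takes), and does `main` transitively call the flagged function (the govulncheck-style view)? The module paths `example.com/awssdk/...`, the package names and `NewDecryptionClient` are placeholders chosen for the demo, not the real aws-sdk-go identifiers, and the check handles only plain, unaliased imports and top-level functions. Real govulncheck works on the SSA call graph of the whole binary; this is a deliberately small intra-file approximation of the same idea.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample, not kube-bench (placeholder module paths, not real aws-sdk-go
// identifiers): it imports "s3crypto" but calls it only from a function main never reaches.
const sampleSrc = `package main
import ("example.com/awssdk/ec2"; "example.com/awssdk/s3crypto")
func listInstances() { ec2.Describe() }
func unusedHelper()  { s3crypto.NewDecryptionClient() } // dead code
func main()          { listInstances() }`

// vulnSymbol is the hypothetical symbol an advisory names: "<import path>.<func>".
const vulnSymbol = "example.com/awssdk/s3crypto.NewDecryptionClient"

type callGraph struct {
	imported map[string]bool     // import path -> true: the dependency-level view
	names    map[string]string   // local import name -> import path
	local    map[string][]string // top-level func -> local funcs it calls
	external map[string][]string // top-level func -> "<import path>.<func>" it calls
}

// buildCallGraph records, per top-level function, the local functions and imported
// symbols it calls directly (unaliased imports only, to keep the demo short).
func buildCallGraph(src string) *callGraph {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		panic(err) // the sample is a constant; a real tool would return the error
	}
	g := &callGraph{map[string]bool{}, map[string]string{}, map[string][]string{}, map[string][]string{}}
	for _, imp := range f.Imports {
		p := strings.Trim(imp.Path.Value, `"`)
		g.imported[p] = true
		g.names[p[strings.LastIndex(p, "/")+1:]] = p
	}
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil || fn.Recv != nil { // plain top-level funcs only
			continue
		}
		name := fn.Name.Name
		g.local[name] = []string{} // register even if it calls nothing
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			switch fun := call.Fun.(type) {
			case *ast.Ident: // unqualified call: local function or builtin
				g.local[name] = append(g.local[name], fun.Name)
			case *ast.SelectorExpr: // pkg.Func: resolve pkg through the import table
				if pkg, ok := fun.X.(*ast.Ident); ok {
					if p, isImport := g.names[pkg.Name]; isImport {
						g.external[name] = append(g.external[name], p+"."+fun.Sel.Name)
					}
				}
			}
			return true
		})
	}
	return g
}

// Reachable is the govulncheck-style test: does entry transitively call sym?
// The returned chain is the call path, like the trace govulncheck prints.
func (g *callGraph) Reachable(entry, sym string) (bool, []string) {
	visited := map[string]bool{}
	var walk func(fn string) []string
	walk = func(fn string) []string {
		if visited[fn] { // guards against recursion in the analysed program
			return nil
		}
		visited[fn] = true
		for _, ext := range g.external[fn] {
			if ext == sym {
				return []string{fn, ext}
			}
		}
		for _, callee := range g.local[fn] { // unknown callees (builtins) simply yield nil
			if found := walk(callee); found != nil {
				return append([]string{fn}, found...)
			}
		}
		return nil
	}
	chain := walk(entry)
	return chain != nil, chain
}

func main() {
	g := buildCallGraph(sampleSrc)
	fmt.Println("imports flagged package:", g.imported["example.com/awssdk/s3crypto"])
	for _, entry := range []string{"main", "unusedHelper"} {
		ok, chain := g.Reachable(entry, vulnSymbol)
		fmt.Println("reachable from", entry+":", ok, chain)
	}
}
```

Run stand-alone it reports that the flagged package is imported (so a manifest-level scanner would raise the CVE) but that the flagged function is not reachable from `main`, while the dead `unusedHelper` does reach it; that gap is exactly the false positive the thread is about, and it is why the check has to see the whole program rather than a list of dependency versions.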

@tamalsaha

Any updates on this? The false positives by the scanner are a real productivity killer.

@jmthomas

jmthomas commented May 9, 2024

I'm using Redis alpine which uses gosu which uses Go and they've even written up a Security doc because they get so many false positives. Please add support for govulncheck!

@itaysk (Contributor)

itaysk commented May 12, 2024

After discussing this further we decided to support this use case using VEX. govulncheck will be able to output a VEX doc with the information necessary for Trivy to reduce the false positives (golang/go#62486). Trivy already supports consuming VEX. We might create a Trivy plugin to streamline this use case. Anyway, govulncheck will not be directly integrated into Trivy.
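
To make the VEX route concrete, here is an added example of the filtering step a consumer performs; it is not Trivy's implementation and not the document govulncheck emits. It parses a constructed document in OpenVEX shape (the field names follow the OpenVEX spec as this example understands them) and applies it to a constructed list of scanner findings: a finding is dropped only when a `not_affected` statement names both its vulnerability and its exact product purl, and the justification is kept so the suppression can be audited. CVE-2020-8911 and aws-sdk-go come from this thread; the module versions, the other CVE ids and the `@id` URL are placeholders. As far as I know the producing and consuming commands are `govulncheck -format openvex ./...` and `trivy ... --vex <file>`, but treat those flags as an assumption to check against the current docs of each tool.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// vexDocument models the subset of OpenVEX this example needs (field names per the
// OpenVEX spec as understood here; the exact shape govulncheck emits is an assumption).
type vexDocument struct {
	Context    string         `json:"@context"`
	Statements []vexStatement `json:"statements"`
}

type vexStatement struct {
	Vulnerability struct {
		Name string `json:"name"`
	} `json:"vulnerability"`
	Products []struct {
		ID string `json:"@id"` // a package URL (purl) identifying the product
	} `json:"products"`
	Status        string `json:"status"`
	Justification string `json:"justification,omitempty"`
}

// finding is a minimal stand-in for one scanner result (constructed, not Trivy's type).
type finding struct {
	VulnerabilityID string
	PkgPURL         string
}

// Constructed document in OpenVEX shape. CVE-2020-8911 on aws-sdk-go is the finding
// from the thread; the versions, the other CVE id and the @id URL are placeholders.
const sampleVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/constructed-1",
  "author": "govulncheck (constructed example)",
  "timestamp": "2024-05-12T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2020-8911"},
      "products": [{"@id": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.0"}],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    },
    {
      "vulnerability": {"name": "CVE-0000-0002"},
      "products": [{"@id": "pkg:golang/example.com/other@v0.1.0"}],
      "status": "under_investigation"
    }
  ]
}`

// Constructed scanner output: placeholder CVE ids and versions except CVE-2020-8911.
var sampleFindings = []finding{
	{"CVE-2020-8911", "pkg:golang/github.com/aws/aws-sdk-go@v1.44.0"}, // covered by not_affected
	{"CVE-0000-0001", "pkg:golang/github.com/aws/aws-sdk-go@v1.44.0"}, // no statement at all
	{"CVE-2020-8911", "pkg:golang/github.com/aws/aws-sdk-go@v1.40.0"}, // different product version
	{"CVE-0000-0002", "pkg:golang/example.com/other@v0.1.0"},          // statement exists, but not not_affected
}

func parseVEX(raw string) (vexDocument, error) {
	var doc vexDocument
	err := json.Unmarshal([]byte(raw), &doc)
	return doc, err
}

// applyVEX drops a finding only when a not_affected statement names both its
// vulnerability and its exact product purl; everything else stays reported.
// suppressed maps each dropped finding to the justification that dropped it.
func applyVEX(findings []finding, doc vexDocument) (kept []finding, suppressed map[finding]string) {
	notAffected := map[finding]string{}
	for _, st := range doc.Statements {
		if st.Status != "not_affected" {
			continue
		}
		for _, p := range st.Products {
			notAffected[finding{st.Vulnerability.Name, p.ID}] = st.Justification
		}
	}
	suppressed = map[finding]string{}
	for _, f := range findings {
		if why, ok := notAffected[f]; ok {
			suppressed[f] = why
			continue
		}
		kept = append(kept, f)
	}
	return kept, suppressed
}

func main() {
	doc, err := parseVEX(sampleVEX)
	if err != nil {
		panic(err)
	}
	kept, suppressed := applyVEX(sampleFindings, doc)
	for f, why := range suppressed {
		fmt.Printf("suppressed %s on %s (%s)\n", f.VulnerabilityID, f.PkgPURL, why)
	}
	fmt.Println("still reported:", kept)
}
```

The three kept findings show the edge cases that matter operationally: a VEX statement only speaks for the exact product it names (a different module version is still reported), a statement with any status other than `not_affected` must not silence anything, and a finding with no statement at all is untouched. Because govulncheck regenerates the document from the current call graph, a later change that starts calling the vulnerable function flips the statement and the finding reappears, which is what makes this safer than a hand-maintained ignore list.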

@elchenberg (Contributor)

@itaysk Do you think that the Trivy Operator or the Harbor integration will be able to make use of what you outlined? 🙂

@itaysk (Contributor)

itaysk commented Jul 4, 2024

You would have to ask Harbor about that. As for Trivy (and Operator), it will not be included.

Development

No branches or pull requests

8 participants