feat(go): use toolchain as stdlib version for go.mod files
#7163
Conversation
DmitriyLewen
changed the title
toolchain as stdlib version for go.mod filestoolchain as stdlib version for go.mod files
|
There is one discussion. Technically, However, if the local version is older, the toolchain version is used for forward compatibility. They can be configured through
@DmitriyLewen Do you think we should work in the same way? |
Hmm... I didn't look at that. This seems to be the same case as for the SDK in
Let's start from default logic. |
|
This is how govulncheck works.
But I'm still not sure this is a good approach. If the environment in which Trivy is run is different from the environment in which the project is built, the vulnerability may be overlooked. Also, people can be confused as a vulnerability may be detected or not detected even though they scan the same project. |
|
I thought that we don't want to run other apps in Trivy, even if it's
in this case, users will need to check (or just be mindful) of many things when scanning |
|
OK, it is better to use the toolchain version at the moment for reproducibility. Since it's technically different from how the Go version is selected for compiling a binary, we should document it. |
|
Yeah. I will update docs. |
|
@knqyf263 i updated docs. |
| @@ -83,6 +83,19 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc | |||
| skipIndirect = lessThan117(modFileParsed.Go.Version) | |||
| } | |||
|
|
|||
| // Stdlib | |||
| if toolchain := modFileParsed.Toolchain; toolchain != nil { | |||
There was a problem hiding this comment.
Since Go uses go line if toolchain is omitted, we probably need to check the go line as well.
If the toolchain line is omitted, the module or workspace is considered to have an implicit toolchain goV line, where V is the Go version from the go line.
But we need to consider how to treat a go line omitting a patch version, like go 1.22. I think we can skip stdlib in this case.
There was a problem hiding this comment.
I think we can skip stdlib in this case.
If module uses version without patch (and child modules don't use patch and toolchain) - go doesn't add patch/toolchain:
➜ cat ../greetings/go.mod
module github.com/greetings
go 1.22
➜ cat go.mod
module example.com/hello
go 1.22
replace example.com/greetings => ../greetings
require example.com/greetings v0.0.0-00010101000000-000000000000
➜ go version
go version go1.22.0 darwin/arm64since we say we use minimum required version for stdlib - we can say that v1.x.0 (v1.21.0 for this example) is the minimum required version, no?
I think I'm missing something, but I can't figure out what 😄
There was a problem hiding this comment.
or do you mean that if go version doesn't contain patch - that means it is not a situation where toolchan is omitted?
and we don't need to check for cases where toolchain is not used (or omitted).
But it doesn't work for v1.19 or early: The standard Go toolchains are named goV where V is a Go version denoting a beta release, release candidate, or release. For example, go1.21rc1 and go1.21.0 are toolchain names; go1.21 and go1.22 are not (the initial releases are go1.21.0 and go1.22.0), but go1.20 and go1.19 are.
There was a problem hiding this comment.
we can say that v1.x.0 (v1.21.0 for this example) is the minimum required version, no?
I found answer - 1.21 != 1.21.0:
For example, 1.21 < 1.21rc1 < 1.21rc2 < 1.21.0 < 1.21.1 < 1.21.2.
There was a problem hiding this comment.
@knqyf263 I updated this PR:
- if toolchain is omitted - check
goline- check go version (take only >= 1.21)
- check patch
- check
rcreleases
There was a problem hiding this comment.
Detection using the minimum version may be better enabled when this flag is used. For example, django>=3.0.0 in requirements.txt, we can take 3.0.0 as the version even if the project may use newer than 3.0.0. The toolchain version is the same. From toolchain go1.21.4 in go.mod, we consider it Go 1.21.4 even if the project may actually use Go 1.21.5.
There was a problem hiding this comment.
Detection using the minimum version may be better enabled when this flag is used.
Agree with you.
There was a problem hiding this comment.
OK, I've converted this PR to draft. Let's finalize this proposal first and come back here.
There was a problem hiding this comment.
django>=3.0.0 in requirements.txt, we can take 3.0.0 as the version even if the project may use newer than 3.0.0
this is good idea 👍
There was a problem hiding this comment.
@knqyf263 I updated this PR using --detection-priority flag.
Take a look, when you have time, please.
|
|
||
| // Use minimal required go version from `toolchain` line (or from `go` line if `toolchain` is omitted) as `stdlib`. | ||
| // Show `stdlib` only with `useMinVersion` flag. | ||
| if toolchainVer := toolchainVersion(modFileParsed.Toolchain, modFileParsed.Go); p.useMinVersion && toolchainVer != "" { |
There was a problem hiding this comment.
nit: It's no big deal, but if useMinVersion == false, we don't need to get the toolchain version. We may want to evaluate useMinVersion first before getting the toolchain version.
There was a problem hiding this comment.
It make sense.
Updated in e6411c0
* feat(vm): Support direct filesystem (aquasecurity#7058) Signed-off-by: yusuke.koyoshi <yusuke.koyoshi@bizreach.co.jp> * feat(cli)!: delete deprecated SBOM flags (aquasecurity#7266) Signed-off-by: knqyf263 <knqyf263@gmail.com> * feat(vm): support the Ext2/Ext3 filesystems (aquasecurity#6983) * fix(plugin): do not call GitHub content API for releases and tags (aquasecurity#7274) Signed-off-by: knqyf263 <knqyf263@gmail.com> * fix(java): Return error when trying to find a remote pom to avoid segfault (aquasecurity#7275) Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> * fix(flag): incorrect behavior for deprected flag `--clear-cache` (aquasecurity#7281) * refactor(misconf): remove file filtering from parsers (aquasecurity#7289) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(vuln): Add `--detection-priority` flag for accuracy tuning (aquasecurity#7288) Signed-off-by: knqyf263 <knqyf263@gmail.com> * docs: add auto-generated config (aquasecurity#7261) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * fix(terraform): add aws_region name to presets (aquasecurity#7184) * perf(misconf): do not convert contents of a YAML file to string (aquasecurity#7292) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * refactor(misconf): remove unused universal scanner (aquasecurity#7293) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * perf(misconf): use json.Valid to check validity of JSON (aquasecurity#7308) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): load only submodule if it is specified in source (aquasecurity#7112) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): support for policy and bucket grants (aquasecurity#7284) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): do not set default value for default_cache_behavior (aquasecurity#7234) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): iterator argument support for dynamic blocks (aquasecurity#7236) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> * chore(deps): bump the common group across 1 directory with 7 updates (aquasecurity#7305) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: update client/server docs for misconf and license scanning (aquasecurity#7277) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * docs: update links to packaging.python.org (aquasecurity#7318) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * perf(misconf): optimize work with context (aquasecurity#6968) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * refactor: replace ftypes.Gradle with packageurl.TypeGradle (aquasecurity#7323) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * docs: update air-gapped docs (aquasecurity#7160) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * docs(misconf): Update callsites to use correct naming (aquasecurity#7335) * chore(deps): bump the common group with 9 updates (aquasecurity#7333) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(misconf): change default TLS values for the Azure storage account (aquasecurity#7345) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * refactor(misconf): highlight only affected rows (aquasecurity#7310) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): wrap Azure PortRange in iac types (aquasecurity#7357) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): scanning support for YAML and JSON (aquasecurity#7311) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): variable support for Terraform Plan (aquasecurity#7228) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix: safely check if the directory exists (aquasecurity#7353) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * chore(deps): bump the aws group across 1 directory with 7 updates (aquasecurity#7358) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat(server): add internal `--path-prefix` flag for client/server mode (aquasecurity#7321) Signed-off-by: knqyf263 <knqyf263@gmail.com> * chore(deps): bump trivy-checks (aquasecurity#7350) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * refactor(misconf): use slog (aquasecurity#7295) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): ignore duplicate checks (aquasecurity#7317) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): init frameworks before updating them (aquasecurity#7376) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): support deprecating for Go checks (aquasecurity#7377) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(python): use minimum version for pip packages (aquasecurity#7348) * docs: add pkg flags to config file page (aquasecurity#7370) * feat(misconf): Add support for using spec from on-disk bundle (aquasecurity#7179) * fix(report): escape `Message` field in `asff.tpl` template (aquasecurity#7401) * fix(misconf): use module to log when metadata retrieval fails (aquasecurity#7405) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): support for ignore by nested attributes (aquasecurity#7205) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): do not filter Terraform plan JSON by name (aquasecurity#7406) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): port and protocol support for EC2 networks (aquasecurity#7146) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * chore: fix allow rule of ignoring test files to make it case insensitive (aquasecurity#7415) * fix(secret): use only line with secret for long secret lines (aquasecurity#7412) * chore: update CODEOWNERS (aquasecurity#7398) Signed-off-by: knqyf263 <knqyf263@gmail.com> * feat(server): Make Trivy Server Multiplexer Exported (aquasecurity#7389) * feat(report): export modified findings in JSON (aquasecurity#7383) Signed-off-by: knqyf263 <knqyf263@gmail.com> * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (aquasecurity#7403) * fix(misconf): do not register Rego libs in checks registry (aquasecurity#7420) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * chore(deps): Bump trivy-checks (aquasecurity#7417) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): do not recreate filesystem map (aquasecurity#7416) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(secret): use `.eyJ` keyword for JWT secret (aquasecurity#7410) * fix(misconf): fix infer type for null value (aquasecurity#7424) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(aws): handle ECR repositories in different regions (aquasecurity#6217) Signed-off-by: Kevin Conner <kev.conner@getupcloud.com> * fix: logger initialization before flags parsing (aquasecurity#7372) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (aquasecurity#7387) * test: add integration plugin tests (aquasecurity#7299) * feat(sbom): set User-Agent header on requests to Rekor (aquasecurity#7396) Signed-off-by: Bob Callaway <bcallaway@google.com> * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (aquasecurity#7362) * chore(deps): Bump trivy-checks and pin OPA (aquasecurity#7427) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(java): add `test` scope support for `pom.xml` files (aquasecurity#7414) * fix(license): add license handling to JUnit template (aquasecurity#7409) * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (aquasecurity#7163) * release: v0.55.0 [main] (aquasecurity#7271) * fix(license): stop spliting a long license text (aquasecurity#7336) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (aquasecurity#7451) * chore(helm): bump up Trivy Helm chart (aquasecurity#7441) * chore(deps): bump the common group across 1 directory with 19 updates (aquasecurity#7436) Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * chore(deps): bump the aws group with 6 updates (aquasecurity#7468) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(oracle): Update EOL date for Oracle 7 (aquasecurity#7480) * fix(report): change a receiver of MarshalJSON (aquasecurity#7483) Signed-off-by: knqyf263 <knqyf263@gmail.com> * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (aquasecurity#7463) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (aquasecurity#7449) * feat(license): improve license normalization (aquasecurity#7131) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> Co-authored-by: knqyf263 <knqyf263@gmail.com> * docs(db): add a manifest example (aquasecurity#7485) Signed-off-by: knqyf263 <knqyf263@gmail.com> * revert(java): stop supporting of `test` scope for `pom.xml` files (aquasecurity#7488) * docs: refine go docs (aquasecurity#7442) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * chore(vex): suppress openssl vulnerabilities (aquasecurity#7500) Signed-off-by: knqyf263 <knqyf263@gmail.com> * chore(deps): bump alpine from 3.20.0 to 3.20.3 (aquasecurity#7508) * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (aquasecurity#7510) * fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (aquasecurity#7497) * refactor: split `.egg` and `packaging` analyzers (aquasecurity#7514) * feat(misconf): Register checks only when needed (aquasecurity#7435) * fix(misconf): Fix logging typo (aquasecurity#7473) * chore(deps): bump go-ebs-file (aquasecurity#7513) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (aquasecurity#7527) * refactor(misconf): pass options to Rego scanner as is (aquasecurity#7529) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(sbom): export bom-ref when converting a package to a component (aquasecurity#7340) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: amf <amf@macbook.local> Co-authored-by: knqyf263 <knqyf263@gmail.com> * perf(misconf): use port ranges instead of enumeration (aquasecurity#7549) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * fix(misconf): Fixed scope for China Cloud (aquasecurity#7560) * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (aquasecurity#7458) * chore(deps): remove broken replaces for opa and discovery (aquasecurity#7600) * ci: cache test images for `integration`, `VM` and `module` tests (aquasecurity#7599) * ci: add `workflow_dispatch` trigger for test workflow. (aquasecurity#7606) * chore(deps): bump the common group across 1 directory with 20 updates (aquasecurity#7604) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * fix(db): check `DownloadedAt` for `trivy-java-db` (aquasecurity#7592) * fix: allow access to '..' in mapfs (aquasecurity#7575) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * test: use a local registry for remote scanning (aquasecurity#7607) Signed-off-by: knqyf263 <knqyf263@gmail.com> * fix(misconf): escape all special sequences (aquasecurity#7558) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): add ability to disable checks by ID (aquasecurity#7536) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: Simar <simar@linux.com> * feat(suse): added SUSE Linux Enterprise Micro support (aquasecurity#7294) Signed-off-by: Marcus Meissner <meissner@suse.de> Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * fix(misconf): disable DS016 check for image history analyzer (aquasecurity#7540) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * ci: split `save` and `restore` cache actions (aquasecurity#7614) * refactor: fix auth error handling (aquasecurity#7615) Signed-off-by: knqyf263 <knqyf263@gmail.com> * feat(secret): enhance secret scanning for python binary files (aquasecurity#7223) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com> * feat(java): add empty versions if `pom.xml` dependency versions can't be detected (aquasecurity#7520) Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> * test: use loaded image names (aquasecurity#7617) Signed-off-by: knqyf263 <knqyf263@gmail.com> * ci: don't use cache for `setup-go` (aquasecurity#7622) * feat: support multiple DB repositories for vulnerability and Java DB (aquasecurity#7605) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * feat(misconf): Support `--skip-*` for all included modules (aquasecurity#7579) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io> * chore: add prefixes to log messages (aquasecurity#7625) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> * fix(misconf): Disable deprecated checks by default (aquasecurity#7632) * chore(deps): Bump trivy-checks to v1.1.0 (aquasecurity#7631) * fix(secret): change grafana token regex to find them without unquoted (aquasecurity#7627) * feat: support RPM archives (aquasecurity#7628) Signed-off-by: knqyf263 <knqyf263@gmail.com> * fix(misconf): not to warn about missing selectors of libraries (aquasecurity#7638) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> * release: v0.56.0 [main] (aquasecurity#7447) * fix(db): fix javadb downloading error handling [backport: release/v0.56] (aquasecurity#7646) Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io> * release: v0.56.1 [release/v0.56] (aquasecurity#7648) * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (aquasecurity#7691) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> * fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (aquasecurity#7702) Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> * release: v0.56.2 [release/v0.56] (aquasecurity#7694) * Make liveness probe configurable (#3) --------- Signed-off-by: yusuke.koyoshi <yusuke.koyoshi@bizreach.co.jp> Signed-off-by: knqyf263 <knqyf263@gmail.com> Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Kevin Conner <kev.conner@getupcloud.com> Signed-off-by: Bob Callaway <bcallaway@google.com> Signed-off-by: Marcus Meissner <meissner@suse.de> Co-authored-by: yusuke-koyoshi <92022336+yusuke-koyoshi@users.noreply.github.com> Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> Co-authored-by: Aruneko <yuki.fujita@bizreach.co.jp> Co-authored-by: Colm O hEigeartaigh <coheigea@users.noreply.github.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io> Co-authored-by: afdesk <work@afdesk.com> Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io> Co-authored-by: Alberto Donato <albertodonato@users.noreply.github.com> Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Itay Shakury <itay@itaysk.com> Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Co-authored-by: aasish-r <aasishrampalli1997@gmail.com> Co-authored-by: Ori <59772293+orizerah@users.noreply.github.com> Co-authored-by: Kevin Conner <kev.conner@gmail.com> Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com> Co-authored-by: vhash <29121316+LucasVanHaaren@users.noreply.github.com> Co-authored-by: psibre <psibre@users.noreply.github.com> Co-authored-by: Aqua Security automated builds <54269356+aqua-bot@users.noreply.github.com> Co-authored-by: s-reddy1498 <41355782+s-reddy1498@users.noreply.github.com> Co-authored-by: Squiddim <82903357+Squiddim@users.noreply.github.com> Co-authored-by: Pierre Baumard <pierre.baumard@cnav.fr> Co-authored-by: Lior Kaplan <lior@kaplanopensource.co.il> Co-authored-by: amf <amf@macbook.local> Co-authored-by: bloomadcariad <adam.bloom@cariad.us> Co-authored-by: Sylvain Baubeau <lebauce@gmail.com> Co-authored-by: Simar <simar@linux.com> Co-authored-by: Marcus Meissner <meissner@suse.de> Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
Description
Use
toolchainasstdlibversion.➜ cat ./go.mod module github.com/aquasecurity/trivy go 1.22.0 toolchain go1.22.4 ➜ trivy -q fs ./go.mod go.mod (gomod) Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0) ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────┤ │ stdlib │ CVE-2024-24791 │ MEDIUM │ fixed │ 1.22.4 │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue │ │ │ │ │ │ │ │ handling in net/http │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24791 │ └─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────┘Related issues
Checklist