bug: false positive: detects unused Go stdlib packages

[benhoyt]

IDs

CVE-2024-34156

Description

Trivy seems to be too loose about how it detects CVEs in Go stdlib packages. For example, there's CVE-2024-34156 in the encoding/gob package, but my binary does not use encoding/gob at all (nor do any of its dependencies). I can verify this with strings <binary> | grep encoding/gob.

It would be much more precise to only flag vulnerabilities if the binary in question was actually using that stdlib package (or if doing source-based detection, if the source or any of its dependencies used the stdlib package in question). Maybe this information (the specific package or packages) is not available in the vulnerability database? But this kind of thing causes a fair bit of noise for our projects. It looks like it's parseable from the title, at least, for example, from -f json:

"Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion"

Reproduction Steps

1. Download Pebble binary [v1.16.0](https://github.com/canonical/pebble/releases/tag/v1.16.0) from https://github.com/canonical/pebble/releases/download/v1.16.0/pebble_v1.16.0_linux_amd64.tar.gz
2. Run Trivy on it: `trivy rootfs --severity HIGH ~/Downloads/pebble_v1.16.0_linux_amd64/pebble`
3. Output flags CVE-2024-34156, which is specific to `encoding/gob`, which this binary does not use

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

2024-09-10T11:21:58+12:00	DEBUG	No plugins loaded
2024-09-10T11:21:58+12:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-10T11:21:58+12:00	DEBUG	Cache dir	dir="/home/ben/.cache/trivy"
2024-09-10T11:21:58+12:00	DEBUG	Cache dir	dir="/home/ben/.cache/trivy"
2024-09-10T11:21:58+12:00	DEBUG	Parsed severities	severities=[HIGH]
2024-09-10T11:21:58+12:00	DEBUG	Ignore statuses	statuses=[]
2024-09-10T11:21:58+12:00	DEBUG	DB update was skipped because the local DB is the latest
2024-09-10T11:21:58+12:00	DEBUG	DB info	schema=2 updated_at=2024-09-09T18:13:21.79309264Z next_update=2024-09-10T00:13:21.793092199Z downloaded_at=2024-09-09T23:06:05.268483828Z
2024-09-10T11:21:58+12:00	DEBUG	[pkg] Package types	types=[os library]
2024-09-10T11:21:58+12:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-09-10T11:21:58+12:00	INFO	[vuln] Vulnerability scanning is enabled
2024-09-10T11:21:58+12:00	INFO	[secret] Secret scanning is enabled
2024-09-10T11:21:58+12:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-10T11:21:58+12:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2024-09-10T11:21:58+12:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-10T11:21:58+12:00	DEBUG	Initializing scan cache...	type="memory"
2024-09-10T11:21:58+12:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-09-10T11:21:58+12:00	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/canonical/pebble"
2024-09-10T11:21:58+12:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/canonical/pebble" -ldflags=[]
2024-09-10T11:21:58+12:00	DEBUG	[gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.	dependency="github.com/canonical/pebble"
2024-09-10T11:21:58+12:00	DEBUG	OS is not detected.
2024-09-10T11:21:58+12:00	DEBUG	Detected OS: unknown
2024-09-10T11:21:58+12:00	INFO	Number of language-specific files	num=1
2024-09-10T11:21:58+12:00	INFO	[gobinary] Detecting vulnerabilities...
2024-09-10T11:21:58+12:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="pebble"
2024-09-10T11:21:58+12:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/canonical/pebble"
2024-09-10T11:21:58+12:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.
2024-09-10T11:21:58+12:00	DEBUG	[vex] VEX filtering is disabled

pebble (gobinary)

Total: 1 (HIGH: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.6            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│         │                │          │        │                   │                │ which contains deeply nested structures...                │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘

Version

# I'm using Trivy compiled from source with `go install ./cmd/trivy`
# Repo is at the latest commit: 7a1e8b85b4acf912c6748bf23fee71dda002129d

Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-09 18:13:21.79309264 +0000 UTC
  NextUpdate: 2024-09-10 00:13:21.793092199 +0000 UTC
  DownloadedAt: 2024-09-09 23:06:05.268483828 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @benhoyt
Thanks for your report!

Unfortunately, go.mod files and debug/buildinfo package (package for parsing Go binaries) don't contain information about the standard packages used.
Trivy doesn't check source code, so we have no way of knowing that you are not using vulnerable code.

We believe that it is better to show false positives than to have users miss vulnerabilities.
Trivy support options to skip these vulnerabilities - https://aquasecurity.github.io/trivy/v0.55/docs/configuration/filtering/

We have same problem in Trivy repo - We use VEX to avoid false positives - https://github.com/aquasecurity/trivy/blob/main/.vex/trivy.openvex.json

Regards, Dmitriy

[benhoyt]

Fair enough -- yeah, I wondered if this might be non-trivial. I found strings <binary> | grep encoding/gob quite useful -- we build our binaries with -ldflags '-s -w' (no symbols, no DWARF), and they still contain tons of the string encoding/json (which we do use), so I imagine for specific things just looking in the raw bytes of the binary for the package name is probably enough. But yeah, feels a bit hackish, and you'd still need a mapping of what CVEs affect which stdlib packages.

[knqyf263]

@benhoyt As @DmitriyLewen mentioned, you can publish a VEX document to suppress these vulnerabilities. Trivy will consume it, and all users will not see the vulnerability.
https://aquasecurity.github.io/trivy/v0.55/docs/supply-chain/vex/repo/#for-oss-projects

@DmitriyLewen We may want to mention stdlib detection could lead to false positives in the document.

[itaysk]

added a note here 1218538

[DmitriyLewen]

Great! Thanks!