trivy can't detect older binary #6147
Description

First extract contents of an image:
Run trivy scan:
It reports no lang-specific files:
If I build the same code version with current golang SDK and scan it, then it shows some vulnerabilities.

Desired Behavior

Trivy should be able to scan even older binaries, or in worst case at least report some warning (if possible?).

Actual Behavior

Silent failure

Reproduction Steps

1. `docker export $(docker create quay.io/uswitch/vault-creds:v0.14.0) | tar -xC .`
2. `trivy fs vaultcreds`

Target: Filesystem
Scanner: Vulnerability
Output Format: None
Mode: None

Debug Output

```
❯ trivy fs vaultcreds --debug
2024-02-16T09:44:56.219+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-16T09:44:56.220+0100 DEBUG Ignore statuses {"statuses": null}
2024-02-16T09:44:56.235+0100 DEBUG cache dir: REDACTED/trivy
2024-02-16T09:44:56.235+0100 DEBUG DB update was skipped because the local DB is the latest
2024-02-16T09:44:56.235+0100 DEBUG DB Schema: 2, UpdatedAt: 2024-02-16 06:12:10.483953515 +0000 UTC, NextUpdate: 2024-02-16 12:12:10.483953215 +0000 UTC, DownloadedAt: 2024-02-16 07:22:51.381622 +0000 UTC
2024-02-16T09:44:56.257+0100 INFO Vulnerability scanning is enabled
2024-02-16T09:44:56.257+0100 DEBUG Vulnerability type: [os library]
2024-02-16T09:44:56.257+0100 INFO Secret scanning is enabled
2024-02-16T09:44:56.257+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-16T09:44:56.257+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-16T09:44:56.257+0100 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-16T09:44:56.258+0100 DEBUG No secret config detected: trivy-secret.yaml
2024-02-16T09:44:56.258+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-02-16T09:44:56.258+0100 DEBUG Walk the file tree rooted at 'vaultcreds' in parallel
2024-02-16T09:44:56.270+0100 DEBUG OS is not detected.
2024-02-16T09:44:56.270+0100 DEBUG Detected OS: unknown
2024-02-16T09:44:56.270+0100 INFO Number of language-specific files: 0
```

Operating System: macOS Sonoma 14.2.1

Version

```
❯ trivy --version
Version: 0.48.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-16 06:12:10.483953515 +0000 UTC
  NextUpdate: 2024-02-16 12:12:10.483953215 +0000 UTC
  DownloadedAt: 2024-02-16 07:22:51.381622 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
  NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
  DownloadedAt: 2024-02-12 09:02:10.615217 +0000 UTC
```
Replies: 1 comment 5 replies
Hello @camaeel

We use

Regards, Dmitriy
I'm not sure if this is possible.
We can't differentiate this binary from a non-golang binary.
e.g.:
Therefore, we will show this warning for every binary file.
I think this is a rare case. Support for 1.12 has also been completed.
I think we can ignore this case.
If we get more problems like this with the current version of Go, we will return to this problem (add a warning, write to the Go developers, etc.).