-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
golang stdlib
scan inconsistency for fresh go toolchain versions: bare metal vs docker
#679
Comments
This seems to be a result of: #453. The assumption is made that the go binary found on the PATH will be the version that is building the go package, which might not always be the case. I think we want to do a couple of things here:
|
I don't know of osv-scanner internals, but this would definetely break golang stdlib checks mentioned in #453, here's the quick demo: docker run -it alpine:latest
apk add curl
cd /tmp
curl -OL https://github.com/google/osv-scanner/releases/download/v1.4.3/osv-scanner_1.4.3_linux_amd64
chmod +x osv-scanner_1.4.3_linux_amd64
printf "module test\ngo 1.121\n" > go.mod
./osv-scanner_1.4.3_linux_amd64 -L go.mod This will emit the following:
So, I guess, providing some way to switch to a desired go toolchain version is prefered. However I understood from #453 that as of now, there's no clear way to do this. UPD: As an alternative, not suitable for everyone though, one can use |
This error has been converted into a warning in the next release (#622) (v1.5.0 is currently planned to release next week), and as long as there is a package in the go.mod file, it should successfully scan. |
After discussing this with the team, we are going to change the implementation to read the It looks like after 1.21, go version in go.mod is enforced as the minimum version. |
I was playing around with this when trying out Go call analysis. The toy project uses an old version of Go intentionally. package main
import (
"log"
"net/http"
)
func main() {
err := http.ListenAndServe(":8080", nil)
if err != nil {
log.Fatal(err)
}
} the example
But $ go version
go version go1.22.0 linux/amd64
$ osv-scanner -r .
Scanning dir .
Scanned /tmp/go/go.mod file and found 1 package
Uncalled vulnerabilities
│ https://osv.dev/GO-2023-2375 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2041 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2043 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2102 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2185 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2186 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2382 │ │ Go │ stdlib │ 1.19 │ go.mod │ Vs if I use an older Go toolchain (example go.mod is still 1.19). $ go version
go version go1.21.2 linux/amd64
$ osv-scanner -r .
Scanning dir .
Scanned /tmp/go/go.mod file and found 1 package
(called vulnerabilities section)
│ https://osv.dev/GO-2023-2102 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2185 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2382 │ │ Go │ stdlib │ 1.19 │ go.mod │
Uncalled vulnerabilities
│ https://osv.dev/GO-2023-2375 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2041 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2043 │ │ Go │ stdlib │ 1.19 │ go.mod │
│ https://osv.dev/GO-2023-2186 │ │ Go │ stdlib │ 1.19 │ go.mod │ Am I misunderstanding what #704 did? I'm trying to understand this behavior before enabling it for Scorecard because our weekly scan runs with the latest version of the Go toolchain. So I don't want to dismiss everything as uncalled based on the Go toolchain version we use. |
Thanks @spencerschrock for reporting this. As expected, osv-scanner should not care what the local Go version is when determining reachability. It should only checks Go version that is defined in I think the issue here is because when we run govulncheck, we didn't set To fix it, I will raise a PR to assign
|
Ah I didn't know about |
GoVulncheck uses local installed GO version to determine vulnerabilities if the env `GOVERSION` is not defined. Set the `GOVERSION` value to the one defined in go.mod. detail: #679 --------- Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
I've recently faced a weird issue in our CI process – it reports some vulnerabilities for go v1.20, while the go.mod file claims
go 1.21.4
. At the same time, my local version on a dev machine reports "no vulnerabilities found".So, given this
/tmp/osv-issue/go.mod
file (not much to see here, the original one is way bigger, but the issue persists even with a minimal one):I have the following results:
[MacOS v14.1.1] [clean] bare metal binary, installed via homebrew:
[MacOS v14.1.1] [clean] bare metal binary, manual download darwin_amd64 from github releases:
[vulnerable] official docker way (copypasted some commands from docs)
docker run -it -v ${PWD}:/src ghcr.io/google/osv-scanner:v1.4.3 -v osv-scanner version: 1.4.3 commit: 6316373e47d7e3e4b4fd3630c4bbc10987738de6 built at: 2023-11-02T00:53:14Z docker run -it -v /tmp/osv-issue:/src ghcr.io/google/osv-scanner:v1.4.3 -L /src/go.mod Scanned /src/go.mod file and found 1 package ╭──────────────────────────────┬──────┬───────────┬─────────┬─────────┬────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├──────────────────────────────┼──────┼───────────┼─────────┼─────────┼────────────┤ │ https://osv.dev/GO-2023-2185 │ │ Go │ stdlib │ 1.20.10 │ src/go.mod │ │ │ │ │ │ │ │ │ https://osv.dev/GO-2023-2186 │ │ Go │ stdlib │ 1.20.10 │ src/go.mod │ │ │ │ │ │ │ │ ╰──────────────────────────────┴──────┴───────────┴─────────┴─────────┴────────────╯
As you can see, the result in docker is quite different, while it runs binaries compiled against exactly the same codebase (based on the commit hash) – it reports vulnerabilities for go stdlib v.1.20.10.
It seems that
osv-scanner
uses the original golang toolchain to get the report (it fails to run if go is not installed), so I've tried to install golang in a clean container ofalpine:latest
and indeed it emitsVulnerabilities above are actually already fixed in v1.20.11 but the
ghcr.io/google/osv-scanner:v1.4.3
image was built three weeks ago, probably before the patch had become available.The bottom line here is: in my case our CI reports false positives.
P.S. TBH I have no idea how one could solve that with the official image, since it's on the
alpine
side to provide the latest go toolchain version, so I expect this issue will be closed as "won't fix", just wanted to bring the problem to maintainers attention.The text was updated successfully, but these errors were encountered: