Comments (3)
@kevin-niland thanks for the issue!
Here are some more details regarding your request and the steps I tried to reproduce. When consul is installed as a go module on my local machine I do not see the v0.0.0-<pseudo-version> behavior.
grype dir:.
<-- In this case scanning a go project with consul installed
github.com/hashicorp/consul v1.18.1 go-module
When I run go install github.com/hashicorp/consul
I also don't see the FP when scanning against the binary:
grype ~/go/bin/consul
2024/05/15 12:11:48 profile: memory profiling enabled (rate 4096), /var/folders/l0/_71m09512ss7lv9c64ldzld80000gn/T/profile1991174059/mem.pprof
✔ Vulnerability DB [no update available]
✔ Indexed file system /Users/hal/go/bin
✔ Cataloged contents 845ea22333829145c1064244883fd66d011c502f16b0a774c20f2a6243d23c82
├── ✔ Packages [253 packages]
└── ✔ Executables [1 executables]
✔ Scanned for vulnerabilities [4 vulnerability matches]
├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible (3 unknown)
└── by status: 1 fixed, 3 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
golang.org/x/net v0.19.0 0.23.0 go-module GHSA-4v7x-pqxf-cx7m Medium
stdlib go1.22.1 go-module CVE-2024-24788 Unknown
stdlib go1.22.1 go-module CVE-2024-24787 Unknown
stdlib go1.22.1 go-module CVE-2023-45288 Unknown
If I run syft against the binary I see:
github.com/hashicorp/consul v1.18.1 go-module
I also copied this binary into a docker container, built it, and also do not see the behavior you're seeing.
Is there more information about the binary you're using? We should be able to extract the version here given the LD flags and how it's compiled.
Can you show me the match json from the grype -o json output?
Hi @spiffcs, what version of grype did you use? I see there was a revert recently for something: #1815
@kevin-niland my grype version is v0.77.4
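The maintainer above asks for the match JSON from grype -o json. As an added triage helper (not code from the grype project or from anyone in this thread), the script below walks such a report and flags go-module matches whose installed version is a Go pseudo-version, the v0.0.0-<timestamp>-<hash> shape this issue is about; the JSON field names (matches[].artifact.name/version/type, matches[].vulnerability.id) and the sample report are assumptions constructed for the example, and the vulnerability id on the consul entry is a placeholder.

```python
import json
import re

# Go pseudo-version shapes: vX.0.0-<ts>-<hash>, vX.Y.Z-pre.0.<ts>-<hash>,
# vX.Y.Z-0.<ts>-<hash>; <ts> is 14 digits, <hash> is 12 hex characters.
PSEUDO_VERSION_RE = re.compile(
    r"^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.-]*\.)?\d{14}-[0-9a-f]{12}(?:\+incompatible)?$"
)


def is_go_pseudo_version(version: str) -> bool:
    """True when the version string is a Go module pseudo-version."""
    return bool(PSEUDO_VERSION_RE.match(version))


def flag_pseudo_version_matches(report: dict) -> list:
    """Return (package, version, vulnerability id) triples for go-module
    matches whose installed version is a pseudo-version. A v0.0.0 pseudo-version
    sorts below every tagged release, so no fixed-in range can clear it; these
    are the matches to check against the version the binary was really built
    from before treating them as findings."""
    flagged = []
    for match in report.get("matches", []):
        artifact = match.get("artifact", {})
        if artifact.get("type") != "go-module":
            continue
        version = artifact.get("version", "")
        if is_go_pseudo_version(version):
            flagged.append((artifact.get("name"), version, match["vulnerability"]["id"]))
    return flagged


# Constructed sample in the shape of `grype -o json` (field names assumed).
SAMPLE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "GHSA-placeholder-0000", "severity": "High"},
   "artifact": {"name": "github.com/hashicorp/consul",
                "version": "v0.0.0-20240101000000-0123456789ab", "type": "go-module"}},
  {"vulnerability": {"id": "GHSA-4v7x-pqxf-cx7m", "severity": "Medium"},
   "artifact": {"name": "golang.org/x/net", "version": "v0.19.0", "type": "go-module"}}
]}
""")

if __name__ == "__main__":
    for name, version, vuln in flag_pseudo_version_matches(SAMPLE_REPORT):
        print(f"review: {name} {version} -> {vuln}")
```

Run it against a real report with `json.load(open("report.json"))` in place of SAMPLE_REPORT; only the consul entry is flagged in the sample, the x/net match with a tagged version is left alone.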