Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Report Go runtime vulnerabilities based on the runtime detected in a Go binary #1370

Closed
dbrugman opened this issue Jun 29, 2023 · 6 comments
Closed
Labels
bug Something isn't working false-negative

Comments

@dbrugman
Copy link

What happened:
While scanning a Docker image that contains a binary that was compiled with the Go compiler and statically linked against the Go runtime library version 1.19.9, this binary was correctly found and identified by the go-module-binary-cataloger. However, it was not flagged as impacted by CVE-2023-29403, which impacts the Go runtime library for versions < 1.19.10. Note that this binary was compiled with debug symbols (not stripped)

What you expected to happen:
I would have expected this binary to be flagged as impacted by CVE-2023-29403, since it was statically linked against a vulnerable runtime library.

How to reproduce it (as minimally and precisely as possible):
Scan a Docker image that contains a Go binary with debug symbols that has been compiled with Go version 1.19.9 or below, and is statically linked against the Go runtime library.

Anything else we need to know?:

Environment:

@dbrugman dbrugman added the bug Something isn't working label Jun 29, 2023
@kzantow kzantow moved this to Awaiting Response in OSS Jun 29, 2023
@tgerla
Copy link
Contributor

tgerla commented Jun 29, 2023

Hi @dbrugman, thanks for the report. Do you happen to have a publicly available image or a relevant go binary that exhibits this behavior that we can use to reproduce? We'll take a look. Thanks!

@dbrugman
Copy link
Author

Thanks for looking into this @tgerla! I detected this on a proprietary image, but after a little searching I found a public image where this can be reproduced: quay.io/calico/kube-controllers:v3.20.0.

That image has a Go-compiled binary: /usr/bin/kube-controllers. This binary is compiled with Go version 1.15.2, so the Go runtime library should be vulnerable to CVE-2023-29403. This binary does get detected by Grype, and it reports several vulnerabilities for this binary, but not the CVE in question.

Note that CVE-2023-29403 was released with a few other related CVE's: CVE-2023-29402, CVE-2023-29404 and CVE-2023-29405. The other three CVE's affect the Go compiler itself, but CVE-2023-29403 affects the runtime library. When I look in the Grype vulnerability DB, it seems like all four of these CVE's have been defined as impacting the Go compiler. I think that's the reason it doesn't get detected. Also: the component list generated by Grype for kube-controllers lists a dozen or so Go libraries, but there is no entry for the OOTB 'runtime' library. Without such an entry it might be hard to define a 'target' for the vulnerability.

@willmurphyscode
Copy link
Contributor

Thanks for the repro steps! I wanted to add some additional context to this issue:

Root cause: The reason Grype isn't finding this is because, although syft reports the go compiler version of each go binary in the package metadata, syft does not report the go runtime library as its own package, so vulnerabilities against the go runtime library are not reported.

We could update the go binary cataloger in syft to report the runtime library as its own package, as we do with other dependencies built into the go binary. There are a couple of considerations here:

  1. As you mentioned above, some vulnerabilities reported against Go itself are compile time vulnerabilities, and shouldn't be reported here. This might be solved by Add support for package dependency relationships syft#572, which would let syft write down the distinction between runtime and compile time dependencies, for example.
  2. Syft currently deduplicates the SBOM artifacts by path, so every go binary would report its version of the go runtime library at the path where the library was, so an image with lots of go binaries built with the same go version would have a lot of noise in the SBOM. This might be solved by adding custom deduplication logic to the go cataloger itself.

That said, I do think this behavior (missing a CVE reported against the go runtime lib) is good evidence we should make this change in syft.

@dbrugman
Copy link
Author

@willmurphyscode thanks for the detailed analysis! I think your suggestions make sense, even though my understanding of Syft internals is limited. I’ll start following syft#572 as well.

@tgerla tgerla removed the status in OSS Aug 10, 2023
@spiffcs spiffcs moved this to Backlog in OSS Aug 24, 2023
@kzantow kzantow changed the title Grype doesn't detect CVE-2023-29403 for binary linked against a vulnerable Go runtime version Report Go runtime vulnerabilities based on the runtime detected in a Go binary Aug 24, 2023
@westonsteimel
Copy link
Contributor

westonsteimel commented Feb 16, 2024

@tgerla - I believe this has been addressed awhile ago by the syft changes in anchore/syft#2195

@kzantow
Copy link
Contributor

kzantow commented Feb 16, 2024

Good catch! I just retested this on the latest grype and it works as expected:

$ grype quay.io/calico/kube-controllers:v3.20.0 -q | grep 29403
stdlib               go1.15.2              go-module  CVE-2023-29403       High      

I'm going to close this, since it has been implemented but please reopen if there's a misunderstanding!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working false-negative
Projects
Archived in project
Development

No branches or pull requests

5 participants