wrong version compare? #1456

Closed
fragolinux opened this issue Dec 11, 2021 · 7 comments
Labels: kind/bug (categorizes issue or PR as related to a bug), lifecycle/stale (denotes an issue or PR that has remained open with no activity and will be auto-closed)

Comments

@fragolinux

Description

Testing trivy v0.21.2 on a custom build of the "img" tool, it reports a vulnerability in the docker cli library:

github.com/docker/cli | CVE-2021-41092 | HIGH | v0.0.0-20211117234946-dea9396e1842 | v20.10.9 | docker: cli leaks private registry

but that v0.0.0-20211117234946-dea9396e1842 is actually the pseudo-version format of the v20.10.11 library (I had to put it in this format because otherwise it does not compile; I'm no "go" expert, so I can't fix that), so it is NEWER than the v20.10.9 version that trivy says fixed the issue...

What did you expect to happen?

All vulnerabilities fixed.

What happened instead?

A vulnerability is still reported as active, even though the binary is on a newer version than the one that fixes the reported issue.

Output of run with -debug:

trivy -d image  img48903222
2021-12-11T18:30:19.605+0100    DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-12-11T18:30:19.649+0100    DEBUG   cache dir:  /Users/fragolinux/Library/Caches/trivy
2021-12-11T18:30:19.653+0100    DEBUG   DB update was skipped because DB is the latest
2021-12-11T18:30:19.654+0100    DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-12-11 12:44:15.626906127 +0000 UTC, NextUpdate: 2021-12-11 18:44:15.626905527 +0000 UTC, DownloadedAt: 2021-12-11 13:13:50.640299 +0000 UTC
2021-12-11T18:30:19.657+0100    DEBUG   Vulnerability type:  [os library]
2021-12-11T18:30:19.670+0100    DEBUG   Image ID: sha256:e91ad63b22141c4d93136d4bf6a0197ea203f3d60e0fdba4da8129c05646919e
2021-12-11T18:30:19.670+0100    DEBUG   Diff IDs: [sha256:7fcb75871b2101082203959c83514ac8a9f4ecfee77a0fe9aa73bbe56afdf1b4 sha256:eadfd7216f743014b3261d9918872fd8fcb13e3e4bb447ac39bcc717a7a11136 sha256:913ced6fe2bcf6f40af30ad88b960d318a50b4ff52456f687cf8429a7e38fd06 sha256:351e48903ccdeba98c4b3e9b0d6336ded6aaf3eae26cbeb4f8bf713afc3ff833 sha256:7b85b5981137767bdd519327d22fdcf7e4fbeaa2296f8b8f5df1a9d8347d32bc sha256:25dbb2b4125bd17ee92cd02d25f435d7841a75e437304a173d2b334b32865bd2]
2021-12-11T18:30:19.675+0100    INFO    Detected OS: alpine
2021-12-11T18:30:19.675+0100    INFO    Detecting Alpine vulnerabilities...
2021-12-11T18:30:19.675+0100    DEBUG   alpine: os version: 3.13
2021-12-11T18:30:19.675+0100    DEBUG   alpine: the number of packages: 22
2021-12-11T18:30:19.682+0100    INFO    Number of language-specific files: 1
2021-12-11T18:30:19.682+0100    INFO    Detecting gobinary vulnerabilities...
2021-12-11T18:30:19.682+0100    DEBUG   Detecting library vulnerabilities, type: gobinary, path: usr/bin/img

img48903222 (alpine 3.13.7)
===========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/img (gobinary)
======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+-----------------------+------------------+----------+------------------------------------+---------------+---------------------------------------+
|        LIBRARY        | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          | FIXED VERSION |                 TITLE                 |
+-----------------------+------------------+----------+------------------------------------+---------------+---------------------------------------+
| github.com/docker/cli | CVE-2021-41092   | HIGH     | v0.0.0-20211117234946-dea9396e1842 | v20.10.9      | docker: cli leaks private registry    |
|                       |                  |          |                                    |               | credentials to registry-1.docker.io   |
|                       |                  |          |                                    |               | -->avd.aquasec.com/nvd/cve-2021-41092 |
+-----------------------+------------------+----------+------------------------------------+---------------+---------------------------------------+

Output of trivy -v:

Version: 0.21.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2021-12-11 12:44:15.626906127 +0000 UTC
  NextUpdate: 2021-12-11 18:44:15.626905527 +0000 UTC
  DownloadedAt: 2021-12-11 13:13:50.640299 +0000 UTC

Additional details (base image name, container registry info...):

I pushed my mods to this feature branch: https://github.com/EcoMind/img/tree/feature/CVE-2021-41092
Just clone it, go into its folder and run
docker build -t CVE-2021-41092 .
then
trivy image CVE-2021-41092

@fragolinux fragolinux added the kind/bug Categorizes issue or PR as related to a bug. label Dec 11, 2021
@fragolinux (Author)

To test, use this commit id: 914096f3e97090bb0dd0106b2d8e8c85cf33448a. I then solved my issues in other ways, but this bug is still there if trivy compares pseudo-versions with versions.

@afdesk (Contributor)

afdesk commented Dec 12, 2021

Hi @fragolinux! Thanks for your report!
I'll try to reproduce and resolve it.

@afdesk (Contributor)

afdesk commented Dec 21, 2021

@fragolinux sorry for the wait.
We discussed this issue and it seems that trivy works correctly: the installed version v0.0.0-20211117234946-dea9396e1842 is less than 20.10.9. You can also check it here: https://go.dev/play/p/EZknUNuBtOq

more details about pseudo versions in go are here: https://go.dev/ref/mod#pseudo-versions

@fragolinux (Author)

fragolinux commented Dec 21, 2021

But as that second link says, "Pseudo-versions may refer to revisions for which no semantic version tags are available"... so actually comparing semver tags AND pseudo-version ones IS wrong, they CAN'T be compared... this is the problem...

@knqyf263 (Collaborator)

knqyf263 commented Dec 21, 2021

No, it says "no semantic version tags are available". If there is no tag, Go generates pseudo-semantic versions.

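The two replies above (afdesk's result that the pseudo-version sorts below v20.10.9, and knqyf263's note that Go generates pseudo-semantic versions when no tag exists) follow from plain semantic-version precedence, and that can be checked offline. The following is an added Go example written for this page; it is not trivy's code and not the snippet behind the playground link. It uses only the standard library, the `Version`, `CompareVersions` and `IsPseudoVersion` names are its own, and the versions it is applied to are the ones quoted in this issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is the parsed form of a module version such as v20.10.9 or the
// pseudo-version v0.0.0-20211117234946-dea9396e1842 quoted in the report.
type Version struct {
	Core       [3]int // major, minor, patch
	Prerelease string // everything after the first '-'; empty for a release
}

// ParseVersion parses "vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]".
func ParseVersion(v string) (Version, error) {
	var out Version
	s, _, _ := strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata has no precedence
	s, out.Prerelease, _ = strings.Cut(s, "-")
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("malformed version %q", v)
		}
		out.Core[i] = n
	}
	return out, nil
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// comparePrerelease applies semver rule 11: a release outranks any pre-release
// of the same core; otherwise dot-separated identifiers are compared left to
// right (numeric ones numerically, and below alphanumeric ones), and when every
// shared identifier is equal the longer list is higher.
func comparePrerelease(a, b string) int {
	if a == "" || b == "" {
		return cmpInt(len(b), len(a)) // the empty (release) side wins
	}
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		an, aErr := strconv.Atoi(as[i])
		bn, bErr := strconv.Atoi(bs[i])
		switch {
		case aErr == nil && bErr == nil:
			if c := cmpInt(an, bn); c != 0 {
				return c
			}
		case aErr == nil:
			return -1
		case bErr == nil:
			return 1
		default:
			if c := strings.Compare(as[i], bs[i]); c != 0 {
				return c
			}
		}
	}
	return cmpInt(len(as), len(bs))
}

// CompareVersions returns -1, 0 or 1 as a sorts below, equal to or above b
// under semantic-version precedence (major, minor, patch, then pre-release).
func CompareVersions(a, b string) (int, error) {
	va, errA := ParseVersion(a)
	vb, errB := ParseVersion(b)
	if errA != nil || errB != nil {
		return 0, fmt.Errorf("cannot compare %q with %q", a, b)
	}
	for i := range va.Core {
		if c := cmpInt(va.Core[i], vb.Core[i]); c != 0 {
			return c, nil
		}
	}
	return comparePrerelease(va.Prerelease, vb.Prerelease), nil
}

// pseudoTail matches the "yyyymmddhhmmss-abcdefabcdef" ending shared by every
// pseudo-version form listed at https://go.dev/ref/mod#pseudo-versions.
var pseudoTail = regexp.MustCompile(`(?:^|\.)\d{14}-[0-9a-f]{12}$`)

// IsPseudoVersion reports whether v was generated for an untagged commit, i.e.
// whether its pre-release part is really a commit timestamp and hash.
func IsPseudoVersion(v string) bool {
	pv, err := ParseVersion(v)
	return err == nil && pseudoTail.MatchString(pv.Prerelease)
}
```

`CompareVersions("v0.0.0-20211117234946-dea9396e1842", "v20.10.9")` returns -1, and the pseudo-version even sorts below plain `v0.0.0`, because everything after the first hyphen is a pre-release identifier: the commit timestamp and hash never take part in the ordering except to rank the version below its own base. A scanner that is only told "fixed in v20.10.9" therefore has no way to see that the commit is newer than the fix; what makes the comparison meaningful is a real version tag recorded in the binary's module information, which `IsPseudoVersion` lets you check for before trusting a fixed-version verdict either way.
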
@fragolinux (Author)

OK, understood, but what should I do with images I have no control over, but need deployed on my cluster, when trivy blocks them because it compares versions this strange way? I don't want to disable trivy checks, but this is halting PATCHED and NEWER images from being deployed.

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 20, 2022