Comments (2)
@sunwhawhang - If we know that the binary was compiled with a version of Golang that was vulnerable to the listed CVE, how can we prove this is a false positive?
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running any other command
which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive.
The arguments for a number of flags which are non-optional are incorrectly considered optional,
allowing disallowed flags to be smuggled through the LDFLAGS sanitization.
I think a prudent security team would want the binary to be recompiled with a version of go that was not susceptible to this kind of LDFLAG injection.
We believe it's correct to include a package in the SBOM representing the go stdlibrary when we have detected a binary built with that version of the std lib.
NVD labeling does not distinct between the std library vs the toolchain used to compile the binary.
We don't think this is definitely a false positive and believe the default case should be to include this package when detecting a binary built by go vx.x.x
cc @joshbressers for more thoughts on if we should even include an option that allows users to drop this package entirely
Grype should be able to add an ignore rule for this vulnerability if a security team review the compilation process to guarantee that no arbitrary code execution could have happened at build time.
from syft.
Not saying this is the right thing to do, but we could start filtering out cmd/*
related CVEs from the go source repo based on affected package information within the go vulnerability report linked to the CVE in question (in this case CVE-2023-29402).
from syft.
Related Issues (20)
- Install Issue - Ubuntu Image on Mac M1 Pro HOT 3
- SBOM generated for JAR doesn't parsing all pom.xml HOT 2
- SBOM generation is missing a few Python packages listed in the requirements.txt file HOT 1
- Option in parameter or configuration to set value in metadata > authors in SBOM (CycloneDX) HOT 3
- Syft incorrectly identifying jruby jar files HOT 1
- Parameter confirmation of docker _registry scanning HOT 1
- install.sh: check checksums file's signature HOT 2
- Reverse conversion of metadata mode is broken HOT 4
- syft does not find anything in archives if /tmp is a tmpfs HOT 1
- Support cataloging dlopen ELF metadata
- Syft Directory Source: Git Tag and Metadata Information
- syft outputs incorrect license LicenseRef-AND HOT 1
- Detect fluent-bit binaries
- Binary detection workflow enhancements
- SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false is not working HOT 2
- syft-table option adds escape chars at the end of each row HOT 2
- python cataloger: adding a support additionally to classify licenses by `License-File` field in metadata file HOT 1
- Add additional image tags to source metadata
- Very High Memory Usage Using Syft HOT 1
- Poetry's multiple constraints seems to break the parser
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from syft.