Open kevin-niland opened 4 months ago
@kevin-niland thanks for the issue!
Here are some more details regarding your request and steps I tried to reproduce. When consul is installed as a go module on my local I do not see the v0.0.0-<pseudo-version> behavior.
grype dir:.   <-- In this case scanning a go project with consul installed
github.com/hashicorp/consul v1.18.1 go-module
When I run go install github.com/hashicorp/consul
I also don't see the FP when scanning against the binary
grype ~/go/bin/consul
2024/05/15 12:11:48 profile: memory profiling enabled (rate 4096), /var/folders/l0/_71m09512ss7lv9c64ldzld80000gn/T/profile1991174059/mem.pprof
✔ Vulnerability DB [no update available]
✔ Indexed file system /Users/hal/go/bin
✔ Cataloged contents 845ea22333829145c1064244883fd66d011c502f16b0a774c20f2a6243d23c82
├── ✔ Packages [253 packages]
└── ✔ Executables [1 executables]
✔ Scanned for vulnerabilities [4 vulnerability matches]
├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible (3 unknown)
└── by status: 1 fixed, 3 not-fixed, 0 ignored
NAME              INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
golang.org/x/net  v0.19.0    0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
stdlib            go1.22.1             go-module  CVE-2024-24788       Unknown
stdlib            go1.22.1             go-module  CVE-2024-24787       Unknown
stdlib            go1.22.1             go-module  CVE-2023-45288       Unknown
If I run syft against the binary I see:
github.com/hashicorp/consul v1.18.1 go-module
I also copied this binary into a docker container built it and also do not see the behavior you're seeing.
Is there more information about the binary you're using? We should be able to extract the version here given the LD flags and how it's compiled.
Can you show me the match json from the grype -o json output?
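The remark above, that the version should be recoverable from the LD flags and how the binary was compiled, comes down to the build information the Go toolchain embeds in every module-aware binary. The program below is an added illustration, not code from the grype or syft projects or from this thread: it reads that block with the standard library's debug/buildinfo package (the same data `go version -m <binary>` prints) and flags the cases in which no tagged version is present: an empty version, the `(devel)` marker that `go build` run inside a source checkout records for the main module, and v0.0.0 pseudo-versions. The consul-shaped build info it falls back on when given no path is constructed sample data; the `-s -w` ldflags value and the `go1.22.1` toolchain string are assumptions, not taken from the binary discussed in this issue.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// VersionReport holds what can be learned about a Go binary's version from
// the build information the Go toolchain embeds at compile time.
type VersionReport struct {
	MainPath    string // module path of the main package
	MainVersion string // module version as recorded by the toolchain
	GoVersion   string // toolchain that built the binary
	LDFlags     string // recorded -ldflags, e.g. "-s -w -X main.Version=..."
	VCSRevision string // vcs.revision setting, if the build had VCS metadata
	Unversioned bool   // true when MainVersion is not a tagged release
}

// isUnversioned reports whether a module version string carries no release
// tag: empty, the "(devel)" marker that `go build` in a source checkout
// records for the main module, or a v0.0.0 pseudo-version.
func isUnversioned(v string) bool {
	return v == "" || v == "(devel)" || strings.HasPrefix(v, "v0.0.0-")
}

// buildSetting returns the value of one build setting ("-ldflags",
// "vcs.revision", ...) or "" when the binary does not record it.
func buildSetting(bi *debug.BuildInfo, key string) string {
	for _, s := range bi.Settings {
		if s.Key == key {
			return s.Value
		}
	}
	return ""
}

// report condenses embedded build information into the version facts a
// scanner can rely on.
func report(bi *debug.BuildInfo) VersionReport {
	return VersionReport{
		MainPath:    bi.Main.Path,
		MainVersion: bi.Main.Version,
		GoVersion:   bi.GoVersion,
		LDFlags:     buildSetting(bi, "-ldflags"),
		VCSRevision: buildSetting(bi, "vcs.revision"),
		Unversioned: isUnversioned(bi.Main.Version),
	}
}

// reportFile reads the build information from a compiled Go binary on disk,
// the same data `go version -m <binary>` prints.
func reportFile(path string) (VersionReport, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return VersionReport{}, err
	}
	return report(bi), nil
}

// constructedExample builds synthetic build information shaped like that of
// a consul binary, with the given main-module version. Constructed sample
// data for this example; the ldflags and toolchain values are assumptions.
func constructedExample(version string) *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.22.1",
		Path:      "github.com/hashicorp/consul",
		Main:      debug.Module{Path: "github.com/hashicorp/consul", Version: version},
		Settings:  []debug.BuildSetting{{Key: "-ldflags", Value: "-s -w"}},
	}
}

func main() {
	// With a path argument, inspect a real binary; otherwise show the tagged
	// and the source-checkout cases side by side on constructed data.
	if len(os.Args) > 1 {
		r, err := reportFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "not a Go binary or no build info:", err)
			os.Exit(1)
		}
		fmt.Printf("%+v\n", r)
		return
	}
	for _, v := range []string{"v1.18.1", "(devel)"} {
		fmt.Printf("%+v\n", report(constructedExample(v)))
	}
}
```

Run against a binary produced by `go install module@version` the report shows a tagged main-module version; a binary compiled from a checkout carries `(devel)` instead. A release number injected through `-ldflags "-X ..."` is stored in an ordinary Go variable and appears here only as text inside the recorded -ldflags setting, so tooling that reads the module version alone cannot see it. Checking a downloaded artifact this way tells you which of those cases it is before treating a v0.0.0 result as a scanner bug.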
Hi @spiffcs , what version of grype did you use? I see there was a revert recently for something: https://github.com/anchore/grype/pull/1815
@kevin-niland my grype version is v0.77.4
grype is reporting the installed consul version as v0.0.0, regardless of the actual version installed
Tested with a docker image which has consul v1.17.3 installed:
Output of grype:
I have seen other issues already raised pertaining to how go provides versions - does this fall under this issue/is it something that is already being addressed? In regards to the image I tested, the consul binary is downloaded from a specified location (this binary is already built) and the binary is then moved to /usr/bin/consul, if that makes any difference.