aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Go module dependency false positive CVE-2020-27847 #2433

Closed emosbaugh closed 2 years ago

emosbaugh commented 2 years ago

Description

The scan shows a false positive for CVE-2020-27847.

This CVE is for versions of github.com/dexidp/dex "Up to (excluding) 2.27.0".

Unfortunately dex project does not conform to go mod semantic import versioning.

$ go get -u github.com/dexidp/dex@v2.32.0
go get: github.com/dexidp/dex@v2.32.0: invalid version: module contains a go.mod file, so major version must be compatible: should be v0 or v1, not v2
$ go get -u github.com/dexidp/dex/v2@v2.32.0
go get github.com/dexidp/dex/v2@v2.32.0: github.com/dexidp/dex@v2.32.0: invalid version: module contains a go.mod file, so major version must be compatible: should be v0 or v1, not v2
$ go get -u github.com/dexidp/dex@v2.32.0+incompatible
go get: github.com/dexidp/dex@v2.32.0+incompatible: invalid version: +incompatible suffix not allowed: module contains a go.mod file, so semantic import versioning is required

JSON Output of run with -debug:

$ trivy -d fs -f json .
2022-06-30T21:46:24.573Z        DEBUG   Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-06-30T21:46:24.575Z        DEBUG   cache dir:  /home/ethan/.cache/trivy
2022-06-30T21:46:24.575Z        DEBUG   DB update was skipped because the local DB is the latest
2022-06-30T21:46:24.575Z        DEBUG   DB Schema: 2, UpdatedAt: 2022-06-30 18:07:22.156844219 +0000 UTC, NextUpdate: 2022-07-01 00:07:22.156843519 +0000 UTC, DownloadedAt: 2022-06-30 20:59:03.213582791 +0000 UTC
2022-06-30T21:46:24.575Z        INFO    Vulnerability scanning is enabled
2022-06-30T21:46:24.575Z        DEBUG   Vulnerability type:  [os library]
2022-06-30T21:46:24.575Z        INFO    Secret scanning is enabled
2022-06-30T21:46:24.575Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-06-30T21:46:24.575Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-06-30T21:46:24.575Z        DEBUG   No secret config detected: trivy-secret.yaml
2022-06-30T21:46:24.579Z        DEBUG   OS is not detected.
2022-06-30T21:46:24.579Z        DEBUG   Detected OS: unknown
2022-06-30T21:46:24.579Z        INFO    Number of language-specific files: 1
2022-06-30T21:46:24.579Z        INFO    Detecting gomod vulnerabilities...
2022-06-30T21:46:24.579Z        DEBUG   Detecting library vulnerabilities, type: gomod, path: go.mod
{
  "SchemaVersion": 2,
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "go.mod",
      "Class": "lang-pkgs",
      "Type": "gomod",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2020-27847",
          "PkgName": "github.com/dexidp/dex",
          "InstalledVersion": "0.0.0-20220520043505-5fe1647fc73c",
          "FixedVersion": "v2.27.0",
          "Layer": {},
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-27847",
          "DataSource": {
            "ID": "glad",
            "Name": "GitLab Advisory Database Community",
            "URL": "https://gitlab.com/gitlab-org/advisories-community"
          },
          "Title": "dexidp/dex: authentication bypass in saml authentication",
          "Description": "A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-228",
            "CWE-290"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 7.5,
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2020-27847",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1907732",
            "https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5",
            "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-27847"
          ],
          "PublishedDate": "2021-05-28T11:15:00Z",
          "LastModifiedDate": "2021-06-02T16:32:00Z"
        }
      ]
    }
  ]
}

Output of trivy -v:

$ trivy -v
Version: 0.29.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-06-30 18:07:22.156844219 +0000 UTC
  NextUpdate: 2022-07-01 00:07:22.156843519 +0000 UTC
  DownloadedAt: 2022-06-30 20:59:03.213582791 +0000 UTC

Additional details (base image name, container registry info...):

go.mod

module github.com/myorg/myproject

go 1.17

require github.com/dexidp/dex v0.0.0-20220520043505-5fe1647fc73c

require (
    github.com/coreos/go-oidc/v3 v3.1.0 // indirect
    github.com/golang/protobuf v1.5.2 // indirect
    golang.org/x/crypto v0.0.0-20220208050332-20e1d8d225ab // indirect
    golang.org/x/net v0.0.0-20220325170049-de3da57026de // indirect
    golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a // indirect
    google.golang.org/appengine v1.6.7 // indirect
    google.golang.org/protobuf v1.28.0 // indirect
    gopkg.in/square/go-jose.v2 v2.6.0 // indirect
)

go.sum

...
github.com/dexidp/dex v0.0.0-20220520043505-5fe1647fc73c h1:HlIqlWeFjLyxhjqyPFogp53ZoISoF6V4wKHrj9JhWEU=
github.com/dexidp/dex v0.0.0-20220520043505-5fe1647fc73c/go.mod h1:tVN6Wx5zVXTCkLezrGUw0bvr2paPLJZrRih4s/hkndE=
github.com/dexidp/dex/api/v2 v2.1.0/go.mod h1:s91/6CI290JhYN1F8aiRifLF71qRGLVZvzq68uC6Ln4=
...
github.com/russellhaering/goxmldsig v1.2.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
...
DmitriyLewen commented 2 years ago

Hello @emosbaugh

Thanks for your interest in Trivy!

Trivy works correctly: Your go.sum file contains github.com/dexidp/dex v0.0.0-20220520043505-5fe1647fc73c. This version < v2.27.0.

Perhaps you can contact dexidp developers and report problem with semver in their repository.

For now, you can skip this CVE or create module to check github.com/dexidp/dex versions.

Best Regards, Dmitriy

emosbaugh commented 2 years ago

Hello,

Appreciate the reply.

Agree the semver is lower here, but this version does not contain the CVE. The issue I have with the module approach is that as the Trivy tool becomes more ubiquitous this does not solve third parties scanning published binaries and container images. Additionally, it doesn't sound like the Dex project plans to fix this issue.

Best, Ethan

DmitriyLewen commented 2 years ago

Hello @emosbaugh

Advisory databases currently only contain information about packages and their versions. We have no way to compare semver and non-semver versions. If you have ideas on how to implement this, we are always glad to welcome new members!

Regards, Dmitriy
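The comparison Dmitriy describes, as an added example that is not Trivy's code: a small Go checker that orders versions by numeric MAJOR.MINOR.PATCH the way advisory ranges do (so the dex pseudo-version sorts below v2.27.0), and flags for manual review a pseudo-version whose embedded commit timestamp postdates the advisory's PublishedDate from the report above. The pseudo-version regex, the Triage heuristic and the function names are assumptions of this example.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Go pseudo-version vX.Y.Z[-pre.0|-0]-YYYYMMDDHHMMSS-hash12; leading "v" optional (Trivy omits it).
var pseudoRe = regexp.MustCompile(`^v?\d+\.\d+\.\d+-(?:[0-9A-Za-z.]*\.)?(\d{14})-([0-9a-f]{12})$`)

// PseudoVersionTime returns the UTC commit timestamp of a pseudo-version; ok is false for a tag.
func PseudoVersionTime(v string) (t time.Time, ok bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, false
	}
	t, err := time.Parse("20060102150405", m[1])
	return t, err == nil
}

// core returns MAJOR, MINOR, PATCH, dropping any pre-release or pseudo-version suffix.
func core(v string) (out [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// CompareSemver orders by numeric MAJOR.MINOR.PATCH only, as advisory ranges do (so v0.0.0-... < v2.27.0);
// the result is negative, zero or positive like strings.Compare.
func CompareSemver(a, b string) int {
	ca, cb := core(a), core(b)
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] - cb[i]
		}
	}
	return 0
}

// Triage: affected per the advisory range; needsReview when a pseudo-version's commit postdates
// the advisory, because such a snapshot may already carry the fix despite its v0.0.0 prefix.
func Triage(installed, fixed string, published time.Time) (affected, needsReview bool) {
	if CompareSemver(installed, fixed) >= 0 {
		return false, false
	}
	t, ok := PseudoVersionTime(installed)
	return true, ok && t.After(published)
}
```

Run against the report's values, Triage("0.0.0-20220520043505-5fe1647fc73c", "v2.27.0", 2021-05-28T11:15:00Z) returns affected=true, needsReview=true: the range match is correct, but the snapshot is worth checking by hand.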

emosbaugh commented 2 years ago

I understand. I will take it up with the Dex folks.

DmitriyLewen commented 2 years ago

I am closing this issue. Please reopen it if you still have questions.

Best Regards, Dmitriy