Closed emosbaugh closed 2 years ago
Hello @emosbaugh
Thanks for your interest in Trivy!
Trivy works correctly:
Your go.sum file contains github.com/dexidp/dex v0.0.0-20220520043505-5fe1647fc73c. This version < v2.27.0.
Perhaps you can contact the dexidp developers and report the problem with semver in their repository.
For now, you can skip this CVE or create a module to check github.com/dexidp/dex versions.
Best Regards, Dmitriy
Hello,
Appreciate the reply.
Agree the semver is lower here, but this version does not contain the CVE. The issue I have with the module approach is that as the Trivy tool becomes more ubiquitous this does not solve third parties scanning published binaries and container images. Additionally, it doesn't sound like the Dex project plans to fix this issue.
Best, Ethan
Hello @emosbaugh
Advisory databases currently only contain information about packages and their versions. We have no way to compare semver and non-semver versions. If you have ideas on how to implement this, we are always glad to welcome new members!
Regards, Dmitriy
I understand. I will take it up with the Dex folks.
I am closing this issue. Please reopen it if you still have questions.
Best Regards, Dmitriy
Checklist
Run with -f json, which shows data sources, and make sure that the security advisory is correct.
Description
The scan shows a false positive for CVE-2020-27847.
This CVE is for versions of github.com/dexidp/dex "Up to (excluding) 2.27.0".
Unfortunately, the dex project does not conform to go mod semantic import versioning.
JSON output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
go.mod
go.sum
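As an added example (not Trivy's or Dex's code), the following Python check reproduces the comparison this issue describes: the go.sum entry github.com/dexidp/dex v0.0.0-20220520043505-5fe1647fc73c is measured against the advisory's fixed version v2.27.0 with a plain semver compare, but the check also recognises Go pseudo-versions so that such results can be routed to manual triage instead of being reported as definite findings. The pseudo-version grammar follows the Go modules reference; the "vulnerable if version < fixed" rule is a stand-in for an advisory range, not Trivy's matching code.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Go pseudo-version forms (Go modules reference):
#   vX.0.0-yyyymmddhhmmss-abcdefabcdef        no tagged version precedes the commit
#   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef  commit follows pre-release tag vX.Y.Z-pre
#   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef  commit follows release tag vX.Y.Z
PSEUDO_RE = re.compile(
    r"^(v\d+\.\d+\.\d+)-(?:(?:[0-9A-Za-z.]+\.)?0\.)?(\d{14})-([0-9a-f]{12})$"
)
RELEASE_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

@dataclass
class Verdict:
    version: str
    pseudo: bool   # version is a Go pseudo-version, not a tagged release
    flagged: bool  # plain semver compare says version < fixed version
    note: str      # what a reviewer should do with the result

def parse_pseudo(version: str) -> Optional[Tuple[str, str, str]]:
    """Return (base, timestamp, commit) for a pseudo-version, else None."""
    m = PSEUDO_RE.match(version)
    return m.groups() if m else None

def semver_key(version: str) -> tuple:
    """Sort key for vMAJOR.MINOR.PATCH[-pre]; a pre-release sorts below its
    release. Pre-release identifiers compare as plain strings (simplified)."""
    m = RELEASE_RE.match(version)
    if not m:
        raise ValueError(f"not a semver release/pre-release: {version}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre is None, pre or "")

def evaluate(version: str, fixed: str) -> Verdict:
    """Apply a 'vulnerable if version < fixed' advisory rule, but mark
    pseudo-versions so the result is routed to manual triage."""
    pseudo = parse_pseudo(version)
    if pseudo is None:
        flagged = semver_key(version) < semver_key(fixed)
        return Verdict(version, False, flagged, "tagged release: semver compare is authoritative")
    base, ts, commit = pseudo
    # The base of a pseudo-version says nothing about which fixes the commit carries.
    flagged = semver_key(base) < semver_key(fixed)
    note = (f"pseudo-version: base {base} is synthetic; decide by whether commit "
            f"{commit} ({ts}) contains the fix, not by the version number")
    return Verdict(version, True, flagged, note)
```

For the version from this issue's go.sum, `evaluate(...)` returns `flagged=True` together with `pseudo=True`, which is exactly the case where the semver result should not be trusted on its own.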