golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: suggestion regarding GO-2024-2856 #3183

Open 51n15t9r opened 2 weeks ago

51n15t9r commented 2 weeks ago

Report ID

GO-2024-2856

Suggestion/Comment

This vulnerability impacts Grafana server (>=9.2.0 and < 9.2.4) and should not be marked against the Grafana Go package. The latest Grafana Go package version is v6.1.6+incompatible.

tatianab commented 2 weeks ago

Hi @51n15t9r, thanks for your report. With repositories like grafana, that are not really intended to be used as libraries, and which use custom versioning, it is not always clear how to create a precise and helpful vulnerability report.

May I ask, how did you come across this issue? Did you notice a false positive report from govulncheck or another security scanner?

51n15t9r commented 3 days ago

Hi @tatianab - This was reported in our Anchore container scan. I had not run govulncheck until now, but I can see these reported in govulncheck as well.

There are a bunch of such vulnerabilities on the same Go library package, which I believe should be relooked at, since the description and fix version suggest that they affect only the Grafana server.

tatianab commented 2 days ago

Hi again, thanks for the clarification. Would you be willing to share the output from your Anchore container scan or govulncheck? In particular, what version and packages of the grafana library are you using? (If you'd rather share privately, you can send an email to security@golang.org).