Open twixthehero opened 4 months ago
I don't think we will fix this. istio/istio not intended to be used as a supported library (istio/api and istio/client-go are), much like kubernetes/kubernetes is. You may do so (and you are far from the first), but at your own risk -- there may be massive breaking changes, rough edges, CVE false positives, "incorrect" tagging, etc.
istio.io/istio needs to fix their version tags so that they are recognized by the Go toolchain properly
We will not do this as we are intentionally not Go-versioned and are permanently pre-release
they need to report vulnerabilities to the Github Advisory DB using the pre-release versioning scheme
We will also not do this, as our vulnerabilities are in the Istio product (which spans beyond this repo, too), not the istio.io/istio go package
What we could maybe do is not report them as "Go" CVEs though. Not sure if we retroactively do so
Is this the right place to submit this?
Bug Description
Problem
Our team uses istio directly as a dependency in Golang. Our
go.mod
contains the following:Vulnerability scanners like TwistLock and the one from GCP Container Registry report the following CVEs:
These scanners seem to be comparing against the version
0.0.0
because this is what is listed ingo.mod
. In reality, the SHA50e191c183e2
is associated with version1.17
:A member of the GCP Container Registry scanner team did some investigation and explained the following:
They suggested the two following solutions:
Ask
Are either of these two solutions feasible? Is there a reason why the
v
prefix is not currently being used?Personally, I think adding the
v
prefix makes more sense since it would allow proper recognition by the Go toolchain.Version
Additional Information
I found #14770 which includes a doc mentioning the versioning would include
vX.Y.Z
(noticev
prefix) but the tags don't seem to be using this--only the "Main development work on the master branch" section does not use av
prefix.