-
Notifications
You must be signed in to change notification settings - Fork 404
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate with Go vuln db #679
Comments
This issue is stale because it has been open for 90 days with no |
Played around with the For example, running it on v0.25.0 of Tekton's main packages:
This took 43 seconds to complete, for all main packages. Just This is pretty cool, since it not only shows you what vulns you have, but how you (could) end up hitting it. This would help a lot if the vuln only shows up in cases where some environment variable is set, and you know it's never set that way, or you can at least clearly document not to set it to remain safe. But, running it on the built binary:
And it's been running for 13 minutes with no output 🐌 |
After ~21 minutes:
This seems like less useful output, since it includes more false positives, and no callstack explaining how we use it. Weirdly, the output from scanning the binary doesn't include the vuln reported when scanning the source... 🤔 |
new blog post https://go.dev/blog/vuln |
govulncheck seems to have gotten a lot faster. Running against Tekton:
So that's nice. Integrating it in Attaching signed attestations probably looks like most of the work necessary for #357 which we want to do anyway. |
It means that ko will require |
Possibly. Or, if |
^ https://go.dev/blog/vuln#vulnerability-detection-using-govulncheck |
kindly ping @imjasonh, let's implement this 👋 |
I'd love to! I think we'd want to have govulncheck's findings end up in an attestation attached to the built image, and likely signed. This would make it blocked on existing signing work that's been long-awaited (#357) |
golang.org/x/vuln/vulncheck.Binary
"detects presence of vulnerable symbols in exe."Unlike scanned source code, imports and callstacks aren't available, only the presence of a vulnerable symbol.
There's also a standalone CLI tool to vulncheck a binary,
govulncheck
However, it's got this warning at this time:
Similar to how
ko deps
fetches and extracts the binary from an image,ko vuln
(orscan
or something) could fetch and extract the binary then runvulncheck
on it to find Go vulnerability database entries.This
ko
surface could either simply report on detected vulns, or push a scan result to the registry in whatever form that should take, so other consumers can consume it.The text was updated successfully, but these errors were encountered: