Open
Description
This project imports the go module istio.io/istio, which uses unadorned semver tags rather than the go-standard v-prefixed release tags. The consequence is that go mod tidy always replaces the go.mod entry with a pseudo-version, and this version is then misinterpreted by trivy and by dependabot:
- go.mod: Support updating non-release git dependencies dependabot/dependabot-core#2028
- https://github.com/cert-manager/istio-csr/security/dependabot/21
- [Question]: Why istio tags are not prefixed with a v istio/istio#41702
- wrong version compare? aquasecurity/trivy#1456
- f4da319
In #222 I upgraded istio.io/istio to the latest version and trivy still reports the same false positive vulnerabilities:
$ trivy repo .
2023-12-05T15:42:33.816Z INFO Vulnerability scanning is enabled
2023-12-05T15:42:33.816Z INFO Secret scanning is enabled
2023-12-05T15:42:33.816Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-05T15:42:33.817Z INFO Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-12-05T15:42:38.475Z INFO Number of language-specific files: 2
2023-12-05T15:42:38.475Z INFO Detecting gomod vulnerabilities...
go.mod (gomod)
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 4, CRITICAL: 0)
┌────────────────┬────────────────┬──────────┬────────┬───────────────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────┼────────────────┼──────────┼────────┼───────────────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ istio.io/istio │ CVE-2019-14993 │ HIGH │ fixed │ 0.0.0-20231205100254-0ebec17e00ab │ 1.1.13, 1.2.4 │ istio/envoy: mishandling regular expressions for long URIs │
│ │ │ │ │ │ │ leading to DoS │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14993 │
│ ├────────────────┤ │ │ ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39155 │ │ │ │ 1.9.8, 1.10.4, 1.11.1 │ HTTP request can bypass authorization mechanisms due to case │
│ │ │ │ │ │ │ insensitive host comparison... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39155 │
│ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39156 │ │ │ │ │ HTTP request with fragment in URI can bypass authorization │
│ │ │ │ │ │ │ mechanisms │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39156 │
│ ├────────────────┤ │ │ ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-23635 │ │ │ │ 1.13.1, 1.12.4, 1.11.7 │ unauthenticated control plane denial of service attack │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-23635 │
│ ├────────────────┼──────────┤ │ ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-31045 │ MEDIUM │ │ │ 1.12.18, 1.13.5, 1.14.1 │ Unsafe memory access in metadata exchange. │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31045 │
└────────────────┴────────────────┴──────────┴────────┴───────────────────────────────────┴─────────────────────────┴──────────────────────────────────────────────────────────────┘
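The following is an added example, not code from istio-csr, istio or trivy, to make the failure mode above concrete. It decodes a Go pseudo-version into the part a semver-only scanner compares (the base `0.0.0`) and the part that actually identifies the code (the commit), then audits a constructed `require` block and counts how many of the advisory "Fixed Version" values from the trivy table the installed pseudo-version sorts below. The `CompareCore` ordering is a simplified model of what a semver-based scanner does, not trivy's own implementation; the sample go.mod is constructed, and the `v1.20.0` tag used for comparison is hypothetical (istio does not publish v-prefixed tags).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// pseudoVersionRe matches the Go pseudo-version shapes v0.0.0-<ts>-<hash>,
// v1.2.4-0.<ts>-<hash> and v1.2.4-pre.0.<ts>-<hash> (<ts> = UTC yyyymmddhhmmss).
var pseudoVersionRe = regexp.MustCompile(
	`^v(\d+\.\d+\.\d+)(?:-[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*)?[.-](\d{14})-([0-9a-f]{12})$`)

// PseudoVersion: Base is all a semver-only scanner compares; Commit is what identifies the code.
type PseudoVersion struct{ Base, Timestamp, Commit string }

// ParsePseudoVersion decodes v, reporting false for a real release tag such as v1.20.0.
func ParsePseudoVersion(v string) (PseudoVersion, bool) {
	m := pseudoVersionRe.FindStringSubmatch(v)
	if m == nil {
		return PseudoVersion{}, false
	}
	return PseudoVersion{Base: m[1], Timestamp: m[2], Commit: m[3]}, true
}

// CompareCore orders versions the way a semver-only scanner does (a simplified model,
// not trivy's code): major.minor.patch numerically, then a "-..." suffix sorts below the release.
func CompareCore(a, b string) int {
	return strings.Compare(sortKey(a), sortKey(b))
}

// sortKey zero-pads major.minor.patch so lexical order equals numeric order, then appends
// "true" for a bare release or "false" for a suffixed version ("false" < "true").
func sortKey(v string) string {
	core, _, hasSuffix := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var n [3]int
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%08d.%08d.%08d.%t", n[0], n[1], n[2], !hasSuffix)
}

// Finding is a pseudo-versioned dependency plus the advisory "fixed" versions the naive
// comparison thinks it has not reached; for a v0.0.0 pseudo-version that is all of them.
type Finding struct {
	Module, Version string
	Pseudo          PseudoVersion
	Flagged         []string
}

// AuditGoMod reports every pseudo-versioned module in goMod's require block, using
// fixedByModule as the scanner's per-module "fixed in" data.
func AuditGoMod(goMod string, fixedByModule map[string][]string) []Finding {
	var findings []Finding
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "require (", line == ")":
			inBlock = line == "require ("
			continue
		case !inBlock || strings.HasPrefix(line, "//"):
			continue
		}
		fields := strings.Fields(line) // "module version [// indirect]"
		if len(fields) < 2 {
			continue
		}
		if pv, ok := ParsePseudoVersion(fields[1]); ok {
			f := Finding{Module: fields[0], Version: fields[1], Pseudo: pv}
			for _, fixed := range fixedByModule[fields[0]] {
				if CompareCore(fields[1], fixed) < 0 {
					f.Flagged = append(f.Flagged, fixed)
				}
			}
			findings = append(findings, f)
		}
	}
	return findings
}

// SampleGoMod is a constructed require block mirroring the issue, not the project's real go.mod.
const SampleGoMod = `require (
	istio.io/istio v0.0.0-20231205100254-0ebec17e00ab
	k8s.io/client-go v0.28.4 // indirect
)`

// IstioFixedVersions are the "Fixed Version" cells from the trivy table above.
var IstioFixedVersions = map[string][]string{"istio.io/istio": {"1.1.13", "1.2.4", "1.9.8",
	"1.10.4", "1.11.1", "1.13.1", "1.12.4", "1.11.7", "1.12.18", "1.13.5", "1.14.1"}}

func main() {
	for _, f := range AuditGoMod(SampleGoMod, IstioFixedVersions) {
		fmt.Printf("%s %s: compared as %s, below %d fixed versions; code is commit %s\n",
			f.Module, f.Version, f.Pseudo.Base, len(f.Flagged), f.Pseudo.Commit)
	}
}
```

Run against the sample, the audit reports istio.io/istio compared as 0.0.0 and sorting below all eleven fixed versions, while a hypothetical v1.20.0 tag would clear every one of them. The practical takeaway is that bumping to a newer pseudo-version can never fix this class of report, because every pseudo-version of an untagged module keeps base 0.0.0; the options are a v-prefixed tag upstream, a scanner-side suppression such as a .trivyignore entry, or a CI check like this one that flags pseudo-versioned require entries so the false positives are understood rather than chased.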