trivy: false positive for CVE-2019-3826

Description

Prometheus publishes v2 as v0.x due to Go dependency versioning for using Prometheus as a library: https://github.com/prometheus/prometheus#prometheus-code-base

Trivy finds vulnerabilities in go.mod dependencies for v0.35. However, this corresponds to Prometheus v2.35, which does not have this vulnerability: https://github.com/open-policy-agent/gatekeeper/blob/master/go.mod#L99

What did you expect to happen?

No vulnerabilities reported

What happened instead?

Report for

│ github.com/prometheus/prometheus │ CVE-2019-3826  │ MEDIUM   │ 0.35.0                            │ v2.7.1                            │ prometheus: Stored DOM cross-site scripting (XSS) attack via │
│                                  │                │          │                                   │                                   │ crafted URL                                                  │
│                                  │                │          │                                   │                                   │ https://avd.aquasec.com/nvd/cve-2019-3826                    │

example CI run: https://github.com/open-policy-agent/gatekeeper/actions/runs/3178090518/jobs/5179239860

Output of run with -debug:

Output of trivy -v:

v0.32.1

Additional details (base image name, container registry info…):
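
As an added example (not code from this issue, from Trivy or from Prometheus), a small Go triage helper that applies the mapping the report describes: it rewrites a github.com/prometheus/prometheus module version v0.X.Y to release v2.X.Y before comparing it with the fixed version Trivy prints, so the quoted row (0.35.0 against fixed v2.7.1) comes out as not vulnerable. The mapping rule is assumed only for the v0.x module line of that one module; the function names are mine.

```go
package main

import (
	"fmt"
	"strings"
)

// parseSemver turns "v2.7.1" or "0.35.0" into MAJOR.MINOR.PATCH integers.
func parseSemver(s string) (v [3]int, err error) {
	parts := strings.SplitN(strings.TrimPrefix(s, "v"), ".", 3)
	if len(parts) != 3 {
		return v, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", s)
	}
	for i, p := range parts {
		// Sscanf stops at the first non-digit, so "-rc.0"/"+incompatible" suffixes are ignored.
		if _, err = fmt.Sscanf(p, "%d", &v[i]); err != nil {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
	}
	return v, nil
}

// releaseVersion maps Prometheus module line v0.X.Y to release v2.X.Y; other modules pass through.
func releaseVersion(module, modVersion string) string {
	v, err := parseSemver(modVersion)
	if module != "github.com/prometheus/prometheus" || err != nil || v[0] != 0 {
		return modVersion
	}
	return fmt.Sprintf("v2.%d.%d", v[1], v[2])
}

// IsTruePositive reports whether the installed version, after mapping, is still below the fixed version.
func IsTruePositive(module, installed, fixedIn string) (bool, error) {
	inst, errI := parseSemver(releaseVersion(module, installed))
	fixed, errF := parseSemver(fixedIn)
	if errI != nil || errF != nil {
		return false, fmt.Errorf("cannot compare %q with %q", installed, fixedIn)
	}
	for i := range inst { // compare MAJOR, then MINOR, then PATCH
		if inst[i] != fixed[i] {
			return inst[i] < fixed[i], nil
		}
	}
	return false, nil // equal to the fixed version: not vulnerable
}

func main() {
	tp, err := IsTruePositive("github.com/prometheus/prometheus", "0.35.0", "v2.7.1")
	fmt.Println("true positive:", tp, err) // true positive: false <nil>
}
```

A module outside the mapping, or a pre-2.x release of Prometheus, is compared as written, so the helper only suppresses findings that the v0.x-to-v2.x rule actually explains.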

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 31

Most upvoted comments

Not stale, but I am not sure if there is a fix for this.