Trivy not detecting vulnerabilities in out-of-date golang mono-binary scratch-based docker image #1768
Unanswered
tanguy-platsec asked this question in Q&A
@TanguySeg thanks for your interest in |
Hi all :)
I've been working on some weird things lately, and crafted a scratch-based docker image containing only one simple go binary that prints Hello World. This binary was compiled (by myself) using an old docker image (golang:1.16) and then copied into my useless docker image.
The main.go code:
My dockerfile:
When scanning this newly created docker image that simply prints Hello World, trivy does not detect anything, as the following output shows:
But I also tried scanning the same image with twistcli and it detects that the compiler I used was out of date and that the go version 1.16 indeed had one known vulnerability. I quickly tried to scan more complex images based on alpine containing golang binaries and trivy seems to detect all of the vulnerabilities in them, so I am curious to know if you had any idea about that, and why trivy does not detect the vulnerability in this case.
Thank you for your time!
EDIT: just in case you do not know about twistcli, here is the piece of docs I used: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli_scan_images