False positive scanning purl pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes #2838
Status: Open
anchore/syft #4107
Labels: bug (Something isn't working), good-first-issue (Good for newcomers), needs-discussion
Description
What happened:
`grype 'pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes'`
It does not handle the subpath and interprets it as name `github.com/hashicorp/vault` and version `v0.9.0`, therefore reporting vulnerabilities such as CVE-2020-16250.
However https://pkg.go.dev/github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0 is a separate module from https://pkg.go.dev/github.com/hashicorp/vault@v0.9.0 and has no vulnerability.
What you expected to happen:
No CVE found.
How to reproduce it (as minimally and precisely as possible):
```
# init a minimal go dir
go mod init app
go get github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0

# use syft to scan the dir
syft . -o json | jq '.artifacts[].purl' -r | grep 'pkg:golang/github.com/hashicorp/vault'
 ✔ Indexed file system                                .
 ✔ Cataloged contents                                 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   ├── ✔ Packages                        [20 packages]
   ├── ✔ Executables                     [0 executables]
   ├── ✔ File metadata                   [1 locations]
   └── ✔ File digests                    [1 files]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
pkg:golang/github.com/hashicorp/vault@v0.9.0#api
pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes

# use grype to scan the purl
grype 'pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes'
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 7 high, 10 medium, 1 low, 0 negligible
   └── by status:   18 fixed, 0 not-fixed, 0 ignored
NAME                        INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS           RISK
github.com/hashicorp/vault  v0.9.0     1.2.5     go-module  GHSA-fp52-qw33-mfmw  High      1.0% (76th)    0.8
github.com/hashicorp/vault  v0.9.0     1.2.5     go-module  GHSA-4mp7-2m29-gqxf  High      0.9% (74th)    0.7
github.com/hashicorp/vault  v0.9.0     1.6.6     go-module  GHSA-6239-28c2-9mrm  Medium    0.6% (68th)    0.3
github.com/hashicorp/vault  v0.9.0     1.13.5    go-module  GHSA-9v3w-w2jh-4hff  Medium    0.6% (67th)    0.3
github.com/hashicorp/vault  v0.9.0     1.11.11   go-module  GHSA-gq98-53rq-qr5h  Medium    0.5% (64th)    0.2
github.com/hashicorp/vault  v0.9.0     1.13.10   go-module  GHSA-4qhc-v8r6-8vwm  High      0.3% (51st)    0.2
github.com/hashicorp/vault  v0.9.0     1.18.0    go-module  GHSA-rr8j-7w34-xp5j  High      0.2% (37th)    0.1
github.com/hashicorp/vault  v0.9.0     1.3.4     go-module  GHSA-m979-w9wj-qfj9  Medium    0.2% (44th)    0.1
github.com/hashicorp/vault  v0.9.0     1.13.0    go-module  GHSA-86c6-3g63-5w64  High      0.1% (34th)    0.1
github.com/hashicorp/vault  v0.9.0     1.10.11   go-module  GHSA-wmg5-g953-qqfw  High      0.1% (29th)    < 0.1
github.com/hashicorp/vault  v0.9.0     1.11.9    go-module  GHSA-v3hp-mcj5-pg39  Medium    < 0.1% (26th)  < 0.1
github.com/hashicorp/vault  v0.9.0     1.9.10    go-module  GHSA-9mh8-9j64-443f  Medium    < 0.1% (27th)  < 0.1
github.com/hashicorp/vault  v0.9.0     1.7.5     go-module  GHSA-qv95-g3gm-x542  Low       0.1% (36th)    < 0.1
github.com/hashicorp/vault  v0.9.0     1.11.9    go-module  GHSA-hwc3-3qh6-r4gg  Medium    < 0.1% (18th)  < 0.1
github.com/hashicorp/vault  v0.9.0     1.11.9    go-module  GHSA-vq4h-9ghm-qmrr  Medium    < 0.1% (7th)   < 0.1
github.com/hashicorp/vault  v0.9.0     1.16.0    go-module  GHSA-j2rp-gmqv-frhv  Medium    < 0.1% (5th)   < 0.1
github.com/hashicorp/vault  v0.9.0     1.14.10   go-module  GHSA-r3w7-mfpm-c2vw  High      < 0.1% (2nd)   < 0.1
github.com/hashicorp/vault  v0.9.0     1.19.3    go-module  GHSA-gcqf-f89c-68hv  Medium    < 0.1% (1st)   < 0.1
```

Anything else we need to know?:
Environment:
- Output of `grype version`: 0.96.1
- OS (e.g: `cat /etc/os-release` or similar): macos arm64 m4
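The report above boils down to how a `pkg:golang` purl with a `#subpath` is turned into a module identity before advisory matching. The Go program below is an added illustration and is not grype's or syft's code: it parses the purl from the report, lists the candidate module paths from longest to shortest (`.../vault/api/auth/kubernetes`, `.../vault/api/auth`, `.../vault/api`, `.../vault`), and resolves to the longest one that is a real module. The `isModule` callback, the `known` module set and the `index` advisory map are constructed stand-ins for a module-proxy lookup and a vulnerability database; with them, the naive reading (name `github.com/hashicorp/vault`) matches CVE-2020-16250 while the subpath-aware reading matches nothing.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GolangPurl is the decomposed form of a pkg:golang package URL.
// For pkg:golang the purl namespace and name together form the module
// path (e.g. github.com/hashicorp/vault); Subpath is the part after '#'.
type GolangPurl struct {
	Name    string
	Version string
	Subpath string
}

// ParseGolangPurl splits "pkg:golang/<path>@<version>?<qualifiers>#<subpath>".
// Qualifiers are dropped; they play no part in module resolution.
func ParseGolangPurl(purl string) (GolangPurl, error) {
	const prefix = "pkg:golang/"
	if !strings.HasPrefix(purl, prefix) {
		return GolangPurl{}, errors.New("not a pkg:golang purl")
	}
	rest := strings.TrimPrefix(purl, prefix)

	var p GolangPurl
	// Subpath is everything after the first '#'.
	if i := strings.Index(rest, "#"); i >= 0 {
		p.Subpath = strings.Trim(rest[i+1:], "/")
		rest = rest[:i]
	}
	// Qualifiers sit between '?' and '#'; discard them.
	if i := strings.Index(rest, "?"); i >= 0 {
		rest = rest[:i]
	}
	// Version follows the last '@' (a Go module path never contains '@').
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version = rest[i+1:]
		rest = rest[:i]
	}
	name, err := url.PathUnescape(rest)
	if err != nil {
		return GolangPurl{}, err
	}
	p.Name = strings.Trim(name, "/")
	if p.Name == "" {
		return GolangPurl{}, errors.New("empty module path")
	}
	return p, nil
}

// CandidateModulePaths lists every module path the purl could denote,
// longest first: name+subpath, then each shorter prefix, ending with name.
func CandidateModulePaths(p GolangPurl) []string {
	var segs []string
	if p.Subpath != "" {
		segs = strings.Split(p.Subpath, "/")
	}
	var out []string
	for n := len(segs); n >= 0; n-- {
		path := p.Name
		if n > 0 {
			path += "/" + strings.Join(segs[:n], "/")
		}
		out = append(out, path)
	}
	return out
}

// ResolveModule returns the longest candidate that isModule accepts.
// isModule is an assumed hook standing in for a module-proxy query or a
// go.mod scan; if nothing matches we fall back to the naive reading.
func ResolveModule(p GolangPurl, isModule func(string) bool) string {
	for _, c := range CandidateModulePaths(p) {
		if isModule(c) {
			return c
		}
	}
	return p.Name
}

// MatchAdvisories returns the advisory ids recorded for exactly this module path.
func MatchAdvisories(module string, index map[string][]string) []string {
	return index[module]
}

func main() {
	// Constructed for this example: which paths are real modules.
	known := map[string]bool{
		"github.com/hashicorp/vault":                     true,
		"github.com/hashicorp/vault/api":                 true,
		"github.com/hashicorp/vault/api/auth/kubernetes": true,
	}
	// Constructed advisory index keyed by module path.
	index := map[string][]string{"github.com/hashicorp/vault": {"CVE-2020-16250"}}

	p, err := ParseGolangPurl("pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes")
	if err != nil {
		panic(err)
	}
	resolved := ResolveModule(p, func(m string) bool { return known[m] })
	fmt.Printf("naive:    %s -> %v\n", p.Name, MatchAdvisories(p.Name, index))
	fmt.Printf("resolved: %s -> %v\n", resolved, MatchAdvisories(resolved, index))
}
```

Whether a nested path is its own module is not decidable from the purl string alone, which is why `isModule` exists: in a real scanner that decision has to come from the module proxy, the `go.mod` files in the scanned tree, or a catalog that records the nested module as a package in its own right rather than as a subpath of the root module.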