Trivy reporting Golang CVE as belonging to stdlib

[sicarie]

IDs

CVE-2024-24790

Description

Currently when I run Trivy, I get an issue with CVE-2024-24790: "The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms." When I look up this issue, I find it is related to Golang (https://nvd.nist.gov/vuln/detail/CVE-2024-24790), not stdlib.

This may be related to #7111.

Part of the Jenkins file I'm using is:

pipeline {
    agent {
     kubernetes {
      yaml """
        apiVersion: v1
        kind: Pod
        spec:
          containers:
          - name: trivy
            image: 'google/cloud-sdk:latest'
            command: 
            - cat
            tty: true
        """
      defaultContainer 'trivy'
      cloud 'mycloud'
    }
  }
    stages {

        stage('Initiation') {
            steps {
                  /* install trivy */
                sh 'apt-get -y install curl wget'
                sh 'wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v"$version"/trivy_"$version"_Linux-64bit.deb'
                sh 'dpkg -i trivy_"$version"_Linux-64bit.deb'
                sh 'echo "Trivy installation is done. Starting the scan."'
            }
        }
       
        stage('Scan with Trivy') {
            steps {
               /*Google service account for login*/
                withCredentials([file(credentialsId: 'jenkins-builder',variable: 'GOOGLE_APPLICATION_CREDENTIALS')]) {
                    sh "gcloud auth activate-service-account --key-file '${GOOGLE_APPLICATION_CREDENTIALS}'"    
                    sh 'wget --no-verbose https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl'
                    sh 'trivy image --format template --template "@html.tpl" -o results.html ${Image_url}'
                    sh "trivy image -f json -o results.json ${Image_url}"
                }            
                recordIssues(tools: [trivy(pattern: 'results.json')])
            }
        }
[...]

And the version specified in Jenkins is 0.54.1

Reproduction Steps

1. Run Trivy 0.54.1 against Eclipse Temurin (https://hub.docker.com/_/eclipse-temurin)
2. Output is 
stdlib (1.22.1)	CVE-2024-24790	CRITICAL	The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
3. Review CVE to confirm that issue is not part of stdlib.

Target

Container Image

Scanner

Vulnerability

Target OS

Eclipse tamurin (latest)

Debug Output

yep

Version

Version: 0.54.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

I'm not sure if I get your point, but the Go official database says this is a vulnerability in stdlib (net/netip).
https://vuln.go.dev/ID/GO-2024-2887.json

[sicarie]

I think net/netip is still a Golang package: https://pkg.go.dev/net/netip

[knqyf263]

As shown, it's under "Standard library". That's why Trivy calls it "stdlib", meaning Go standard libraries.

[sicarie]

Every language has 'stdlib' - shouldn't this clarify Go's stdlib? Or does this relate to Linux's https://man7.org/linux/man-pages/man0/stdlib.h.0p.html? Or https://www.google.com/search?q=stdlib C's or CPPs or Nodes or ....

[knqyf263]

It's Go's stdlib.