
False positives on multiple Golang libraries


In my trials of scanning some Go-based projects I noticed that I’m getting many false positives for Go packages that aren’t about the packages themselves, but about the servers they are a client package for.

I can’t share the projects or their go.mod/go.sum files, but I did set up an example repository with three dependencies that shows the kind of reports I’m getting: https://github.com/Terr/dependencycheck-golang-false-positives

In each of these three example cases the client libraries are matched to a CPE of the servers they’re a client library for:

go-sql-driver/mysql

<identifiers>
  <package confidence="HIGHEST">
    <id>pkg:golang/github.com/go-sql-driver/mysql@1.6.0</id>
    <url>https://ossindex.sonatype.org/component/pkg:golang/github.com/go-sql-driver/mysql@1.6.0?utm_source=dependency-check&amp;utm_medium=integration&amp;utm_content=6.4.1</url>
  </package>
  <vulnerabilityIds confidence="HIGH">
    <id>cpe:2.3:a:mysql:mysql:1.6.0:*:*:*:*:*:*:*</id>
    <url>https://nvd.nist.gov/vuln/search/results?form_type=Advanced&amp;results_type=overview&amp;search_type=all&amp;cpe_vendor=cpe%3A%2F%3Amysql&amp;cpe_product=cpe%3A%2F%3Amysql%3Amysql&amp;cpe_version=cpe%3A%2F%3Amysql%3Amysql%3A1.6.0</url>
  </vulnerabilityIds>
</identifiers>

Vulnerabilities are about MySQL server.

prometheus/client_golang

<identifiers>
  <package confidence="HIGHEST">
    <id>pkg:golang/github.com/prometheus/client_golang@1.11.0</id>
    <url>https://ossindex.sonatype.org/component/pkg:golang/github.com/prometheus/client_golang@1.11.0?utm_source=dependency-check&amp;utm_medium=integration&amp;utm_content=6.4.1</url>
  </package>
  <vulnerabilityIds confidence="LOW">
    <id>cpe:2.3:a:prometheus:prometheus:1.11.0:*:*:*:*:*:*:*</id>
  </vulnerabilityIds>
</identifiers>

Vulnerabilities are about Prometheus server.

minio/minio-go/v7

<identifiers>
  <package confidence="HIGHEST">
    <id>pkg:golang/github.com/minio/minio-go/v7@7.0.15</id>
    <url>https://ossindex.sonatype.org/component/pkg:golang/github.com/minio/minio-go/v7@7.0.15?utm_source=dependency-check&amp;utm_medium=integration&amp;utm_content=6.4.1</url>
  </package>
  <vulnerabilityIds confidence="LOW">
    <id>cpe:2.3:a:minio:minio:7.0.15:*:*:*:*:*:*:*</id>
  </vulnerabilityIds>
</identifiers>

Vulnerabilities are about “Minio S3 server”.

I’m wondering if there is a bug at play here instead of just some false positives, since I’m getting more similar cases in the “real” projects that I’m scanning. With other languages (Python, PHP) this doesn’t seem to happen.
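One practical way to keep these three client libraries out of the report while the Go analyzer is still experimental is a dependency-check suppression file. The rules below are an added example, not part of the issue or the project; they assume the package URLs and CPEs shown above and that the file is passed to the scanner (for example with the CLI's --suppression option). Each rule pins the suppression to the client's package URL, so the server CPE is still matched if the server software itself ever turns up in a scan.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppressions for the client-library-vs-server false positives
     described in the issue. The <cpe> element is a starts-with match, so the
     version component is left off; the packageUrl regex restricts each rule to
     the client library only. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <suppress>
    <notes><![CDATA[
      go-sql-driver/mysql is a MySQL client; CVEs against cpe:/a:mysql:mysql
      describe the MySQL server, not this driver.
    ]]></notes>
    <packageUrl regex="true">^pkg:golang/github\.com/go\-sql\-driver/mysql@.*$</packageUrl>
    <cpe>cpe:/a:mysql:mysql</cpe>
  </suppress>

  <suppress>
    <notes><![CDATA[
      prometheus/client_golang is the instrumentation library; CVEs against
      cpe:/a:prometheus:prometheus describe the Prometheus server.
    ]]></notes>
    <packageUrl regex="true">^pkg:golang/github\.com/prometheus/client_golang@.*$</packageUrl>
    <cpe>cpe:/a:prometheus:prometheus</cpe>
  </suppress>

  <suppress>
    <notes><![CDATA[
      minio/minio-go/v7 is the S3 client SDK; CVEs against cpe:/a:minio:minio
      describe the MinIO server.
    ]]></notes>
    <packageUrl regex="true">^pkg:golang/github\.com/minio/minio\-go/v7@.*$</packageUrl>
    <cpe>cpe:/a:minio:minio</cpe>
  </suppress>

</suppressions>
```

Re-run the scan after adding the file and confirm the report's <vulnerabilityIds> for these three packages are gone; a rule whose packageUrl regex does not match the purl in the report silently does nothing.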

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

1 reaction
ncole commented, Jan 21, 2022

I would highly recommend allowing to specify the binary for golang testing. If it’s compiled, you can run go tool nm <binary> and will list the specific libraries that are linked (and therefore, require actual scanning). You can then correlate that to the static go.mod analysis you’re doing now. Otherwise you’ll see HUNDREDS of false positives.

0 reactions
jeremylong commented, Jan 12, 2022

Nope - these would be false positives. Read up on how dependency-check works: https://jeremylong.github.io/DependencyCheck/general/internals.html

Also - the go analyzer is still experimental and one of the main reasons is the number of FP.

With other tech stacks we’ve been able to generate a sufficient amount of base suppression rules and modifications to the data collected to make the process more accurate - we just haven’t done this for go yet.
