
feat: add govulcheck to suppress the go cves #361

Open
pohanhuang wants to merge 4 commits into neuvector:main from pohanhuang:feat/add-govulcheck-to-suppress-false-positive

Conversation

@pohanhuang (Contributor) commented Apr 29, 2026

Description

Test

  • Scan neuvector/scanner:4.097 and ensure there is no docker/docker-related CVE.

Additional Information

Tradeoff

Potential improvement

Signed-off-by: pohanhuang <pohan.huang@suse.com>
@holyspectral (Contributor) left a comment

Looks like this PR is still waiting for neuvector repo's change.

Some high level comments:

  • Please make sure you verify the golang vulndb like what we have here if we end up keeping the db in AWS.
  • Make sure that you provide a test govulndb like here so scanner can build on the developer's side.

Signed-off-by: pohanhuang <pohan.huang@suse.com>
- Add govulndb.zip.local for local build
- improve makefile, .gitignore
- unzip the govulndb in scanner

Signed-off-by: pohanhuang <pohan.huang@suse.com>
@holyspectral (Contributor) left a comment

Thanks for implementing the review comments! Just a few minor comments.

Open question: Do you think there is a way to know the version of govulndb? I think that would be helpful to track the issue back to golang database, but I'm not sure if it's feasible.

Comment thread common/govulndb.go
Comment on lines +17 to +22
if info, err := os.Stat(scanUtils.GovulcheckDBPath); err == nil && info.IsDir() {
if entries, err := os.ReadDir(scanUtils.GovulcheckDBPath); err == nil && len(entries) > 0 {
log.WithFields(log.Fields{"path": scanUtils.GovulcheckDBPath}).Debug("govulndb already exists, skipping extraction")
return nil
}
}
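Review bot: the skip condition on lines +17 to +22 treats any non-empty directory at GovulcheckDBPath as a complete database, so a partially extracted tree left behind by an interrupted or failed earlier run would be reused instead of re-extracted. Stat the specific file the scanner reads and fall through to extraction whenever that stat fails. The branch also proceeds silently to extraction on any Stat or ReadDir error, which is the right fallback but deserves a comment saying so.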
@holyspectral (Contributor) commented Apr 30, 2026

Maybe you can just os.Stat() against the expected path? If the zip file doesn't contain the file it's probably an error too.

@pohanhuang (Contributor, Author)

I will just simply check if the extracted result path exists, what do you think?

@holyspectral (Contributor)

Yes, that's what I mean. As long as the end result isn't right, we should always re-extract.

Comment thread common/govulndb.go
Comment on lines +66 to +68
if !strings.HasPrefix(filePath, filepath.Clean(targetPath)+string(os.PathSeparator)) {
return fmt.Errorf("illegal file path: %s", file.Name)
}
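Review bot: the prefix guard on lines +66 to +68 is only effective if filePath was built with filepath.Join(targetPath, file.Name), because Join runs Clean and collapses ".." segments before the comparison; a filePath produced by plain string concatenation such as "targetPath/../x" keeps the targetPath prefix and passes the check. Either keep the construction of filePath visible next to this test or compare filepath.Clean(filePath). If the scanner only ever needs one known member, an exact match on file.Name with every other member skipped removes the need to reason about traversal here at all.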
@holyspectral (Contributor)

I'd hardcode the expected file path and ignore others.
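One way to put the two review threads above together, as an added example that is not code from this PR or from the neuvector scanner: extract only a single hardcoded archive member, reject any member whose cleaned destination would leave the target directory, decide between skipping and (re-)extracting by stat-ing the expected output file rather than by listing the directory, verify the end result after the copy, and surface the member's modified time since the archive carries no version. The member name govulndb/index.json, the function names, and the in-memory sample archive are assumptions made for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"time"
)

const expectedEntry = "govulndb/index.json" // the only member we extract; hypothetical layout

// dbReady is the skip/re-extract decision: the expected file exists and is non-empty.
func dbReady(targetDir string) bool {
	info, err := os.Stat(filepath.Join(targetDir, filepath.FromSlash(expectedEntry)))
	return err == nil && info.Mode().IsRegular() && info.Size() > 0
}

// safeDest rejects entry names whose cleaned destination escapes targetDir (zip-slip).
func safeDest(targetDir, name string) (string, error) {
	cleanTarget := filepath.Clean(targetDir)
	dest := filepath.Join(cleanTarget, filepath.FromSlash(name)) // Join cleans ".." first
	if !strings.HasPrefix(dest, cleanTarget+string(os.PathSeparator)) {
		return "", fmt.Errorf("illegal file path: %s", name)
	}
	return dest, nil
}

// writeEntry copies one archive member to dest, creating parent directories as needed.
func writeEntry(entry *zip.File, dest string) error {
	rc, err := entry.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	data, err := io.ReadAll(rc) // small enough to buffer; stream for larger payloads
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	return os.WriteFile(dest, data, 0o644)
}

// ExtractGovulnDB extracts expectedEntry from zipData into targetDir, ignoring all other
// members; it reports whether a copy happened and the member's modified time.
func ExtractGovulnDB(zipData []byte, targetDir string) (extracted bool, modified time.Time, err error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // unsafe names are never extracted
		return false, modified, err
	}
	for _, f := range r.File {
		if f.Name != expectedEntry {
			continue // every other member, traversal names included, is ignored
		}
		modified = f.Modified // the closest thing to a version the archive carries
		if dbReady(targetDir) {
			return false, modified, nil // end result already right: nothing to do
		}
		dest, err := safeDest(targetDir, f.Name)
		if err != nil {
			return false, modified, err
		}
		if err := writeEntry(f, dest); err != nil {
			return false, modified, err
		}
		if !dbReady(targetDir) { // verify the end result so a bad file is re-extracted next run
			return false, modified, errors.New("extraction did not produce a usable db")
		}
		return true, modified, nil
	}
	return false, modified, fmt.Errorf("archive does not contain %s", expectedEntry)
}

var sampleModified = time.Date(2026, time.April, 29, 0, 0, 0, 0, time.UTC) // constructed
// buildSampleZip constructs an in-memory archive: the expected entry (optional) plus a decoy.
func buildSampleZip(includeExpected bool) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	if includeExpected {
		fw, _ := w.CreateHeader(&zip.FileHeader{Name: expectedEntry, Method: zip.Deflate, Modified: sampleModified})
		fw.Write([]byte(`{"constructed":"sample govulndb index"}`))
	}
	fw, _ := w.Create("README.txt")
	fw.Write([]byte("not part of the database"))
	w.Close()
	return buf.Bytes()
}

func main() {
	dir, _ := os.MkdirTemp("", "govulndb-example")
	defer os.RemoveAll(dir)
	fmt.Println(ExtractGovulnDB(buildSampleZip(true), dir))
}
```

Running it twice against the same directory shows the two behaviours the thread asks for: the first call copies the member and returns true, the second finds the expected file already present and returns false without touching the archive; an archive that lacks the member is an error rather than a silent no-op. The modified time is read from the member header only, so it is available even on the skip path.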

@pohanhuang (Contributor, Author) commented May 1, 2026

@holyspectral regarding the version of govulndb:
I found there is no version in the .zip folder; the closest information to it is the modified date.

Does this field work for you?

@holyspectral (Contributor)

I found there is no version in the .zip folder; the closest information to it is the modified date.
Does this field work for you?

Yes, that works for me, but please double-check whether the link to govulndb is valid. It returns 404 now.

@pohanhuang (Contributor, Author)

@holyspectral I created a fix in release https://github.com/neuvector/release/pulls already; please help check when you are available.

- simplify the implementation: return nil when the path is not correct
- only check that the folder exists to indicate that the extraction succeeded

Signed-off-by: pohanhuang <pohan.huang@suse.com>
@pohanhuang (Contributor, Author)

@holyspectral I made some changes in these commits:

  • simplify the implementation: return nil when the path is not correct
  • only check that the folder exists to indicate that the extraction succeeded

@pohanhuang (Contributor, Author)

@holyspectral About the CVE version: I will add it into the report field like the implementation in https://github.com/neuvector/neuvector/pull/2295/changes

WDYT?


Development

Successfully merging this pull request may close these issues.

Include govulncheck to support false positive CVE in go modules.

2 participants