
False positives for github.com/hashicorp/consul: Installed version reported as v0.0.0 #1863

Open
kevin-niland opened this issue May 14, 2024 · 3 comments
Labels
bug Something isn't working

kevin-niland commented May 14, 2024

grype is reporting the installed consul version as v0.0.0, regardless of the actual version installed.

Tested with a docker image which has consul v1.17.3 installed:

234156@mypod-0:/> /usr/bin/consul --version
Consul v1.17.3
Revision 009041f807
Build Date 2024-02-13T18:30:29Z
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)

Output of grype:

grype <myimage>:latest
 ✔ Vulnerability DB                [updated]  
 ✔ Loaded image                                                                                                              <myimage>:latest
 ✔ Parsed image                                                                                                                 sha256:a6c8200996df90f783d94cf2c6c044893db042b76877358bac55466a11bc6023
 ✔ Cataloged contents                                                                                                                  5390fb88ce3154afa998e26bf67386373adf5b945aadec07be17864452608367
   ├── ✔ Packages                        [432 packages]  
   ├── ✔ File digests                    [4,357 files]  
   ├── ✔ File metadata                   [4,357 locations]  
   └── ✔ Executables                     [1,060 executables]  
 ✔ Scanned for vulnerabilities     [24 vulnerability matches]  
   ├── by severity: 0 critical, 6 high, 8 medium, 0 low, 0 negligible (10 unknown)
   └── by status:   14 fixed, 10 not-fixed, 0 ignored 
NAME                         INSTALLED                           FIXED-IN                 TYPE       VULNERABILITY        SEVERITY 
github.com/coredns/coredns   v1.10.1                             1.11.2                   go-module  GHSA-m9w6-wp3h-vq8g  Medium    
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.4.4                    go-module  GHSA-q7fx-wm2p-qfj8  High      
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.9.17                   go-module  GHSA-q6h7-4qgw-2j9p  High      
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.8.15                   go-module  GHSA-ccw8-7688-vqx4  High      
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.10.1                   go-module  GHSA-8h2g-r292-j8xh  High      
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.10.1                   go-module  GHSA-25gf-8qrr-g78r  High      
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.6.3                    go-module  GHSA-23jv-v6qj-3fhh  High      
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.11.9                   go-module  GHSA-m69r-9g56-7mv8  Medium    
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.14.5                   go-module  GHSA-c57c-7hrj-6q6v  Medium    
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.7.14                   go-module  GHSA-8xmx-h8rq-h94j  Medium    
github.com/hashicorp/consul  v0.0.0-20240213183029-009041f807ba  1.8.15                   go-module  GHSA-6hw5-6gcx-phmw  Medium    
golang.org/x/net             v0.17.0                             0.23.0                   go-module  GHSA-4v7x-pqxf-cx7m  Medium    
google.golang.org/protobuf   v1.31.0                             1.33.0                   go-module  GHSA-8r3f-844c-mc37  Medium    
rpm                          4.14.3-150400.59.13.1               0:4.14.3-150400.59.16.1  rpm        CVE-2021-3521        Medium    
stdlib                       go1.21.6                                                     go-module  CVE-2024-24787       Unknown   
stdlib                       go1.21.6                                                     go-module  CVE-2024-24785       Unknown   
stdlib                       go1.21.6                                                     go-module  CVE-2024-24784       Unknown   
stdlib                       go1.21.6                                                     go-module  CVE-2024-24783       Unknown   
stdlib                       go1.21.6                                                     go-module  CVE-2023-45290       Unknown   
stdlib                       go1.21.6                                                     go-module  CVE-2023-45289       Unknown   
stdlib                       go1.21.6                                                     go-module  CVE-2023-45288       Unknown   
stdlib                       go1.22.1                                                     go-module  CVE-2024-24788       Unknown   
stdlib                       go1.22.1                                                     go-module  CVE-2024-24787       Unknown   
stdlib                       go1.22.1                                                     go-module  CVE-2023-45288       Unknown
A newer version of grype is available for download: 0.77.4 (installed version is 0.77.3)

I have seen other issues already raised pertaining to how Go provides versions - does this fall under this issue/is it something that is already being addressed? Regarding the image I tested, the consul binary is downloaded from a specified location (this binary is already built) and the binary is then moved to /usr/bin/consul, if that makes any difference.

@kevin-niland kevin-niland added the bug Something isn't working label May 14, 2024
spiffcs (Contributor) commented May 15, 2024

@kevin-niland thanks for the issue!

Here are some more details regarding your request and steps I tried to reproduce. When consul is installed as a go module on my local I do not see the v0.0.0-<pseudo-version> behavior.

grype dir:. <-- In this case scanning a go project with consul installed

github.com/hashicorp/consul                         v1.18.1                                go-module

When I run go install github.com/hashicorp/consul I also don't see the FP when scanning against the binary

grype ~/go/bin/consul
2024/05/15 12:11:48 profile: memory profiling enabled (rate 4096), /var/folders/l0/_71m09512ss7lv9c64ldzld80000gn/T/profile1991174059/mem.pprof
 ✔ Vulnerability DB                [no update available]
 ✔ Indexed file system                                                                                                    /Users/hal/go/bin
 ✔ Cataloged contents                                                      845ea22333829145c1064244883fd66d011c502f16b0a774c20f2a6243d23c82
   ├── ✔ Packages                        [253 packages]
   └── ✔ Executables                     [1 executables]
 ✔ Scanned for vulnerabilities     [4 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible (3 unknown)
   └── by status:   1 fixed, 3 not-fixed, 0 ignored
NAME              INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
golang.org/x/net  v0.19.0    0.23.0    go-module  GHSA-4v7x-pqxf-cx7m  Medium
stdlib            go1.22.1             go-module  CVE-2024-24788       Unknown
stdlib            go1.22.1             go-module  CVE-2024-24787       Unknown
stdlib            go1.22.1             go-module  CVE-2023-45288       Unknown

If I run syft against the binary I see:

github.com/hashicorp/consul                         v1.18.1                                go-module

I also copied this binary into a docker container, built it, and also do not see the behavior you're seeing.

Is there more information about the binary you're using? We should be able to extract the version here given the LD flags and how it's compiled.

Can you show me the match json from the grype -o json output?
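To make the two posts above concrete, here is an added example (not grype's or syft's code, and a deliberately simplified comparison rather than grype's matcher) that parses a Go pseudo-version, shows why a plain "installed sorts below fixed-in" check turns `v0.0.0-...` into a match for every advisory in the report, and checks that the timestamp and commit in the reported pseudo-version agree with the `Revision` and `Build Date` lines that `consul --version` printed. The regex, the sort key and the helper names are assumptions made for this example; the version strings are copied from the report.

```python
import re
from datetime import datetime, timezone

# Go pseudo-version forms (https://go.dev/ref/mod#pseudo-versions):
#   vX.0.0-yyyymmddhhmmss-abcdefabcdef, vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef,
#   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef
PSEUDO_RE = re.compile(
    r"^v(\d+)\.(\d+)\.(\d+)-(?:([0-9A-Za-z.]+)\.)?(\d{14})-([0-9a-f]{12})$")

# Values taken from the report above; the version text is a constructed copy.
REPORTED = "v0.0.0-20240213183029-009041f807ba"
FIXED_IN = ["1.4.4", "1.9.17", "1.8.15", "1.10.1", "1.6.3", "1.11.9", "1.14.5", "1.7.14"]
CONSUL_VERSION_OUTPUT = "Consul v1.17.3\nRevision 009041f807\nBuild Date 2024-02-13T18:30:29Z\n"


def parse_pseudo_version(version):
    """Split a Go pseudo-version into base tuple, prerelease, UTC time and commit;
    return None for a plain tagged version such as v1.17.3."""
    m = PSEUDO_RE.match(version)
    if not m:
        return None
    major, minor, patch, pre, stamp, commit = m.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"base": (int(major), int(minor), int(patch)), "prerelease": pre,
            "time": when, "commit": commit}


def version_key(version):
    """Simplified semver sort key (major, minor, patch, is_release): any pre-release,
    a pseudo-version included, sorts below the bare release it is attached to."""
    core, _, prerelease = version.lstrip("v").partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    return (major, minor, patch, 0 if prerelease else 1)


def vulnerable_fixes(installed, fixed_in_list):
    """Fixed-in versions the installed version sorts below, i.e. the advisories a
    plain 'installed < fixed-in' comparison would report as matches."""
    return [f for f in fixed_in_list if version_key(installed) < version_key(f)]


def matches_binary_metadata(pseudo_version, version_output):
    """True when the pseudo-version's commit and timestamp agree with the
    'Revision' and 'Build Date' lines that `consul --version` prints."""
    parts = parse_pseudo_version(pseudo_version)
    rev = re.search(r"^Revision ([0-9a-f]+)$", version_output, re.M)
    built = re.search(r"^Build Date (\S+)$", version_output, re.M)
    if parts is None or rev is None or built is None:
        return False
    build_time = datetime.strptime(built.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    commit, printed = parts["commit"], rev.group(1)
    return (commit.startswith(printed) or printed.startswith(commit)) and parts["time"] == build_time
```

With the reported pseudo-version all eight fixed-in versions come back as matches, while the tagged `v1.17.3` matches none of them; the metadata check passing shows the pseudo-version was derived from the build's VCS stamp rather than from a release tag.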

kevin-niland (Author) commented:

Hi @spiffcs, what version of grype did you use? I see there was a revert recently for something: #1815

spiffcs (Contributor) commented May 16, 2024

@kevin-niland my grype version is v0.77.4
