How do I interpret CRITICAL vulnerability on (gobinary)?

[ak2766]

Question

I'm trying to clean up my cluster of many (overwhelmingly many) security vulnerabilities as reported by Trivy. However, it appears that most of these CRITICAL vulnerabilities are attached to (gobinary). For instance, I just deployed the latest cert-manager and I see all components have a critical vulnerability:

Workload Assessment

Workload Assessment
┌──────────────┬────────────────────────────────────┬───────────────────┬───────────────────┬───────────────────┐
│  Namespace   │              Resource              │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│              │                                    ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│              │                                    │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
├──────────────┼────────────────────────────────────┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┼───┤
│ cert-manager │ Deployment/cert-manager            │ 1 │ 1 │   │   │   │   │   │   │ 6 │   │   │   │   │   │   │
│ cert-manager │ Deployment/cert-manager-cainjector │ 1 │ 1 │   │   │   │   │   │   │ 6 │   │   │   │   │   │   │
│ cert-manager │ Deployment/cert-manager-webhook    │ 1 │ 1 │   │   │   │   │   │   │ 6 │   │   │   │   │   │   │
└──────────────┴────────────────────────────────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘

When I run the all report, I get:

Cert Manager full report

namespace: cert-manager, deployment: cert-manager
=================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


namespace: cert-manager, deployment: cert-manager (gobinary)
============================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.27.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                     │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2024-45338 │ HIGH     │        │ v0.29.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of           │
│                     │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html      │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338             │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

So, why is it that there are 2 parts(?), namely:
1: the top part shows all is well
2. then the bottom part shows the same info but for (gobinary).

So, what exactly am I looking at and how should I interpret this? I've searched and frankly, there's loads of information out there and I could have missed it. If so, please provide links so I can go read.

Overall, be gentle as I'm only a few weeks old using Trivy.

Target

Kubernetes

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Operating System

I'm on Ubuntu 24.04.1

Version

$ > trivy --version
Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-06 06:18:23.609115718 +0000 UTC
  NextUpdate: 2025-01-07 06:18:23.609115348 +0000 UTC
  DownloadedAt: 2025-01-06 09:03:02.216498403 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-12-18 02:53:19.193069252 +0000 UTC
  NextUpdate: 2024-12-21 02:53:19.193069092 +0000 UTC
  DownloadedAt: 2024-12-19 12:47:39.311770211 +0000 UTC
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2025-01-06 09:02:51.408344975 +0000 UTC

[ak2766]

This (gobinary) also appears on other deployments. For instance, I have a NodeJS application running in the cluster that has some critical and high vulnerabilities. I need to understand if it's something I can do something about or not. I know for sure that the NodeJS app makes no direct use of Golang code but it could be that one of the modules pulled in might.

How could I go about learning which module brought it in it Trivy doesn't tell me?

[knqyf263]

Trivy shows vulnerabilities in OS packages and language-specific packages. The first part seems relevant to OS packages, and the second part is about the Go binary. However, since it's k8s scanning, I'd defer to @afdesk, who is on vacation now. He will be back next week.

[ak2766]

@knqyf263 - Thanks for stepping in. Eagerly awaiting @afdesk's return.