Report ID: GO-2023-2331

Suggestion/Comment:
Currently GO-2023-2331 / CVE-2023-47108 is being excluded from the vuln db results because it was marked as "DEPENDENT_VULNERABILITY", as mentioned here: #2331 (comment)
I understand that CVE-2023-47108 shares the same root cause as CVE-2023-25151; however, the affected code paths of these two CVEs are different:
If we exclude CVE-2023-47108, it will result in a false negative in the govulncheck result, since the affected dependency and code path are being scanned.
I have a reproduction here: https://github.com/bahe-msft/govuln-CVE-2023-47108/blob/8977c03e4fb1347cfe46d651481db066d0816e51/main.go#L10-L12 , in which we invoke the affected code in the demo program. This demo code is not flagged with this CVE (govuln result), while it is flagged by trivy.
If the two CVEs affect different code paths, should we keep both active? This would be very helpful if we want to make use of the VEX feature of govulncheck, since we will need to inspect the binary with the CVE details instead of excluding it.
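The false negative described in this issue (a CVE that a second scanner flags but that never appears in the govulncheck output because its Go report was excluded) can be caught mechanically by cross-checking the CVE aliases in a `govulncheck -json` stream against the CVE ids you expect to see. The following is an added example written for this page; it is not code from the issue author, the vulndb project, or govulncheck. It assumes the `-json` output shape of govulncheck (a sequence of JSON objects each carrying one of `config`, `progress`, `osv` or `finding`, with `osv.aliases` and `finding.trace`), and it treats `trace[0]` with a non-empty `function` as a symbol-level (called) finding, which is stated as an assumption in the code. The embedded report, the `GO-0000-PLACEHOLDER` id and the `example.com/...` module and package names are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Subset of the message shapes that `govulncheck -json` streams: a sequence of
// JSON objects, each carrying exactly one of "config", "progress", "osv" or
// "finding". Only the fields this check needs are declared; the rest is ignored.
type OSVEntry struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
}

type Frame struct {
	Module   string `json:"module"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

type Finding struct {
	OSV   string  `json:"osv"`
	Trace []Frame `json:"trace"`
}

type Message struct {
	OSV     *OSVEntry `json:"osv"`
	Finding *Finding  `json:"finding"`
}

// Status summarises what the report says about one CVE.
type Status struct {
	ReportID string // Go vulndb ID whose aliases include the CVE ("" if the CVE is absent)
	Called   bool   // at least one symbol-level finding references that report ID
}

// CheckReport parses a govulncheck -json stream and returns, for each CVE id in
// wanted, whether the report lists it and whether any finding reaches a
// vulnerable symbol. Entries with an empty ReportID are the false-negative
// candidates to reconcile against a second scanner (trivy in the issue above).
func CheckReport(r io.Reader, wanted []string) (map[string]Status, error) {
	byAlias := map[string]string{} // CVE alias -> Go report ID
	called := map[string]bool{}    // Go report ID -> symbol-level finding seen
	dec := json.NewDecoder(r)
	for {
		var m Message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.OSV != nil {
			for _, a := range m.OSV.Aliases {
				byAlias[a] = m.OSV.ID
			}
		}
		// Assumption: trace[0] is the vulnerable symbol and a non-empty Function
		// means govulncheck found a call path to it (symbol-level finding).
		if m.Finding != nil && len(m.Finding.Trace) > 0 && m.Finding.Trace[0].Function != "" {
			called[m.Finding.OSV] = true
		}
	}
	out := make(map[string]Status, len(wanted))
	for _, cve := range wanted {
		id := byAlias[cve]
		out[cve] = Status{ReportID: id, Called: id != "" && called[id]}
	}
	return out, nil
}

// Missing returns, sorted, the wanted CVEs the report does not mention at all.
func Missing(st map[string]Status) []string {
	var m []string
	for cve, s := range st {
		if s.ReportID == "" {
			m = append(m, cve)
		}
	}
	sort.Strings(m)
	return m
}

// SampleReport is a constructed govulncheck -json excerpt (not real scanner
// output): one report whose aliases cover CVE-2023-25151 only, plus one
// symbol-level finding for it. Report id, module, package and function names
// are placeholders.
const SampleReport = `
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"osv": {"id": "GO-0000-PLACEHOLDER", "aliases": ["CVE-2023-25151"]}}
{"finding": {"osv": "GO-0000-PLACEHOLDER", "trace": [
  {"module": "example.com/placeholder/mod", "package": "example.com/placeholder/mod/pkg", "function": "VulnerableFunc"},
  {"module": "example.com/demo", "package": "example.com/demo", "function": "main"}
]}}
`

func main() {
	st, err := CheckReport(strings.NewReader(SampleReport), []string{"CVE-2023-25151", "CVE-2023-47108"})
	if err != nil {
		panic(err)
	}
	for cve, s := range st {
		fmt.Printf("%s: report=%q called=%v\n", cve, s.ReportID, s.Called)
	}
	fmt.Println("not covered by the report:", Missing(st))
}
```

Run against a real scan with `govulncheck -json ./... | go run .` after swapping `strings.NewReader(SampleReport)` for `os.Stdin`; any CVE that lands in the `Missing` list while another scanner reports it is exactly the exclusion case the issue describes, and is where a VEX statement would otherwise have been expected to carry the decision.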