VEX related improvements for the build process #1767

macedogm · 2025-01-09T19:56:39Z

macedogm
Jan 9, 2025

In SUSE Rancher we have our own VEX Hub rancher/vexhub repository to remove (VEX) known false-positive CVEs in our projects (images and binaries) and derived third-party and upstream binaries.

Note: The VEX report follows the OpenVEX specification. The VEX Hub repository follows Aqua Security's VEX Repository specification.

In order for VEX to fully work and for security scanners (e.g., Trivy) to correctly match a VEX entry with a Go binary being scanned, the Go binary must have its full package path inside of it. Example:

> go version -m dist/kube-bench | head -n 3
dist/kube-bench: go1.23.4
	path	github.com/aquasecurity/kube-bench
	mod	github.com/aquasecurity/kube-bench	(devel)

When a Go binary is compiled by specifying directly the file as go build main.go as opposed to go build ., the binary won't contain the package path.

> go version -m /usr/bin/kube-bench | head -n 2
/usr/bin/kube-bench: go1.22.7
	path	command-line-arguments

In the above case, the security scanner won't be able to match the binary with its respective VEX entry. This situation is happening with the binary artifacts generated in kube-bench due to:

kube-bench/.goreleaser.yml

Line 8 in df48da4

- main: main.go

This doesn't happen with make build because it's pointing to the directory .:

kube-bench/makefile

Lines 41 to 45 in df48da4

    
           $(BINARY): $(SOURCES) 
        
           	GOOS=$(GOOS) CGO_ENABLED=0 go build -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) . 
        
           build-fips: 
        
           	GOOS=$(GOOS) CGO_ENABLED=0 GOEXPERIMENT=boringcrypto go build -tags fipsonly -ldflags "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion=$(KUBEBENCH_VERSION)" -o $(BINARY) .

I would like to propose a simple PR to fix this:

diff --git a/.goreleaser.yml b/.goreleaser.yml
index cb15102..872693d 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -5,7 +5,7 @@ env:
   - CGO_ENABLED=0
   - KUBEBENCH_CFG=/etc/kube-bench/cfg
 builds:
-  - main: main.go
+  - main: .
     binary: kube-bench
     tags:
       - osusergo

Would such change be accepted to help improve the build process and add the needed information for VEX removal by security scanners to actually work? The change doesn't affect the code's behavior and features.

macedogm · 2025-01-09T19:59:08Z

macedogm
Jan 9, 2025
Author

CC @itaysk and @afdesk apologies the direct ping, but just in case the repo isn't being watched closely as Trivy.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

VEX related improvements for the build process #1767

{{title}}

Replies: 1 comment

{{title}}

Select a reply

VEX related improvements for the build process #1767

macedogm Jan 9, 2025

Replies: 1 comment

macedogm Jan 9, 2025 Author

macedogm
Jan 9, 2025

macedogm
Jan 9, 2025
Author