CVEs found in latest RIE release #145

Open
@github-actions

Description

CVEs found in latest RIE release

product  version  location     cve_number     cvss_vector
go       1.24.4   /usr/bin/go  CVE-2024-3566  unknown

Are these resolved by building with the latest patch version of Go (go1.24.4)?:

No

Activity

valerena commented on Jun 20, 2025

This looks like an old CVE, which apparently affects all(?) versions of Go? or not? https://www.cve.org/CVERecord?id=CVE-2024-3566

There might be issues with the tool we're using to check. It hasn't found other CVEs and then it randomly started showing this one, which doesn't seem relevant really.

valerena commented on Jun 20, 2025

I disabled the workflow so it doesn't keep creating issues, but we need to investigate more about this false positive.

valerena commented on Jun 20, 2025

docker run -v $(pwd):/rie -w /rie anchore/grype dir:. -vv

returns no vulnerabilities

but what runs in the workflow:

pip install cve-bin-tool
python -m cve_bin_tool.cli . -r go -d REDHAT,OSV,GAD,CURL

returns this one above.

valerena commented on Jun 27, 2025

I created a basic app with Go, and it shows this vulnerability:

package main

import "fmt"

func main() {
    fmt.Println("Hello, World!")
}

$ go build -o goapp
$ python -m cve_bin_tool.cli . -r go -d REDHAT,OSV,GAD,CURL
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ CVE Number    ┃ Source ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ golang │ go      │ 1.24.4  │ CVE-2024-3566 │ NVD    │ CRITICAL │ 9.8 (v3)             │
└────────┴─────────┴─────────┴───────────────┴────────┴──────────┴──────────────────────┘
┏━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┓
┃ Vendor ┃ Product ┃ Version ┃ Root                  ┃ Filename ┃
┡━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━┩
│ golang │ go      │ 1.24.4  │ /tmp/oncall/rie/hello │ goapp    │
└────────┴─────────┴─────────┴───────────────────────┴──────────┘

valerena commented on Jul 2, 2025

The issue is confirmed not to be relevant because of the above, but because the tool we use, cve_bin_tool, shows it as a vulnerability, we need something so the ticket doesn't trigger all the time. Either we change our reporting tool, or we ignore this specific CVE.

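One way to act on the second option above (ignore this specific CVE without silencing the scanner for everything else), as an added example that is not part of the issue or of the repository: a Python post-filter that reads the scanner's JSON findings and suppresses only allowlisted CVEs, each with a reason and an expiry date so the suppression is revisited. The finding record layout and the sample input are constructed assumptions modelled on the columns in the report above, not cve-bin-tool's documented output format.

```python
"""Post-filter scanner findings: drop allowlisted CVEs, fail on anything left.
Added example, not code from the repository. The record layout is an assumption
modelled on the issue's columns (product, version, cve_number, cvss_vector)."""
import json
import sys
from datetime import date

# A suppression names the product it applies to, a reason, and an expiry date,
# so an "ignore this CVE" decision cannot silently outlive its justification.
ALLOWLIST = {
    "CVE-2024-3566": {
        "product": "go",
        "reason": "assessed as not applicable to RIE (issue #145); scanner false positive",
        "expires": "2025-12-31",
    },
}

# Constructed sample input resembling the finding reported in the issue.
SAMPLE_FINDINGS = json.dumps([
    {"vendor": "golang", "product": "go", "version": "1.24.4",
     "cve_number": "CVE-2024-3566", "severity": "CRITICAL",
     "cvss_vector": "unknown", "paths": "/usr/bin/go"},
])

def is_suppressed(finding, allowlist, today):
    """True if a live allowlist entry exists for this CVE on the same product."""
    entry = allowlist.get(finding["cve_number"])
    if entry is None or entry["product"] != finding["product"]:
        return False
    return entry["expires"] >= today  # ISO dates compare correctly as strings

def triage(findings_json, allowlist=ALLOWLIST, today=None):
    """Split scanner JSON into (remaining, suppressed) lists of findings."""
    today = today or date.today().isoformat()
    remaining, suppressed = [], []
    for finding in json.loads(findings_json):
        bucket = suppressed if is_suppressed(finding, allowlist, today) else remaining
        bucket.append(finding)
    return remaining, suppressed

if __name__ == "__main__":
    remaining, suppressed = triage(SAMPLE_FINDINGS)
    for f in suppressed:
        print(f"suppressed {f['cve_number']} on {f['product']} {f['version']}: "
              f"{ALLOWLIST[f['cve_number']]['reason']}")
    for f in remaining:
        print(f"OPEN {f['cve_number']} on {f['product']} {f['version']} ({f['severity']})")
    sys.exit(1 if remaining else 0)  # non-zero so the workflow step fails
```

In a workflow this replaces the plain scanner exit status: the step fails only on findings that are not covered by a live, justified suppression.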
          CVEs found in latest RIE release · Issue #145 · aws/aws-lambda-runtime-interface-emulator