Any Go binary is listed as vulnerable to any stdlib CVE, even when not included or used.

[mbrancato]

IDs

CVE-2025-47907

Description

I'm using CVE-2025-47907 as an example here, but this seems to be a much bigger problem with Trivy in how it scans Go binaries.

Trivy will incorrectly report that a binary is vulnerable to a CVE in the Go stdlib, even when that stblib package is not used in the binary and is not even present in the compiled binary.

See reproduction steps.

These results are incorrect:

% KO_DOCKER_REPO=ko.local ko build .
2025/09/16 21:26:28 Using base cgr.dev/chainguard/static:latest@sha256:b2e1c3d3627093e54f6805823e73edd17ab93d6c7202e672988080c863e0412b for test-go-trivy
2025/09/16 21:26:29 current folder is not a git repository. Git info will not be available
2025/09/16 21:26:29 Building test-go-trivy for linux/amd64
2025/09/16 21:26:29 Loading ko.local/test-go-trivy-bd0381358c4cdde322c9e0b2891373bd:9b8476697dc77f3536f39c80dc053b78970fe666a85665ca87c47be5913beeb5
2025/09/16 21:26:29 Loaded ko.local/test-go-trivy-bd0381358c4cdde322c9e0b2891373bd:9b8476697dc77f3536f39c80dc053b78970fe666a85665ca87c47be5913beeb5
2025/09/16 21:26:29 Adding tag latest
2025/09/16 21:26:29 Added tag latest
ko.local/test-go-trivy-bd0381358c4cdde322c9e0b2891373bd:9b8476697dc77f3536f39c80dc053b78970fe666a85665ca87c47be5913beeb5
% trivy image --scanners vuln ko.local/test-go-trivy-bd0381358c4cdde322c9e0b2891373bd:9b8476697dc77f3536f39c80dc053b78970fe666a85665ca87c47be5913beeb5
2025-09-16T21:26:51-04:00	INFO	[vuln] Vulnerability scanning is enabled
2025-09-16T21:26:51-04:00	INFO	Detected OS	family="wolfi" version="20230201"
2025-09-16T21:26:51-04:00	INFO	[wolfi] Detecting vulnerabilities...	pkg_num=3
2025-09-16T21:26:51-04:00	INFO	Number of language-specific files	num=1
2025-09-16T21:26:51-04:00	INFO	[gobinary] Detecting vulnerabilities...
2025-09-16T21:26:51-04:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.60/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┐
│                                      Target                                      │   Type   │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ ko.local/test-go-trivy-bd0381358c4cdde322c9e0b2891373bd:9b8476697dc77f3536f39c8- │  wolfi   │        0        │
│ 0dc053b78970fe666a85665ca87c47be5913beeb5 (wolfi 20230201)                       │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ ko-app/test-go-trivy                                                             │ gobinary │        1        │
└──────────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


ko-app/test-go-trivy (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                   Title                    │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-47907 │ HIGH     │ fixed  │ v1.24.5           │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────┘

Reproduction Steps

file `go.mod`:

module test-go-trivy

go 1.24.5

file main.go:

package main

import "fmt"

func main() {
	fmt.Println("Hello, World!")
}

1. Run: go mod tidy
2. Build a distroless, minimal container: KO_DOCKER_REPO=ko.local ko build .
3. Scan the image output with Trivy: trivy image --scanners vuln --detection-priority comprehensive ko.local/test-go-trivy-bd0381358c4cdde322c9e0b2891373bd:9b8476697dc77f3536f39c80dc053b78970fe666a85665ca87c47be5913beeb5

Target

Container Image

Scanner

Vulnerability

Target OS

Wolfi / distroless

Debug Output

2025-09-16T21:31:14-04:00	DEBUG	No plugins loaded
2025-09-16T21:31:14-04:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-16T21:31:14-04:00	DEBUG	Cache dir	dir="/Users/mike/Library/Caches/trivy"
2025-09-16T21:31:14-04:00	DEBUG	Cache dir	dir="/Users/mike/Library/Caches/trivy"
2025-09-16T21:31:14-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-16T21:31:14-04:00	DEBUG	Ignore statuses	statuses=[]
2025-09-16T21:31:14-04:00	DEBUG	DB update was skipped because the local DB is the latest
2025-09-16T21:31:14-04:00	DEBUG	DB info	schema=2 updated_at=2025-09-17T00:39:58.729160736Z next_update=2025-09-18T00:39:58.729160045Z downloaded_at=2025-09-17T01:06:09.349591Z
2025-09-16T21:31:14-04:00	DEBUG	[pkg] Package types	types=[os library]
2025-09-16T21:31:14-04:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-09-16T21:31:14-04:00	INFO	[vuln] Vulnerability scanning is enabled
2025-09-16T21:31:14-04:00	DEBUG	Initializing scan cache...	type="fs"
2025-09-16T21:31:14-04:00	DEBUG	[image] Detected image ID	image_id="sha256:096b105013a4c2f014dae61a38307a1108346c0305aaef66ffbd398388f2815c"
2025-09-16T21:31:14-04:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:0177120e9357ad3dbca127b6382d1d481c48d06c18ef6ab8e40a9b7688ed542d sha256:ffe56a1c5f3878e9b5f803842adb9e2ce81584b6bd027e8599582aefe14a975b sha256:891551887786da8fd86b08277f75150d840e3a3a80e6c5069b0dfe9489c119fa]
2025-09-16T21:31:14-04:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-09-16T21:31:14-04:00	INFO	Detected OS	family="wolfi" version="20230201"
2025-09-16T21:31:14-04:00	INFO	[wolfi] Detecting vulnerabilities...	pkg_num=3
2025-09-16T21:31:14-04:00	INFO	Number of language-specific files	num=1
2025-09-16T21:31:14-04:00	INFO	[gobinary] Detecting vulnerabilities...
2025-09-16T21:31:14-04:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="ko-app/test-go-trivy"
2025-09-16T21:31:14-04:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="test-go-trivy"
2025-09-16T21:31:14-04:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.60/docs/scanner/vulnerability#severity-selection for details.
2025-09-16T21:31:14-04:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-09-16T21:31:14-04:00	DEBUG	[vex] VEX filtering is disabled

Version

Version: 0.60.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-17 00:39:58.729160736 +0000 UTC
  NextUpdate: 2025-09-18 00:39:58.729160045 +0000 UTC
  DownloadedAt: 2025-09-17 01:06:09.349591 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-03-10 03:02:18.95448909 +0000 UTC
  NextUpdate: 2025-03-13 03:02:18.95448898 +0000 UTC
  DownloadedAt: 2025-03-13 16:12:36.050774 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @mbrancato

This is documented here: https://trivy.dev/latest/docs/coverage/language/golang/#go-binary

Regards, Dmitriy

[mbrancato]

@DmitriyLewen if the binary is being extracted and scanned already, and if its not stripped, why would Trivy not go ahead and match to the claimed packages using symbols? Go provides tools to inspect binaries including go tool. But I'm also sure there are opportunities to use those packages or other programmatic approaches.

For example, here's a one liner that lists used stdlib packages in a binary:

% go tool nm $BIN | awk '$2 ~ /^(T|R|D|B)$/ && $3 ~ /\./ {split($3,a,"."); print a[1]}' | grep -Ff <(go list std) | sort -u

[DmitriyLewen]

Thanks for this idea!
This approach (just like with govulncheck) has limitations (for example, if the -w -s ldflags were used).
We are currently working on a middle tier that will bring some of Aqua’s features into Trivy, but not into OSS. It is planned that at some point we will add support for a similar solution.