False positive warnings from trivy and dependabot #223

Open
wallrj opened this issue Dec 5, 2023 · 2 comments
wallrj commented Dec 5, 2023

This project imports the Go module istio.io/istio, which uses unadorned semver tags rather than the Go-standard v-prefixed release tags. The consequence is that go mod tidy always replaces the go.mod entry with a pseudo-version, and this version is then misinterpreted by trivy and by dependabot:

In #222 I upgraded istio.io/istio to the latest version, and trivy still reports the same false-positive vulnerabilities:

$ trivy repo .
2023-12-05T15:42:33.816Z        INFO    Vulnerability scanning is enabled
2023-12-05T15:42:33.816Z        INFO    Secret scanning is enabled
2023-12-05T15:42:33.816Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-05T15:42:33.817Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-12-05T15:42:38.475Z        INFO    Number of language-specific files: 2
2023-12-05T15:42:38.475Z        INFO    Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 4, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │         Installed Version         │      Fixed Version      │                            Title                             │
├────────────────┼────────────────┼──────────┼────────┼───────────────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ istio.io/istio │ CVE-2019-14993 │ HIGH     │ fixed  │ 0.0.0-20231205100254-0ebec17e00ab │ 1.1.13, 1.2.4           │ istio/envoy: mishandling regular expressions for long URIs   │
│                │                │          │        │                                   │                         │ leading to DoS                                               │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2019-14993                   │
│                ├────────────────┤          │        │                                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-39155 │          │        │                                   │ 1.9.8, 1.10.4, 1.11.1   │ HTTP request can bypass authorization mechanisms due to case │
│                │                │          │        │                                   │                         │ insensitive host comparison...                               │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2021-39155                   │
│                ├────────────────┤          │        │                                   │                         ├──────────────────────────────────────────────────────────────┤
│                │ CVE-2021-39156 │          │        │                                   │                         │ HTTP request with fragment in URI can bypass authorization   │
│                │                │          │        │                                   │                         │ mechanisms                                                   │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2021-39156                   │
│                ├────────────────┤          │        │                                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-23635 │          │        │                                   │ 1.13.1, 1.12.4, 1.11.7  │ unauthenticated control plane denial of service attack       │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2022-23635                   │
│                ├────────────────┼──────────┤        │                                   ├─────────────────────────┼──────────────────────────────────────────────────────────────┤
│                │ CVE-2022-31045 │ MEDIUM   │        │                                   │ 1.12.18, 1.13.5, 1.14.1 │ Unsafe memory access in metadata exchange.                   │
│                │                │          │        │                                   │                         │ https://avd.aquasec.com/nvd/cve-2022-31045                   │
└────────────────┴────────────────┴──────────┴────────┴───────────────────────────────────┴─────────────────────────┴──────────────────────────────────────────────────────────────┘
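The mechanism wallrj describes, as an added example that is not code from this project or from the issue: a pseudo-version such as v0.0.0-20231205100254-0ebec17e00ab carries a base version of 0.0.0, so every fixed version a scanner compares it against sorts higher, whatever the pinned commit actually contains. The helpers below (hypothetical names, standard library only) split a pseudo-version into its parts, flag findings whose installed version is an untagged pseudo-version, and list the go.mod require entries that will be compared that way; any go.mod text fed to them is constructed input.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Go pseudo-version forms: vX.Y.Z-yyyymmddhhmmss-hash, vX.Y.Z-pre.0.<ts>-hash, vX.Y.(Z+1)-0.<ts>-hash.
var pseudoRe = regexp.MustCompile(`^v?(\d+\.\d+\.\d+)(?:-.*?)?(\d{14})-([0-9a-f]{12})$`)

// ParsePseudoVersion splits a pseudo-version into base tag, commit timestamp and hash; ok is false for a plain tag.
func ParsePseudoVersion(v string) (base, stamp, hash string, ok bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return "", "", "", false
	}
	return m[1], m[2], m[3], true
}

// semver reduces "vX.Y.Z[-pre]" to its numeric core, which is all a scanner's range check compares.
func semver(v string) (out [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// LikelyPseudoVersionFalsePositive is true when installed is an untagged pseudo-version (v0.0.0-...): any real fixed version then sorts above it.
func LikelyPseudoVersionFalsePositive(installed, fixed string) bool {
	base, _, _, ok := ParsePseudoVersion(installed)
	return ok && base == "0.0.0" && semver(fixed) != semver(base)
}

// PseudoVersionedRequires lists go.mod require entries (single-line or block form) a scanner will compare as 0.0.0.
func PseudoVersionedRequires(gomod string) []string {
	var hits []string
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require ")); len(f) >= 2 {
			if _, _, _, ok := ParsePseudoVersion(f[1]); ok {
				hits = append(hits, f[0]+" "+f[1])
			}
		}
	}
	return hits
}
```

Running PseudoVersionedRequires over a project's go.mod before a scan tells you in advance which findings need manual comparison of the pinned commit against the upstream release tags rather than trust in the reported version.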
wallrj changed the title from "False positive warnings from trivy" to "False positive warnings from trivy and dependabot" on Dec 6, 2023
marcingy (Contributor) commented
This also affects the scan tool we are using (Orca) in the same way.

tomelliot16 commented
I believe, unless I'm mistaken, that this is because istio doesn't tag with a v prefix (https://github.com/istio/istio/release). I believe an issue should be made with istio/istio to change the versioning to include the prefix v.
