
deck binary reports devel version instead of the real release version in Go build info #1942

@cello86

Hi all,
I am generating an SBOM for a Docker image that contains the deck binary (release v1.36.1). I noticed that tools like Syft cannot detect the correct version of deck.
The command deck --version works fine, but the internal debug.BuildInfo of the Go binary is missing the semantic version. Because of this, vulnerability scanners ignore deck entirely, as they cannot map a pseudo-version to a CVE database.

github.com/Kong/go-diff                                          v1.2.2                                 go-module
github.com/Kong/gojsondiff                                       v1.3.2                                 go-module
github.com/kong/deck                                             v0.0.0-20240321105356-920cf1dec549     go-module
github.com/kong/go-apiops                                        v0.1.31                                go-module
github.com/kong/go-database-reconciler                           v1.8.0                                 go-module
github.com/kong/go-kong                                          v0.51.1-0.20240125175037-0c077f5b9ac7  go-module
github.com/kong/go-slugify                                       v1.0.0                                 go-module
github.com/kong/kubernetes-ingress-controller/v3                 v3.1.2                                 go-module
github.com/kong/semver/v4                                        v4.0.1                                 go-module

$ go version -m deck | grep -E "path|mod" | head -n 2
	path	github.com/kong/deck
	mod	github.com/kong/deck	(devel)  # or v0.0.0-20240321...

Is this behavior correct?

Thanks,
Marcello
