This vulnerability impacts Grafana server (>=9.2.0 and < 9.2.4) and should not be marked against the Grafana go package.
The latest Grafana Go package version is v6.1.6+incompatible
Hi @51n15t9r, thanks for your report. With repositories like grafana, that are not really intended to be used as libraries, and which use custom versioning, it is not always clear how to create a precise and helpful vulnerability report.
May I ask, how did you come across this issue? Did you notice a false positive report from govulncheck or another security scanner?
Hi @tatianab - This was reported in our Anchore container scan.
I had not run govulncheck until now, but I can see these reported in govulncheck as well.
There are a bunch of such vulnerabilities on the same go library package, which I believe should be relooked at, since the description and fix version suggest that they affect only the Grafana server.
Hi again, thanks for the clarification. Would you be willing to share the output from your Anchore container scan or govulncheck? In particular, what version and packages of the grafana library are you using? (If you'd rather share privately, you can send an email to security@golang.org).
Report ID
GO-2024-2856