Conversation

@orizerah
Contributor

@orizerah orizerah commented Sep 30, 2025

Description

Fixed a bug with echo detection where we use SrcVersion instead of Version

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@orizerah orizerah requested a review from knqyf263 as a code owner September 30, 2025 10:04
@Nathansh14

It will be great to have this fix in release v0.67.1, as this PR fixes a lot of false positives when using Trivy to scan images.

@orizerah orizerah changed the title from "feat(image): using SrcVersion instead of Version for echo detector" to "fix: using SrcVersion instead of Version for echo detector" Sep 30, 2025
@knqyf263
Collaborator

knqyf263 commented Oct 1, 2025

It will be great to have this fix in release v0.67.1, as this PR fixes a lot of false positives when using Trivy to scan images.

The correct source version should be used, but I haven’t seen many other vendors producing so many false positives just because of that difference. Could you tell us in what cases these false positives are occurring?

@orizerah
Contributor Author

orizerah commented Oct 1, 2025

@knqyf263
The samba os library installs packages with the version 2:2.4.3+samba4.22.4+dfsg-1~deb13u1, but the CVEs' fixed versions are the samba version, which is 4.22.4. So since 2.4.3 < 4.22.4, we get a false positive. It's the first time we encountered this issue, but we can assume it happens for more packages.
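To make the comparison in this thread concrete, here is an added example (not Trivy's code) that implements dpkg-style version ordering and runs the detector rule against both the binary package Version and the source package SrcVersion. The binary version is the one quoted above; SRC_VERSION and FIXED are assumptions (samba 4.22.4 carrying the same epoch and Debian revision), since the thread only states that the fixed version is 4.22.4.

```python
# Added example (not Trivy's code): dpkg-style version comparison reproducing the
# false positive the thread describes when Version is compared instead of SrcVersion.
import re
from itertools import zip_longest

def _order(c: str) -> int:
    """dpkg weight of a character: '~' sorts before everything (even end of
    string), letters before other symbols, digits and end of string weigh 0."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    if c == "" or c.isdigit():
        return 0
    return ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part as dpkg does: alternate non-digit runs
    (character by character via _order) and digit runs (numerically)."""
    runs = re.compile(r"(\D*)(\d*)").findall
    for (na, da), (nb, db) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v: str) -> tuple[int, str, str]:
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    head, sep, tail = rest.rpartition("-")
    return int(epoch), (head if sep else tail), (tail if sep else "")

def compare(a: str, b: str) -> int:
    """dpkg --compare-versions order: epoch, then upstream, then revision."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def vulnerable(installed: str, fixed: str) -> bool:
    """Detector rule: installed is strictly below the advisory's fixed version."""
    return compare(installed, fixed) < 0

# BIN_VERSION is quoted in the thread; SRC_VERSION and FIXED are constructed
# assumptions (samba 4.22.4 with the same epoch and Debian revision).
BIN_VERSION = "2:2.4.3+samba4.22.4+dfsg-1~deb13u1"
SRC_VERSION = "2:4.22.4+dfsg-1~deb13u1"
FIXED = "2:4.22.4+dfsg-1~deb13u1"
```

`vulnerable(BIN_VERSION, FIXED)` returns True because the ldb upstream part 2.4.3 sorts below 4.22.4, which is the false positive; `vulnerable(SRC_VERSION, FIXED)` returns False, which is what the fix achieves by comparing SrcVersion.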

@knqyf263 knqyf263 added this pull request to the merge queue Oct 9, 2025
Merged via the queue into aquasecurity:main with commit 66479f0 Oct 9, 2025
15 checks passed
@DmitriyLewen DmitriyLewen added this to the v0.67.1 milestone Oct 9, 2025
@DmitriyLewen
Contributor

@aqua-bot backport release/v0.67

@aqua-bot
Contributor

aqua-bot commented Oct 9, 2025

Backport PR created: #9629
