Hi @Aqualon this is a great question! Thanks for asking it.
You’re absolutely right, what Grype is telling you is that there is a Go program in your image that was built with Go 1.18.5, which has a number of CVEs. Of course, every Go executable has the dependency “stdlib”, so that package name isn’t very helpful.
We do have an experimental command to help: grype explain.
Right now, grype explain takes the scan results on stdin, so for example you could do this:
$ grype -o json $MY_IMAGE > /tmp/grype.json
$ cat /tmp/grype.json | grype explain --id CVE-2023-24537
This will print a lot of info about the vulnerability, including the locations where a vulnerable package is found.
You could also use jq to just get the locations and IDs all at once:
$ cat /tmp/grype.json | jq -c '.matches[] | select(.artifact.name == "stdlib") | { path: .artifact.locations[0].path, id: .vulnerability.id }' | sort | uniq
As for what to do about it, you could try upgrading the vulnerable package once you know where it is - maybe there’s an upgrade available from your distro? It really depends what the vulnerable package is. Maybe it makes sense for you to remove it, or see if a newer version is present in a newer base image.
I’ll add this question to our topic list for our livestreamed community gardenings, since I think this is a place in our UX where we could be doing better.
Thanks for the great question!
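The jq pipeline in the reply above, rewritten as a small Python script that runs over a constructed grype JSON document and also groups the findings by file path. This is an added example, not code from the post or from the Grype project: the sample document only mimics the fields the jq filter touches (`.matches[].artifact.name`, `.artifact.locations[].path`, `.vulnerability.id`), the file paths and `CVE-EXAMPLE-*` ids are placeholders, and `findings_by_path` is an assumed helper, not a grype feature.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `grype -o json` output. Only the fields the
# jq filter in the post reads are present; the paths and the CVE-EXAMPLE-*
# ids are placeholders, not real scan findings.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2023-24537"},
         "artifact": {"name": "stdlib",
                      "locations": [{"path": "/usr/local/bin/app"}]}},
        {"vulnerability": {"id": "CVE-EXAMPLE-0001"},
         "artifact": {"name": "stdlib",
                      "locations": [{"path": "/usr/local/bin/app"}]}},
        # the same CVE reported twice for the same binary: `sort | uniq`
        # collapses this, and so does the set below
        {"vulnerability": {"id": "CVE-2023-24537"},
         "artifact": {"name": "stdlib",
                      "locations": [{"path": "/usr/local/bin/app"}]}},
        {"vulnerability": {"id": "CVE-2023-24537"},
         "artifact": {"name": "stdlib",
                      "locations": [{"path": "/opt/tools/helper"}]}},
        # a non-stdlib match that the filter must skip
        {"vulnerability": {"id": "CVE-EXAMPLE-0002"},
         "artifact": {"name": "libexample",
                      "locations": [{"path": "/usr/lib/libexample.so"}]}},
    ]
})


def package_findings(raw_json, package="stdlib"):
    """Equivalent of the post's jq filter followed by `sort | uniq`:
    a sorted list of unique (path, vulnerability id) pairs for every
    match whose artifact name equals `package`."""
    doc = json.loads(raw_json)
    pairs = set()
    for match in doc.get("matches", []):
        artifact = match.get("artifact", {})
        if artifact.get("name") != package:
            continue
        locations = artifact.get("locations") or []
        if not locations:
            # jq's `.locations[0].path` yields null here; skip instead
            continue
        pairs.add((locations[0]["path"], match["vulnerability"]["id"]))
    return sorted(pairs)


def findings_by_path(raw_json, package="stdlib"):
    """Assumed helper: group the pairs by file path so each vulnerable
    binary is listed once with every CVE id reported against it."""
    grouped = defaultdict(set)
    for path, vuln_id in package_findings(raw_json, package):
        grouped[path].add(vuln_id)
    return {path: sorted(ids) for path, ids in sorted(grouped.items())}


if __name__ == "__main__":
    # Same data as the jq one-liner, but one line per binary.
    for path, ids in findings_by_path(SAMPLE_GRYPE_JSON).items():
        print(f"{path}: {', '.join(ids)}")
```

Pointing the script at a real `/tmp/grype.json` from `grype -o json` is a matter of replacing `SAMPLE_GRYPE_JSON` with the file's contents; the per-path grouping makes it obvious which binaries in the image actually need rebuilding with a newer Go toolchain or replacing from a newer base image.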