Trivy is reporting a CVE that looks like it may be a false positive: CVE-2024-52308.

[j3p0uk]

Describe the bug

When running Trivy on a container that pulls the built GitHub CLI from the GitHub releases location, Trivy reports the following:

usr/bin/gh (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │         Installed Version          │ Fixed Version │                           Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/cli/cli/v2 │ CVE-2024-52308 │ HIGH     │ fixed  │ v2.0.0-20251113120743-680a8c4c4fe2 │ 2.62.0        │ The GitHub CLI version 2.6.1 and earlier are vulnerable to │
│                       │                │          │        │                                    │               │ remote code...                                             │
│                       │                │          │        │                                    │               │ https://avd.aquasec.com/nvd/cve-2024-52308                 │
└───────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Affected version

# gh --version
gh version 2.83.1 (2025-11-13)
https://github.com/cli/cli/releases/tag/v2.83.1

Steps to reproduce the behavior

Use this sample Dockerfile:

# https://github.com/cli/cli/releases
ARG GH_VERSION=2.83.1

FROM alpine:3.23.0
RUN apk add --no-cache --update \
    curl \
    unzip

ARG GH_VERSION
RUN curl -fsSLO https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz && \
    tar -zxf gh_${GH_VERSION}_linux_amd64.tar.gz && \
    chmod +x gh_${GH_VERSION}_linux_amd64/bin/gh && \
    cp gh_${GH_VERSION}_linux_amd64/bin/gh /usr/bin

Run a build: docker build -t gh-cli:test -f Dockerfile.test .
Run Trivy: TRIVY_IGNORE_UNFIXED=true TRIVY_SEVERITY=CRITICAL,HIGH trivy image gh-cli:test

Expected vs actual behavior

I do not expect CVE-2024-52308 to be identified.

Logs

Note that it looks like the build of the binary has changed, and this is what results in the issue. Running strings on the binary is returning the version number in v2.83.0+ and not in previous versions:

/tmp # GH_VERSION=2.62.0 && curl -fsSLO https://github.com/cli/cli/releases/download/v${GH_VERSION}
/gh_${GH_VERSION}_linux_amd64.tar.gz &&   tar -zxf gh_${GH_VERSION}_linux_amd64.tar.gz
/tmp # GH_VERSION=2.83.1 && curl -fsSLO https://github.com/cli/cli/releases/download/v${GH_VERSION}
/gh_${GH_VERSION}_linux_amd64.tar.gz &&   tar -zxf gh_${GH_VERSION}_linux_amd64.tar.gz
/tmp # GH_VERSION=2.82.1 && curl -fsSLO https://github.com/cli/cli/releases/download/v${GH_VERSION}
/gh_${GH_VERSION}_linux_amd64.tar.gz &&   tar -zxf gh_${GH_VERSION}_linux_amd64.tar.gz
/tmp # GH_VERSION=2.83.0 && curl -fsSLO https://github.com/cli/cli/releases/download/v${GH_VERSION}
/gh_${GH_VERSION}_linux_amd64.tar.gz &&   tar -zxf gh_${GH_VERSION}_linux_amd64.tar.gz
/tmp # for i in gh_2.*/bin/gh ; do echo $i: ; strings $i | grep "^mod[[:space:]]*github.com/cli/cli
/v2" ; done
gh_2.62.0_linux_amd64/bin/gh:
mod	github.com/cli/cli/v2	(devel)	
mod	github.com/cli/cli/v2	(devel)	
gh_2.82.1_linux_amd64/bin/gh:
mod	github.com/cli/cli/v2	(devel)	
mod	github.com/cli/cli/v2	(devel)	
gh_2.83.0_linux_amd64/bin/gh:
mod	github.com/cli/cli/v2	v2.0.0-20251104174640-152d328db80d	
mod	github.com/cli/cli/v2	v2.0.0-20251104174640-152d328db80d	
gh_2.83.1_linux_amd64/bin/gh:
mod	github.com/cli/cli/v2	v2.0.0-20251113120743-680a8c4c4fe2	
mod	github.com/cli/cli/v2	v2.0.0-20251113120743-680a8c4c4fe2	

[tsvetomir]

Same for CVE-2025-66564 and CVE-2025-61729 with GH CLI v2.83.1

usr/bin/gh (gobinary)
=====================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌─────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬───────────────────────────────────────────────────────────┐
│                 Library                 │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                           │
├─────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/sigstore/timestamp-authority │ CVE-2025-66564 │ HIGH     │ fixed  │ v1.2.9            │ 2.0.3           │ Sigstore Timestamp Authority is a service for issuing RFC │
│                                         │                │          │        │                   │                 │ 3161 timesta ......                                       │
│                                         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-66564                │
├─────────────────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib                                  │ CVE-2025-61729 │          │        │ v1.25.3           │ 1.24.11, 1.25.5 │ Within HostnameError.Error(), when constructing an error  │
│                                         │                │          │        │                   │                 │ string, there ...                                         │
│                                         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-61729                │
└─────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴───────────────────────────────────────────────────────────┘

[BagToad]

Hey folks, big thanks for opening this issue ❤️ I've been discussing this with @babakks. This was on our radar when we upgraded to Go 1.25.3 in #11926 when we noticed that govulncheck started failing for the same reasons, but at the time we didn't realize what this might mean to folks scanning the binary and not the source code. We wrote some notes in #11926 (comment), but here's the pertinent information:

It looks like the vcs stamp is now different in Go 1.25 when built with a shallow clone. It now drops the minor and patch versions v2.xx.xx and instead uses an arbitrary v2.0.0 causing govulncheck to think we are building gh with vulnerabilities discovered and fixed between v2.0.0 and the latest v2.85.x. We're not sure why exactly this changed.

Setting buildvcs to false fixes the issue because that version information doesn't get stamped into the binary, but that's probably not a great fix.

We also noticed that scanning in source code mode instead of binary mode fixes the issue, probably because the source code scan can resolve the real versions.

The TLDR is just that Go has changed something with how this version information is collected and stamped into the binary, and we don't fully understand why right now or what all our options are. That said, it does seem like we do have options, so we're seeing what we can do.

[babakks]

@tsvetomir, those are not false positives caused by missing/wrong embedded version. Here's the state of the work:

• github.com/sigstore/timestamp-authority: PR Bump sigstore-go to v1.1.4 #12289 is to fix this (the module is bumped to v2.0.3 in go.mod).
• stdlib: Already fixed in our latest release, v2.83.2 which uses Go 1.25.5.

[babakks]

Thanks everyone for the discussion. I looked into this and I'm now sharing what I think.

Observations

As @BagToad mentioned, we noticed, while upgrading to Go v1.25, that go build is now embedding a best-guess kind of version into the binary. Inspecting the current latest release, it seems to be v2.0.0-20251210145848-560ea94fc7d6, which is not right and is basically a pseudo-version number generated by Go (like when you add untagged dependencies):

gh release download v2.83.2 -p '*amd64.tar.gz'
tar -xvf gh_2.83.2_linux_amd64.tar.gz
go version -m ./gh_2.83.2_linux_amd64/bin/gh | head -n 3
# ./gh_2.83.2_linux_amd64/bin/gh: go1.25.5
#         path    github.com/cli/cli/v2/cmd/gh
#         mod     github.com/cli/cli/v2   v2.0.0-20251210145848-560ea94fc7d6

Before this change, gh binaries were built with (devel) as the embedded version. For example, this is what we get for v2.78.0:

gh release download v2.78.0 -p '*amd64.tar.gz'
tar -xvf gh_2.78.0_linux_amd64.tar.gz
go version -m ./gh_2.78.0_linux_amd64/bin/gh | head -n 3
# ./gh_2.78.0_linux_amd64/bin/gh: go1.24.6
#         path    github.com/cli/cli/v2/cmd/gh
#         mod     github.com/cli/cli/v2   (devel)

Let's also see an even older version, like v2.60.0:

gh release download v2.60.0 -p '*amd64.tar.gz'
tar -xvf gh_2.60.0_linux_amd64.tar.gz
go version -m ./gh_2.60.0_linux_amd64/bin/gh | head -n 3
# ./gh_2.60.0_linux_amd64/bin/gh: go1.22.6
#         path    github.com/cli/cli/v2/cmd/gh
#         mod     github.com/cli/cli/v2   (devel)

For now just note that the version is (devel) and it's built with Go 1.22. I'll explain why we need this later.

Cause of the change

When we first noticed the problem while bumping Go from 1.24 to 1.25, we looked into it (See #11926 (comment)) and we decided this might be a new behaviour in Go 1.25. Now that I've looked deeper, I'm surprised to see this behaviour was actually introduced in Go 1.24! And it didn't affect our binaries built with that version! 🤔 If you look at the above observations, you can see v2.78.0 is built with Go 1.24 and the embedded version is (devel). This is similar with even older builds, like v2.60.0 that was built with Go 1.22. So, this remains an open question. 🤷

Anyway, as of Go 1.24 release notes:

The go build command now sets the main module's version in the compiled binary based on the version control system tag and/or commit. A +dirty suffix will be appended if there are uncommitted changes. Use the -buildvcs=false flag to omit version control information from the binary.

And expectedly this change has caused problems for others OSS projects. A quick search yields these samples:

• Dependencies of the released Vault binary indicate wrong Vault version hashicorp/vault#30685
• AWS Inspector Security Scan reports false positive CVEs in grafana after Go 1.24 upgrade grafana/grafana#109239
• Grafana GO module: version is listed as v0.0.0-[date]-[id]+dirty for github.com/grafana/grafana in SBOM after go upgrade grafana/grafana#106728
• Alloy GO module version is listed as v0.0.0-[date]-[id]+dirty since version 1.8.x in SBOM grafana/alloy#3538
• (PR) fix incorrect module version ci builds grafana/alloy#3543

Potential solutions

1. Use -buildvcs=false and keep embedding (devel) as version

The simplest solution which will bring gh binaries back to how they were is to just add the -buildvcs=false flag to go build, as suggested by Go 1.24 release notes. We have already confirmed this approach (See #11926 (comment)).

However, this is not really the best fix. It has also been suggested in those other sample issues I linked above, and the community rightfully doesn't really like it as it eliminates accurate versioning, and hence, results in unusable version metadata. We haven't had any complaints in this regard in the past, so this can still be considered as a good enough fix for gh.

2. Embed the right version

If there's a git tag on the last commit from which we build the binary, then that tag will be used embedded as version. I tested it locally and it worked. Expand the below for more details.

Details

Here a small hello-world binary is built with and without a tag on the current commit. Also the git history has only one commit, to mimic our shallow checkout in workflows. Note the mod version in both builds (a pseudo-version in no-tag build, and the correct version in the other).

# Without tag
go build -o foo . && go version -m foo | head -n 3
# foo: go1.25.5
#     path   foo
#     mod    foo    v0.0.0-20251216123857-8a2e82b4cbf6	
# ...
#     build  vcs=git
#     build  vcs.revision=8a2e82b4cbf64bccac6e89c8ed32e22396257a40
#     build  vcs.time=2025-12-16T12:38:57Z
#     build  vcs.modified=false

# With tag
git tag v1.0.0 -m 'temp tag'
go build -o foo . && go version -m foo | head -n 3
# foo: go1.25.5
#     path   foo
#     mod    foo    v1.0.0
# ...
#     build  vcs=git
#     build  vcs.revision=8a2e82b4cbf64bccac6e89c8ed32e22396257a40
#     build  vcs.time=2025-12-16T12:38:57Z
#     build  vcs.modified=false

This seems to be simple, but it's actually a bit tricky to implement in the gh release workflow. The reason is our workflow first builds gh binaries for different OS via separate jobs, and then after some processing (e.g. signing, making MSI/PKG installers) and making sure everything is okay, we'll create and publish the git tag. We definitely don't want to create and publish the tag before the final step, otherwise, any failure during build or signing will leave the repo in a bogus state.

@BagToad and I, have already discussed this in the past. One workaround would be to create a temporary tag per build jobs and never push the tag. Since our workflow does not mutate the state of the git repository, and git objects are always created in a deterministic way, these isolated tags will all be exactly the same.

That said, this is yet to be discussed by the team.

[babakks]

@BagToad and I discussed this, and we're both into the second solution which provides a better packaging experience. However, we decided to block this issue on #12319, to avoid conflicting changes in our release workflow. Once the other PR is merged, we'll start fixing this issue.