wal-g CVE-2021-38599: +dirty pseudo-version, FixedVersion 1.1 — expected?

[AreejMohamedSaad]

IDs

CVE-2021-38599

Description

What we built

A minimal image wal-g-only:latest that installs only the upstream wal-g PostgreSQL binary from the latest wal-g release on Ubuntu 24.04 (asset name pattern wal-g-pg-24.04-amd64). The binary is installed at /usr/local/bin/wal-g.

Put the Dockerfile below in a directory such as wal-g-minimal/ (save it as wal-g-minimal/Dockerfile next to where you run docker build).

What Trivy reported

trivy image --scanners vuln --no-progress wal-g-only:latest

Report summary (from our run):

Target	Type	Vulnerabilities
wal-g-only:latest (ubuntu 24.04)	ubuntu	6
usr/local/bin/wal-g	gobinary	10

Ubuntu layer: mix of LOW/MEDIUM (e.g. libgcrypt, login/passwd, tar, systemd/udev with some rows marked fixed vs affected depending on package/version).

Go binary (usr/local/bin/wal-g) — relevant excerpt:

Library	CVE	Severity	Installed version (Trivy)	Fixed version (Trivy)
github.com/wal-g/wal-g	CVE-2021-38599	HIGH	v0.0.0-20260120170815-f81943e64bdf+dirty	1.1
stdlib	(several)	HIGH/MEDIUM/LOW	v1.25.5	(per CVE)

wal-g --version on the same binary reports a normal release line (e.g. wal-g version v3.0.8 … PostgreSQL), while the main module row uses a pseudo-version with +dirty, which is confusing for triage and dashboards.

Why we’re filing

We want to confirm whether this mapping is intended (advisory data vs. embedded buildinfo) and whether anything can be improved (e.g. clearer Status, version normalization for +dirty release artifacts, or documentation so users know why release binaries look like this in Go binary scans).

Reproduction Steps

1. Dockerfile (minimal; fetches latest wal-g release and wal-g-pg-24.04-amd64):

FROM ubuntu:24.04

ARG WALG_UBUNTU=24.04

RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates curl \
 && set -eux; \
    WALG_VER=$(curl -fsSL https://api.github.com/repos/wal-g/wal-g/releases/latest \
      | sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"v\([0-9.]*\)".*/\1/p' | head -1); \
    test -n "$WALG_VER"; \
    curl -fsSL \
      "https://github.com/wal-g/wal-g/releases/download/v${WALG_VER}/wal-g-pg-${WALG_UBUNTU}-amd64" \
      -o /usr/local/bin/wal-g; \
    chmod +x /usr/local/bin/wal-g; \
    rm -rf /var/lib/apt/lists/*; \
    wal-g --version

2. Build

cd "/path/to/wal-g-minimal"
docker build -t wal-g-only:latest .

3. Scan

trivy image --scanners vuln --no-progress wal-g-only:latest

4. Optional — JSON for maintainers

trivy image --scanners vuln --format json -o trivy-wal-g-only.json wal-g-only:latest
rg 'CVE-2021-38599|wal-g' trivy-wal-g-only.json

Expected in our environment: CVE-2021-38599 appears under the gobinary target for github.com/wal-g/wal-g with a pseudo-version containing +dirty and FixedVersion 1.1, alongside other stdlib / grpc findings.

Note: Upstream renamed release assets; older docs use wal-g-pg-ubuntu-20.04-amd64 — that name 404s on current releases. Use wal-g-pg-24.04-amd64 (or the flavor matching your base Ubuntu).

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu 24.04 (base image for the minimal repro)

Debug Output

trivy image --scanners vuln --format json -o /dev/null wal-g-only:latest --debug 2>&1 | tee trivy-wal-g-only-debug.txt


2026-04-03T12:49:53+02:00	DEBUG	No plugins loaded
2026-04-03T12:49:53+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2026-04-03T12:49:53+02:00	DEBUG	Cache dir	dir="/home/user/.cache/trivy"
2026-04-03T12:49:53+02:00	DEBUG	Cache dir	dir="/home/user/.cache/trivy"
2026-04-03T12:49:53+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-04-03T12:49:53+02:00	DEBUG	Ignore statuses	statuses=[]
2026-04-03T12:49:53+02:00	DEBUG	DB update was skipped because the local DB is the latest
2026-04-03T12:49:53+02:00	DEBUG	DB info	schema=2 updated_at=2026-04-03T00:47:36.177501637Z next_update=2026-04-04T00:47:36.177501346Z downloaded_at=2026-04-03T09:45:40.960945272Z
2026-04-03T12:49:53+02:00	DEBUG	[pkg] Package types	types=[os library]
2026-04-03T12:49:53+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2026-04-03T12:49:53+02:00	INFO	[vuln] Vulnerability scanning is enabled
2026-04-03T12:49:53+02:00	DEBUG	Initializing scan cache...	type="fs"
2026-04-03T12:49:53+02:00	DEBUG	[notification] Running version check
2026-04-03T12:49:53+02:00	DEBUG	Created process-specific temp directory	path="/tmp/trivy-3886192"
2026-04-03T12:49:53+02:00	DEBUG	[image] Image found	image="wal-g-only:latest" source="docker"
2026-04-03T12:49:53+02:00	DEBUG	[image] Detected image ID	image_id="sha256:1e76fbc1ba9457cec6186c46c8e43ce92f48bffa0d8a789afa5043526dead273"
2026-04-03T12:49:53+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:f2a7f072635332d307212e318e07284948b89f4167fce5c4d7c9cfb7590b74b6 sha256:522243a6c5129722c6103b8d5197cbccd6ee1009c9246af0aa8af3501a987de2]
2026-04-03T12:49:53+02:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:f2a7f072635332d307212e318e07284948b89f4167fce5c4d7c9cfb7590b74b6]
2026-04-03T12:49:53+02:00	INFO	Detected OS	family="ubuntu" version="24.04"
2026-04-03T12:49:53+02:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="24.04" pkg_num=109
2026-04-03T12:49:53+02:00	INFO	Number of language-specific files	num=1
2026-04-03T12:49:53+02:00	INFO	[gobinary] Detecting vulnerabilities...
2026-04-03T12:49:53+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/wal-g"
2026-04-03T12:49:53+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.69/guide/scanner/vulnerability#severity-selection for details.
2026-04-03T12:49:53+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2026-04-03T12:49:53+02:00	DEBUG	[vex] VEX filtering is disabled
2026-04-03T12:49:53+02:00	DEBUG	[notification] Version check completed	latest_version="0.69.3"
2026-04-03T12:49:53+02:00	DEBUG	[notification] Printing notices

📣 �[34mNotices:�[0m
  - Version 0.69.3 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

2026-04-03T12:49:53+02:00	DEBUG	Cleaning up temp directory	path="/tmp/trivy-3886192"

Version

Version: 0.69.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-04-03 00:47:36.177501637 +0000 UTC
  NextUpdate: 2026-04-04 00:47:36.177501346 +0000 UTC
  DownloadedAt: 2026-04-03 09:45:40.960945272 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2026-03-19 01:17:54.395813642 +0000 UTC
  NextUpdate: 2026-03-22 01:17:54.39581332 +0000 UTC
  DownloadedAt: 2026-03-25 13:52:56.378906797 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

duplicate of #9446