Wrong Envoy Proxy Gateway version identified

[bozho]

Description

We have Envoy Proxy Gateway deployed to our cluster. We deploy it using the official helm chart. The current version is 1.7.0. When running trivy kubernetes --report all --timeout 60m --include-namespaces networking, trivy misidentifies its version as v0.0.0-20260205163311-da2aac967d53, instead of `1.7.0:

namespace: networking, deployment: envoy-gateway (gobinary)
===========================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 3, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬────────────────────────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │         Installed Version          │        Fixed Version         │                            Title                             │
├───────────────────────────────┼────────────────┼──────────┼────────┼────────────────────────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/envoyproxy/gateway │ CVE-2025-24030 │ HIGH     │ fixed  │ v0.0.0-20260205163311-da2aac967d53 │ 1.2.6                        │ github.com/envoyproxy/gateway: Envoy Admin Interface Exposed │
│                               │                │          │        │                                    │                              │ through prometheus metrics endpoint                          │
│                               │                │          │        │                                    │                              │ https://avd.aquasec.com/nvd/cve-2025-24030                   │
│                               ├────────────────┤          │        │                                    ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2026-22771 │          │        │                                    │ 1.6.2, 1.5.7                 │ envoyproxy/gateway: Envoy Gateway: Unauthorized access to    │
│                               │                │          │        │                                    │                              │ secrets via Lua script credential leakage...                 │
│                               │                │          │        │                                    │                              │ https://avd.aquasec.com/nvd/cve-2026-22771                   │
│                               ├────────────────┼──────────┤        │                                    ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                               │ CVE-2025-25294 │ MEDIUM   │        │                                    │ 1.2.7, 1.3.1                 │ envoyproxy/gateway: Envoy Gateway Log Injection              │
│                               │                │          │        │                                    │                              │ Vulnerability                                                │
│                               │                │          │        │                                    │                              │ https://avd.aquasec.com/nvd/cve-2025-25294                   │
├───────────────────────────────┼────────────────┼──────────┤        ├────────────────────────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                        │ CVE-2025-68121 │ HIGH     │        │ v1.25.6                            │ 1.24.13, 1.25.7, 1.26.0-rc.3 │ During session resumption in crypto/tls, if the underlying   │
│                               │                │          │        │                                    │                              │ Config has ......                                            │
│                               │                │          │        │                                    │                              │ https://avd.aquasec.com/nvd/cve-2025-68121                   │
└───────────────────────────────┴────────────────┴──────────┴────────┴────────────────────────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

v1.7.0 was released on 2026.02.05 and its commit hash is da2aac967d53.

Desired Behavior

Correctly identified deployment version :-)

Actual Behavior

Envoy Proxy Gateway version identified as v0.0.0-20260205163311-da2aac967d53, reporting a false positive with 2 high and 1 medium CVE.

Reproduction Steps

1. Deploy Envoy Proxy Gateway using the official `helm` chart.
2. Run detailed `trivy` scan on the namespace.
3. Observe wrong version

Target

None

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2026-02-09T15:37:52+01:00       DEBUG   No plugins loaded
2026-02-09T15:37:52+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2026-02-09T15:37:52+01:00       DEBUG   Cache dir       dir="F:\\Users\\bozho\\AppData\\Local\\trivy"
2026-02-09T15:37:52+01:00       DEBUG   Cache dir       dir="F:\\Users\\bozho\\AppData\\Local\\trivy"
2026-02-09T15:37:52+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-02-09T15:37:52+01:00       DEBUG   Ignore statuses statuses=[]
2026-02-09T15:37:53+01:00       INFO    [checks-client] Using existing checks from cache        path="F:\\Users\\bozho\\AppData\\Local\\trivy\\policy\\content"
2026-02-09T15:37:56+01:00       INFO    Node scanning is enabled
2026-02-09T15:37:56+01:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2026-02-09T15:37:56+01:00       DEBUG   DB update was skipped because the local DB is the latest
2026-02-09T15:37:56+01:00       DEBUG   DB info schema=2 updated_at=2026-02-09T06:47:59.166570526Z next_update=2026-02-10T06:47:59.166570235Z downloaded_at=2026-02-09T14:36:41.5283114Z
2026-02-09T15:37:56+01:00       INFO    Scanning K8s... K8s="<redacted>"
2026-02-09T15:37:56+01:00       DEBUG   [notification] Running version check
2026-02-09T15:37:56+01:00       DEBUG   [notification] Version check completed  latest_version="0.69.1"

Operating System

Windows 10 Pro

Version

Version: 0.69.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2026-02-09 06:47:59.166570526 +0000 UTC
  NextUpdate: 2026-02-10 06:47:59.166570235 +0000 UTC
  DownloadedAt: 2026-02-09 13:52:13.6912009 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-12-30 01:14:14.705334356 +0000 UTC
  NextUpdate: 2026-01-02 01:14:14.705334196 +0000 UTC
  DownloadedAt: 2025-12-30 12:43:18.9515286 +0000 UTC
Check Bundle:
  Digest: sha256:ff1f8aeb19a802446ed4125bd084f2d6f50ad6800328fee24a4bc2f5a03c23c1
  DownloadedAt: 2026-02-09 13:52:04.8536478 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Duplicate of #9446