
Golang binaries are not scanned from within containers #314

Open
lm-sig opened this issue Jun 13, 2024 · 1 comment
Labels
enhancement New feature or request

Comments


lm-sig commented Jun 13, 2024

Expected Behavior

The SBOM should contain purls with "pkg:golang/..." in them.

Actual Behavior

The SBOM does not list any golang packages.

Steps to Reproduce

Create a container with a golang binary. My example is the "Zarf" golang application.

Zarf: https://zarf.dev

Create a container with OWASP Dep-scan 5.4.0 and cdxgen 10.6.2.

Call depscan:

```shell
$ depscan -i /tmp/container.tar --deep -t docker
```

Additional Information

I can scan the same Zarf container with Trivy and it generates an SBOM with Go libraries listed.

Example Trivy SBOM entry:

```json
  "components": [
    {
      "bom-ref": "00b32844-f12a-480e-9c14-a5105b7422bf",
      "type": "library",
      "name": "google.golang.org/genproto/googleapis/api",
      "version": "v0.0.0-20240311173647-c811ad7063a7",
      "purl": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240311173647-c811ad7063a7",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "opt/bitnami/cosign"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:d112b9181f19a69f0a75e882c564928fea652283cc71f767f7e60aa332c1354e"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:613a963825a72ba921a178fc21988d0f21d3c24f9069a36d09903118f4635d80"
        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "google.golang.org/genproto/googleapis/api@v0.0.0-20240311173647-c811ad7063a7"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },
...
```
@lm-sig lm-sig added the bug Something isn't working label Jun 13, 2024
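An added check for the gap described in this report (example code, not from cdxgen, dep-scan or Trivy): it loads a CycloneDX JSON SBOM, tallies components by purl type, lists the Go modules it finds, and flags which of them were recovered from a compiled binary (the `aquasecurity:trivy:PkgType` = `gobinary` property shown above). Running it against the SBOM produced for an image that ships a Go binary tells you at once whether the generator saw the modules compiled into that binary. The sample SBOM is constructed inline and modelled on the Trivy entry in the report; the function names are my own.

```python
"""Verify that a CycloneDX JSON SBOM lists Go modules (pkg:golang purls).

Added example, not code from cdxgen, dep-scan or Trivy. The sample document
below is constructed; its Go entry mirrors the Trivy component in the report.
"""
import json
import sys
from collections import Counter

# Constructed sample: a trimmed CycloneDX 1.5 document with one Go module
# recovered from a binary and one OS package, so both purl types appear.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "google.golang.org/genproto/googleapis/api",
            "version": "v0.0.0-20240311173647-c811ad7063a7",
            "purl": "pkg:golang/google.golang.org/genproto/googleapis/api"
                    "@v0.0.0-20240311173647-c811ad7063a7",
            "properties": [
                {"name": "aquasecurity:trivy:FilePath", "value": "opt/bitnami/cosign"},
                {"name": "aquasecurity:trivy:PkgType", "value": "gobinary"},
            ],
        },
        {
            "type": "library",
            "name": "libssl3",
            "version": "3.0.13-1",  # constructed version, not from the report
            "purl": "pkg:deb/debian/libssl3@3.0.13-1",
        },
    ],
})


def purl_type(purl):
    """Return the package type of a purl, e.g. 'golang' for 'pkg:golang/...'.

    Returns None for values that are not purls at all.
    """
    if not isinstance(purl, str) or not purl.startswith("pkg:"):
        return None
    rest = purl[len("pkg:"):]
    # The type is everything up to the first '/' (the namespace/name part).
    ptype = rest.split("/", 1)[0].lower()
    return ptype or None


def from_go_binary(component):
    """True if the generator marked this component as extracted from a Go binary.

    Uses the Trivy property name seen in the report; other generators may
    record provenance differently, so a False here is not conclusive.
    """
    for prop in component.get("properties", []):
        if prop.get("name") == "aquasecurity:trivy:PkgType" and prop.get("value") == "gobinary":
            return True
    return False


def summarize(sbom_json):
    """Count components by purl type and collect the Go modules.

    Returns (counts, go_modules) where go_modules is a list of
    (name, version, from_binary) tuples.
    """
    doc = json.loads(sbom_json)
    counts = Counter()
    go_modules = []
    for comp in doc.get("components", []):
        ptype = purl_type(comp.get("purl")) or "none"
        counts[ptype] += 1
        if ptype == "golang":
            go_modules.append((comp.get("name"), comp.get("version"), from_go_binary(comp)))
    return counts, go_modules


def has_go_components(sbom_json):
    """True if at least one component carries a pkg:golang purl."""
    counts, _ = summarize(sbom_json)
    return counts["golang"] > 0


def main(argv):
    """Usage: python check_go_sbom.py [sbom.json]; with no path the sample is used."""
    sbom_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SBOM
    counts, go_modules = summarize(sbom_json)
    for ptype, n in sorted(counts.items()):
        print(f"{ptype:10s} {n}")
    for name, version, from_binary in go_modules:
        print(f"golang module {name}@{version} (from binary: {from_binary})")
    if not go_modules:
        print("WARNING: no pkg:golang components; Go binaries were probably not analysed")
    return 0 if go_modules else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit when no `pkg:golang` component is present makes the check easy to wire into a pipeline that expects the image to contain Go binaries; the absence reported in this issue would fail that step rather than silently producing an SBOM with no Go dependencies to match against vulnerability data.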
prabhu (Member) commented Jun 21, 2024

@lm-sig It's a feature. cdxgen doesn't do binary analysis by default for containers. We will add this in v6 using blint.

@prabhu prabhu added enhancement New feature or request and removed bug Something isn't working labels Jun 21, 2024
@prabhu prabhu changed the title from "Bug: Golang binaries are not scanned" to "Golang binaries are not scanned from within containers" Jun 21, 2024