Identifying Go executables embedded inside other Go executables
What would you like to be added: I have a binary in Go; we will name it Alpha. Alpha includes another binary (I'm implementing it using go:embed) named Beta. So Alpha uses Beta as a dependency. However, when I run syft on the binary Alpha, I see only the dependencies which are specified in go.mod, but I don't see the transitive dependencies of Beta.
Why is this needed: Finding the full SBOM of the binary
Additional context:
There isn't an easy way to do this since go:embed will essentially store the binary as a data payload, so there isn't anything that is really observable when parsing the outer binary file. The best way I can figure is to search within the binary for known patterns that look like a buildinfo section within a standard Go binary, which could lead to false positives, but would be possible.
@tomerse-sg, if both executables are go programs, is there a reason to embed one via go:embed instead of making one depend on the other as a normal go package? It's only the embed mechanism that's making it so we can't detect Beta from your example.
Hi, we're going to go ahead and close this issue--we've discussed this and we wouldn't be able to extract enough useful data from an embedded Go binary to make any useful identification in Syft. If there is ever a standard way to extract the Go embed data and we were able to treat the embedded data like the contents of an archive, we would have more options, but that method doesn't currently exist.