Incorrect crypto version when scanning Go binary

Open learnitall opened this issue 4 months ago • 2 comments

What happened:

I built a Go binary using the boringcrypto Go experiment; however, a Syft scan showed the experiment as not being used. This happens regardless of whether crypto/tls/fipsonly is imported.

What you expected to happen:

The Go standard library version would contain some sort of reference to the boringcrypto experiment being used.

Steps to reproduce the issue:

  1. Create an example binary. I chose to use this one, which I found via https://github.com/golang/go/issues/68588.

  2. Compile the binary using GOEXPERIMENT=1 CGO_ENABLED=1:

$ GOEXPERIMENT=1 CGO_ENABLED=1 go build .

  3. Use go tool nm to verify that the boringcrypto experiment was applied:

$ go tool nm ./boringtest | grep 'BoringCrypto'
  627440 T crypto/internal/boring/sig.BoringCrypto.abi0
$ go tool nm ./boringtest | grep 'StandardCrypto'
$ echo $?
1

  4. Use Syft to scan the binary:

$ syft  ./boringtest
 ✔ Indexed file system                                                 <truncated>/boringtest
 ✔ Cataloged contents                   9433b1793756a85175baf7035c17f2059e6e427d947683adfd7ec014181d0bd8
   ├── ✔ Packages                        [2 packages]
   └── ✔ Executables                     [1 executables]
NAME                              VERSION   TYPE
github.com/learnitall/boringtest  (devel)   go-module
stdlib                            go1.23.1  go-module

Anything else we need to know?:

The kind of output I was expecting to see was something like:

stdlib                  go1.23.1 X:boringcrypto  go-module

Environment:

  • Output of syft version:
Application: syft
Version:    [not provided]
BuildDate:  [not provided]
GitCommit:  [not provided]
GitDescription: [not provided]
Platform:   linux/amd64
GoVersion:  go1.22.6
Compiler:   gc

The version of Syft that I used was one that I built today off of commit https://github.com/anchore/syft/commit/01de99b25304ec95197c00b21d698f127b31a887 (v1.13.0)

  • OS (e.g: cat /etc/os-release or similar):
ANSI_COLOR="1;34"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
BUILD_ID="24.05.20240916.086b448"
DOCUMENTATION_URL="https://nixos.org/learn.html"
HOME_URL="https://nixos.org/"
ID=nixos
IMAGE_ID=""
IMAGE_VERSION=""
LOGO="nix-snowflake"
NAME=NixOS
PRETTY_NAME="NixOS 24.05 (Uakari)"
SUPPORT_END="2024-12-31"
SUPPORT_URL="https://nixos.org/community.html"
VERSION="24.05 (Uakari)"
VERSION_CODENAME=uakari
VERSION_ID="24.05"

learnitall • Oct 03 '24 22:10
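
The two checks in this report, the `go tool nm` marker symbols and the `X:boringcrypto` version suffix, as an added Go example; it is not part of the original issue and is not Syft's code. `cryptoFromSymbols` and `experiments` are hypothetical helper names, and it is an assumption that the Go version string embedded in the binary carries the `X:` suffix shown in the expected output.

```go
package main

import (
	"debug/buildinfo"
	"debug/elf"
	"fmt"
	"os"
	"strings"
)

// cryptoFromSymbols (hypothetical helper) repeats the issue's `go tool nm | grep` check.
func cryptoFromSymbols(names []string) string {
	found := map[string]bool{}
	for _, n := range names {
		found[strings.TrimSuffix(n, ".abi0")] = true
	}
	boring := found["crypto/internal/boring/sig.BoringCrypto"]
	standard := found["crypto/internal/boring/sig.StandardCrypto"]
	if boring == standard {
		return "unknown" // stripped binary, or contradictory markers
	} else if boring {
		return "boringcrypto"
	}
	return "standard"
}

// experiments (hypothetical helper) splits the X: list of "go1.23.1 X:boringcrypto" (assumed format).
func experiments(goVersion string) []string {
	if _, list, ok := strings.Cut(goVersion, " X:"); ok && list != "" {
		return strings.Split(list, ",")
	}
	return nil
}

func main() {
	for _, path := range os.Args[1:] { // each argument: path to a Go ELF binary
		var names []string
		if f, err := elf.Open(path); err == nil {
			syms, _ := f.Symbols() // a stripped binary yields none: "unknown"
			for _, s := range syms {
				names = append(names, s.Name)
			}
			f.Close()
		}
		fmt.Println(path, "symbols:", cryptoFromSymbols(names))
		if bi, err := buildinfo.ReadFile(path); err == nil {
			fmt.Println(path, "version:", bi.GoVersion, "experiments:", experiments(bi.GoVersion))
		}
	}
}
```

The symbol check only works on unstripped ELF binaries; when it reports "unknown", the embedded version string is the remaining signal.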