feat: parse golang test binaries and resolve deps
Description
I've come up with an elegant solution to the issue: use the Go module cache or vendor/ dir to resolve the dependencies that appear in the test binary.
Notice:
- if the test binary is built with `-ldflags="-s -w"`, which strips the `.symtab` section, this PR fails to detect most of the dependencies.
- Fixes #3629
Type of change
- [x] New feature (non-breaking change which adds functionality)
Checklist:
- [x] I have added unit tests that cover changed behavior
- [x] I have tested my code in common scenarios and confirmed there are no regressions
- [x] I have added comments to my code, particularly in hard-to-understand sections
Below is the effect of the PR:
Demo
```text
root@VM-0-14-debian:~/syft# go build -o /usr/local/bin/syft cmd/syft/main.go
root@VM-0-14-debian:~/syft# cd syft && go test -c . && cd ..
root@VM-0-14-debian:~/syft# syft syft/syft.test
✔ Indexed file system syft/syft.test
✔ Cataloged contents 6ec98e8522908893974a89b591000415b83660a03c7a0b7e344f4adfe6426c52
├── ✔ Packages [158 packages]
├── ✔ File metadata [1 locations]
├── ✔ Executables [1 executables]
└── ✔ File digests [1 files]
NAME VERSION TYPE
dario.cat/mergo v1.0.1 go-module
github.com/acobaugh/osrelease v0.1.0 go-module
github.com/adrg/xdg v0.5.3 go-module
github.com/agext/levenshtein v1.2.1 go-module
github.com/anchore/archiver/v3 v3.5.3-0.20241210171143-5b1d8d1c7c51 go-module
github.com/anchore/fangs v0.0.0-20250319222917-446a1e748ec2 go-module
github.com/anchore/go-homedir v0.0.0-20250319154043-c29668562e4d go-module
github.com/anchore/go-logger v0.0.0-20250318195838-07ae343dd722 go-module
github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb go-module
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 go-module
github.com/anchore/go-sync v0.0.0-20250326131806-4eda43a485b6 go-module
github.com/anchore/go-version v1.2.1 go-module
github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 go-module
github.com/anchore/stereoscope v0.1.1-0.20250320125929-d35c173d28fc go-module
github.com/anchore/syft v1.5.5 go-module
github.com/andybalholm/brotli v1.1.1 go-module
github.com/apparentlymart/go-textseg/v13 v13.0.0 go-module
github.com/apparentlymart/go-textseg/v15 v15.0.0 go-module
github.com/aquasecurity/go-pep440-version v0.0.1 go-module
github.com/aquasecurity/go-version v0.0.1 go-module
github.com/aymanbagabas/go-osc52/v2 v2.0.1 go-module
github.com/bitnami/go-version v0.0.0-20250131085805-b1f57a8634ef go-module
github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb go-module
github.com/bmatcuk/doublestar/v4 v4.8.1 go-module
github.com/bodgit/plumbing v1.3.0 go-module
github.com/bodgit/sevenzip v1.6.0 go-module
github.com/bodgit/windows v1.0.1 go-module
github.com/charmbracelet/lipgloss v1.1.0 go-module
github.com/charmbracelet/x/ansi v0.8.0 go-module
github.com/cloudflare/circl v1.6.0 go-module
github.com/containerd/containerd v1.7.27 go-module
github.com/containerd/containerd/api v1.8.0 go-module
github.com/containerd/continuity v0.4.4 go-module
github.com/containerd/errdefs v0.3.0 go-module
github.com/containerd/log v0.1.0 go-module
github.com/containerd/platforms v0.2.1 go-module
github.com/containerd/ttrpc v1.2.7 go-module
github.com/containerd/typeurl/v2 v2.1.1 go-module
github.com/cyphar/filepath-securejoin v0.4.1 go-module
github.com/davecgh/go-spew v1.1.1 go-module
github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da go-module
github.com/distribution/reference v0.6.0 go-module
github.com/docker/cli v28.0.1+incompatible go-module
github.com/docker/distribution v2.8.3+incompatible go-module
github.com/docker/docker v0.8.2 go-module
github.com/docker/go-connections v0.4.0 go-module
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c go-module
github.com/docker/go-units v0.4.0 go-module
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 go-module
github.com/dustin/go-humanize v1.0.1 go-module
github.com/elliotchance/phpserialize v1.4.0 go-module
github.com/emirpasic/gods v1.18.1 go-module
github.com/facebookincubator/nvdtools v0.1.5 go-module
github.com/felixge/fgprof v0.9.3 go-module
github.com/fsnotify/fsnotify v1.8.0 go-module
github.com/gabriel-vasile/mimetype v1.4.8 go-module
github.com/github/go-spdx/v2 v2.3.2 go-module
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 go-module
github.com/go-git/go-billy/v5 v5.6.2 go-module
github.com/go-git/go-git/v5 v5.14.0 go-module
github.com/go-logr/logr v1.4.2 go-module
github.com/go-logr/stdr v1.2.2 go-module
github.com/go-restruct/restruct v1.2.0-alpha go-module
github.com/go-viper/mapstructure/v2 v2.2.1 go-module
github.com/gogo/protobuf v1.3.2 go-module
github.com/gohugoio/hashstructure v0.5.0 go-module
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 go-module
github.com/golang/snappy v0.0.4 go-module
github.com/google/go-cmp v0.6.0 go-module
github.com/google/go-containerregistry v0.20.3 go-module
github.com/google/licensecheck v0.3.1 go-module
github.com/google/pprof v0.0.0-20211214055906-6f57359322fd go-module
github.com/google/uuid v1.6.0 go-module
github.com/gookit/color v1.5.4 go-module
github.com/hashicorp/go-multierror v1.1.0 go-module
github.com/hashicorp/golang-lru/v2 v2.0.7 go-module
github.com/hashicorp/hcl/v2 v2.23.0 go-module
github.com/huandu/xstrings v1.5.0 go-module
github.com/iancoleman/strcase v0.3.0 go-module
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 go-module
github.com/jinzhu/copier v0.4.0 go-module
github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 go-module
github.com/kevinburke/ssh_config v1.2.0 go-module
github.com/klauspost/compress v1.17.11 go-module
github.com/klauspost/pgzip v1.2.6 go-module
github.com/knqyf263/go-rpmdb v0.1.1 go-module
github.com/lucasb-eyer/go-colorful v1.2.0 go-module
github.com/mattn/go-isatty v0.0.20 go-module
github.com/mattn/go-runewidth v0.0.13 go-module
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d go-module
github.com/mholt/archives v0.1.0 go-module
github.com/minio/minlz v1.0.0 go-module
github.com/mitchellh/copystructure v1.2.0 go-module
github.com/mitchellh/reflectwalk v1.0.2 go-module
github.com/moby/sys/mountinfo v0.7.2 go-module
github.com/moby/sys/signal v0.7.0 go-module
github.com/moby/sys/user v0.1.0 go-module
github.com/moby/sys/userns v0.1.0 go-module
github.com/muesli/termenv v0.16.0 go-module
github.com/nix-community/go-nix v0.0.0-20250101154619-4bdde671e0a1 go-module
github.com/nwaples/rardecode v1.1.3 go-module
github.com/nwaples/rardecode/v2 v2.0.0-beta.4.0.20241112120701-034e449c6e78 go-module
github.com/olekukonko/tablewriter v0.0.5 go-module
github.com/opencontainers/go-digest v1.0.0 go-module
github.com/opencontainers/image-spec v1.0.2 go-module
github.com/opencontainers/runtime-spec v1.1.0 go-module
github.com/opencontainers/selinux v1.11.0 go-module
github.com/pelletier/go-toml v1.9.5 go-module
github.com/pelletier/go-toml/v2 v2.2.3 go-module
github.com/pierrec/lz4/v4 v4.1.21 go-module
github.com/pjbgf/sha1cd v0.3.2 go-module
github.com/pkg/errors v0.9.1 go-module
github.com/pmezard/go-difflib v1.0.0 go-module
github.com/rivo/uniseg v0.2.0 go-module
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c go-module
github.com/sagikazarmark/locafero v0.7.0 go-module
github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d go-module
github.com/sassoftware/go-rpmutils v0.4.0 go-module
github.com/scylladb/go-set v1.0.2 go-module
github.com/sergi/go-diff v1.3.1 go-module
github.com/shopspring/decimal v1.4.0 go-module
github.com/sirupsen/logrus v1.9.3 go-module
github.com/skeema/knownhosts v1.3.1 go-module
github.com/sorairolake/lzip-go v0.3.5 go-module
github.com/sourcegraph/conc v0.3.0 go-module
github.com/spdx/tools-golang v0.5.5 go-module
github.com/spf13/afero v1.14.0 go-module
github.com/spf13/cast v1.7.1 go-module
github.com/spf13/cobra v1.9.1 go-module
github.com/spf13/pflag v1.0.6 go-module
github.com/spf13/viper v1.20.0 go-module
github.com/stretchr/testify v1.10.0 go-module
github.com/subosito/gotenv v1.6.0 go-module
github.com/therootcompany/xz v1.0.1 go-module
github.com/ulikunitz/xz v0.5.12 go-module
github.com/vbatts/go-mtree v0.5.4 go-module
github.com/vbatts/tar-split v0.11.6 go-module
github.com/vifraa/gopom v1.0.0 go-module
github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 go-module
github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 go-module
github.com/xanzy/ssh-agent v0.3.3 go-module
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 go-module
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e go-module
github.com/zclconf/go-cty v0.0.0-20240509010212-0d6042c53940 go-module
go v0.0.0-20230225012048-214862532bf5 go-module
go.opentelemetry.io/auto/sdk v1.1.0 go-module
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 go-module
go.opentelemetry.io/otel v1.31.0 go-module
go.opentelemetry.io/otel/metric v1.31.0 go-module
go.opentelemetry.io/otel/trace v1.31.0 go-module
go4 v0.0.0-20230225012048-214862532bf5 go-module
golang.org/x/crypto v0.36.0 go-module
golang.org/x/mod v0.23.0 go-module
golang.org/x/net v0.0.0-20211006190231-62292e806868 go-module
golang.org/x/sync v0.8.0 go-module
golang.org/x/sys v0.0.0-20211006194710-c8a6f5223071 go-module
golang.org/x/text v0.22.0 go-module
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 go-module
google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 go-module
google.golang.org/grpc v1.67.1 go-module
google.golang.org/protobuf v1.35.1 go-module
gopkg.in/warnings.v0 v0.1.2 go-module
gopkg.in/yaml.v3 v3.0.1 go-module
stdlib go1.24.1 go-module
```
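The approach the description sketches (read the test binary's symbol table, derive the import paths it references, then resolve each to a module and version through vendor/) as an added, stand-alone Go example. This is neither the PR's code nor syft's: the function names (`packageFromSymbol`, `symbolsFromELF`, `parseModulesTxt`, `resolveModule`, `dependencies`) are my own, the symbol list and the modules.txt excerpt are constructed, and only ELF binaries are handled. It relies on the Go linker's symbol naming, where the package path runs up to the first `.` after the last `/` and a `.` inside the last path element is escaped as `%2e` (so `gopkg.in/yaml.v3` shows up as `gopkg.in/yaml%2ev3.Marshal`).

```go
package main

import (
	"debug/elf"
	"strings"
)

// Constructed sample inputs (not taken from a real binary): .symtab names as a
// `go test -c` binary carries them, and a vendor/modules.txt excerpt.
var sampleSymbols = []string{
	"main.main", "runtime.mallocgc", "type:.eq.[2]string", "go:itab.*os.File,io.Reader",
	"github.com/spf13/cobra.(*Command).Execute", "github.com/spf13/cobra.init",
	"github.com/go-git/go-git/v5/plumbing.NewHash",
	"gopkg.in/yaml%2ev3.Marshal", // the linker escapes '.' in the last path element
}

const sampleModulesTxt = `# github.com/go-git/go-git/v5 v5.14.0
## explicit; go 1.21
github.com/go-git/go-git/v5/plumbing
# github.com/spf13/cobra v1.9.1
github.com/spf13/cobra
# gopkg.in/yaml.v3 v3.0.1
gopkg.in/yaml.v3
`

// unescapePath reverses the linker's escaping of the package path in symbol names.
var unescapePath = strings.NewReplacer("%2e", ".", "%25", "%")

// packageFromSymbol returns the import path owning a symbol: the text before the
// first '.' after the last '/'. Compiler-generated names ("type:", "go:") and
// std/main packages (first path element has no '.') are not module dependencies.
func packageFromSymbol(sym string) (string, bool) {
	if strings.HasPrefix(sym, "type:") || strings.HasPrefix(sym, "go:") {
		return "", false
	}
	start := strings.LastIndex(sym, "/") + 1
	dot := strings.Index(sym[start:], ".")
	if dot < 0 {
		return "", false
	}
	pkg := unescapePath.Replace(sym[:start+dot])
	if first, _, _ := strings.Cut(pkg, "/"); !strings.Contains(first, ".") {
		return "", false
	}
	return pkg, true
}

// symbolsFromELF reads the .symtab names of an ELF binary. After -ldflags="-s -w"
// the section is gone, f.Symbols returns an error and nothing can be detected.
func symbolsFromELF(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.Symbols()
	if err != nil {
		return nil, err
	}
	names := make([]string, len(syms))
	for i, s := range syms {
		names[i] = s.Name
	}
	return names, nil
}

// parseModulesTxt maps module path -> version from the "# module version" header
// lines of vendor/modules.txt (replacement targets after "=>" are ignored here).
func parseModulesTxt(content string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(content, "\n") {
		if !strings.HasPrefix(line, "# ") {
			continue
		}
		if f := strings.Fields(line[2:]); len(f) >= 2 && strings.HasPrefix(f[1], "v") {
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// resolveModule finds the longest known module path that is a prefix of pkg on a
// path boundary, so ".../go-git/v5/plumbing" maps to the v5 module rather than
// to a shorter, unrelated "github.com/go-git/go-git" entry.
func resolveModule(pkg string, known map[string]string) (module, version string, ok bool) {
	for cand := pkg; ; cand = cand[:strings.LastIndex(cand, "/")] {
		if v, found := known[cand]; found {
			return cand, v, true
		}
		if !strings.Contains(cand, "/") {
			return "", "", false
		}
	}
}

// dependencies runs the pipeline symbols -> unique import paths -> module@version.
func dependencies(syms []string, known map[string]string) map[string]string {
	deps := map[string]string{}
	for _, s := range syms {
		if pkg, ok := packageFromSymbol(s); ok {
			m, v, found := resolveModule(pkg, known)
			if !found {
				m = pkg // no vendor entry: keep the bare import path, empty version
			}
			deps[m] = v
		}
	}
	return deps
}
```

On real input, feed `symbolsFromELF("syft/syft.test")` and the contents of `vendor/modules.txt` into `dependencies`; on a binary linked with `-s -w`, `symbolsFromELF` returns the error from `f.Symbols`, which is the limitation noted above. The `first path element contains a '.'` filter is what separates module dependencies from `runtime`, `os` and `main`; it also drops `vendor/golang.org/...` paths the standard library vendors, which is the intended behaviour here.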
Hi @spiffcs and @audunmo, do you have better solutions? I'm not sure if I'm on the right track. And I think it might be of low priority, because it's just about the local SBOM lookup of a test binary.
Hello @kzantow, thanks for your reviews.
And here are some of my opinions:
> If we're using the vendor dir, it's a case the user is not using go modules, but if they are using go modules we could probably get the version information from go.mod, rather than needing to look in the mod cache directory.
Maybe a test binary can be moved around, even outside the scanned project, and because the locations of the go mod cache and vendor/ are fixed, the go mod cache and vendor/ are preferred.
- [x] As for distinguishing test dependencies from normal ones, we can use the following command (and there are corresponding Go packages to execute it):
```sh
go list -json ./util | jq '.Imports, .TestImports, .XTestImports'
```
But as implied previously, with this approach we must ensure the test binary is generated where it should be.
- [ ] And as for access to the host filesystem, the privilege to search within these dirs is now the same as what the license resolver has, so renaming is required.
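Two of the points in this comment, as an added Go example that is not the PR's code and not syft's: first, resolving an import path through `$GOMODCACHE`, where directory names use the cache's case escaping and several versions of one module can sit side by side (which is why a cache hit alone does not pin a version); second, separating test-only imports from the stream of JSON objects that `go list -json` prints. The directory names and the `go list` sample are constructed, and `escapeModPath`, `resolveFromModCache` and `testOnlyImports` are my own names.

```go
package main

import (
	"encoding/json"
	"io"
	"path/filepath"
	"sort"
	"strings"
)

// escapeModPath applies the module cache's case encoding: each upper-case letter
// becomes '!' plus its lower-case form, so github.com/BurntSushi/toml@v1.2.1 lives
// under $GOMODCACHE/github.com/!burnt!sushi/toml@v1.2.1.
func escapeModPath(p string) string {
	var b strings.Builder
	for _, r := range p {
		if 'A' <= r && r <= 'Z' {
			b.WriteByte('!')
			r += 'a' - 'A'
		}
		b.WriteRune(r)
	}
	return b.String()
}

// modCacheVersions lists every version of modPath present under root (GOMODCACHE).
// The cache is shared by every build on the host, so several versions may be present:
// one hit pins the version, more than one is ambiguous and needs go.mod or
// vendor/modules.txt to decide which one the binary was actually built against.
func modCacheVersions(root, modPath string) []string {
	matches, _ := filepath.Glob(filepath.Join(root, escapeModPath(modPath)+"@*"))
	var vs []string
	for _, m := range matches {
		_, v, _ := strings.Cut(filepath.Base(m), "@")
		vs = append(vs, v)
	}
	sort.Strings(vs)
	return vs
}

// resolveFromModCache walks from the import path up to its module root and returns
// the first candidate that exists in the cache, with all versions found for it.
func resolveFromModCache(root, pkg string) (string, []string, bool) {
	for cand := pkg; ; cand = cand[:strings.LastIndex(cand, "/")] {
		if vs := modCacheVersions(root, cand); len(vs) > 0 {
			return cand, vs, true
		}
		if !strings.Contains(cand, "/") {
			return "", nil, false
		}
	}
}

// goListPackage holds the three import lists `go list -json` prints per package.
type goListPackage struct {
	ImportPath   string
	Imports      []string
	TestImports  []string
	XTestImports []string
}

// testOnlyImports reads the concatenated JSON objects that `go list -json ./...`
// emits (one object per package, not a JSON array, hence the streaming Decoder)
// and returns the import paths that only _test.go files pull in, across all packages.
func testOnlyImports(r io.Reader) ([]string, error) {
	normal, test := map[string]bool{}, map[string]bool{}
	dec := json.NewDecoder(r)
	for {
		var p goListPackage
		if err := dec.Decode(&p); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		for _, imp := range p.Imports {
			normal[imp] = true
		}
		for _, imp := range append(p.TestImports, p.XTestImports...) {
			test[imp] = true
		}
	}
	var only []string
	for imp := range test {
		if !normal[imp] {
			only = append(only, imp)
		}
	}
	sort.Strings(only)
	return only, nil
}

// Constructed sample of `go list -json ./...` output for two packages.
const sampleGoList = `{"ImportPath": "example.com/app", "Imports": ["fmt", "github.com/spf13/cobra"], "TestImports": ["testing", "github.com/stretchr/testify/assert"]}
{"ImportPath": "example.com/app/util", "Imports": ["strings"], "XTestImports": ["testing", "github.com/google/go-cmp/cmp"]}
`
```

`testOnlyImports` accepts any reader, so piping `go list -json ./...` into a small wrapper that passes `os.Stdin` is enough to get the list; the root for `resolveFromModCache` comes from `go env GOMODCACHE`. The multi-version case is the reason the reviewer's go.mod suggestion and this PR's cache lookup are complementary rather than interchangeable.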
Hi @spiffcs, I want to know whether this PR is pending or discarded. If it's discarded, is there any alternative to the solution? CC @kzantow