
Go binary scanning is not working if libraries are vendored #980

Closed
ebati opened this issue May 5, 2021 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

ebati (Contributor) commented May 5, 2021

Description

trivy's go dependency analysis is not working with binaries built with vendoring enabled.

I noticed that the Parse logic depends only on the field count, but since with vendoring there is no hash value in the output line, there are only 3 fields (instead of the expected 4). I think that instead of trusting the field count, the first field should be inspected.

For my use case, I test my own binaries, so hashes are not important (I check library authenticity separately), but if it is required to check the authenticity of the used libraries from the given binary, the hash should also be validated using the checksum DB.

What did you expect to happen?

trivy to scan a binary built from source code that uses a vendor folder for dependencies.

What happened instead?

trivy does not detect gobinary

(I didn't provide the -debug info etc., as I tested with a closed-source project)

@ebati ebati added the kind/bug Categorizes issue or PR as related to a bug. label May 5, 2021
@knqyf263 knqyf263 added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label May 30, 2021
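To make the reported failure concrete, here is an added example (not trivy's parser, and not code from this issue or its PR) that parses the module table `go version -m` prints for a binary by dispatching on the first field of each line rather than on the field count, so a vendored `dep` line without a hash is still recognised. It also shows the second point of the report: an embedded `h1:` hash can be compared against go.sum-format records (the same form the checksum database serves), while a vendored module has no hash to compare at all. The module paths, versions and hashes in the sample transcript and in the trusted list are constructed placeholders; the line layout follows the issue's description of the output (a keyword such as `dep` or `=>` first, then path, version and an optional hash).

```go
package main

import (
	"fmt"
	"strings"
)

// Module is one dependency recovered from the build info embedded in a Go binary.
// Sum is empty when no h1: hash was embedded, which is what a vendored build
// produces: the toolchain only knows hashes for modules in the module cache.
type Module struct {
	Path    string
	Version string
	Sum     string
}

// Vendored reports whether the dep line carried no hash (three fields, not four).
func (m Module) Vendored() bool { return m.Sum == "" }

// ParseBuildInfo parses the module table printed by `go version -m <binary>`.
// Every line is dispatched on its first field ("path", "mod", "dep", "=>")
// instead of on the number of fields, so a three-field vendored dep line is
// accepted next to a four-field line that includes the hash.
func ParseBuildInfo(output string) (mainPath string, deps []Module, err error) {
	for n, line := range strings.Split(output, "\n") {
		// Fields() drops the leading tab and a trailing empty hash column alike.
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch f[0] {
		case "path":
			if len(f) < 2 {
				return "", nil, fmt.Errorf("line %d: malformed path line", n+1)
			}
			mainPath = f[1]
		case "mod":
			// The main module itself; nothing to record for dependency scanning.
		case "dep":
			if len(f) < 3 {
				return "", nil, fmt.Errorf("line %d: dep line needs a path and a version", n+1)
			}
			m := Module{Path: f[1], Version: f[2]}
			if len(f) >= 4 {
				m.Sum = f[3]
			}
			deps = append(deps, m)
		case "=>":
			// A replace directive refers to the dep on the previous line; the
			// binary actually contains the replacement, so report that instead.
			if len(deps) == 0 || len(f) < 2 {
				return "", nil, fmt.Errorf("line %d: dangling replacement", n+1)
			}
			r := Module{Path: f[1]}
			if len(f) >= 3 {
				r.Version = f[2]
			}
			if len(f) >= 4 {
				r.Sum = f[3]
			}
			deps[len(deps)-1] = r
		default:
			// The header line ("app: go1.16.3") and any directive a newer
			// toolchain adds are ignored rather than treated as an error.
		}
	}
	return mainPath, deps, nil
}

// CheckSums compares each embedded hash with go.sum-format lines ("module
// version h1:..."). It returns the modules that cannot be verified from the
// binary alone (no embedded hash) and those whose hash is absent from or
// different to the trusted list.
func CheckSums(deps []Module, goSum string) (unverifiable, untrusted []Module) {
	trusted := map[string]string{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue // keep the module zip hashes, skip the go.mod-only hashes
		}
		trusted[f[0]+"@"+f[1]] = f[2]
	}
	for _, d := range deps {
		if d.Vendored() {
			unverifiable = append(unverifiable, d)
			continue
		}
		if want, ok := trusted[d.Path+"@"+d.Version]; !ok || want != d.Sum {
			untrusted = append(untrusted, d)
		}
	}
	return unverifiable, untrusted
}

// SampleOutput is a constructed `go version -m` transcript (paths and hashes
// are placeholders): a cached dep with a hash, a vendored dep with an empty
// trailing hash column, and a replaced dep.
const SampleOutput = "app: go1.16.3\n" +
	"\tpath\texample.com/app\n" +
	"\tmod\texample.com/app\t(devel)\n" +
	"\tdep\texample.com/lib/cached\tv1.2.0\th1:PLACEHOLDERSUMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n" +
	"\tdep\texample.com/lib/vendored\tv0.5.1\t\n" +
	"\tdep\texample.com/lib/old\tv1.0.0\n" +
	"\t=>\texample.com/lib/new\tv1.0.1\th1:PLACEHOLDERSUMBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=\n"

// SampleGoSum is a constructed trusted list; its entry for lib/new deliberately
// disagrees with the hash embedded above.
const SampleGoSum = "example.com/lib/cached v1.2.0 h1:PLACEHOLDERSUMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n" +
	"example.com/lib/cached v1.2.0/go.mod h1:PLACEHOLDERGOMOD=\n" +
	"example.com/lib/new v1.0.1 h1:PLACEHOLDERSUMCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=\n"

func main() {
	mainPath, deps, err := ParseBuildInfo(SampleOutput)
	if err != nil {
		panic(err)
	}
	fmt.Println("main module:", mainPath)
	for _, d := range deps {
		fmt.Printf("  %s %s vendored=%v\n", d.Path, d.Version, d.Vendored())
	}
	unverifiable, untrusted := CheckSums(deps, SampleGoSum)
	fmt.Println("unverifiable:", len(unverifiable), "untrusted:", len(untrusted))
}
```

On the sample, all three dependencies are reported, the vendored one is flagged as unverifiable from the binary alone, and the replaced module whose embedded hash disagrees with the trusted record is flagged as untrusted; a field-count check of `== 4` would instead have dropped the vendored line silently.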
knqyf263 (Collaborator) commented

Thank you for reporting! I'll have a look.

ebati (Contributor, Author) commented May 30, 2021

I sent a PR which has more details.

Also, after asking on the Go Slack channel, an issue was opened about this topic (to be able to embed a vendored module's hash, it must be in the module cache as well).
