From 036945f68c2291edd485fc2607a9e7f0e5809187 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 16 May 2024 13:50:04 +0600 Subject: [PATCH] fix(gobinaries): add only non-empty root modules --- pkg/dependency/parser/golang/binary/parse.go | 23 +++++++++++-------- .../parser/golang/binary/parse_test.go | 5 ---- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/pkg/dependency/parser/golang/binary/parse.go b/pkg/dependency/parser/golang/binary/parse.go index a50397db11b2..4c53858c69e9 100644 --- a/pkg/dependency/parser/golang/binary/parse.go +++ b/pkg/dependency/parser/golang/binary/parse.go @@ -58,8 +58,17 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc ldflags := p.ldFlags(info.Settings) pkgs := make(ftypes.Packages, 0, len(info.Deps)+2) - pkgs = append(pkgs, []ftypes.Package{ - { + pkgs = append(pkgs, ftypes.Package{ + // Add the Go version used to build this binary. + Name: "stdlib", + Version: stdlibVersion, + Relationship: ftypes.RelationshipDirect, // Considered a direct dependency as the main module depends on the standard packages. + }) + + // There are times when gobinaries don't contain Main information. + // e.g. `Go` binaries (e.g. `go`, `gofmt`, etc.) + if info.Main.Path != "" { + pkgs = append(pkgs, ftypes.Package{ // Add main module Name: info.Main.Path, // Only binaries installed with `go install` contain semver version of the main module. @@ -69,14 +78,8 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc // See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477. Version: cmp.Or(p.checkVersion(info.Main.Path, info.Main.Version), p.ParseLDFlags(info.Main.Path, ldflags)), Relationship: ftypes.RelationshipRoot, - }, - { - // Add the Go version used to build this binary. - Name: "stdlib", - Version: stdlibVersion, - Relationship: ftypes.RelationshipDirect, // Considered a direct dependency as the main module depends on the standard packages. - }, - }...) + }) + } for _, dep := range info.Deps { // binaries with old go version may incorrectly add module in Deps diff --git a/pkg/dependency/parser/golang/binary/parse_test.go b/pkg/dependency/parser/golang/binary/parse_test.go index 8b84c8dbbaf4..13cc1e682f9c 100644 --- a/pkg/dependency/parser/golang/binary/parse_test.go +++ b/pkg/dependency/parser/golang/binary/parse_test.go @@ -118,11 +118,6 @@ func TestParse(t *testing.T) { name: "goexperiment", inputFile: "testdata/goexperiment", want: []ftypes.Package{ - { - Name: "", - Version: "", - Relationship: ftypes.RelationshipRoot, - }, { Name: "stdlib", Version: "1.22.1",