Trivy produces components with empty names when detecting dependencies of Go binaries

[oatovar]

Description

It's not guaranteed for a Go binary to have a main module populated when read by buildinfo.Read. Due to the implementation of buildinfo.Read, a nil error is returned in such scenarios, and Trivy continues to add the empty main module as a package.

❯ trivy image --format cyclonedx --output sbom.cdx.json golang:1.22
2024-05-15T12:22:57-04:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-05-15T12:23:00-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="mercurial" version="6.3.2"

Inspecting the resulting SBOM shows entries like the following:

[
    {
      "bom-ref": "08df9fa0-cbf2-408f-859c-9a023a0b3ca4",
      "type": "library",
      "name": "stdlib",
      "version": "1.22.3",
      "purl": "pkg:golang/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:5ca4369267475245bb0e6217f0fdba040890f26fdef9b65cac11a545ab2db160"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },
    {
      "bom-ref": "0d7f442a-1adb-4d00-9f14-43a79e425b25",
      "type": "library",
      "name": "",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:5ca4369267475245bb0e6217f0fdba040890f26fdef9b65cac11a545ab2db160"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },
]

Desired Behavior

The module should not be added if it's not available in the Go binary. This creates a separate issue, however. Trivy will have to handle the stdlib dependency differently since it won't have a root module to relate to. Skipping analysis would fix this, but it'll fail to detect versions of Go used by Go binaries which are used to find related vulnerabilities.

Actual Behavior

A component with an empty name is reported when using --format cyclonedx.

Reproduction Steps

1. Scan the base Go 1.22 image with Trivy and output in `cyclonedx` format.


$ trivy image --format cyclonedx --output sbom.cdx.json golang:1.22
2024-05-15T12:22:57-04:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-05-15T12:23:00-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="mercurial" version="6.3.2"


2. Inspect the resulting SBOM and verify that there are entries like the following:

```json
[
    {
      "bom-ref": "08df9fa0-cbf2-408f-859c-9a023a0b3ca4",
      "type": "library",
      "name": "stdlib",
      "version": "1.22.3",
      "purl": "pkg:golang/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:5ca4369267475245bb0e6217f0fdba040890f26fdef9b65cac11a545ab2db160"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },
    {
      "bom-ref": "0d7f442a-1adb-4d00-9f14-43a79e425b25",
      "type": "library",
      "name": "",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:5ca4369267475245bb0e6217f0fdba040890f26fdef9b65cac11a545ab2db160"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },
]

### Target

Container Image

### Scanner

Vulnerability

### Output Format

CycloneDX

### Mode

Standalone

### Debug Output

```bash
$ trivy image --format cyclonedx --output sbom.cdx.json --debug golang:1.22
2024-05-15T12:43:59-04:00       DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-15T12:43:59-04:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-15T12:43:59-04:00       DEBUG   Ignore statuses statuses=[]
2024-05-15T12:43:59-04:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-05-15T12:43:59-04:00       DEBUG   Cache dir       dir="/Users/hacks4oats/Library/Caches/trivy"
2024-05-15T12:43:59-04:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-15T12:44:00-04:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-15T12:44:00-04:00       DEBUG   [image] Detected image ID       image_id="sha256:5905f95343e84d1f8f14aff8f8b83747fb39ea0e0fad52a9d14cf41860295fff"
2024-05-15T12:44:00-04:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:bbe1a212f7e9f1baaef62491a51254f3adda514c22632ea719f62713fad80f77 sha256:d7d4c2f9d26b2dad32b86ed9739919f76ae423f16aa103924c183048810290de sha256:8845ab872c1ce04cf64c4755aa585386c7ebe1b7633d977d275d6f2d2146000d sha256:ed5bf86b995984a5211f5e018e201ed3146923e82a385b0542db04ea4b152076 sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b sha256:a8a2007b3a9651cb25203b522b09f261118ec4215a80318a231150732d43422b sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2024-05-15T12:44:00-04:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:bbe1a212f7e9f1baaef62491a51254f3adda514c22632ea719f62713fad80f77]
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:5905f95343e84d1f8f14aff8f8b83747fb39ea0e0fad52a9d14cf41860295fff"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:d7d4c2f9d26b2dad32b86ed9739919f76ae423f16aa103924c183048810290de"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:bbe1a212f7e9f1baaef62491a51254f3adda514c22632ea719f62713fad80f77"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:8845ab872c1ce04cf64c4755aa585386c7ebe1b7633d977d275d6f2d2146000d"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:ed5bf86b995984a5211f5e018e201ed3146923e82a385b0542db04ea4b152076"
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [dpkg] Unable to parse the available file       file="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:a8a2007b3a9651cb25203b522b09f261118ec4215a80318a231150732d43422b"
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:03-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="mercurial" version="6.3.2"
2024-05-15T12:44:03-04:00       DEBUG   [dpkg] Unable to parse the available file       file="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-05-15T12:44:03-04:00       DEBUG   [dpkg] Unable to parse the available file       file="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-05-15T12:44:03-04:00       DEBUG   No secrets found in container image config

Operating System

macOS 14.4.1

Version

$ trivy --version
Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-15 12:14:30.807678727 +0000 UTC
  NextUpdate: 2024-05-15 18:14:30.807678587 +0000 UTC
  DownloadedAt: 2024-05-15 16:22:11.754738 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

@DmitriyLewen Can you please take a look?

[DmitriyLewen]

Hello @oatovar
Thanks for your report!

Created #6709 for this task.

Regards, Dmitriy