golang binary version parsing fails if GOEXPERIMENT was enabled

[lyoung-confluent]

Description

When running trivy on a Golang binary that was compiled with GOEXPERIMENT such as boringcrypto or loopvar the version extraction for stdlib will fail:

2024-05-15T15:20:45-07:00	WARN	Version matching error	err="version error (1.21.5 X:boringcrypto): malformed version: 1.21.5 X:boringcrypto"

This is because the returned GoVersion includes the additional experiment tags as part of the "version".

Desired Behavior

Trivy successfully extracts the Go version and reports the vulnerabilities

Actual Behavior

Trivy fails to extract the Go version and as such does not detect/report Go stdlib vulnerabilities

Reproduction Steps

1. Build the following Dockerfile (docker build -t goexperiment-test .):

FROM golang:1.22.1 AS builder
COPY <<EOF /example.go
package main

func main() {
    println("Hello World")
}
EOF
RUN GOEXPERIMENT=loopvar go build -o /example /example.go

FROM scratch
COPY --from=builder /example /example

2. Scan the image using trivy, observe that no stdlib vulnerabilities are reported and an error is found in the output:

$ trivy image goexperiment-test
2024-05-15T15:44:09-07:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-15T15:44:09-07:00	WARN	Version matching error	err="version error (1.22.1 X:loopvar): malformed version: 1.22.1 X:loopvar"

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

N/A

Operating System

macOS Sonoma

Version

Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-15 18:11:03.121256649 +0000 UTC
  NextUpdate: 2024-05-16 00:11:03.121256348 +0000 UTC
  DownloadedAt: 2024-05-15 21:46:24.370291 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-05-13 01:02:16.958984562 +0000 UTC
  NextUpdate: 2024-05-16 01:02:16.958984372 +0000 UTC
  DownloadedAt: 2024-05-13 04:31:47.140417 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-14 17:56:45.102444 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[lyoung-confluent]

Should be fixed via #6696 when merged

[knqyf263]

Thanks. Created #6698