golang binary version parsing fails if GOEXPERIMENT was enabled

[knqyf263]

Discussed in #6695

^{Originally posted by lyoung-confluent May 16, 2024}

Description

When running trivy on a Golang binary that was compiled with GOEXPERIMENT such as boringcrypto or loopvar the version extraction for stdlib will fail:

2024-05-15T15:20:45-07:00	WARN	Version matching error	err="version error (1.21.5 X:boringcrypto): malformed version: 1.21.5 X:boringcrypto"

This is because the returned GoVersion includes the additional experiment tags as part of the "version".

Desired Behavior

Trivy successfully extracts the Go version and reports the vulnerabilities

Actual Behavior

Trivy fails to extract the Go version and as such does not detect/report Go stdlib vulnerabilities

Reproduction Steps

1. Build the following Dockerfile (docker build -t goexperiment-test .):

FROM golang:1.22.1 AS builder
COPY <<EOF /example.go
package main

func main() {
    println("Hello World")
}
EOF
RUN GOEXPERIMENT=loopvar go build -o /example /example.go

FROM scratch
COPY --from=builder /example /example

2. Scan the image using trivy, observe that no stdlib vulnerabilities are reported and an error is found in the output:

$ trivy image goexperiment-test
2024-05-15T15:44:09-07:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-15T15:44:09-07:00	WARN	Version matching error	err="version error (1.22.1 X:loopvar): malformed version: 1.22.1 X:loopvar"

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

N/A