Currently, when scanning Go binaries, the stdlib version is identified from the go version -m result, but not when scanning go.mod. With the introduction of Go Toolchains, the version of Go used in a project can now be strictly specified, so we should use this version as stdlib.
module github.com/aquasecurity/trivy
go 1.22.0
toolchain go1.22.4
In this example, we take 1.22.4 as the stdlib version.
Description
Currently, when scanning Go binaries, the stdlib version is identified from the
go version -mresult, but not when scanninggo.mod. With the introduction of Go Toolchains, the version of Go used in a project can now be strictly specified, so we should use this version as stdlib.In this example, we take
1.22.4as the stdlib version.