jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Go.mod toolchain directive gives error when running with Docker #6258

Closed jarno-rootz closed 7 months ago

jarno-rootz commented 8 months ago

Describe the bug

When running owasp/dependency-check as a Docker image, if the go.mod file contains a toolchain directive, dependency-check fails with messages like

[WARN] While analyzing `/builds/foo/fooservice/go.mod` `go` generated the following warnings:
go: errors parsing go.mod:
/builds/foo/fooservice/go.mod:5: unknown directive: toolchain
[WARN] An error occurred while analyzing '/builds/foo/fooservice/go.mod' (Golang Mod Analyzer).
...
[ERROR] Error analyzing '/builds/foo/fooservice/go.mod'; Error parsing output from `go list -json -m all`

This is because the Go version used in the image is golang:1.17.1-alpine. The toolchain directive appeared in Go 1.21.

Version of dependency-check used

The problem occurs using the owasp/dependency-check:9.0.3 Docker image.

Log file

https://gist.github.com/jarno-rootz/53e6709a9e23424b666b13c7820b54c9

To Reproduce

$ cat go.mod
module example.com/toolchain

go 1.21

toolchain go1.21.1
$ docker run --rm --volume $(pwd):/src:z owasp/dependency-check --project toolchain --scan . --enableExperimental

Expected behavior

Dependency-check should finish the analysis without errors even when there is a toolchain directive in the go.mod file.

Additional context

Workaround is to remove the toolchain directive from the go.mod file.
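
An added example, not part of the original issue and not dependency-check code: a POSIX sh pre-flight check for CI that flags the mismatch reported above (a go.mod with a toolchain directive handed to a Go release older than 1.21) before the scan runs. The function names, and passing the scanner image's Go version as an argument, are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not dependency-check code.

# True if the go.mod at $1 contains a toolchain directive such as
# "toolchain go1.21.1". Lines starting with "//" (comments) do not match.
has_toolchain_directive() {
    grep -Eq '^[[:space:]]*toolchain[[:space:]]+[^[:space:]]+' "$1"
}

# True if Go version $1 (e.g. "1.17.1" or "go1.21.8") is 1.21 or newer,
# the first release that parses the toolchain directive.
go_parses_toolchain() {
    v=${1#go}                 # drop an optional "go" prefix
    major=${v%%.*}            # text before the first dot
    rest=${v#*.}              # text after the first dot
    minor=${rest%%[!0-9]*}    # leading digits only ("21" from "21.8" or "21rc1")
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "${minor:-0}" -ge 21 ]; }
}

# Returns 1 with a message on stderr when analysing go.mod $1 with Go
# version $2 would hit "unknown directive: toolchain"; returns 0 otherwise.
check_go_mod() {
    if has_toolchain_directive "$1" && ! go_parses_toolchain "$2"; then
        echo "$1: toolchain directive needs Go >= 1.21, scanner has Go $2" >&2
        return 1
    fi
    return 0
}

# Usage in a pipeline step, with the scanner image's Go version supplied:
#   check_go_mod go.mod 1.17.1 || exit 1
```

Failing the job at this point keeps a go.mod parse error from passing as a completed scan of the Go dependencies.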

jarno-rootz commented 8 months ago

https://github.com/jeremylong/DependencyCheck/pull/6233 would probably fix this.

manglide commented 4 months ago

> 6233 would probably fix this.

Thanks, that fixed my issue. Bumped FROM golang:1.20.7-alpine3.18 to FROM golang:1.21.8-alpine3.19.

alvarino-21 commented 2 months ago

I get this error when I want to install gowitness on Linux Parrot. Help.

go: github.com/sensepost/gowitness@latest (in github.com/sensepost/gowitness@v0.0.0-20240410033601-6b10eaeba7a6): go.mod:5: unknown directive: toolchain