search

owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License
933 stars 94 forks source link

Golang binaries are not scanned from within containers #314

Open lm-sig opened 2 weeks ago

lm-sig commented 2 weeks ago

Expected Behavior

SBOM should contain purls with "pkg:golang/..." in it

Actual Behavior

SBOM does not list any golang packages.

Steps to Reproduce

Create container with golang binary. My example is the "Zarf" golang application.

Zarf: https://zarf.dev

Create container with OWASP Dep-scan 5.4.0 and cdxgen 10.6.2.

Call depscan:

$ depscan -i /tmp/container.tar --deep -t docker

Additional Information

I can scan the same Zarf container with Trivy and it generates an SBOM with Go libraries listed.

Example Trivy SBOM entry:

  "components": [
    {
      "bom-ref": "00b32844-f12a-480e-9c14-a5105b7422bf",
      "type": "library",
      "name": "google.golang.org/genproto/googleapis/api",
      "version": "v0.0.0-20240311173647-c811ad7063a7",
      "purl": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240311173647-c811ad7063a7",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "opt/bitnami/cosign"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:d112b9181f19a69f0a75e882c564928fea652283cc71f767f7e60aa332c1354e"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:613a963825a72ba921a178fc21988d0f21d3c24f9069a36d09903118f4635d80"
        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "google.golang.org/genproto/googleapis/api@v0.0.0-20240311173647-c811ad7063a7"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },
...
prabhu commented 1 week ago

@lm-sig It's a feature. cdxgen doesn't do binary analysis by default for containers. We will add this in v6 using blint.