search

owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License
1.02k stars 98 forks source link

Golang binaries are not scanned from within containers #314

Open lm-sig opened 5 months ago

lm-sig commented 5 months ago

Expected Behavior

SBOM should contain purls with "pkg:golang/..." in it

Actual Behavior

SBOM does not list any golang packages.

Steps to Reproduce

Create container with golang binary. My example is the "Zarf" golang application.

Zarf: https://zarf.dev

Create container with OWASP Dep-scan 5.4.0 and cdxgen 10.6.2.

Call depscan:

$ depscan -i /tmp/container.tar --deep -t docker

Additional Information

I can scan the same Zarf container with Trivy and it generates an SBOM with Go libraries listed.

Example Trivy SBOM entry:

  "components": [
    {
      "bom-ref": "00b32844-f12a-480e-9c14-a5105b7422bf",
      "type": "library",
      "name": "google.golang.org/genproto/googleapis/api",
      "version": "v0.0.0-20240311173647-c811ad7063a7",
      "purl": "pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20240311173647-c811ad7063a7",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "opt/bitnami/cosign"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:d112b9181f19a69f0a75e882c564928fea652283cc71f767f7e60aa332c1354e"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:613a963825a72ba921a178fc21988d0f21d3c24f9069a36d09903118f4635d80"
        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "google.golang.org/genproto/googleapis/api@v0.0.0-20240311173647-c811ad7063a7"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },
...
prabhu commented 5 months ago

@lm-sig It's a feature. cdxgen doesn't do binary analysis by default for containers. We will add this in v6 using blint.