Support Go binaries in bom generate #347
Labels:
help wanted - Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
kind/feature - Categorizes issue or PR as related to a new feature.
sig/release - Categorizes an issue or PR as relevant to SIG Release.
Today, when generating an SBOM for a container image, you get something like the following. Note that only the OS package database is analyzed, even though there are Go binaries `go-runner` and `/usr/local/bin/kube-apiserver` with their own dependencies.

When running `go version -m`, go will analyze module information baked into the binary. This functionality is facilitated by `debug/buildinfo.ReadFile()` in the standard library, which returns a `*runtime/debug.BuildInfo{}`.

What would you like to be added:
While it would not be as complete as the current `go.mod` analyzer, it'd be nice to be able to analyze local files or files within an image specified like `bom generate -i $IMAGE --scan-images -f /go-runner -f /usr/local/bin/kube-apiserver` to check if they're go binaries and get the module information.

Why is this needed:
If I'm a user scanning an image with a Go binary that has module information, I'd like to know the module version information in my SBOM
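As an added example (not code from the bom project or from this issue's author), the following program shows the check the request describes: each path handed in, the way the proposed repeated `-f` flag would pass it, is probed with `debug/buildinfo.ReadFile()` from the Go standard library (available since Go 1.18), and Go binaries are summarized into a small SBOM-style record while everything else is reported as skipped. The type and function names (`ModuleRef`, `BinaryInfo`, `ModulesFromBinary`, `ScanFiles`) are hypothetical and chosen for this example only; the only real API used is `debug/buildinfo` and the `runtime/debug.BuildInfo` it returns.

```go
package main

import (
	"debug/buildinfo"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// ModuleRef is one module recorded in the build info that the Go linker
// embeds into every executable (the same data `go version -m` prints).
type ModuleRef struct {
	Path    string     `json:"path"`
	Version string     `json:"version"`
	Sum     string     `json:"sum,omitempty"`     // go.sum hash; empty for the main module and for replaced/local modules
	Replace *ModuleRef `json:"replace,omitempty"` // set when a replace directive redirected this module
}

// BinaryInfo is a minimal SBOM-style record for one scanned file (example type, not bom's own).
type BinaryInfo struct {
	File      string            `json:"file"`
	GoVersion string            `json:"goVersion"`
	Main      ModuleRef         `json:"main"`
	Deps      []ModuleRef       `json:"deps"`
	Settings  map[string]string `json:"settings,omitempty"` // e.g. vcs.revision, -trimpath, CGO_ENABLED
}

// ErrNotGoBinary marks files that are unreadable, not executables, or carry no Go build info.
var ErrNotGoBinary = errors.New("not a Go binary")

// ModulesFromBinary reads the embedded module list from a single file.
func ModulesFromBinary(path string) (*BinaryInfo, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		// buildinfo reports unknown formats and missing build info as errors;
		// fold them into one sentinel so callers can simply skip such files.
		return nil, fmt.Errorf("%s: %w (%v)", path, ErrNotGoBinary, err)
	}
	info := &BinaryInfo{
		File:      path,
		GoVersion: bi.GoVersion,
		Main:      ModuleRef{Path: bi.Main.Path, Version: bi.Main.Version, Sum: bi.Main.Sum},
		Settings:  map[string]string{},
	}
	for _, d := range bi.Deps {
		ref := ModuleRef{Path: d.Path, Version: d.Version, Sum: d.Sum}
		if d.Replace != nil {
			ref.Replace = &ModuleRef{Path: d.Replace.Path, Version: d.Replace.Version, Sum: d.Replace.Sum}
		}
		info.Deps = append(info.Deps, ref)
	}
	for _, s := range bi.Settings {
		info.Settings[s.Key] = s.Value
	}
	return info, nil
}

// ScanFiles plays the role of the proposed repeated -f flag: every path is
// probed, Go binaries are summarized, and everything else is reported as
// skipped rather than aborting the whole scan.
func ScanFiles(paths []string) (found []*BinaryInfo, skipped []string) {
	for _, p := range paths {
		info, err := ModulesFromBinary(p)
		if err != nil {
			skipped = append(skipped, err.Error())
			continue
		}
		found = append(found, info)
	}
	return found, skipped
}

func main() {
	// Usage: go run . /path/to/binary [more paths...]; with no arguments it scans itself.
	paths := os.Args[1:]
	if len(paths) == 0 {
		self, err := os.Executable()
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		paths = []string{self}
	}
	found, skipped := ScanFiles(paths)
	for _, s := range skipped {
		fmt.Fprintln(os.Stderr, "skipped:", s)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	if err := enc.Encode(found); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Two caveats matter when this data ends up in an SBOM. The build info is whatever the linker wrote at build time, so it is self-reported by whoever built the binary and is evidence of provenance rather than proof of it; the `h1:` sums, where present, are the one part a consumer can cross-check against a `go.sum` or the Go checksum database. Modules pulled in through a `replace` directive have no sum at all, so the record above keeps the `Replace` target visible instead of silently reporting the original module path and version.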