Hello @b-ramsey hm.. Golang always uses @knqyf263 you added support for |
Description
When performing a trivy scan on a golang file such as go.mod or go.sum, the resultant CycloneDX file no longer has the v as part of the component's version and purl. This behaviour has changed since trivy 0.43.
Example go.mod snippet:

```
go 1.20
require (
	go.uber.org/mock v0.4.0
	google.golang.org/protobuf v1.31.0
)
```
The purl specification does not specify any requirement around the formatting of version numbers, having the v at the beginning of the version number is acceptable.
This has caused issues where a tool has its data related to the full version number from the go.mod tool, and the request feeds in from the SBOM file.
Desired Behavior
Components related to the above go.mod
```json
{
  "bom-ref": "pkg:golang/go.uber.org/mock@v0.4.0",
  "type": "library",
  "name": "go.uber.org/mock",
  "version": "v0.4.0",
  "purl": "pkg:golang/go.uber.org/mock@v0.4.0",
  "properties": [
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "go.uber.org/mock@v0.4.0"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "gomod"
    }
  ]
},
{
  "bom-ref": "pkg:golang/google.golang.org/protobuf@v1.31.0",
  "type": "library",
  "name": "google.golang.org/protobuf",
  "version": "v1.31.0",
  "purl": "pkg:golang/google.golang.org/protobuf@v1.31.0",
  "properties": [
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "google.golang.org/protobuf@v1.31.0"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "gomod"
    }
  ]
}
```
Actual Behavior
Components related to the above go.mod
```json
{
  "bom-ref": "pkg:golang/go.uber.org/mock@0.4.0",
  "type": "library",
  "name": "go.uber.org/mock",
  "version": "0.4.0",
  "purl": "pkg:golang/go.uber.org/mock@0.4.0",
  "properties": [
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "go.uber.org/mock@0.4.0"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "gomod"
    }
  ]
},
{
  "bom-ref": "pkg:golang/google.golang.org/protobuf@1.31.0",
  "type": "library",
  "name": "google.golang.org/protobuf",
  "version": "1.31.0",
  "purl": "pkg:golang/google.golang.org/protobuf@1.31.0",
  "properties": [
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "google.golang.org/protobuf@1.31.0"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "gomod"
    }
  ]
}
```
Reproduction Steps

Target: Filesystem
Scanner: Vulnerability
Output Format: CycloneDX
Mode: Standalone
Debug Output:
Operating System: docker image
Version:
Checklist: `trivy clean --all`
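The mismatch described in this post is easy to catch on the consuming side before it breaks a join on the version string. The Go program below is an added example written for this page; it is not Trivy's code and not from the post. It parses the require directives of a go.mod with a small line scanner (assumed sufficient for the block and single-line forms; it does not use golang.org/x/mod), decodes the components of a CycloneDX JSON document, reports every pkg:golang component whose version or purl version differs from the exact string in go.mod, and offers a normaliser that puts the leading "v" back. The go.mod and BOM samples are constructed inline: the require block is the one from the post with an assumed module line, and the BOM fragment mirrors the "Actual Behavior" output (versions without "v").

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Component is the subset of a CycloneDX component this check reads.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// Constructed input: the require block from the post plus an assumed module line.
const sampleGoMod = `module example.com/app
go 1.20
require (
	go.uber.org/mock v0.4.0
	google.golang.org/protobuf v1.31.0
)
`

// Constructed input modelled on the "Actual Behavior" output: no leading "v".
const sampleBOM = `{"components": [
  {"name": "go.uber.org/mock", "version": "0.4.0", "purl": "pkg:golang/go.uber.org/mock@0.4.0"},
  {"name": "google.golang.org/protobuf", "version": "1.31.0", "purl": "pkg:golang/google.golang.org/protobuf@1.31.0"}
]}`

// parseGoModRequires maps module path -> version from go.mod require directives
// (block and single-line forms). Versions are kept exactly as written, so they
// carry Go's leading "v"; "// indirect" markers and other comments are dropped.
func parseGoModRequires(src string) map[string]string {
	req := make(map[string]string)
	inBlock := false
	for _, line := range strings.Split(src, "\n") {
		line = strings.TrimSpace(line)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock || strings.HasPrefix(line, "require "):
			if f := strings.Fields(strings.TrimPrefix(line, "require ")); len(f) == 2 {
				req[f[0]] = f[1]
			}
		}
	}
	return req
}

// decodeComponents extracts the components array of a CycloneDX JSON document.
func decodeComponents(data string) ([]Component, error) {
	var doc struct {
		Components []Component `json:"components"`
	}
	err := json.Unmarshal([]byte(data), &doc)
	return doc.Components, err
}

// purlVersion returns the version segment of a purl, ignoring "?qualifiers" and "#subpath".
func purlVersion(purl string) string {
	if i := strings.IndexAny(purl, "?#"); i >= 0 {
		purl = purl[:i]
	}
	if i := strings.LastIndex(purl, "@"); i >= 0 {
		return purl[i+1:]
	}
	return ""
}

// checkGolangComponents reports pkg:golang components whose version or purl
// version differs from the exact string written in go.mod.
func checkGolangComponents(comps []Component, goMod map[string]string) []string {
	var problems []string
	for _, c := range comps {
		want, ok := goMod[c.Name]
		if !ok || !strings.HasPrefix(c.PURL, "pkg:golang/") {
			continue // not a direct Go requirement; nothing to compare against
		}
		if got := purlVersion(c.PURL); c.Version != want || got != want {
			problems = append(problems, fmt.Sprintf("%s: version %q, purl version %q, go.mod has %q", c.Name, c.Version, got, want))
		}
	}
	return problems
}

// restoreVPrefix returns a copy of a pkg:golang component with the "v" put back
// on the version and on the version segment of the purl; other components and
// versions that already carry a "v" are returned unchanged.
func restoreVPrefix(c Component) Component {
	if !strings.HasPrefix(c.PURL, "pkg:golang/") || strings.HasPrefix(c.Version, "v") {
		return c
	}
	old := c.Version
	c.Version = "v" + old
	c.PURL = strings.Replace(c.PURL, "@"+old, "@"+c.Version, 1)
	return c
}
```

Running `checkGolangComponents(decodeComponents(sampleBOM), parseGoModRequires(sampleGoMod))` over the constructed samples reports both components, and after `restoreVPrefix` the same check reports nothing. The normaliser deliberately does not touch `bom-ref`: that field is an opaque key referenced from the BOM's dependency graph, so rewriting it would also require rewriting every reference to it.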