trivy can't detect older binary

[camaeel]

Description

First extract contents of a image:
docker export $(docker create quay.io/uswitch/vault-creds:v0.14.0) | tar -xC .

Run trivy scan: trivy fs vaultcreds.

It reports no lang-specific files:
2024-02-16T09:41:07.523+0100 INFO Number of language-specific files: 0

If I build the same code version with current golang SDK and scan it, then it shows some vulnerabilities.

Desired Behavior

Trivy should be able to scan even older binaries, or in worst case at least report some warning (if possible?).

Actual Behavior

SIlent failure

Reproduction Steps

1. `docker export $(docker create quay.io/uswitch/vault-creds:v0.14.0) | tar -xC .`
2. `trivy fs vaultcreds`

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

❯ trivy fs vaultcreds --debug
2024-02-16T09:44:56.219+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-16T09:44:56.220+0100    DEBUG   Ignore statuses {"statuses": null}
2024-02-16T09:44:56.235+0100    DEBUG   cache dir:  REDACTED/trivy
2024-02-16T09:44:56.235+0100    DEBUG   DB update was skipped because the local DB is the latest
2024-02-16T09:44:56.235+0100    DEBUG   DB Schema: 2, UpdatedAt: 2024-02-16 06:12:10.483953515 +0000 UTC, NextUpdate: 2024-02-16 12:12:10.483953215 +0000 UTC, DownloadedAt: 2024-02-16 07:22:51.381622 +0000 UTC
2024-02-16T09:44:56.257+0100    INFO    Vulnerability scanning is enabled
2024-02-16T09:44:56.257+0100    DEBUG   Vulnerability type:  [os library]
2024-02-16T09:44:56.257+0100    INFO    Secret scanning is enabled
2024-02-16T09:44:56.257+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-16T09:44:56.257+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-02-16T09:44:56.257+0100    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-16T09:44:56.258+0100    DEBUG   No secret config detected: trivy-secret.yaml
2024-02-16T09:44:56.258+0100    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-16T09:44:56.258+0100    DEBUG   Walk the file tree rooted at 'vaultcreds' in parallel
2024-02-16T09:44:56.270+0100    DEBUG   OS is not detected.
2024-02-16T09:44:56.270+0100    DEBUG   Detected OS: unknown
2024-02-16T09:44:56.270+0100    INFO    Number of language-specific files: 0

Operating System

macos Sonoma 14.2.1

Version

❯ trivy --version
Version: 0.48.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-16 06:12:10.483953515 +0000 UTC
  NextUpdate: 2024-02-16 12:12:10.483953215 +0000 UTC
  DownloadedAt: 2024-02-16 07:22:51.381622 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
  NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
  DownloadedAt: 2024-02-12 09:02:10.615217 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @camaeel
Thanks for your report!

We use Go to get information about go binaries.
I checked your file, and Go says that it is not go binary:

➜ go version ./vaultcreds 
./vaultcreds: could not read Go build info from ./vaultcreds: not a Go executable

Regards, Dmitriy

[nikpivkin]

@DmitriyLewen Are you running this on mac OS? vault-creds is built on ubuntu

Upd: user has macOS as well. Could this be the cause?

[DmitriyLewen]

There seems to be no difference:

➜ docker run -it --rm -v ./vaultcreds:/vaultcreds golang:1.21
root@6be2998e3efe:/go# uname -m   
aarch64
root@6be2998e3efe:/go# go version
go version go1.21.7 linux/arm64
root@6be2998e3efe:/go# go version /vaultcreds 
/vaultcreds: could not read Go build info from /vaultcreds: not a Go executable

➜ docker run -it --rm -v ./vaultcreds:/vaultcreds --platform=linux/amd64 golang:1.21
root@c78de1f330a9:/go# uname -m
x86_64
root@c78de1f330a9:/go# go version
go version go1.21.7 linux/amd64
root@c78de1f330a9:/go# go version /vaultcreds 
/vaultcreds: could not read Go build info from /vaultcreds: not a Go executable

This binary does not appear to contain Go build information - https://go.dev/src/debug/buildinfo/buildinfo.go:

	// errNotGoExe is returned when a given executable file is valid but does
	// not contain Go build information.
	errNotGoExe = errors.New("not a Go executable")

If this is true, the binary is valid and works, but we can't get build information.

[camaeel]

@DmitriyLewen I checked with older versions of golang (up to 1.12, which might have been used to build the binary), and it is not able to detect go version at all. Probably this drone-ci pipeline: https://github.com/uswitch/vault-creds/blob/v0.14.0/.drone.yml has been used to build the binary, but it can't be run again now - it seems some dependencies from that time no longer exist.

Maybe if this is detected go binary but has no version at least some warning, or maybe even error should be raised?

[DmitriyLewen]

I'm not sure if this is possible.

We can't differentiate this binary from a non-golang binary.
e.g.:

➜ /bin go version ./bash
./bash: Failed to read Go build information from ./bash: Not a Go executable

Therefore, we will show this warning for every binary file.

I think this is a rare case. Support for 1.12 has also been completed.
I think we can ignore this case.

If we get more problems like this with the current version of Go, we will return to this problem (add a warning, write to the Go developers, etc.).

[camaeel]

Thanx @DmitriyLewen for clarification here.