Not recognizing modules in go binaries on wolfi base images

[dus7eh]

Description

Perfoming an image vulnerability scan with cyclonedx output fails to detect gobinary modules in wolfi based images.

Desired Behavior

Modules should be detected in go binaries and generated as a dependency in cyclonedx report.

Actual Behavior

Go binary module dependencies are missing from the report.

Reproduction Steps

1. Run `trivy image cgr.dev/chainguard/apko --scanners vuln --debug -f cyclonedx`
2. Analyze the output and verify that no apko tool modules are part of the report  
For comparison I ran the scan using `grype` which successfuly found dependencies as defined in apko repository (https://github.com/chainguard-dev/apko/blob/main/go.mod)

...

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

trivy image cgr.dev/chainguard/apko --scanners vuln --debug -f cyclonedx
2025-01-21T00:30:58+01:00	DEBUG	No plugins loaded
2025-01-21T00:30:58+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-21T00:30:58+01:00	DEBUG	Cache dir	dir="/home/somedir/.cache/trivy"
2025-01-21T00:30:58+01:00	DEBUG	Cache dir	dir="/home/somedir/.cache/trivy"
2025-01-21T00:30:58+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-21T00:30:58+01:00	DEBUG	Ignore statuses	statuses=[]
2025-01-21T00:30:58+01:00	DEBUG	DB update was skipped because the local DB is the latest
2025-01-21T00:30:58+01:00	DEBUG	DB info	schema=2 updated_at=2025-01-20T06:16:24.666860769Z next_update=2025-01-21T06:16:24.666860498Z downloaded_at=2025-01-20T10:39:21.859064643Z
2025-01-21T00:30:58+01:00	DEBUG	[pkg] Package types	types=[os library]
2025-01-21T00:30:58+01:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-01-21T00:30:58+01:00	INFO	[vuln] Vulnerability scanning is enabled
2025-01-21T00:30:58+01:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-21T00:30:58+01:00	DEBUG	Initializing scan cache...	type="fs"
2025-01-21T00:31:19+01:00	DEBUG	[image] Detected image ID	image_id="sha256:d00e07ebcbe7bbd0dc5d2722789ac082e39283c293d606ee761a8d11796d6e55"
2025-01-21T00:31:19+01:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5088aae317afa52db21e52db54f2949045c4e4e31099abad783c1f58137cdfa3]
2025-01-21T00:31:19+01:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-01-21T00:31:19+01:00	INFO	Detected OS	family="wolfi" version="20230201"
2025-01-21T00:31:19+01:00	INFO	[wolfi] Detecting vulnerabilities...	pkg_num=5
2025-01-21T00:31:19+01:00	INFO	Number of language-specific files	num=0
2025-01-21T00:31:19+01:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-01-21T00:31:19+01:00	DEBUG	[vex] VEX filtering is disabled
....

Operating System

Ubuntu

Version

trivy --version
Version: 0.58.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-20 06:16:24.666860769 +0000 UTC
  NextUpdate: 2025-01-21 06:16:24.666860498 +0000 UTC
  DownloadedAt: 2025-01-20 10:39:21.859064643 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-03-28 00:45:09.15157664 +0000 UTC
  NextUpdate: 2024-03-31 00:45:09.15157648 +0000 UTC
  DownloadedAt: 2024-03-28 12:24:41.574216227 +0000 UTC
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2025-01-15 11:19:40.683610877 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Please reference https://trivy.dev/latest/docs/scanner/vulnerability/#detection-behavior

[dus7eh]

Thanks, didn't notice when the defaut behaviour changed

[knqyf263]

The default behavior is the same from the beginning. We just added a flag to change the behavior, which may cause more false positives.