Detect golang boring crypto and fipsonly modules (#2021)

* Extending build info to include crypto settings Signed-off-by: Sirish Bathina <sirish@kasten.io> * Use kasten fork for goversion module Signed-off-by: Sirish Bathina <sirish@kasten.io> * go mod tidy Signed-off-by: Sirish Bathina <sirish@kasten.io> * change key to GoCryptoSettings and lint fix Signed-off-by: Sirish Bathina <sirish@kasten.io> * Addressing feedback Signed-off-by: Sirish Bathina <sirish@kasten.io> --------- Signed-off-by: Sirish Bathina <sirish@kasten.io>
2025-11-17 08:23:15 +01:00 · 2023-08-24 03:49:59 -10:00 · 2023-08-24 03:49:59 -10:00 · 62f689824c
commit 62f689824c
parent 07ac640ac5
10 changed files with 2215 additions and 147 deletions
--- a/go.mod
+++ b/go.mod
@ -69,6 +69,7 @@ require (
 	github.com/google/go-containerregistry v0.16.1
 	github.com/google/licensecheck v0.3.1
 	github.com/invopop/jsonschema v0.7.0
+	github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953
 	github.com/knqyf263/go-rpmdb v0.0.0-20230301153543-ba94b245509b
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/saferwall/pe v1.4.4
--- a/go.sum
+++ b/go.sum
@ -428,6 +428,8 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 h1:WdAeg/imY2JFPc/9CST4bZ80nNJbiBFCAdSZCSgrS5Y=
+github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953/go.mod h1:6o+UrvuZWc4UTyBhQf0LGjW9Ld7qJxLz/OqvSOWWlEc=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
--- a/internal/constants.go
+++ b/internal/constants.go
@ -6,5 +6,5 @@ const (

 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "10.0.0"
+	JSONSchemaVersion = "10.0.1"
 )
--- a/schema/json/schema-10.0.1.json
+++ b/schema/json/schema-10.0.1.json
--- a/syft/pkg/cataloger/golang/package.go
+++ b/syft/pkg/cataloger/golang/package.go
@ -11,7 +11,7 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 )

-func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debug.Module, mainModule, goVersion, architecture string, buildSettings map[string]string, locations ...file.Location) pkg.Package {
+func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debug.Module, mainModule, goVersion, architecture string, buildSettings map[string]string, cryptoSettings []string, locations ...file.Location) pkg.Package {
 	if dep.Replace != nil {
 		dep = dep.Replace
 	}
@ -36,6 +36,7 @@ func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debu
 			Architecture:      architecture,
 			BuildSettings:     buildSettings,
 			MainModule:        mainModule,
+			GoCryptoSettings:  cryptoSettings,
 		},
 	}

--- a/syft/pkg/cataloger/golang/parse_go_binary.go
+++ b/syft/pkg/cataloger/golang/parse_go_binary.go
@ -66,7 +66,7 @@ func (c *goBinaryCataloger) parseGoBinary(resolver file.Resolver, _ *generic.Env
 	return pkgs, nil, nil
 }

-func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *debug.BuildInfo, arch string, location file.Location) pkg.Package {
+func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *extendedBuildInfo, arch string, location file.Location) pkg.Package {
 	gbs := getBuildSettings(mod.Settings)
 	main := c.newGoBinaryPackage(
 		resolver,
@ -75,6 +75,7 @@ func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *debug
 		mod.GoVersion,
 		arch,
 		gbs,
+		mod.cryptoSettings,
 		location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 	)

@ -153,7 +154,7 @@ func extractVersionFromLDFlags(ldflags string) (majorVersion string, fullVersion
 // getArchs finds a binary architecture by two ways:
 // 1) reading build info from binaries compiled by go1.18+
 // 2) reading file headers from binaries compiled by < go1.18
-func getArchs(readers []io.ReaderAt, builds []*debug.BuildInfo) []string {
+func getArchs(readers []io.ReaderAt, builds []*extendedBuildInfo) []string {
 	if len(readers) != len(builds) {
 		log.Trace("golang cataloger: bin parsing: number of builds and readers doesn't match")
 		return nil
@ -255,7 +256,7 @@ func createMainModuleFromPath(path string) (mod debug.Module) {
 	return
 }

-func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file.Location, mod *debug.BuildInfo, arch string) []pkg.Package {
+func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file.Location, mod *extendedBuildInfo, arch string) []pkg.Package {
 	var pkgs []pkg.Package
 	if mod == nil {
 		return pkgs
@ -277,6 +278,7 @@ func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file
 			mod.GoVersion,
 			arch,
 			nil,
+			mod.cryptoSettings,
 			location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 		)
 		if pkg.IsValid(&p) {
--- a/syft/pkg/cataloger/golang/parse_go_binary_test.go
+++ b/syft/pkg/cataloger/golang/parse_go_binary_test.go
@ -155,7 +155,7 @@ func TestBuildGoPkgInfo(t *testing.T) {

 	tests := []struct {
 		name     string
-		mod      *debug.BuildInfo
+		mod      *extendedBuildInfo
 		arch     string
 		expected []pkg.Package
 	}{
@ -166,7 +166,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		},
 		{
 			name: "package without name",
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					Deps: []*debug.Module{
 						{
 							Path: "github.com/adrg/xdg",
@ -176,6 +177,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 							Version: "v0.2.1",
 						},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -198,13 +200,14 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		},
 		{
 			name:     "buildGoPkgInfo parses a blank mod and returns no packages",
-			mod:      &debug.BuildInfo{},
+			mod:      &extendedBuildInfo{&debug.BuildInfo{}, nil},
 			expected: []pkg.Package(nil),
 		},
 		{
 			name: "parse a mod without main module",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Settings: []debug.BuildSetting{
 						{Key: "GOARCH", Value: archDetails},
@ -218,6 +221,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 							Sum:     "h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=",
 						},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -246,7 +250,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a mod with path but no main module",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Settings: []debug.BuildSetting{
 						{Key: "GOARCH", Value: archDetails},
@ -254,6 +259,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "GOAMD64", Value: "v1"},
 					},
 					Path: "github.com/a/b/c",
+				}, []string{"boringcrypto + fips"},
 			},
 			expected: []pkg.Package{
 				{
@ -281,6 +287,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 							"GOOS":    "darwin",
 						},
 						MainModule:       "github.com/a/b/c",
+						GoCryptoSettings: []string{"boringcrypto + fips"},
 					},
 				},
 			},
@ -288,7 +295,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a mod without packages",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -296,13 +304,15 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "GOOS", Value: "darwin"},
 						{Key: "GOAMD64", Value: "v1"},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{unmodifiedMain},
 		},
 		{
 			name: "parse main mod and replace devel pseudo version and ldflags exists (but contains no version)",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -313,6 +323,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
 						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X blah=foobar`},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -349,7 +360,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags with vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -360,6 +372,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
 						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X github.com/anchore/syft/internal/version.version=0.79.0`},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -396,7 +409,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags without any vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -405,6 +419,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "GOAMD64", Value: "v1"},
 						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X github.com/anchore/syft/internal/version.version=0.79.0`},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -439,7 +454,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags main.version without any vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -448,6 +464,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "GOAMD64", Value: "v1"},
 						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X main.version=0.79.0`},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -482,7 +499,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags main.Version without any vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -491,6 +509,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "GOAMD64", Value: "v1"},
 						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X main.Version=0.79.0`},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -525,7 +544,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with a pseudo version",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -535,6 +555,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						{Key: "vcs.revision", Value: "41bc6bb410352845f22766e27dd48ba93aa825a4"},
 						{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -570,7 +591,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a populated mod string and returns packages but no source info",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -590,6 +612,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 							Sum:     "h1:DYssiUV1pBmKqzKsm4mqXx8artqC0Q8HgZsVI3lMsAg=",
 						},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@ -642,7 +665,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a populated mod string and returns packages when a replace directive exists",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
 					GoVersion: goCompiledVersion,
 					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
 					Settings: []debug.BuildSetting{
@ -667,6 +691,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 							},
 						},
 					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
--- a/syft/pkg/cataloger/golang/scan_binary.go
+++ b/syft/pkg/cataloger/golang/scan_binary.go
@ -6,12 +6,19 @@ import (
 	"io"
 	"runtime/debug"

+	"github.com/kastenhq/goversion/version"
+
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/pkg/cataloger/internal/unionreader"
 )

+type extendedBuildInfo struct {
+	*debug.BuildInfo
+	cryptoSettings []string
+}
+
 // scanFile scans file to try to report the Go and module versions.
-func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildInfo, []string) {
+func scanFile(reader unionreader.UnionReader, filename string) ([]*extendedBuildInfo, []string) {
 	// NOTE: multiple readers are returned to cover universal binaries, which are files
 	// with more than one binary
 	readers, err := unionreader.GetReaders(reader)
@ -20,7 +27,7 @@ func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildIn
 		return nil, nil
 	}

-	var builds []*debug.BuildInfo
+	var builds []*extendedBuildInfo
 	for _, r := range readers {
 		bi, err := getBuildInfo(r)
 		if err != nil {
@ -30,7 +37,14 @@ func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildIn
 		if bi == nil {
 			continue
 		}
-		builds = append(builds, bi)
+
+		v, err := getCryptoInformation(r)
+		if err != nil {
+			log.WithFields("file", filename, "error", err).Trace("unable to read golang version info")
+			continue
+		}
+
+		builds = append(builds, &extendedBuildInfo{bi, v})
 	}

 	archs := getArchs(readers, builds)
@ -38,6 +52,29 @@ func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildIn
 	return builds, archs
 }

+func getCryptoInformation(reader io.ReaderAt) ([]string, error) {
+	v, err := version.ReadExeFromReader(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	return getCryptoSettingsFromVersion(v), nil
+}
+
+func getCryptoSettingsFromVersion(v version.Version) []string {
+	cryptoSettings := []string{}
+	if v.StandardCrypto {
+		cryptoSettings = append(cryptoSettings, "standard-crypto")
+	}
+	if v.BoringCrypto {
+		cryptoSettings = append(cryptoSettings, "boring-crypto")
+	}
+	if v.FIPSOnly {
+		cryptoSettings = append(cryptoSettings, "crypto/tls/fipsonly")
+	}
+	return cryptoSettings
+}
+
 func getBuildInfo(r io.ReaderAt) (bi *debug.BuildInfo, err error) {
 	defer func() {
 		if r := recover(); r != nil {
--- a/syft/pkg/cataloger/golang/scan_binary_test.go
+++ b/syft/pkg/cataloger/golang/scan_binary_test.go
@ -6,6 +6,7 @@ import (
 	"runtime/debug"
 	"testing"

+	"github.com/kastenhq/goversion/version"
 	"github.com/stretchr/testify/assert"
 )

@ -38,3 +39,72 @@ func Test_getBuildInfo(t *testing.T) {
 		})
 	}
 }
+
+func Test_getCryptoSettingsFromVersion(t *testing.T) {
+	for _, tt := range []struct {
+		name    string
+		version version.Version
+		result  []string
+	}{
+		{
+			name: "standard crypto",
+			version: version.Version{
+				StandardCrypto: true,
+			},
+			result: []string{"standard-crypto"},
+		},
+		{
+			name: "boring crypto",
+			version: version.Version{
+				BoringCrypto: true,
+			},
+			result: []string{"boring-crypto"},
+		},
+		{ // Should never see this. Boring crypto is required for fipsonly
+			name: "fipsonly",
+			version: version.Version{
+				FIPSOnly: true,
+			},
+			result: []string{"crypto/tls/fipsonly"},
+		},
+		{
+			name: "boring crypto and fipsonly",
+			version: version.Version{
+				BoringCrypto: true,
+				FIPSOnly:     true,
+			},
+			result: []string{"boring-crypto", "crypto/tls/fipsonly"},
+		},
+		{ // Should never see this.
+			name: "boring and standard crypto!",
+			version: version.Version{
+				BoringCrypto:   true,
+				StandardCrypto: true,
+			},
+			result: []string{"boring-crypto", "standard-crypto"},
+		},
+		{ // Should never see this. Boring crypto is required for fipsonly
+			name: "fipsonly and standard crypto!",
+			version: version.Version{
+				FIPSOnly:       true,
+				StandardCrypto: true,
+			},
+			result: []string{"crypto/tls/fipsonly", "standard-crypto"},
+		},
+
+		{ // Should never see this. Boring crypto is required for fipsonly
+			name: "fipsonly boringcrypto and standard crypto!",
+			version: version.Version{
+				FIPSOnly:       true,
+				StandardCrypto: true,
+				BoringCrypto:   true,
+			},
+			result: []string{"crypto/tls/fipsonly", "standard-crypto", "boring-crypto"},
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			res := getCryptoSettingsFromVersion(tt.version)
+			assert.ElementsMatch(t, res, tt.result)
+		})
+	}
+}
--- a/syft/pkg/golang_metadata.go
+++ b/syft/pkg/golang_metadata.go
@ -7,6 +7,7 @@ type GolangBinMetadata struct {
 	Architecture      string            `json:"architecture" cyclonedx:"architecture"`
 	H1Digest          string            `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
 	MainModule        string            `json:"mainModule,omitempty" cyclonedx:"mainModule"`
+	GoCryptoSettings  []string          `json:"goCryptoSettings,omitempty" cyclonedx:"goCryptoSettings"`
 }

 // GolangModMetadata represents all captured data for a Golang source scan with go.mod/go.sum