Detect golang boring crypto and fipsonly modules (#2021)

* Extending build info to include crypto settings

Signed-off-by: Sirish Bathina <sirish@kasten.io>

* Use kasten fork for goversion module

Signed-off-by: Sirish Bathina <sirish@kasten.io>

* go mod tidy

Signed-off-by: Sirish Bathina <sirish@kasten.io>

* change key to GoCryptoSettings and lint fix

Signed-off-by: Sirish Bathina <sirish@kasten.io>

* Addressing feedback

Signed-off-by: Sirish Bathina <sirish@kasten.io>

---------

Signed-off-by: Sirish Bathina <sirish@kasten.io>

go.mod

@@ -69,6 +69,7 @@ require (
 	github.com/google/go-containerregistry v0.16.1
 	github.com/google/licensecheck v0.3.1
 	github.com/invopop/jsonschema v0.7.0
+	github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953
 	github.com/knqyf263/go-rpmdb v0.0.0-20230301153543-ba94b245509b
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/saferwall/pe v1.4.4

go.sum

@@ -428,6 +428,8 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 h1:WdAeg/imY2JFPc/9CST4bZ80nNJbiBFCAdSZCSgrS5Y=
+github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953/go.mod h1:6o+UrvuZWc4UTyBhQf0LGjW9Ld7qJxLz/OqvSOWWlEc=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

internal/constants.go

@@ -6,5 +6,5 @@ const (
 
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "10.0.0"
+	JSONSchemaVersion = "10.0.1"
 )

syft/pkg/cataloger/golang/package.go

@@ -11,7 +11,7 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 )
 
-func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debug.Module, mainModule, goVersion, architecture string, buildSettings map[string]string, locations ...file.Location) pkg.Package {
+func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debug.Module, mainModule, goVersion, architecture string, buildSettings map[string]string, cryptoSettings []string, locations ...file.Location) pkg.Package {
 	if dep.Replace != nil {
 		dep = dep.Replace
 	}
@@ -36,6 +36,7 @@ func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debu
 			Architecture:      architecture,
 			BuildSettings:     buildSettings,
 			MainModule:        mainModule,
+			GoCryptoSettings:  cryptoSettings,
 		},
 	}
 

syft/pkg/cataloger/golang/parse_go_binary.go

@@ -66,7 +66,7 @@ func (c *goBinaryCataloger) parseGoBinary(resolver file.Resolver, _ *generic.Env
 	return pkgs, nil, nil
 }
 
-func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *debug.BuildInfo, arch string, location file.Location) pkg.Package {
+func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *extendedBuildInfo, arch string, location file.Location) pkg.Package {
 	gbs := getBuildSettings(mod.Settings)
 	main := c.newGoBinaryPackage(
 		resolver,
@@ -75,6 +75,7 @@ func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *debug
 		mod.GoVersion,
 		arch,
 		gbs,
+		mod.cryptoSettings,
 		location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 	)
 
@@ -153,7 +154,7 @@ func extractVersionFromLDFlags(ldflags string) (majorVersion string, fullVersion
 // getArchs finds a binary architecture by two ways:
 // 1) reading build info from binaries compiled by go1.18+
 // 2) reading file headers from binaries compiled by < go1.18
-func getArchs(readers []io.ReaderAt, builds []*debug.BuildInfo) []string {
+func getArchs(readers []io.ReaderAt, builds []*extendedBuildInfo) []string {
 	if len(readers) != len(builds) {
 		log.Trace("golang cataloger: bin parsing: number of builds and readers doesn't match")
 		return nil
@@ -255,7 +256,7 @@ func createMainModuleFromPath(path string) (mod debug.Module) {
 	return
 }
 
-func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file.Location, mod *debug.BuildInfo, arch string) []pkg.Package {
+func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file.Location, mod *extendedBuildInfo, arch string) []pkg.Package {
 	var pkgs []pkg.Package
 	if mod == nil {
 		return pkgs
@@ -277,6 +278,7 @@ func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file
 			mod.GoVersion,
 			arch,
 			nil,
+			mod.cryptoSettings,
 			location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 		)
 		if pkg.IsValid(&p) {

syft/pkg/cataloger/golang/parse_go_binary_test.go

@@ -155,7 +155,7 @@ func TestBuildGoPkgInfo(t *testing.T) {
 
 	tests := []struct {
 		name     string
-		mod      *debug.BuildInfo
+		mod      *extendedBuildInfo
 		arch     string
 		expected []pkg.Package
 	}{
@@ -166,16 +166,18 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		},
 		{
 			name: "package without name",
-			mod: &debug.BuildInfo{
-				Deps: []*debug.Module{
-					{
-						Path: "github.com/adrg/xdg",
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					Deps: []*debug.Module{
+						{
+							Path: "github.com/adrg/xdg",
+						},
+						{
+							Path:    "",
+							Version: "v0.2.1",
+						},
 					},
-					{
-						Path:    "",
-						Version: "v0.2.1",
-					},
-				},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -198,26 +200,28 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		},
 		{
 			name:     "buildGoPkgInfo parses a blank mod and returns no packages",
-			mod:      &debug.BuildInfo{},
+			mod:      &extendedBuildInfo{&debug.BuildInfo{}, nil},
 			expected: []pkg.Package(nil),
 		},
 		{
 			name: "parse a mod without main module",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-				},
-				Deps: []*debug.Module{
-					{
-						Path:    "github.com/adrg/xdg",
-						Version: "v0.2.1",
-						Sum:     "h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=",
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
 					},
-				},
+					Deps: []*debug.Module{
+						{
+							Path:    "github.com/adrg/xdg",
+							Version: "v0.2.1",
+							Sum:     "h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=",
+						},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -246,14 +250,16 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a mod with path but no main module",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-				},
-				Path: "github.com/a/b/c",
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+					},
+					Path: "github.com/a/b/c",
+				}, []string{"boringcrypto + fips"},
 			},
 			expected: []pkg.Package{
 				{
@@ -280,7 +286,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 							"GOARCH":  "amd64",
 							"GOOS":    "darwin",
 						},
-						MainModule: "github.com/a/b/c",
+						MainModule:       "github.com/a/b/c",
+						GoCryptoSettings: []string{"boringcrypto + fips"},
 					},
 				},
 			},
@@ -288,31 +295,35 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a mod without packages",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-				},
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{unmodifiedMain},
 		},
 		{
 			name: "parse main mod and replace devel pseudo version and ldflags exists (but contains no version)",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-					{Key: "vcs.revision", Value: "41bc6bb410352845f22766e27dd48ba93aa825a4"},
-					{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
-					{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X blah=foobar`},
-				},
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+						{Key: "vcs.revision", Value: "41bc6bb410352845f22766e27dd48ba93aa825a4"},
+						{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
+						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X blah=foobar`},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -349,17 +360,19 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags with vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-					{Key: "vcs.revision", Value: "41bc6bb410352845f22766e27dd48ba93aa825a4"},
-					{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
-					{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X github.com/anchore/syft/internal/version.version=0.79.0`},
-				},
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+						{Key: "vcs.revision", Value: "41bc6bb410352845f22766e27dd48ba93aa825a4"},
+						{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
+						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X github.com/anchore/syft/internal/version.version=0.79.0`},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -396,15 +409,17 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags without any vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-					{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X github.com/anchore/syft/internal/version.version=0.79.0`},
-				},
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X github.com/anchore/syft/internal/version.version=0.79.0`},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -439,15 +454,17 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags main.version without any vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-					{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X main.version=0.79.0`},
-				},
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X main.version=0.79.0`},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -482,15 +499,17 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with one from ldflags main.Version without any vcs. build settings",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-					{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X main.Version=0.79.0`},
-				},
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+						{Key: "-ldflags", Value: `build	-ldflags="-w -s -extldflags '-static' -X main.Version=0.79.0`},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -525,16 +544,18 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse main mod and replace devel version with a pseudo version",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-					{Key: "vcs.revision", Value: "41bc6bb410352845f22766e27dd48ba93aa825a4"},
-					{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
-				},
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+						{Key: "vcs.revision", Value: "41bc6bb410352845f22766e27dd48ba93aa825a4"},
+						{Key: "vcs.time", Value: "2022-10-14T19:54:57Z"},
+					},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -570,26 +591,28 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a populated mod string and returns packages but no source info",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-				},
-				Deps: []*debug.Module{
-					{
-						Path:    "github.com/adrg/xdg",
-						Version: "v0.2.1",
-						Sum:     "h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=",
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
 					},
-					{
-						Path:    "github.com/anchore/client-go",
-						Version: "v0.0.0-20210222170800-9c70f9b80bcf",
-						Sum:     "h1:DYssiUV1pBmKqzKsm4mqXx8artqC0Q8HgZsVI3lMsAg=",
+					Deps: []*debug.Module{
+						{
+							Path:    "github.com/adrg/xdg",
+							Version: "v0.2.1",
+							Sum:     "h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=",
+						},
+						{
+							Path:    "github.com/anchore/client-go",
+							Version: "v0.0.0-20210222170800-9c70f9b80bcf",
+							Sum:     "h1:DYssiUV1pBmKqzKsm4mqXx8artqC0Q8HgZsVI3lMsAg=",
+						},
 					},
-				},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{
@@ -642,31 +665,33 @@ func TestBuildGoPkgInfo(t *testing.T) {
 		{
 			name: "parse a populated mod string and returns packages when a replace directive exists",
 			arch: archDetails,
-			mod: &debug.BuildInfo{
-				GoVersion: goCompiledVersion,
-				Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
-				Settings: []debug.BuildSetting{
-					{Key: "GOARCH", Value: archDetails},
-					{Key: "GOOS", Value: "darwin"},
-					{Key: "GOAMD64", Value: "v1"},
-				},
-				Deps: []*debug.Module{
-					{
-						Path:    "golang.org/x/sys",
-						Version: "v0.0.0-20211006194710-c8a6f5223071",
-						Sum:     "h1:PjhxBct4MZii8FFR8+oeS7QOvxKOTZXgk63EU2XpfJE=",
+			mod: &extendedBuildInfo{
+				&debug.BuildInfo{
+					GoVersion: goCompiledVersion,
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
 					},
-					{
-						Path:    "golang.org/x/term",
-						Version: "v0.0.0-20210927222741-03fcf44c2211",
-						Sum:     "h1:PjhxBct4MZii8FFR8+oeS7QOvxKOTZXgk63EU2XpfJE=",
-						Replace: &debug.Module{
+					Deps: []*debug.Module{
+						{
+							Path:    "golang.org/x/sys",
+							Version: "v0.0.0-20211006194710-c8a6f5223071",
+							Sum:     "h1:PjhxBct4MZii8FFR8+oeS7QOvxKOTZXgk63EU2XpfJE=",
+						},
+						{
 							Path:    "golang.org/x/term",
-							Version: "v0.0.0-20210916214954-140adaaadfaf",
-							Sum:     "h1:Ihq/mm/suC88gF8WFcVwk+OV6Tq+wyA1O0E5UEvDglI=",
+							Version: "v0.0.0-20210927222741-03fcf44c2211",
+							Sum:     "h1:PjhxBct4MZii8FFR8+oeS7QOvxKOTZXgk63EU2XpfJE=",
+							Replace: &debug.Module{
+								Path:    "golang.org/x/term",
+								Version: "v0.0.0-20210916214954-140adaaadfaf",
+								Sum:     "h1:Ihq/mm/suC88gF8WFcVwk+OV6Tq+wyA1O0E5UEvDglI=",
+							},
 						},
 					},
-				},
+				}, nil,
 			},
 			expected: []pkg.Package{
 				{

syft/pkg/cataloger/golang/scan_binary.go

@@ -6,12 +6,19 @@ import (
 	"io"
 	"runtime/debug"
 
+	"github.com/kastenhq/goversion/version"
+
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/pkg/cataloger/internal/unionreader"
 )
 
+type extendedBuildInfo struct {
+	*debug.BuildInfo
+	cryptoSettings []string
+}
+
 // scanFile scans file to try to report the Go and module versions.
-func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildInfo, []string) {
+func scanFile(reader unionreader.UnionReader, filename string) ([]*extendedBuildInfo, []string) {
 	// NOTE: multiple readers are returned to cover universal binaries, which are files
 	// with more than one binary
 	readers, err := unionreader.GetReaders(reader)
@@ -20,7 +27,7 @@ func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildIn
 		return nil, nil
 	}
 
-	var builds []*debug.BuildInfo
+	var builds []*extendedBuildInfo
 	for _, r := range readers {
 		bi, err := getBuildInfo(r)
 		if err != nil {
@@ -30,7 +37,14 @@ func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildIn
 		if bi == nil {
 			continue
 		}
-		builds = append(builds, bi)
+
+		v, err := getCryptoInformation(r)
+		if err != nil {
+			log.WithFields("file", filename, "error", err).Trace("unable to read golang version info")
+			continue
+		}
+
+		builds = append(builds, &extendedBuildInfo{bi, v})
 	}
 
 	archs := getArchs(readers, builds)
@@ -38,6 +52,29 @@ func scanFile(reader unionreader.UnionReader, filename string) ([]*debug.BuildIn
 	return builds, archs
 }
 
+func getCryptoInformation(reader io.ReaderAt) ([]string, error) {
+	v, err := version.ReadExeFromReader(reader)
+	if err != nil {
+		return nil, err
+	}
+
+	return getCryptoSettingsFromVersion(v), nil
+}
+
+func getCryptoSettingsFromVersion(v version.Version) []string {
+	cryptoSettings := []string{}
+	if v.StandardCrypto {
+		cryptoSettings = append(cryptoSettings, "standard-crypto")
+	}
+	if v.BoringCrypto {
+		cryptoSettings = append(cryptoSettings, "boring-crypto")
+	}
+	if v.FIPSOnly {
+		cryptoSettings = append(cryptoSettings, "crypto/tls/fipsonly")
+	}
+	return cryptoSettings
+}
+
 func getBuildInfo(r io.ReaderAt) (bi *debug.BuildInfo, err error) {
 	defer func() {
 		if r := recover(); r != nil {

syft/pkg/cataloger/golang/scan_binary_test.go

@@ -6,6 +6,7 @@ import (
 	"runtime/debug"
 	"testing"
 
+	"github.com/kastenhq/goversion/version"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -38,3 +39,72 @@ func Test_getBuildInfo(t *testing.T) {
 		})
 	}
 }
+
+func Test_getCryptoSettingsFromVersion(t *testing.T) {
+	for _, tt := range []struct {
+		name    string
+		version version.Version
+		result  []string
+	}{
+		{
+			name: "standard crypto",
+			version: version.Version{
+				StandardCrypto: true,
+			},
+			result: []string{"standard-crypto"},
+		},
+		{
+			name: "boring crypto",
+			version: version.Version{
+				BoringCrypto: true,
+			},
+			result: []string{"boring-crypto"},
+		},
+		{ // Should never see this. Boring crypto is required for fipsonly
+			name: "fipsonly",
+			version: version.Version{
+				FIPSOnly: true,
+			},
+			result: []string{"crypto/tls/fipsonly"},
+		},
+		{
+			name: "boring crypto and fipsonly",
+			version: version.Version{
+				BoringCrypto: true,
+				FIPSOnly:     true,
+			},
+			result: []string{"boring-crypto", "crypto/tls/fipsonly"},
+		},
+		{ // Should never see this.
+			name: "boring and standard crypto!",
+			version: version.Version{
+				BoringCrypto:   true,
+				StandardCrypto: true,
+			},
+			result: []string{"boring-crypto", "standard-crypto"},
+		},
+		{ // Should never see this. Boring crypto is required for fipsonly
+			name: "fipsonly and standard crypto!",
+			version: version.Version{
+				FIPSOnly:       true,
+				StandardCrypto: true,
+			},
+			result: []string{"crypto/tls/fipsonly", "standard-crypto"},
+		},
+
+		{ // Should never see this. Boring crypto is required for fipsonly
+			name: "fipsonly boringcrypto and standard crypto!",
+			version: version.Version{
+				FIPSOnly:       true,
+				StandardCrypto: true,
+				BoringCrypto:   true,
+			},
+			result: []string{"crypto/tls/fipsonly", "standard-crypto", "boring-crypto"},
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			res := getCryptoSettingsFromVersion(tt.version)
+			assert.ElementsMatch(t, res, tt.result)
+		})
+	}
+}

syft/pkg/golang_metadata.go

@@ -7,6 +7,7 @@ type GolangBinMetadata struct {
 	Architecture      string            `json:"architecture" cyclonedx:"architecture"`
 	H1Digest          string            `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
 	MainModule        string            `json:"mainModule,omitempty" cyclonedx:"mainModule"`
+	GoCryptoSettings  []string          `json:"goCryptoSettings,omitempty" cyclonedx:"goCryptoSettings"`
 }
 
 // GolangModMetadata represents all captured data for a Golang source scan with go.mod/go.sum