snyk
diff --git a/‎lib/go-parser/go-binary.ts‎
Lines changed: 69 additions & 15 deletions b/‎lib/go-parser/go-binary.ts‎
Lines changed: 69 additions & 15 deletions
diff --git a/‎test/fixtures/docker-archives/stripped-go-binaries-minimal.tar.gz‎
17.8 MB b/‎test/fixtures/docker-archives/stripped-go-binaries-minimal.tar.gz‎
17.8 MB
diff --git a/‎test/system/application-scans/gomodules.spec.ts‎
Lines changed: 180 additions & 0 deletions b/‎test/system/application-scans/gomodules.spec.ts‎
Lines changed: 180 additions & 0 deletions
@@ -1,4 +1,5 @@
 import * as depGraph from "@snyk/dep-graph";
+import * as Debug from "debug";
 import { eventLoopSpinner } from "event-loop-spinner";
 // NOTE: Paths will always be normalized to POSIX even on Windows.
 // This makes it easier to ignore differences between Linux and Windows.
@@ -10,9 +11,40 @@ import { GoModule } from "./go-module";
 import { LineTable } from "./pclntab";
 import { Elf, ElfProgram } from "./types";
 
+const debug = Debug("snyk");
+
+/**
+ * GoBinary: Parser for Go compiled binaries
+ *
+ * This class extracts dependency information from Go binaries by reading ELF sections.
+ * It implements two scanning strategies depending on binary characteristics:
+ * - If .gopclntab exists: Extract source files → Map to packages → Report packages
+ * - If .gopclntab missing: Extract modules from .go.buildinfo → Report all modules
+ *
+ * Binary Types:
+ *
+ * 1. Normal Go Binaries (with .gopclntab):
+ *    - Built with standard flags
+ *    - Contains .gopclntab (Go Program Counter Line Table) section
+ *    - .gopclntab maps program counter addresses to source files
+ *
+ * 2. Stripped Go Binaries (without .gopclntab):
+ *    - Built with -ldflags='-s -w' flag
+ *    - Removes debug symbols, symbol tables (.symtab, .strtab), and .gopclntab
+ *
+ * 3. CGo Go Binaries:
+ *    - Built with CGO_ENABLED=1 (calls C code)
+ *    - May or may not contain .gopclntab depending on build configuration
+ *
+ * ELF Sections Used:
+ * - .go.buildinfo: Module names, versions, and build information (always present)
+ * - .gopclntab: Source file to package mapping (missing in stripped/some CGo binaries)
+ *
+ */
 export class GoBinary {
   public name: string;
   public modules: GoModule[];
+  private hasPclnTab: boolean;
 
   constructor(goElfBinary: Elf) {
     [this.name, this.modules] = extractModuleInformation(goElfBinary);
@@ -21,16 +53,20 @@ export class GoBinary {
       (section) => section.name === ".gopclntab",
     );
 
-    // some CGo built binaries might not contain a pclnTab, which means we
-    // cannot scan the files.
-    // TODO: from a technical perspective, it would be enough to only report the
-    // modules, as the only remediation path is to upgrade a full module
-    // anyways. From a product perspective, it's not clear (yet).
-    if (pclnTab === undefined) {
-      throw Error("no pcln table present in Go binary");
+    // Track whether pclnTab exists to determine reporting strategy
+    this.hasPclnTab = pclnTab !== undefined;
+
+    // Stripped binaries (built with -ldflags='-s -w') and some CGo binaries
+    // do not contain .gopclntab, which means we cannot detect package-level
+    // dependencies. In this case, we fall back to module-level reporting from
+    // .go.buildinfo, as remediation is performed at the module level anyway.
+    if (pclnTab !== undefined) {
+      try {
+        this.matchFilesToModules(new LineTable(pclnTab.data).go12MapFiles());
+      } catch (err) {
+        debug(`Failed to parse .gopclntab in ${this.name}`, err.stack || err);
+      }
     }
-
-    this.matchFilesToModules(new LineTable(pclnTab.data).go12MapFiles());
   }
 
   public async depGraph(): Promise<depGraph.DepGraph> {
@@ -40,18 +76,36 @@ export class GoBinary {
     );
 
     for (const module of this.modules) {
-      for (const pkg of module.packages) {
-        if (eventLoopSpinner.isStarving()) {
-          await eventLoopSpinner.spin();
-        }
+      if (eventLoopSpinner.isStarving()) {
+        await eventLoopSpinner.spin();
+      }
 
-        const nodeId = `${pkg}@${module.version}`;
+      // If we have package-level information (from pclntab), use it
+      if (module.packages.length > 0) {
+        for (const pkg of module.packages) {
+          const nodeId = `${pkg}@${module.version}`;
+          goModulesDepGraph.addPkgNode(
+            { name: pkg, version: module.version },
+            nodeId,
+          );
+          goModulesDepGraph.connectDep(goModulesDepGraph.rootNodeId, nodeId);
+        }
+      } else if (!this.hasPclnTab) {
+        // ONLY if .gopclntab is missing (stripped/CGo binaries), report module-level
+        // dependencies from .go.buildinfo.
+        //
+        // Note: .go.buildinfo contains ALL modules from the build graph, including
+        // modules required only for version resolution (transitive dependencies with
+        // no code actually compiled into the binary). Without .gopclntab, we cannot
+        // distinguish these from modules with actual code present.
+        const nodeId = `${module.name}@${module.version}`;
         goModulesDepGraph.addPkgNode(
-          { name: pkg, version: module.version },
+          { name: module.name, version: module.version },
           nodeId,
         );
         goModulesDepGraph.connectDep(goModulesDepGraph.rootNodeId, nodeId);
       }
+      // else: pclnTab exists but module has no packages - don't report anything
     }
 
     return goModulesDepGraph.build();
 
@@ -1,7 +1,10 @@
 import * as elf from "elfy";
+import * as fs from "fs";
+import * as path from "path";
 
 import { extractContent, scan } from "../../../lib";
 import { getGoModulesContentAction } from "../../../lib/go-parser";
+import { GoBinary } from "../../../lib/go-parser/go-binary";
 import { getFixture } from "../../util";
 
 describe("gomodules binaries scanning", () => {
@@ -94,3 +97,180 @@ describe("parse go modules from various versions of compiled binaries", () => {
     expect(pluginResult).toMatchSnapshot();
   });
 });
+
+/**
+ * Unit Tests: Stripped/CGo Binary Support
+ *
+ * Tests GoBinary class directly with a stripped binary fixture (no .gopclntab section).
+ * Validates module-level dependency extraction from .go.buildinfo.
+ *
+ * Fixture: test/fixtures/go-binaries/no-pcln-tab
+ * - Source: github.com/rootless-containers/rootlesskit/cmd/rootlesskit-docker-proxy
+ * - Go Version: 1.17.11
+ * - Dependencies: 3 modules
+ * - Expected output verified with: go version -m test/fixtures/go-binaries/no-pcln-tab
+ */
+describe("Stripped Go binary without .gopclntab: no-pcln-tab fixture", () => {
+  const fixturesPath = path.join(__dirname, "../../fixtures/go-binaries");
+  const noPclnTabPath = path.join(fixturesPath, "no-pcln-tab");
+
+  // Expected dependencies for no-pcln-tab fixture based on `go version -m`
+  const expectedDepsNoPcln = [
+    { name: "github.com/pkg/errors", version: "v0.9.1" },
+    { name: "github.com/sirupsen/logrus", version: "v1.8.1" },
+    { name: "golang.org/x/sys", version: "v0.0.0-20210119212857-b64e53b001e4" },
+  ];
+
+  it("should have .go.buildinfo but no .gopclntab", () => {
+    const fileContent = fs.readFileSync(noPclnTabPath);
+    const binary = elf.parse(fileContent);
+
+    const goBuildInfo = binary.body.sections.find(
+      (section) => section.name === ".go.buildinfo",
+    );
+    const goPclnTab = binary.body.sections.find(
+      (section) => section.name === ".gopclntab",
+    );
+
+    expect(goBuildInfo).toBeDefined();
+    expect(goPclnTab).toBeUndefined();
+  });
+
+  it("should extract 3 module-level dependencies from .go.buildinfo", async () => {
+    const fileContent = fs.readFileSync(noPclnTabPath);
+    const binary = elf.parse(fileContent);
+
+    const goBinary = new GoBinary(binary);
+    const depGraph = await goBinary.depGraph();
+
+    const deps = depGraph
+      .getPkgs()
+      .filter((pkg) => pkg.name !== depGraph.rootPkg.name);
+
+    expectedDepsNoPcln.forEach((expectedDep) => {
+      const found = deps.find(
+        (dep) =>
+          dep.name === expectedDep.name && dep.version === expectedDep.version,
+      );
+      expect(found).toBeDefined();
+    });
+
+    expect(deps.length).toBe(expectedDepsNoPcln.length);
+    expect(depGraph.rootPkg.name).toBe(
+      "github.com/rootless-containers/rootlesskit",
+    );
+  });
+
+  it("should report module-level dependencies (not package-level)", async () => {
+    const fileContent = fs.readFileSync(noPclnTabPath);
+    const binary = elf.parse(fileContent);
+
+    const goBinary = new GoBinary(binary);
+
+    const hasPackageLevelInfo = goBinary.modules.some(
+      (mod) => mod.packages.length > 0,
+    );
+
+    expect(hasPackageLevelInfo).toBe(false);
+    expect(goBinary.modules.length).toBe(3);
+  });
+});
+
+/**
+ * Test Image: test/fixtures/docker-archives/stripped-go-binaries-minimal.tar.gz
+ * - Size: 18 MB compressed, 62 MB uncompressed
+ * - Source: elastic-agent-complete:8.18.8
+ * - Binaries: 2 stripped Go binaries
+ *   1. fleet-server (76 modules)
+ *   2. osquery-extension.ext (10 modules) - we currently filter out binaries with extensions TODO-fix this
+ */
+describe("Stripped and CGo Go binaries detection scan handler test", () => {
+  const testImagePath = getFixture(
+    "docker-archives/stripped-go-binaries-minimal.tar.gz",
+  );
+  jest.setTimeout(180000);
+  const getScanOptions = () => {
+    return {
+      path: `docker-archive:${testImagePath}`,
+      "app-vulns": true,
+    };
+  };
+
+  it("should detect stripped/CGo Go binaries missing .gopclntab section", async () => {
+    const pluginResult = await scan(getScanOptions());
+
+    const goModules = pluginResult.scanResults.filter(
+      (r) => r.identity.type === "gomodules",
+    );
+
+    expect(goModules.length).toBeGreaterThanOrEqual(1);
+
+    const detectedBinaries: {
+      fleetServer: { targetFile: string; moduleCount: number } | null;
+      osqueryExt: { targetFile: string; moduleCount: number } | null;
+    } = {
+      fleetServer: null,
+      osqueryExt: null,
+    };
+
+    goModules.forEach((result) => {
+      const targetFile = result.identity.targetFile || "";
+      const depGraphFact = result.facts.find((f) => f.type === "depGraph");
+      const depGraph = depGraphFact?.data;
+
+      if (!depGraph) {
+        return;
+      }
+
+      const packages = depGraph.getPkgs();
+      const moduleCount = packages.length;
+
+      if (targetFile.includes("fleet-server")) {
+        detectedBinaries.fleetServer = { targetFile, moduleCount };
+      }
+    });
+
+    if (detectedBinaries.fleetServer) {
+      expect(detectedBinaries.fleetServer.moduleCount).toEqual(76);
+    } else {
+      fail("fleet-server not detected");
+    }
+
+    const detectedCount =
+      Object.values(detectedBinaries).filter(Boolean).length;
+    expect(detectedCount).toBe(1);
+  });
+
+  it("should report module-level dependencies (not package-level) for stripped/CGo binaries", async () => {
+    const pluginResult = await scan(getScanOptions());
+
+    const goModules = pluginResult.scanResults.filter(
+      (r) => r.identity.type === "gomodules",
+    );
+
+    expect(goModules.length).toEqual(1);
+
+    const fleetServer = goModules.find((r) =>
+      r.identity.targetFile?.includes("fleet-server"),
+    );
+
+    if (!fleetServer) {
+      return;
+    }
+
+    const depGraphFact = fleetServer.facts.find((f) => f.type === "depGraph");
+    const depGraph = depGraphFact?.data;
+
+    expect(depGraph).toBeDefined();
+
+    const packages = depGraph.getPkgs();
+    const sampleDeps = packages.slice(0, 10);
+
+    sampleDeps.forEach((pkg: any) => {
+      expect(pkg.name).toBeDefined();
+      if (pkg.version !== undefined) {
+        expect(typeof pkg.version).toBe("string");
+      }
+    });
+  });
+});