feat: add Go stdlib vulnerability detection to container scans (#767)

bgardiner · web-flow · commit b30aa3529b61 · 2026-03-13T14:58:50.000-04:00
Extract the Go compiler version from binary buildinfo and add a
`stdlib` pseudo-dependency node to the dependency graph. This enables
vuln-service to match Go standard library vulnerabilities for
container images, closing the gap with Snyk Open Source support.

Works for both normal and stripped binaries since .go.buildinfo is
always present regardless of build flags.
diff --git a/lib/go-parser/go-binary.ts b/lib/go-parser/go-binary.ts
@@ -44,10 +44,12 @@ const debug = Debug("snyk");
 export class GoBinary {
   public name: string;
   public modules: GoModule[];
+  public goVersion: string;
   private hasPclnTab: boolean;
 
   constructor(goElfBinary: Elf) {
-    [this.name, this.modules] = extractModuleInformation(goElfBinary);
+    [this.name, this.modules, this.goVersion] =
+      extractModuleInformation(goElfBinary);
 
     const pclnTab = goElfBinary.body.sections.find(
       (section) => section.name === ".gopclntab",
@@ -108,6 +110,19 @@ export class GoBinary {
       // else: pclnTab exists but module has no packages - don't report anything
     }
 
+    if (this.goVersion) {
+      const stdlibNodeId = `stdlib@${this.goVersion}`;
+      goModulesDepGraph.addPkgNode(
+        { name: "stdlib", version: this.goVersion },
+        stdlibNodeId,
+      );
+      goModulesDepGraph.connectDep(goModulesDepGraph.rootNodeId, stdlibNodeId);
+    } else {
+      debug(
+        `Skipping stdlib node for ${this.name}: could not parse Go version`,
+      );
+    }
+
     return goModulesDepGraph.build();
   }
 
@@ -184,15 +199,36 @@ interface GoFileNameError extends Error {
   moduleName: string;
 }
 
+/**
+ * Strips the "go" prefix from a Go version string and validates the format.
+ * Returns the cleaned version (e.g., "1.21.0") or empty string if invalid.
+ * Rejects RC/beta/devel versions since we cannot accurately match vulnerabilities
+ * against pre-release builds.
+ */
+export function parseGoVersion(rawVersion: string): string {
+  // Only match release versions (e.g., "go1.21" or "go1.21.5").
+  // Reject RC/beta (go1.21rc1, go1.22beta2) and devel builds.
+  const match = rawVersion.match(/^go(\d+\.\d+(?:\.\d+)?)$/);
+  if (!match) {
+    return "";
+  }
+  const ver = match[1];
+  // Ensure three-segment semver (e.g., "1.19" → "1.19.0") because
+  // @snyk/vuln uses node's semver library which requires three segments.
+  return ver.includes(".", ver.indexOf(".") + 1) ? ver : ver + ".0";
+}
+
 export function extractModuleInformation(
   binary: Elf,
-): [name: string, deps: GoModule[]] {
-  const mod = readRawBuildInfo(binary);
-  if (!mod) {
+): [name: string, deps: GoModule[], goVersion: string] {
+  const { goVersion: rawGoVersion, modInfo } = readRawBuildInfo(binary);
+  if (!modInfo) {
     throw Error("binary contains empty module info");
   }
 
-  const [pathDirective, mainModuleLine, ...versionsLines] = mod
+  const goVersion = parseGoVersion(rawGoVersion);
+
+  const [pathDirective, mainModuleLine, ...versionsLines] = modInfo
     .replace("\r", "")
     .split("\n");
   const lineSplit = mainModuleLine.split("\t");
@@ -224,7 +260,7 @@ export function extractModuleInformation(
     }
   });
 
-  return [name, modules];
+  return [name, modules, goVersion];
 }
 
 // Source
@@ -234,7 +270,12 @@ export function extractModuleInformation(
  * module version information in the executable binary
  * @param binary
  */
-export function readRawBuildInfo(binary: Elf): string {
+export interface RawBuildInfo {
+  goVersion: string;
+  modInfo: string;
+}
+
+export function readRawBuildInfo(binary: Elf): RawBuildInfo {
   const buildInfoMagic = "\xff Go buildinf:";
   // Read the first 64kB of dataAddr to find the build info blob.
   // On some platforms, the blob will be in its own section, and DataStart
@@ -272,9 +313,9 @@ export function readRawBuildInfo(binary: Elf): string {
   const ptrSize = data[14];
   if ((data[15] & 2) !== 0) {
     data = data.subarray(32);
-    [, data] = decodeString(data);
-    const [mod] = decodeString(data);
-    return mod;
+    const [goVersion, rest] = decodeString(data);
+    const [mod] = decodeString(rest);
+    return { goVersion, modInfo: mod };
   } else {
     const bigEndian = data[15] !== 0;
 
@@ -326,7 +367,7 @@ export function readRawBuildInfo(binary: Elf): string {
     // First 16 bytes are unicodes as last 16
     // Mirrors go version source code
     if (mod.length >= 33 && mod[mod.length - 17] === "\n") {
-      return mod.slice(16, mod.length - 16);
+      return { goVersion: version, modInfo: mod.slice(16, mod.length - 16) };
     } else {
       throw Error("binary is not built with go module support");
     }
diff --git a/test/system/application-scans/__snapshots__/gomodules.spec.ts.snap b/test/system/application-scans/__snapshots__/gomodules.spec.ts.snap
@@ -990,6 +990,9 @@ Object {
                     Object {
                       "nodeId": "gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776",
                     },
+                    Object {
+                      "nodeId": "stdlib@1.15.1",
+                    },
                   ],
                   "nodeId": "root-node",
                   "pkgId": "github.com/mikefarah/yq/v3@",
@@ -1074,6 +1077,11 @@ Object {
                   "nodeId": "gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776",
                   "pkgId": "gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776",
                 },
+                Object {
+                  "deps": Array [],
+                  "nodeId": "stdlib@1.15.1",
+                  "pkgId": "stdlib@1.15.1",
+                },
               ],
               "rootNodeId": "root-node",
             },
@@ -1199,6 +1207,13 @@ Object {
                   "version": "v3.0.0-20200615113413-eeeca48fe776",
                 },
               },
+              Object {
+                "id": "stdlib@1.15.1",
+                "info": Object {
+                  "name": "stdlib",
+                  "version": "1.15.1",
+                },
+              },
             ],
             "schemaVersion": "1.3.0",
           },
@@ -1369,6 +1384,9 @@ Object {
                     Object {
                       "nodeId": "gopkg.in/yaml.v2@v2.4.0",
                     },
+                    Object {
+                      "nodeId": "stdlib@1.17.11",
+                    },
                   ],
                   "nodeId": "root-node",
                   "pkgId": "testgo@",
@@ -1423,6 +1441,11 @@ Object {
                   "nodeId": "gopkg.in/yaml.v2@v2.4.0",
                   "pkgId": "gopkg.in/yaml.v2@v2.4.0",
                 },
+                Object {
+                  "deps": Array [],
+                  "nodeId": "stdlib@1.17.11",
+                  "pkgId": "stdlib@1.17.11",
+                },
               ],
               "rootNodeId": "root-node",
             },
@@ -1506,6 +1529,13 @@ Object {
                   "version": "v2.4.0",
                 },
               },
+              Object {
+                "id": "stdlib@1.17.11",
+                "info": Object {
+                  "name": "stdlib",
+                  "version": "1.17.11",
+                },
+              },
             ],
             "schemaVersion": "1.3.0",
           },
@@ -1676,6 +1706,9 @@ Object {
                     Object {
                       "nodeId": "gopkg.in/yaml.v2@v2.4.0",
                     },
+                    Object {
+                      "nodeId": "stdlib@1.18.3",
+                    },
                   ],
                   "nodeId": "root-node",
                   "pkgId": "testgo@",
@@ -1730,6 +1763,11 @@ Object {
                   "nodeId": "gopkg.in/yaml.v2@v2.4.0",
                   "pkgId": "gopkg.in/yaml.v2@v2.4.0",
                 },
+                Object {
+                  "deps": Array [],
+                  "nodeId": "stdlib@1.18.3",
+                  "pkgId": "stdlib@1.18.3",
+                },
               ],
               "rootNodeId": "root-node",
             },
@@ -1813,6 +1851,13 @@ Object {
                   "version": "v2.4.0",
                 },
               },
+              Object {
+                "id": "stdlib@1.18.3",
+                "info": Object {
+                  "name": "stdlib",
+                  "version": "1.18.3",
+                },
+              },
             ],
             "schemaVersion": "1.3.0",
           },
diff --git a/test/system/application-scans/gomodules.spec.ts b/test/system/application-scans/gomodules.spec.ts
@@ -155,7 +155,8 @@ describe("Stripped Go binary without .gopclntab: no-pcln-tab fixture", () => {
       expect(found).toBeDefined();
     });
 
-    expect(deps.length).toBe(expectedDepsNoPcln.length);
+    // +1 for stdlib pseudo-dependency when goVersion is present
+    expect(deps.length).toBe(expectedDepsNoPcln.length + 1);
     expect(depGraph.rootPkg.name).toBe(
       "github.com/rootless-containers/rootlesskit",
     );
@@ -231,7 +232,8 @@ describe("Stripped and CGo Go binaries detection scan handler test", () => {
     });
 
     if (detectedBinaries.fleetServer) {
-      expect(detectedBinaries.fleetServer.moduleCount).toEqual(76);
+      // +1 for stdlib pseudo-dependency when goVersion is present
+      expect(detectedBinaries.fleetServer.moduleCount).toEqual(77);
     } else {
       fail("fleet-server not detected");
     }
diff --git a/test/system/operating-systems/__snapshots__/sles15.spec.ts.snap b/test/system/operating-systems/__snapshots__/sles15.spec.ts.snap
@@ -2225,6 +2225,9 @@ Object {
                     Object {
                       "nodeId": "github.com/xrash/smetrics@v0.0.0-20201216005158-039620a65673",
                     },
+                    Object {
+                      "nodeId": "stdlib@1.21.5",
+                    },
                   ],
                   "nodeId": "root-node",
                   "pkgId": "github.com/SUSE/container-suseconnect@",
@@ -2249,6 +2252,11 @@ Object {
                   "nodeId": "github.com/xrash/smetrics@v0.0.0-20201216005158-039620a65673",
                   "pkgId": "github.com/xrash/smetrics@v0.0.0-20201216005158-039620a65673",
                 },
+                Object {
+                  "deps": Array [],
+                  "nodeId": "stdlib@1.21.5",
+                  "pkgId": "stdlib@1.21.5",
+                },
               ],
               "rootNodeId": "root-node",
             },
@@ -2290,6 +2298,13 @@ Object {
                   "version": "v0.0.0-20201216005158-039620a65673",
                 },
               },
+              Object {
+                "id": "stdlib@1.21.5",
+                "info": Object {
+                  "name": "stdlib",
+                  "version": "1.21.5",
+                },
+              },
             ],
             "schemaVersion": "1.3.0",
           },
diff --git a/test/unit/go-binaries.spec.ts b/test/unit/go-binaries.spec.ts
diff --git a/test/windows/__snapshots__/application-scans.spec.ts.snap b/test/windows/__snapshots__/application-scans.spec.ts.snap
