
Invalid SBOMs are created when GO replace directive is used #4415

@BorekZnovustvoritel

Description

What happened:
If a Go replace directive is used within a go.mod file, the Go module gets built with the image, and this image is scanned using Syft, the resulting SBOM will contain a relationship that points to a non-existent package.

What you expected to happen:
All SBOMs created by Syft should be valid SBOMs.

Steps to reproduce the issue:

  • Set up this file structure:
syft-bug-reproducer/
├── Dockerfile.mock-app           # 4-line minimal reproducer Dockerfile
└── mock-app/                     # Minimal Go application (~400 bytes)
    ├── go.mod                    # Has: replace example.com/mylib => ./mylib
    ├── main.go                   # Simple hello world with import
    └── mylib/                    # Local submodule
        ├── go.mod                # Submodule definition
        └── lib.go                # One simple function
  • The Dockerfile.mock-app should contain:
FROM golang:1.24
COPY mock-app /app
WORKDIR /app
RUN go build -o mockapp main.go
  • mock-app/go.mod should contain the replace directive:
module example.com/testapp
go 1.21
require example.com/mylib v0.0.0
replace example.com/mylib => ./mylib
  • mock-app/main.go should contain
package main

import (
	"fmt"
	_ "example.com/mylib"
)

func main() {
	fmt.Println("Hello, World!")
}
  • mock-app/mylib/go.mod should contain:
module example.com/mylib

go 1.21
  • mock-app/mylib/lib.go should contain:
package mylib

func Hello() string {
	return "Hello from mylib"
}
  • Build the image with buildah bud -f Dockerfile.mock-app -t test .
  • Scan the built image with syft localhost/test:latest -o [email protected]=sbom.spdx.json
  • Validate the created image with pyspdxtools -i sbom.spdx.json
  • The validation fails

Anything else we need to know?:
This affects many projects: invalid SBOMs are generated even if this directive is used within a project whose source files are copied and built within the scanned container image.

Environment:

  • Output of syft version: 1.38.0
  • OS (e.g: cat /etc/os-release or similar):
NAME="Fedora Linux"
VERSION="42 (Workstation Edition)"
RELEASE_TYPE=stable
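The following is an added check, not part of this issue or of syft itself: a small script that flags the exact defect described above, SPDX relationships whose endpoint SPDXID is not defined anywhere in the document. The embedded SBOM is constructed for illustration and is not real syft output; package and file SPDXIDs in it are made up.

```python
import json
import sys

# Constructed sample SBOM (not syft output): the last relationship refers to a
# package SPDXID that is never defined, mirroring the bug described above.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "localhost/test:latest",
    "packages": [
        {"SPDXID": "SPDXRef-Package-testapp", "name": "example.com/testapp"},
        {"SPDXID": "SPDXRef-Package-mylib", "name": "example.com/mylib"},
    ],
    "files": [{"SPDXID": "SPDXRef-File-mockapp", "fileName": "/app/mockapp"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-testapp"},
        {"spdxElementId": "SPDXRef-Package-testapp", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-mylib"},
        # Dangling: the replaced module path never became a package entry.
        {"spdxElementId": "SPDXRef-Package-testapp", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-mylib-replaced"},
    ],
})

# SPDX allows these literals in place of an element reference.
VALID_LITERALS = {"NOASSERTION", "NONE"}


def dangling_relationships(sbom_json: str) -> list:
    """Return relationships whose endpoints are not defined in the document."""
    doc = json.loads(sbom_json)
    ids = {doc["SPDXID"]}
    for section in ("packages", "files", "snippets"):
        ids.update(e["SPDXID"] for e in doc.get(section, []))
    dangling = []
    for rel in doc.get("relationships", []):
        for field in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(field, "")
            # "DocumentRef-x:SPDXRef-y" points into an external document; not checked here.
            if ref in ids or ref in VALID_LITERALS or ref.startswith("DocumentRef-"):
                continue
            dangling.append({"field": field, "ref": ref, "type": rel.get("relationshipType")})
    return dangling


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for d in dangling_relationships(data):
        print(f"{d['type']}: {d['field']} references undefined element {d['ref']}")
```

Run it with the path to a real `sbom.spdx.json` as the first argument to list every relationship that would fail the validator for this reason.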
