Description
Value
In order to better understand what software is present in a given context, Syft could inspect compiled Go binaries in order to determine the dependencies (called Go modules) that have been included in the compiled binary.
This is especially valuable for scans of container images, where the only artifact present is the Go binary, and there are no manifest-like files (such as go.mod or go.sum) remaining in the image.
Hypothesis
A complete list of a binary's included Go modules is included in the binary itself, and can be inspected by the natively available Go tooling. This can be done on the CLI using go version -m <path/to/Go/binary>, as well as with the Go standard library functionality used by this CLI command.
Implementation considerations
- In order to prevent Syft from needing to inspect every file present in the scan target to test if the file is a Go binary, Syft could potentially search through only a prefiltered set of files — specifically, files that are binaries. If Add magic number classification in the FileMetadata cataloger/indexer #336 is implemented first, Syft (when scanning images) could shorten its execution time by querying Stereoscope for files that are binaries.
- It's important to remember that the version of Go that Syft uses might differ from the version of Go that a discovered binary file uses. Care should be taken to ensure that Syft's Go binary analysis can be done with as many versions of Go as possible.
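The standard-library route named in the hypothesis, as an added example rather than Syft's own code: `debug/buildinfo` (Go 1.18+) reads the same embedded module table that `go version -m` prints, so the scanner needs no `go` toolchain on the host and is not tied to the Go version that built the target binary, which is the concern raised in the second consideration above. `GoModule`, `ModulesFromBuildInfo` and `ModulesFromBinary` are names chosen for this example; the replaced-dependency handling reports what was actually linked in, not the original `require` line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// GoModule is one module read from a binary's build info (constructed for this example).
type GoModule struct {
	Path, Version string
	Sum           string // h1: hash as recorded in go.sum; empty when absent
}

// ModulesFromBuildInfo lists the main module and every dependency. A dep with a
// Replace entry (go.mod "replace") was compiled from the replacement, so report that.
func ModulesFromBuildInfo(bi *debug.BuildInfo) []GoModule {
	mods := []GoModule{{Path: bi.Main.Path, Version: bi.Main.Version}}
	for _, d := range bi.Deps {
		m := d
		if d.Replace != nil {
			m = d.Replace
		}
		mods = append(mods, GoModule{Path: m.Path, Version: m.Version, Sum: m.Sum})
	}
	return mods
}

// ModulesFromBinary reads the build info embedded in a compiled Go binary on disk
// (what `go version -m` prints). An error means no Go build info was found in the file.
func ModulesFromBinary(path string) (string, []GoModule, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	return bi.GoVersion, ModulesFromBuildInfo(bi), nil
}

func main() {
	goVersion, mods, err := ModulesFromBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("built with", goVersion)
	for _, m := range mods {
		fmt.Println(m.Path, m.Version, m.Sum)
	}
}
```

Run as `go run gomods.go /path/to/some/go/binary`; a non-Go file or a binary built outside module mode is reported as an error rather than an empty module list, which is the signal a cataloger would use to skip the file.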