golang binary version parsing fails if GOEXPERIMENT was enabled #6695

lyoung-confluent · 2024-05-15T22:46:41Z

lyoung-confluent
May 15, 2024

Description

When running trivy on a Golang binary that was compiled with GOEXPERIMENT such as boringcrypto or loopvar the version extraction for stdlib will fail:

2024-05-15T15:20:45-07:00	WARN	Version matching error	err="version error (1.21.5 X:boringcrypto): malformed version: 1.21.5 X:boringcrypto"

This is because the returned GoVersion includes the additional experiment tags as part of the "version".

Desired Behavior

Trivy successfully extracts the Go version and reports the vulnerabilities

Actual Behavior

Trivy fails to extract the Go version and as such does not detect/report Go stdlib vulnerabilities

Reproduction Steps

Build the following Dockerfile (docker build -t goexperiment-test .):

FROM golang:1.22.1 AS builder
COPY <<EOF /example.go
package main

func main() {
    println("Hello World")
}
EOF
RUN GOEXPERIMENT=loopvar go build -o /example /example.go

FROM scratch
COPY --from=builder /example /example

Scan the image using trivy, observe that no stdlib vulnerabilities are reported and an error is found in the output:

$ trivy image goexperiment-test
2024-05-15T15:44:09-07:00	INFO	[gobinary] Detecting vulnerabilities...
2024-05-15T15:44:09-07:00	WARN	Version matching error	err="version error (1.22.1 X:loopvar): malformed version: 1.22.1 X:loopvar"

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

N/A

Operating System

macOS Sonoma

Version

Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-15 18:11:03.121256649 +0000 UTC
  NextUpdate: 2024-05-16 00:11:03.121256348 +0000 UTC
  DownloadedAt: 2024-05-15 21:46:24.370291 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-05-13 01:02:16.958984562 +0000 UTC
  NextUpdate: 2024-05-16 01:02:16.958984372 +0000 UTC
  DownloadedAt: 2024-05-13 04:31:47.140417 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-14 17:56:45.102444 +0000 UTC

Checklist

Run trivy image --reset
Read the troubleshooting

lyoung-confluent · 2024-05-16T00:08:08Z

lyoung-confluent
May 16, 2024
Author

Should be fixed via #6696 when merged

1 reply

knqyf263 May 16, 2024
Maintainer

Thanks. Created #6698

brandond · 2026-06-09T19:50:30Z

brandond
Jun 9, 2026

I am still seeing this error with trivy v0.71:

2026-06-09T19:48:33Z	INFO	[vuln] Vulnerability scanning is enabled
2026-06-09T19:48:33Z	INFO	[secret] Secret scanning is enabled
2026-06-09T19:48:33Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-06-09T19:48:33Z	INFO	[secret] Please see https://trivy.dev/docs/v0.71/guide/scanner/secret#recommendation for faster secret detection
2026-06-09T19:48:36Z	INFO	Detected OS	family="sles" version="16.0"
2026-06-09T19:48:36Z	INFO	[sles] Detecting vulnerabilities...	os_version="16.0" pkg_num=7
2026-06-09T19:48:36Z	INFO	Number of language-specific files	num=6
2026-06-09T19:48:36Z	INFO	[gobinary] Detecting vulnerabilities...
2026-06-09T19:48:36Z	WARN	Version matching error	err="version error (v1.26.2-X:boringcrypto): malformed version: v1.26.2-X:boringcrypto"
2026-06-09T19:48:36Z	WARN	Version matching error	err="version error (v1.26.2-X:boringcrypto): malformed version: v1.26.2-X:boringcrypto"
2026-06-09T19:48:36Z	WARN	Version matching error	err="version error (v1.26.2-X:boringcrypto): malformed version: v1.26.2-X:boringcrypto"
2026-06-09T19:48:36Z	WARN	Version matching error	err="version error (v1.26.2-X:boringcrypto): malformed version: v1.26.2-X:boringcrypto"
2026-06-09T19:48:36Z	WARN	Version matching error	err="version error (v1.26.2-X:boringcrypto): malformed version: v1.26.2-X:boringcrypto"
2026-06-09T19:48:36Z	WARN	Version matching error	err="version error (v1.26.2-X:boringcrypto): malformed version: v1.26.2-X:boringcrypto"

2 replies

nikpivkin Jun 10, 2026
Maintainer

Hi @brandond !

Thanks for the report — I think this is a stale cache, not a regression.

The Go 1.26 GOEXPERIMENT fix (#10351) is in v0.71.0, and I reproduced a fresh GOEXPERIMENT=boringcrypto Go 1.26 binary scanning cleanly on v0.71. The version in your log (v1.26.2-X:boringcrypto) can't actually be produced by the current code — the -X: suffix is stripped before the v prefix is added — so Trivy is most likely reusing a cached analysis from an older version.

Please clear the cache and re-scan:

trivy clean --scan-cache
trivy image <your-image>

If the warnings persist, share trivy --version and go version -m <one-of-the-binaries>.

brandond Jun 10, 2026

Thanks - I updated my Trivy binary, and was confused why I got the same error after upgrading. I wasn't aware that the new version would just keep outputting the same scan results produced by the old version. Should the scan results perhaps be invalidated if they were cached by an older version than is currently being used?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

golang binary version parsing fails if GOEXPERIMENT was enabled #6695

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

golang binary version parsing fails if GOEXPERIMENT was enabled #6695

Uh oh!

Uh oh!

lyoung-confluent May 15, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 3 replies

Uh oh!

lyoung-confluent May 16, 2024 Author

Uh oh!

knqyf263 May 16, 2024 Maintainer

Uh oh!

brandond Jun 9, 2026

Uh oh!

nikpivkin Jun 10, 2026 Maintainer

Uh oh!

brandond Jun 10, 2026

lyoung-confluent
May 15, 2024

Replies: 2 comments 3 replies

lyoung-confluent
May 16, 2024
Author

knqyf263 May 16, 2024
Maintainer

brandond
Jun 9, 2026

nikpivkin Jun 10, 2026
Maintainer