
grype fails to scan a go binary built using go1.24 #2482

@xnox

Description

What happened:

Given this pulumi binary:

# syft /usr/bin/pulumi  | grep pulumi/pkg/v3
 ✔ Indexed file system                                                                                                                     /usr/bin/pulumi
 ✔ Cataloged contents                                                                     34581a5a7a042126717559e59c7817f65026ee2fdc977f2a5909bc55536f409b
   ├── ✔ Packages                        [212 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [1 executables]  
github.com/pulumi/pulumi/pkg/v3                                              v3.152.0+incompatible+dirty            go-module    

grype on it fails with:

# grype /usr/bin/pulumi 
 ✔ Indexed file system                                                                                                                     /usr/bin/pulumi
 ✔ Cataloged contents                                                                     34581a5a7a042126717559e59c7817f65026ee2fdc977f2a5909bc55536f409b
   ├── ✔ Packages                        [212 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [1 executables]  
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
[0002]  WARN could not match by package language (package=Pkg(type=go-module, name=github.com/pulumi/pulumi/pkg/v3, version=v3.152.0+incompatible+dirty, ups
No vulnerabilities found

What you expected to happen:

I expect grype to manage to scan that binary. Note that +incompatible+dirty are largely side-effects of go build processes.

How to reproduce it (as minimally and precisely as possible):

$ wget -O pulumi-3.152.0-r0.apk.tar.gz https://packages.wolfi.dev/os/x86_64/pulumi-3.152.0-r0.apk
$ grype pulumi-3.152.0-r0.apk.tar.gz
 ✔ Indexed file system                                                                                               /tmp/syft-archive-contents-2698617573
 ✔ Cataloged contents                                                                     e89677734f8f3392b4f38191417e75fef5c46be991b49e06b32360dc7f645419
   ├── ✔ Packages                        [212 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [1 executables]  
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored 
[0003]  WARN could not match by package language (package=Pkg(type=go-module, name=github.com/pulumi/pulumi/pkg/v3, version=v3.152.0+incompatible+dirty, ups
No vulnerabilities found

There should be no warning.

If you want to build that go binary yourself, you can do:

  1. git clone pulumi project
  2. modify any file to make tree dirty
  3. go get go@latest => to get go 1.24
  4. build the binary in pkg/

Anything else we need to know?: we love grype

Full warning is visible with -v only as

[0002]  WARN could not match by package language (package=Pkg(type=go-module, name=github.com/pulumi/pulumi/pkg/v3, version=v3.152.0+incompatible+dirty, upstreams=0)): matcher failed to parse version pkg="github.com/pulumi/pulumi/pkg/v3" ver="v3.152.0+incompatible+dirty": Malformed version: v3.152.0+incompatible+dirty

Environment:

  • Output of grype version: latest
  • OS (e.g: cat /etc/os-release or similar): linux
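The warning quoted above comes from a strict version parser rejecting a second '+' segment. The Go toolchain appends "+incompatible" (module has no go.mod for its major version) and "+dirty" (built from a tree with uncommitted changes) as build metadata, and strict semver permits only one '+' followed by dot-separated identifiers. The following added example, not grype's or syft's own code, shows a tolerant parser that splits the version into its comparable core and its metadata segments, so a matcher can still compare "v3.152.0" against a fixed-version range; the type and function names (ParsedVersion, ParseGoModuleVersion, MatchableVersion) are assumptions for this illustration, and the version strings in main are taken from the report.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// semverCore matches the comparable part of a Go module version:
// "vMAJOR.MINOR.PATCH" with an optional "-prerelease" (pseudo-versions
// such as v0.0.0-20250101000000-abcdef123456 fall under the prerelease rule).
var semverCore = regexp.MustCompile(`^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?$`)

// ParsedVersion is the result of splitting a Go module version string
// (hypothetical type for this example).
type ParsedVersion struct {
	Core         string   // e.g. "v3.152.0", the only part a range check should compare
	Metadata     []string // e.g. ["incompatible", "dirty"]
	Incompatible bool     // "+incompatible": no go.mod for this major version
	Dirty        bool     // "+dirty": built from a VCS tree with uncommitted changes
}

// ParseGoModuleVersion accepts any number of '+' build-metadata segments,
// which is what strict semver parsers reject for "v3.152.0+incompatible+dirty".
func ParseGoModuleVersion(ver string) (ParsedVersion, error) {
	parts := strings.Split(ver, "+")
	core := parts[0]
	if !semverCore.MatchString(core) {
		return ParsedVersion{}, fmt.Errorf("malformed version: %q", ver)
	}
	p := ParsedVersion{Core: core}
	for _, m := range parts[1:] {
		if m == "" {
			return ParsedVersion{}, errors.New("empty build metadata segment in " + ver)
		}
		p.Metadata = append(p.Metadata, m)
		switch m {
		case "incompatible":
			p.Incompatible = true
		case "dirty":
			p.Dirty = true
		}
	}
	return p, nil
}

// MatchableVersion returns the string a vulnerability matcher should compare
// against fixed-version ranges. Build metadata never affects precedence, so
// dropping it cannot change the outcome of a range check.
func MatchableVersion(ver string) (string, error) {
	p, err := ParseGoModuleVersion(ver)
	if err != nil {
		return "", err
	}
	return p.Core, nil
}

func main() {
	// Inputs from the bug report plus a pseudo-version and a malformed string.
	for _, v := range []string{
		"v3.152.0+incompatible+dirty",
		"v0.0.0-20250101000000-abcdef123456+dirty",
		"3.152.0",
	} {
		p, err := ParseGoModuleVersion(v)
		if err != nil {
			fmt.Printf("%-45s -> error: %v\n", v, err)
			continue
		}
		fmt.Printf("%-45s -> core=%s incompatible=%t dirty=%t\n", v, p.Core, p.Incompatible, p.Dirty)
	}
}
```

Comparing only the core is safe because semver build metadata is ignored for precedence; recording the "dirty" flag separately is still worth doing, since a dirty build means the binary may not correspond to the tagged source that the advisory data describes.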

Labels: bug (Something isn't working), changelog-ignore (Don't include this issue in the release changelog)

Status: Done