feat(go): parse main module of go binary files

[DmitriyLewen]

Description

We currently skip main module when parsing Go binary files because these versions have always been (devel) and we couldn't detect vulnerabilities for these packages.

But modules installed using go install (see #1837 (comment)) use semver versions.
It will also be correct to add core modules to SBOM formats even with the (devel) version.

Related issues

• Close Detect the version of the Go binary itself #1837

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

I want to use an empty string rather than (devel). What do you think?

[DmitriyLewen]

I thought about it.
I am concerned about user questions:
(devel) indicates that we have determined version. It's not correct version, but it's version that the Go binary contains.
If we use empty version - some users may say: this is bug, because some dependencies don't have versions (for example #6456 - the problem here is different, but even in such situations questions arise).

But we can write about this in the documentation.

---

So I checked a bit:
looks like it work good. e.g. purl simply doesn't contain version.
CycloneDX and SPDX work well:

{
      "bom-ref": "pkg:golang/github.com/aquasecurity/trivy",
      "type": "library",
      "name": "github.com/aquasecurity/trivy",
      "purl": "pkg:golang/github.com/aquasecurity/trivy",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    },

"name": "github.com/aquasecurity/trivy",
      "SPDXID": "SPDXRef-Package-5290f6d6347a1886",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: trivy",
      "licenseConcluded": "NONE",
      "licenseDeclared": "NONE",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:golang/github.com/aquasecurity/trivy"
        }
      ],
      "attributionTexts": [
        "PkgType: gobinary"
      ],
      "primaryPackagePurpose": "LIBRARY"

So I like your solution. We will get more correct purl. The (devel) version will not force users to look at the docs to understand what it is.

But then we also need to overwrite (devel) for dependencies.

[DmitriyLewen]

Used empty string instead of (devel) - 35f6401

[DmitriyLewen]

To avoid user confusion, we might want to add debug log where we hide (devel) version.
@knqyf263 wdyt?

[knqyf263]

Agree

[DmitriyLewen]

added in 8edf7c5