Trivy fails to parse Rancher binary's -ldflags due to unsupported flags like -extldflags

[kerringtonwells]

Description

Trivy is encountering issues parsing strings from the Rancher binary and extracting version information. This prevents it from correctly mapping the Rancher version to known CVEs.

Function that is failing to parse -ldflags for reference:
https://github.com/aquasecurity/trivy/blob/main/pkg/dependency/parser/golang/binary/parse.go#L154

The function above is unable to properly parse the following:
-ldflags="-X github.com/rancher/rancher/pkg/version.Version=v2.8.4 -X github.com/rancher/rancher/pkg/version.GitCommit=29572e61e -X github.com/rancher/rancher/pkg/settings.InjectDefaults={"rke-version":"v1.5.9"} -extldflags -static -s"

Desired Behavior

Trivy should:

1. Correctly parse -ldflags from binaries like Rancher.
2. Extract version information from -X flags (e.g., github.com/rancher/rancher/pkg/version.Version=v2.8.4).
3. Ignore unsupported flags such as -extldflags, -static, and -s.
4. Successfully map the extracted version to known CVEs.

Actual Behavior

1. Trivy attempts to parse all flags in -ldflags without filtering out unsupported flags like -extldflags:

strings rancher |grep ldflags
-ldflags="-X github.com/rancher/rancher/pkg/version.Version=v2.8.4 -X github.com/rancher/rancher/pkg/version.GitCommit=29572e61e -X github.com/rancher/rancher/pkg/settings.InjectDefaults={"rke-version":"v1.5.9"} -extldflags -static -s"

2. This causes the pflag library to fail with the error:
   pflag: help requested

3. Trivy is unable to extract the Rancher version or map it to CVEs.

4. The function below in Trivy's code fails to correctly parse the -ldflags strings from the Rancher binary.
   https://github.com/aquasecurity/trivy/blob/main/pkg/dependency/parser/golang/binary/parse.go#L154

Reproduction Steps

1. strings rancher |grep ldflags             
-ldflags="-X github.com/rancher/rancher/pkg/version.Version=v2.8.4    -X github.com/rancher/rancher/pkg/version.GitCommit=29572e61e    -X github.com/rancher/rancher/pkg/settings.InjectDefaults={\"rke-version\":\"v1.5.9\"} -extldflags -static -s"

2. trivy image --cache-dir /scanner rancher/rancher:v2.8.4
2025-02-05T21:09:27Z	INFO	[vulndb] Need to update DB
2025-02-05T21:09:27Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-05T21:09:27Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
58.83 MiB / 58.83 MiB [----------------------------------------------------------------------------] 100.00% 6.20 MiB p/s 9.7s
2025-02-05T21:09:38Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-02-05T21:09:38Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-05T21:09:38Z	INFO	[secret] Secret scanning is enabled
2025-02-05T21:09:38Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-05T21:09:38Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
Usage of ldflags:
  -X, -- stringToString    (default [])
2025-02-05T21:10:31Z	ERROR	[gobinary] Could not parse -ldflags found in build info	err="pflag: help requested"
Usage of ldflags:
  -X, -- stringToString    (default [])
2025-02-05T21:10:34Z	ERROR	[gobinary] Could not parse -ldflags found in build info	err="pflag: help requested"

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

trivy image --cache-dir /scanner --debug rancher/rancher:v2.8.4
2025-02-05T21:29:53Z	DEBUG	No plugins loaded
2025-02-05T21:29:53Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-05T21:29:53Z	DEBUG	Cache dir	dir="/scanner"
2025-02-05T21:29:53Z	DEBUG	Cache dir	dir="/scanner"
2025-02-05T21:29:53Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-05T21:29:53Z	DEBUG	Ignore statuses	statuses=[]
2025-02-05T21:29:53Z	DEBUG	DB update was skipped because the local DB is the latest
2025-02-05T21:29:53Z	DEBUG	DB info	schema=2 updated_at=2025-02-05T18:16:59.099531402Z next_update=2025-02-06T18:16:59.099531232Z downloaded_at=2025-02-05T21:09:38.28957759Z
2025-02-05T21:29:53Z	DEBUG	[pkg] Package types	types=[os library]
2025-02-05T21:29:53Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-02-05T21:29:53Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-05T21:29:53Z	INFO	[secret] Secret scanning is enabled
2025-02-05T21:29:53Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-05T21:29:53Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
2025-02-05T21:29:53Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-05T21:29:53Z	DEBUG	Initializing scan cache...	type="fs"
2025-02-05T21:29:54Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-02-05T21:29:54Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-02-05T21:29:54Z	DEBUG	[image] Detected image ID	image_id="sha256:2f1f849157f0ed6ba8ebc5e0a1c0a1431ffd17495b8b360c37f4cb6fd47e32ed"
2025-02-05T21:29:54Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:37d2224a2406dd41273abcc30134beb6708b671255b3cfec29f71cef7800a8b5 sha256:446cf25e2100424456330eef0376db56ab2cc8272545826fd7970c4524dcdfd1 sha256:035c64b336e2b15369dd7b1a07e296f02dedbd5011cbc2bbb82142c67a293863 sha256:46c97cef48b8ba7a50be0b09a5eef372439134ec848f4c6ba05a172bb9cf27c6 sha256:c40886cb41d44d60ce0640616ed7dcf3ae83ba3eebe3dc50016903a6a6502645 sha256:186a26959e37a1b37ec261c401a22257ef78aa4cb92a143f5181304988959cf0 sha256:6d3215983281feba2604acf9a689a7ba88deb2138d1a96d99e90a82b6fda9855 sha256:22c5b578c75a58e7b1487058b0daf4ff7e6ed7ae4cafecb0d2a32036bd27ebc9 sha256:fb6ae2c936da16f0e259a7fc26896247654d1f0012946f50ce472d8d4e5e3f8a sha256:60beefb18d65e89e265650e0f5d1b97f5f9029e83f6cce2ac29c9d2d91e4c1ff sha256:13ba8d82176cdc7c20acbf41fbe8605d53f693ce921032a6ce93e277757302f1 sha256:ce30f158971142d032300f65b407d10dc3734b518ae4e6cdc6a861f2909b2224 sha256:68413aeb375e7e509d8dfb1e362a65f440d04f83d2136cabcb57084b801c7116 sha256:7203378de58ee3abfd1ee948f7b6616885f30ddc94211801f0981a94514a5f52 sha256:6667304821143477d18d0813be93afcefab1ecfac7b46f2a2a3e1d419b748372 sha256:b7a494c4368a58626297e49f60b26a59819e7031a40ac6082e4425a406fb4a28 sha256:2c771e361882a6c693ff92ac1427ba16c3f0c3525689a31956f6fbc5d0440198 sha256:e1cf9e005cdd3e8c50dc93c28ffaa5b2e6cbad1fd72ea7662c3ffc344bcd63f1 sha256:8b5c52e7f1f40fcdcbf99d5107b97eac80772f6d99e236c2e3c884ffb132eb74 sha256:b7a494c4368a58626297e49f60b26a59819e7031a40ac6082e4425a406fb4a28 sha256:90f4de295cb6cf37ca03603502c1bdac1ff08a3a45ba80704c5bf6ac0bc821d7]
2025-02-05T21:29:54Z	DEBUG	[image] Detected base layers	diff_ids=[]
2025-02-05T21:29:54Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:2f1f849157f0ed6ba8ebc5e0a1c0a1431ffd17495b8b360c37f4cb6fd47e32ed"
2025-02-05T21:29:54Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:46c97cef48b8ba7a50be0b09a5eef372439134ec848f4c6ba05a172bb9cf27c6"

Usage of ldflags:
  -X, -- stringToString    (default [])
2025-02-05T21:10:31Z	ERROR	[gobinary] Could not parse -ldflags found in build info	err="pflag: help requested"
Usage of ldflags:
  -X, -- stringToString    (default [])
2025-02-05T21:10:34Z	ERROR	[gobinary] Could not parse -ldflags found in build info	err="pflag: help requested"

Operating System

debian:bookworm-slim

Version

Version: 0.59.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @kerringtonwells
Thanks for your report!

Created #8365 for this task.

Rehards, Dmitriy

[kerringtonwells]

@DmitriyLewen I'm still getting the ldflags error in version 0.59.1. I'm no longer seeing the pflag error from before:
(err="pflag: help requested")

Current execution logs:
[2025-02-13T14:30:54Z] [INFO] Running Trivy...
[2025-02-13T14:30:56Z] [INFO] [Trivy] Skipping namespace: 360-cloud-platforms

[2025-02-13T14:30:56Z] [INFO] [Trivy] Scanning namespace: cattle-fleet-clusters-system

[2025-02-13T14:31:01Z] [INFO] [Trivy] Scanning namespace: cattle-fleet-local-system

[2025-02-13T14:31:16Z] [INFO] [Trivy] Scanning namespace: cattle-fleet-system

[2025-02-13T14:31:32Z] [INFO] [Trivy] Scanning namespace: cattle-global-data

[2025-02-13T14:31:38Z] [INFO] [Trivy] Scanning namespace: cattle-global-nt

[2025-02-13T14:31:42Z] [INFO] [Trivy] Scanning namespace: cattle-impersonation-system

[2025-02-13T14:31:47Z] [INFO] [Trivy] Scanning namespace: cattle-provisioning-capi-system

[2025-02-13T14:31:56Z] [INFO] [Trivy] Scanning namespace: cattle-system
Usage of ldflags:
-X, -- stringToString (default [])
Usage of ldflags:
-X, -- stringToString (default [])
Usage of ldflags:
-X, -- stringToString (default [])

k exec -it trivy-scanner -n security-scanners -- sh

trivy --version

Version: 0.59.1