bug(gobinary): Trivy fails when ldflags contain nested flags #8365

Closed
DmitriyLewen opened this issue Feb 7, 2025 · 3 comments · Fixed by #8368
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


DmitriyLewen commented Feb 7, 2025

Description

There are flags that use nested flags (e.g. -extldflags '-static -lm -ldl -lz -lpthread').

We trim flags with spaces:

return strings.Fields(setting.Value)

So we try to parse flags that contain ' (e.g. '-static) and see the error:

ERROR	[gobinary] Could not parse -ldflags found in build info	err="pflag: help requested"

Solution

We only need -X flags at this time. So I suggest just trimming ' before splitting the flags
We need to save nested flags as one element of slice. This element must include '.
e.g.:

"-extldflags",
"'-static -lm -ldl -lz -lpthread'",

Discussed in #8363
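An added example (not Trivy's code and not written by anyone in this thread) of the split the issue asks for: a quote-aware splitter that keeps the nested `-extldflags` value as one element, quotes included, next to the `strings.Fields` split that breaks it apart. `splitLdflags`, `xFlags` and `sample` are hypothetical names, the sample string is constructed from the flags quoted in this issue, and only single quotes are handled.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample, shortened from the flags quoted in this issue.
const sample = "-X github.com/k3s-io/k3s/pkg/version.Version=v1.28.6+k3s2 -w -s -extldflags '-static -lm -ldl -lz -lpthread'"

// splitLdflags (hypothetical helper) splits on whitespace but keeps a
// single-quoted run, quotes included, as one element.
func splitLdflags(s string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		if r == '\'' {
			inQuote = !inQuote
		}
		if !inQuote && strings.ContainsRune(" \t\n", r) {
			if cur.Len() > 0 {
				out = append(out, cur.String())
				cur.Reset()
			}
			continue
		}
		cur.WriteRune(r)
	}
	if cur.Len() > 0 { // last token; an unterminated quoted run is kept whole
		out = append(out, cur.String())
	}
	return out
}

// xFlags (hypothetical helper) collects key=value pairs passed with -X; other flags are ignored.
func xFlags(args []string) map[string]string {
	m := map[string]string{}
	for i := 0; i+1 < len(args); i++ {
		if k, v, ok := strings.Cut(strings.Trim(args[i+1], "'"), "="); args[i] == "-X" && ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	fmt.Printf("%q\n%q\n%v\n", strings.Fields(sample), splitLdflags(sample), xFlags(splitLdflags(sample)))
}
```
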


knqyf263 commented Feb 8, 2025

I ran go version -m on k3s, and it shows below.

-X github.com/k3s-io/k3s/pkg/version.Version=v1.28.6+k3s2 -X github.com/k3s-io/k3s/pkg/version.GitCommit=c9f49a3b -X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go1.20.13 -X k8s.io/client-go/pkg/version.gitVersion=v1.28.6+k3s2 -X k8s.io/client-go/pkg/version.gitCommit=c9f49a3b06cd7ebe793f8cc1dcd0293168e743d9 -X k8s.io/client-go/pkg/version.gitTreeState=clean -X k8s.io/client-go/pkg/version.buildDate=2024-02-06T01:58:54Z -X k8s.io/component-base/version.gitVersion=v1.28.6+k3s2 -X k8s.io/component-base/version.gitCommit=c9f49a3b06cd7ebe793f8cc1dcd0293168e743d9 -X k8s.io/component-base/version.gitTreeState=clean -X k8s.io/component-base/version.buildDate=2024-02-06T01:58:54Z -X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v1.26.0-rc.0-k3s1 -X github.com/containerd/containerd/version.Version=v1.7.11-k3s2 -X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd -X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=v1.3.0-k3s1 -X github.com/containernetworking/plugins/plugins/meta/flannel.Program=flannel -X github.com/containernetworking/plugins/plugins/meta/flannel.Version=v0.22.2 -X github.com/containernetworking/plugins/plugins/meta/flannel.Commit=HEAD -X github.com/containernetworking/plugins/plugins/meta/flannel.buildDate=2024-02-06T01:58:54Z -X github.com/cloudnativelabs/kube-router/v2/pkg/version.Version=v2.0.0-20230925161250-364f994b140b -X github.com/cloudnativelabs/kube-router/v2/pkg/version.BuildDate=2024-02-06T01:58:54Z -X github.com/Mirantis/cri-dockerd/cmd/version.Version=v0.3.4-k3s3 -X github.com/Mirantis/cri-dockerd/cmd/version.GitCommit=HEAD -X github.com/Mirantis/cri-dockerd/cmd/version.BuildTime=2024-02-06T01:58:54Z -X go.etcd.io/etcd/api/version.GitSHA=HEAD -w -s -extldflags -static -lm -ldl -lz -lpthread

Where did you see -extldflags '-static -lm -ldl -lz -lpthread'? I saw -extldflags -static -lm -ldl -lz -lpthread.
Regardless, we might be able to use https://github.com/google/shlex for splitting a string. This library is archived, but it looks mature.

pflag: help requested

I think this error occurs because -lpthread contains h. Disabling help or trimming h would help.


DmitriyLewen commented Feb 10, 2025

Settings from buildInfo contain quotes:

Image

Same as in build script - https://github.com/k3s-io/k3s/blob/34ae4da57ec4c81d1e62414a2c2fcb457498b3d5/scripts/build#L64

Disabling help

IIUC we can't disable help for github.com/spf13/pflag.

or trimming h

We check only -X flags, so it should work. (updated #8368 - 76f6a3c)

It seems that github.com/spf13/pflag correctly works with nested flags (but nested flags need to be quoted, so we can't use the shell package).
Do you see problems with this way?

@kerringtonwells

Wasn't sure where to add this feedback. Not trying to spam but I added it to the original bug as well.

@knqyf263 @DmitriyLewen
Still getting the ldflags error in version 0.59.1. I'm no longer seeing the pflag error from before:
(err="pflag: help requested")

Current execution logs:
[2025-02-13T14:30:54Z] [INFO] Running Trivy...
[2025-02-13T14:30:56Z] [INFO] [Trivy] Skipping namespace: 360-cloud-platforms

[2025-02-13T14:30:56Z] [INFO] [Trivy] Scanning namespace: cattle-fleet-clusters-system

[2025-02-13T14:31:01Z] [INFO] [Trivy] Scanning namespace: cattle-fleet-local-system

[2025-02-13T14:31:16Z] [INFO] [Trivy] Scanning namespace: cattle-fleet-system

[2025-02-13T14:31:32Z] [INFO] [Trivy] Scanning namespace: cattle-global-data

[2025-02-13T14:31:38Z] [INFO] [Trivy] Scanning namespace: cattle-global-nt

[2025-02-13T14:31:42Z] [INFO] [Trivy] Scanning namespace: cattle-impersonation-system

[2025-02-13T14:31:47Z] [INFO] [Trivy] Scanning namespace: cattle-provisioning-capi-system

[2025-02-13T14:31:56Z] [INFO] [Trivy] Scanning namespace: cattle-system
Usage of ldflags:
-X, -- stringToString (default [])
Usage of ldflags:
-X, -- stringToString (default [])
Usage of ldflags:
-X, -- stringToString (default [])

k exec -it trivy-scanner -n security-scanners -- sh

trivy --version
Version: 0.59.1
