Trivy not detecting vulnerabilities in out-of-date golang mono-binary scratch-based docker image

[tanguy-platsec]

Hi all :)

I've been working on some weird things lately, and crafted a scratch-based docker image containing only one simple go binary that prints Hello World.
This binary was compiled (by myself) using an old docker image (golang:1.16) and then copied into my useless docker image.

The main.go code:

package main

import "fmt"

func main() {
    fmt.Println("Hello Doctolib!")
}

My dockerfile:

FROM scratch
COPY ./main /main
ENTRYPOINT ["/main"]

When scanning this newly created docker image that simply prints Hello World, trivy does not detect anything, as the following outputs shows:

❯ trivy image gotest
2022-02-24T16:06:04.433+0100	INFO	Number of language-specific files: 1

But I also tried scanning the same image with twistcli and it detects that the compiler I used was out of date and that the go version 1.16 indeed had one known vulnerability.

I quickly tried to scan more complex images based on alpine containing golang binaries and trivy seems to detect all of the vulnerabilities in them, so I am curious to know if you had any idea about that, and why trivy does not detect the vulnerability in this case.

Thank you for your time !

---

EDIT: just in case you do not know about twistcli, here is the piece of docs I used
-> https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli_scan_images

[afdesk]

@TanguySeg thanks for your interest in trivy!
Could you show a vulnerability list (IDs) from twistcli?

[tanguy-platsec]

Thank you for your answer!

twistcli only detects the CVE-2021-29923, because it checks the go compiler version used to compile the binary contained in the image, as this mistake was fixed in go1.17.

[knqyf263]

Unfortunately, Trivy doesn't scan Go version for now. it scans dependencies of the binary only.

[tanguy-platsec]

Yup okay! Thank you for your answer!
Out of curiosity, is this feature something you want to add soon or not at all?