sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

Q. has any thought been given to scanning for core library vulnerabilities?

dnwe opened this issue · comments

  • What are you trying to do?

Detect Go binaries built against a given toolchain version for known vulnerabilities

  • What feature or behavior is this required for?

For core Go vulnerabilities such as CVE-2021-44716, which is fixed by rebuilding apps with Go 1.17.5 or 1.16.12, it would be useful if we could use nancy to scan pre-built Go binaries to determine what version of Go they were built against and then lookup that version in the OSS index

  • How could we solve this issue? (Not knowing is okay!)

Using something like rsc.io/goversion as a library to extract the Go version that was used from the debug info of the executable, and then lookup that version in the OSS index for any known vulnerabilities.

Note: this would rely on the Go toolchain being correctly listed and tracked in the OSS index. Whilst it does partially appear to be indexed here the versions and vulnerabilities listed there are not accurate.

Whilst I know currently nancy is more geared towards scanning go.mod pre-compilation to find vulnerabilities, I think it would also be useful if it could be used post-compilation to scan binaries. The obvious advantage is the one mentioned here (scanning for core Go vulns), but it is also worth pointing out that the module / dependency information is also available from the compiled binary and can be parsed (e.g., see mitchellh/golicense/module/module.go)

cc @bhamail / @DarthHater

Thinking about it, in this particular case (for the CVE mentioned) it is technically a fix on golang.org/x/net/http2 so should be detectable as a module issue, although I notice it's not tracked on https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/net/http2 atm
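The approach proposed above, as an added Go example that is not nancy's code: it reads the toolchain version and the module list out of a compiled binary with the standard `debug/buildinfo` package (Go 1.18+, used here in place of rsc.io/goversion) and checks the toolchain against the fixed releases named in this issue (go1.16.12 and go1.17.5). The fixed versions are hard-coded as an assumption for illustration rather than looked up in OSS Index, and `parseGoVersion`, `ToolchainPatched` and `InspectBinary` are names chosen for this example.

```go
package main

import (
	"debug/buildinfo"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.17.5", "go1.17" or "go1.18rc1" into [major minor patch],
// dropping any pre-release suffix (assumes release-form version strings).
func parseGoVersion(v string) (out [3]int) {
	for i, part := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		if j := strings.IndexFunc(part, func(r rune) bool { return r < '0' || r > '9' }); j >= 0 {
			part = part[:j] // "18rc1" -> "18"
		}
		out[i], _ = strconv.Atoi(part)
	}
	return out
}

// ToolchainPatched applies the fixed releases the issue names for CVE-2021-44716
// (go1.16.12 and go1.17.5), comparing numerically so go1.17.10 counts as newer than go1.17.5.
// Later release lines are assumed to carry the fix; earlier lines never got it and count as unpatched.
func ToolchainPatched(goVersion string) bool {
	v := parseGoVersion(goVersion)
	switch {
	case v[0] == 1 && v[1] == 16:
		return v[2] >= 12
	case v[0] == 1 && v[1] == 17:
		return v[2] >= 5
	default:
		return v[0] > 1 || v[1] > 17
	}
}

// InspectBinary reads the toolchain version and module list embedded in a compiled Go binary
// (the same data rsc.io/goversion and golicense parse by hand) as "path@version" strings
// ready for a package lookup in OSS Index.
func InspectBinary(path string) (goVersion string, deps []string, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", nil, err
	}
	for _, d := range bi.Deps {
		if d.Replace != nil { // a replace directive changes what was actually linked
			d = d.Replace
		}
		deps = append(deps, d.Path+"@"+d.Version)
	}
	return bi.GoVersion, deps, nil
}
```

Running `InspectBinary` over a release artifact and feeding `ToolchainPatched` the returned version gives the post-compilation check the issue asks for, without needing the source tree or go.mod.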

commented

Is there some way we can report the CVE to be included in the ossindex at sonatype and test if nancy correctly flags it ?