@@ -58,8 +58,17 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
5858
5959 ldflags := p .ldFlags (info .Settings )
6060 pkgs := make (ftypes.Packages , 0 , len (info .Deps )+ 2 )
61- pkgs = append (pkgs , []ftypes.Package {
62- {
61+ pkgs = append (pkgs , ftypes.Package {
62+ // Add the Go version used to build this binary.
63+ Name : "stdlib" ,
64+ Version : stdlibVersion ,
65+ Relationship : ftypes .RelationshipDirect , // Considered a direct dependency as the main module depends on the standard packages.
66+ })
67+
68+ // There are times when gobinaries don't contain Main information.
69+ // e.g. `Go` binaries (e.g. `go`, `gofmt`, etc.)
70+ if info .Main .Path != "" {
71+ pkgs = append (pkgs , ftypes.Package {
6372 // Add main module
6473 Name : info .Main .Path ,
6574 // Only binaries installed with `go install` contain semver version of the main module.
@@ -69,14 +78,8 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
6978 // See https://github.com/aquasecurity/trivy/issues/1837#issuecomment-1832523477.
7079 Version : cmp .Or (p .checkVersion (info .Main .Path , info .Main .Version ), p .ParseLDFlags (info .Main .Path , ldflags )),
7180 Relationship : ftypes .RelationshipRoot ,
72- },
73- {
74- // Add the Go version used to build this binary.
75- Name : "stdlib" ,
76- Version : stdlibVersion ,
77- Relationship : ftypes .RelationshipDirect , // Considered a direct dependency as the main module depends on the standard packages.
78- },
79- }... )
81+ })
82+ }
8083
8184 for _ , dep := range info .Deps {
8285 // binaries with old go version may incorrectly add module in Deps
0 commit comments