Handle GOEXPERIMENTs in go version (#2893)

* Handle GOEXPERIMENTs in go version

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>

* bump JSON schema

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>

internal/constants.go

@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.11"
+	JSONSchemaVersion = "16.0.12"
 )

schema/json/README.md

@@ -22,7 +22,7 @@ Given a version number format `MODEL.REVISION.ADDITION`:
 
 ## Adding a New `pkg.*Metadata` Type
 
-When adding a new `pkg.*Metadata` that is assigned to the `pkg.Package.Metadata` struct field you must add a test case to `test/integration/catalog_packages_cases_test.go` that exercises the new package type with the new metadata.
+When adding a new `pkg.*Metadata` that is assigned to the `pkg.Package.Metadata` struct field you must add a test case to `cmd/syft/internal/test/integration/catalog_packages_cases_test.go` that exercises the new package type with the new metadata.
 
 Additionally it is important to generate a new JSON schema since the `pkg.Package.Metadata` field is covered by the schema.
 

schema/json/schema-16.0.12.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.10/document",
+  "$id": "anchore.io/schema/syft/json/16.0.12/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -870,6 +870,12 @@
             "type": "string"
           },
           "type": "array"
+        },
+        "goExperiments": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
         }
       },
       "type": "object",
@@ -1973,6 +1979,21 @@
         },
         "directUrlOrigin": {
           "$ref": "#/$defs/PythonDirectURLOriginInfo"
+        },
+        "requiresPython": {
+          "type": "string"
+        },
+        "requiresDist": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        },
+        "providesExtra": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
         }
       },
       "type": "object",

schema/json/schema-latest.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.11/document",
+  "$id": "anchore.io/schema/syft/json/16.0.12/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -870,6 +870,12 @@
             "type": "string"
           },
           "type": "array"
+        },
+        "goExperiments": {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
         }
       },
       "type": "object",

syft/pkg/cataloger/golang/package.go

@@ -10,7 +10,7 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 )
 
-func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debug.Module, mainModule, goVersion, architecture string, buildSettings pkg.KeyValues, cryptoSettings []string, locations ...file.Location) pkg.Package {
+func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debug.Module, mainModule, goVersion, architecture string, buildSettings pkg.KeyValues, cryptoSettings, experiments []string, locations ...file.Location) pkg.Package {
 	if dep.Replace != nil {
 		dep = dep.Replace
 	}
@@ -35,6 +35,7 @@ func (c *goBinaryCataloger) newGoBinaryPackage(resolver file.Resolver, dep *debu
 			BuildSettings:     buildSettings,
 			MainModule:        mainModule,
 			GoCryptoSettings:  cryptoSettings,
+			GoExperiments:     experiments,
 		},
 	}
 

syft/pkg/cataloger/golang/parse_go_binary.go

@@ -91,14 +91,17 @@ func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file
 		if dep == nil {
 			continue
 		}
+
+		gover, experiments := getExperimentsFromVersion(mod.GoVersion)
 		p := c.newGoBinaryPackage(
 			resolver,
 			dep,
 			mod.Main.Path,
-			mod.GoVersion,
+			gover,
 			arch,
 			nil,
 			mod.cryptoSettings,
+			experiments,
 			location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 		)
 		if pkg.IsValid(&p) {
@@ -118,14 +121,16 @@ func (c *goBinaryCataloger) buildGoPkgInfo(resolver file.Resolver, location file
 
 func (c *goBinaryCataloger) makeGoMainPackage(resolver file.Resolver, mod *extendedBuildInfo, arch string, location file.Location, reader io.ReadSeekCloser) pkg.Package {
 	gbs := getBuildSettings(mod.Settings)
+	gover, experiments := getExperimentsFromVersion(mod.GoVersion)
 	main := c.newGoBinaryPackage(
 		resolver,
 		&mod.Main,
 		mod.Main.Path,
-		mod.GoVersion,
+		gover,
 		arch,
 		gbs,
 		mod.cryptoSettings,
+		experiments,
 		location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 	)
 
@@ -316,6 +321,23 @@ func getBuildSettings(settings []debug.BuildSetting) pkg.KeyValues {
 	return m
 }
 
+func getExperimentsFromVersion(version string) (string, []string) {
+	// See: https://github.com/anchore/grype/issues/1851
+	var experiments []string
+	version, rest, ok := strings.Cut(version, " ")
+	if ok {
+		// Assume they may add more non-version chunks in the future, so only look for "X:".
+		for _, chunk := range strings.Split(rest, " ") {
+			if strings.HasPrefix(rest, "X:") {
+				csv := strings.TrimPrefix(chunk, "X:")
+				experiments = append(experiments, strings.Split(csv, ",")...)
+			}
+		}
+	}
+
+	return version, experiments
+}
+
 func createMainModuleFromPath(path string) (mod debug.Module) {
 	mod.Path = path
 	mod.Version = devel

syft/pkg/cataloger/golang/parse_go_binary_test.go

@@ -908,6 +908,44 @@ func TestBuildGoPkgInfo(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "parse a mod with go experiments",
+			mod: &extendedBuildInfo{
+				BuildInfo: &debug.BuildInfo{
+					GoVersion: "go1.22.2 X:nocoverageredesign,noallocheaders,noexectracer2",
+					Main:      debug.Module{Path: "github.com/anchore/syft", Version: "(devel)"},
+					Settings: []debug.BuildSetting{
+						{Key: "GOARCH", Value: archDetails},
+						{Key: "GOOS", Value: "darwin"},
+						{Key: "GOAMD64", Value: "v1"},
+					},
+				},
+				cryptoSettings: nil,
+				arch:           archDetails,
+			},
+			expected: []pkg.Package{{
+				Name:     "github.com/anchore/syft",
+				Language: pkg.Go,
+				Type:     pkg.GoModulePkg,
+				Version:  "(devel)",
+				PURL:     "pkg:golang/github.com/anchore/syft@(devel)",
+				Locations: file.NewLocationSet(
+					file.NewLocationFromCoordinates(
+						file.Coordinates{
+							RealPath:     "/a-path",
+							FileSystemID: "layer-id",
+						},
+					).WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
+				),
+				Metadata: pkg.GolangBinaryBuildinfoEntry{
+					GoCompiledVersion: "go1.22.2",
+					Architecture:      archDetails,
+					BuildSettings:     defaultBuildSettings,
+					MainModule:        "github.com/anchore/syft",
+					GoExperiments:     []string{"nocoverageredesign", "noallocheaders", "noexectracer2"},
+				},
+			}},
+		},
 	}
 
 	for _, test := range tests {

syft/pkg/golang.go

@@ -8,6 +8,7 @@ type GolangBinaryBuildinfoEntry struct {
 	H1Digest          string    `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
 	MainModule        string    `json:"mainModule,omitempty" cyclonedx:"mainModule"`
 	GoCryptoSettings  []string  `json:"goCryptoSettings,omitempty" cyclonedx:"goCryptoSettings"`
+	GoExperiments     []string  `json:"goExperiments,omitempty" cyclonedx:"goExperiments"`
 }
 
 // GolangModuleEntry represents all captured data for a Golang source scan with go.mod/go.sum