feat: replace TinyGo with standard Go for WebAssembly modules (#8496)

.github/workflows/cache-test-images.yaml

@@ -57,10 +57,8 @@ jobs:
           go-version-file: go.mod
           cache: false
 
-      - name: Install tools
-        uses: aquaproj/aqua-installer@v3.1.1
-        with:
-          aqua_version: v1.25.0
+      - name: Install Go tools
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Generate image list digest
         if: github.ref_name == 'main'

.github/workflows/test.yaml

@@ -51,10 +51,7 @@ jobs:
         if: ${{ failure() && steps.lint.conclusion == 'failure' }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v3.1.1
-        with:
-          aqua_version: v1.25.0
-          aqua_opts: ""
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Check if CLI references are up-to-date
         run: |
@@ -136,10 +133,7 @@ jobs:
           cache: false
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v3.1.1
-        with:
-          aqua_version: v1.25.0
-          aqua_opts: ""
+        run: go install tool # GOBIN is added to the PATH by the setup-go action
 
       - name: Generate image list digest
         id: image-digest

docs/docs/advanced/modules.md

@@ -12,7 +12,7 @@ They provide a way to extend the core feature set of Trivy, but without updating
 
 - They can be added and removed from a Trivy installation without impacting the core Trivy tool.
 - They can be written in any programming language supporting WebAssembly.
-  - It supports only [TinyGo][tinygo] at the moment.
+  - It supports only Go at the moment.
 
 You can write your own detection logic.
 
@@ -94,9 +94,9 @@ $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
 ```
 
 ## Building Modules
-It supports TinyGo only at the moment.
+It supports Go only at the moment.
 
-### TinyGo
+### Go
 Trivy provides Go SDK including three interfaces.
 Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
 
@@ -113,7 +113,7 @@ type Analyzer interface {
 
 type PostScanner interface {
     PostScanSpec() serialize.PostScanSpec
-    PostScan(serialize.Results) (serialize.Results, error)
+    PostScan(types.Results) (types.Results, error)
 }
 ```
 
@@ -142,6 +142,9 @@ const (
     name = "wordpress-module"
 )
 
+// main is required for Go to compile the Wasm module
+func main() {}  
+
 type WordpressModule struct{
 	// Cannot define fields as modules can't keep state.
 }
@@ -203,7 +206,7 @@ func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, erro
     }
 
     return &serialize.AnalysisResult{
-        CustomResources: []serialize.CustomResource{
+        CustomResources: []ftypes.CustomResource{
             {
                 Type:     typeWPVersion,
                 FilePath: filePath,
@@ -246,7 +249,7 @@ func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
     }
 }
 
-func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
+func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
     // e.g. results
     // [
     //   {
@@ -288,7 +291,7 @@ func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, e
 
     if vulnerable {
         // Add CVE-2020-36326
-        results = append(results, serialize.Result{
+        results = append(results, types.Result{
             Target: wpPath,
             Class:  types.ClassLangPkg,
 			Type:   "wordpress",
@@ -318,10 +321,10 @@ In the `Delete` action, `PostScan` needs to return results you want to delete.
 If `PostScan` returns an empty, Trivy will not delete anything.
 
 #### Build
-Follow [the install guide][tinygo-installation] and install TinyGo.
+Follow [the install guide][go-installation] and install Go.
 
 ```bash
-$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
+$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
 ```
 
 Put the built binary to the module directory that is under the home directory by default.
@@ -347,12 +350,11 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
 
 [regexp]: https://github.com/google/re2/wiki/Syntax
 
-[tinygo]: https://tinygo.org/
 [spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
 [wazero]: https://github.com/tetratelabs/wazero
 
 [trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
 [trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
 
-[tinygo-installation]: https://tinygo.org/getting-started/install/
+[go-installation]: https://go.dev/doc/install
 [oras]: https://oras.land/cli/

examples/module/spring4shell/README.md

@@ -5,7 +5,7 @@ This module provides a more in-depth investigation of Spring4Shell detection.
 ## Set up
 
 ```
-$ tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go 
+$ GOOS=wasip1 GOARCH=wasm go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go 
 $ mkdir -p ~/.trivy/modules
 $ cp spring4shell.wasm ~/.trivy/modules
 ```

examples/module/spring4shell/spring4shell.go

@@ -1,5 +1,5 @@
-//go:generate tinygo build -o spring4shell.wasm -target=wasip1 --buildmode=c-shared spring4shell.go
-//go:build tinygo.wasm
+//go:generate go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go
+//go:build wasip1
 
 package main
 
@@ -13,9 +13,11 @@ import (
 	"strconv"
 	"strings"
 
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/module/api"
 	"github.com/aquasecurity/trivy/pkg/module/serialize"
 	"github.com/aquasecurity/trivy/pkg/module/wasm"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 const (
@@ -29,6 +31,9 @@ var (
 	tomcatVersionRegex = regexp.MustCompile(`Apache Tomcat Version ([\d.]+)`)
 )
 
+// main is required for Go to compile the Wasm module
+func main() {}
+
 func init() {
 	wasm.RegisterModule(Spring4Shell{})
 }
@@ -94,7 +99,7 @@ func (Spring4Shell) parseJavaRelease(f *os.File, filePath string) (*serialize.An
 	}
 
 	return &serialize.AnalysisResult{
-		CustomResources: []serialize.CustomResource{
+		CustomResources: []ftypes.CustomResource{
 			{
 				Type:     TypeJavaMajor,
 				FilePath: filePath,
@@ -116,7 +121,7 @@ func (Spring4Shell) parseTomcatReleaseNotes(f *os.File, filePath string) (*seria
 	}
 
 	return &serialize.AnalysisResult{
-		CustomResources: []serialize.CustomResource{
+		CustomResources: []ftypes.CustomResource{
 			{
 				Type:     TypeTomcatVersion,
 				FilePath: filePath,
@@ -221,7 +226,7 @@ func (Spring4Shell) PostScanSpec() serialize.PostScanSpec {
 //	}
 //
 // ]
-func (Spring4Shell) PostScan(results serialize.Results) (serialize.Results, error) {
+func (Spring4Shell) PostScan(results types.Results) (types.Results, error) {
 	var javaMajorVersion int
 	var tomcatVersion string
 	for _, result := range results {

go.mod

@@ -421,11 +421,7 @@ require (
 )
 
 require (
-	github.com/STARRY-S/zip v0.2.1 // indirect
-	github.com/adrg/xdg v0.5.3 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
-	github.com/andybalholm/brotli v1.1.1 // indirect
-	github.com/aquaproj/aqua/v2 v2.45.0 // indirect
 	github.com/aws/aws-sdk-go v1.55.6 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
@@ -437,55 +433,20 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
-	github.com/bahlo/generic-list-go v0.2.0 // indirect
-	github.com/bodgit/plumbing v1.3.0 // indirect
-	github.com/bodgit/sevenzip v1.6.0 // indirect
-	github.com/bodgit/windows v1.0.1 // indirect
-	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
-	github.com/expr-lang/expr v1.16.9 // indirect
-	github.com/forPelevin/gomoji v1.3.0 // indirect
-	github.com/gdamore/encoding v1.0.0 // indirect
-	github.com/gdamore/tcell/v2 v2.6.0 // indirect
 	github.com/google/go-github/v31 v31.0.0 // indirect
-	github.com/google/go-github/v69 v69.2.0 // indirect
 	github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
 	github.com/google/subcommands v1.2.0 // indirect
-	github.com/invopop/jsonschema v0.13.0 // indirect
-	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3 // indirect
-	github.com/ktr0731/go-ansisgr v0.1.0 // indirect
-	github.com/ktr0731/go-fuzzyfinder v0.8.0 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/mholt/archives v0.1.0 // indirect
-	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
-	github.com/nsf/termbox-go v1.1.1 // indirect
-	github.com/nwaples/rardecode/v2 v2.0.0-beta.4.0.20241112120701-034e449c6e78 // indirect
 	github.com/oklog/ulid/v2 v2.1.0 // indirect
-	github.com/otiai10/copy v1.14.1 // indirect
-	github.com/otiai10/mint v1.6.3 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/samber/oops v1.15.0 // indirect
-	github.com/schollz/progressbar/v3 v3.18.0 // indirect
-	github.com/sorairolake/lzip-go v0.3.5 // indirect
-	github.com/suzuki-shunsuke/go-error-with-exit-code v1.0.0 // indirect
-	github.com/suzuki-shunsuke/go-findconfig v1.2.0 // indirect
-	github.com/suzuki-shunsuke/go-osenv v0.1.0 // indirect
-	github.com/suzuki-shunsuke/logrus-error v0.1.4 // indirect
-	github.com/suzuki-shunsuke/urfave-cli-help-all v0.0.4 // indirect
-	github.com/therootcompany/xz v1.0.1 // indirect
 	github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d // indirect
-	github.com/urfave/cli/v2 v2.27.5 // indirect
-	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
-	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	sigs.k8s.io/kind v0.19.0 // indirect
 )
 
 tool (
-	github.com/aquaproj/aqua/v2/cmd/aqua
 	github.com/google/wire/cmd/wire
 	github.com/knqyf263/labeler
 	github.com/magefile/mage