# Go Modules & Binaries

## StellaOps implementation
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/GoLanguageAnalyzer.cs` scans executables for Go build info (`module.Version`, `build Settings`) and reads DWARF metadata when available.
- Captures full module graphs (main + dependencies) with PURLs; for stripped binaries, falls back to hashed component keys via `GoBinaryScanner.TryClassifyStrippedBinary`.
- Metadata records Go toolchain settings, build IDs, and replacements; evidence references binary paths and entrypoint usage (`LanguageAnalyzerContext.UsageHints`).
- Ensures deterministic ordering and retains hashed fallback components for binaries lacking Go metadata.

## Trivy implementation
- Analyzer registry includes `pkg/fanal/analyzer/language/golang/binary/binary.go` (Go binaries) and `.../mod/mod.go` (`go.mod` + `go.sum`).
- Binary parser utilises `pkg/dependency/parser/golang/binary` to extract module data; non-Go or unrecognised binaries return nil without fallback components.
- Module analyzer parses dependency requirements and classifies direct vs indirect modules but does not capture runtime usage or binary hashes.

## Snyk implementation
- `src/lib/plugins/index.ts` dispatches Go projects to `snyk-go-plugin` (golangdep, gomodules, govendor).[s1]
- CLI scans require authenticated connectivity and send dependency graphs to Snyk’s SaaS backend (`snyk test`, `snyk monitor`) for analysis; binaries are not inspected locally.[s2]
- No fallback hashing or runtime usage metadata accompanies the results.

## Grype implementation
- SBOM generation via Syft feeds Go modules/binaries into Grype (`grype/pkg/syft_provider.go`).
- The Go matcher consumes `syftPkg.GoModulePkg`, applying ecosystem+/-CPE logic and skipping binaries with pseudo-version metadata when build info is insufficient (`grype/matcher/golang/matcher.go`).
- No fallback hashing beyond Syft’s catalog; runtime usage and DWARF metadata are not surfaced.

## Key differences
- **Fallback handling**: StellaOps emits explicit hashed components when build info is missing; Trivy and Grype skip binaries without usable metadata.
- **Runtime linkage**: StellaOps ties modules to binary paths and EntryTrace usage; Trivy, Snyk, and Grype output inventory without execution context.
- **Build metadata**: StellaOps records DWARF/VCS settings; Trivy, Snyk, and Grype rely on module info exposed by their parsers without extended metadata.

### References
- [s1] `/tmp/snyk-cli/src/lib/plugins/index.ts`
- [s2] `/tmp/snyk-cli/README.md`