The upstream go-scanner that we're based on top of, cyclonedx-gomod, is currently (in its v1.9.0) bundling GoLang v1.23.4. #619

Open
flyingwish opened this issue Mar 11, 2025 · 1 comment

@flyingwish

Hello,

We use Go Scanner, which is a mirror of cyclonedx/cyclonedx-gomod and
provides the cyclonedx-gomod scanner for use in pipelines on
our company GitLab repository.

When the Go scanner image is used to generate the golang_create_bom job, the create job gives an error with "go: go.mod requires go >= 1.23.5 (running go 1.23.4; GOTOOLCHAIN=local)", where you can also find its payload in the screenshot below, in line 48.

Image

Image

As far as I have seen, you have already updated here, but didn't release yet.

Could you support us on this issue?
Regards,
Dilek

@nscuro
Member

nscuro commented Mar 11, 2025

I strongly suggest not running cyclonedx-gomod in a container image in this case. You'll have a much easier time simply invoking the binary directly, or putting the binary in whatever base image your org uses for Go applications. Otherwise you're needlessly restricting yourself when it comes to which Go versions your applications can use.

Also, as noted here:

When using the app command, please keep in mind that the Go version may influence module selection.
We generally recommend using a precompiled binary and running it in the same environment in which you're building your application in.
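
Added example (not from the issue thread or the cyclonedx-gomod project): a pre-flight check a pipeline could run before the SBOM step, comparing the `go` directive in go.mod with the toolchain in the job's environment so a mismatch like the one reported fails with a clear message. The function names and the sample go.mod are constructed for illustration, and only plain numeric versions (for example 1.23.5) are handled.

```shell
#!/bin/sh
# Constructed sample go.mod (hypothetical module, not from the issue).
sample_gomod() {
    cat <<'EOF'
module example.com/constructed/app

go 1.23.5

require github.com/google/uuid v1.6.0
EOF
}

# Print the version named by the "go" directive of go.mod file $1.
gomod_required_version() {
    awk '$1 == "go" && $2 ~ /^[0-9]+(\.[0-9]+)*$/ { print $2; exit }' "$1"
}

# Succeed when version $1 >= version $2 (major.minor[.patch], numeric only).
version_ge() {
    a=$(printf '%s' "$1" | awk -F. '{ printf "%d%04d%04d", $1, $2, $3 }')
    b=$(printf '%s' "$2" | awk -F. '{ printf "%d%04d%04d", $1, $2, $3 }')
    [ "$a" -ge "$b" ]
}

# Return 0 if toolchain version $2 satisfies go.mod $1, 1 if it is too old,
# 2 if no go directive could be read.
toolchain_satisfies() {
    required=$(gomod_required_version "$1")
    [ -n "$required" ] || return 2
    version_ge "$2" "$required"
}

# Pipeline entry point: compare go.mod $1 with the Go found on PATH.
# "go env GOVERSION" prints e.g. "go1.23.4"; the "go" prefix is stripped.
preflight() {
    have=$(go env GOVERSION | sed 's/^go//')
    if toolchain_satisfies "$1" "$have"; then
        echo "ok: go $have satisfies go.mod ($(gomod_required_version "$1"))"
    else
        echo "go.mod requires go >= $(gomod_required_version "$1"), environment has go $have" >&2
        return 1
    fi
}
```

Calling `preflight go.mod` in the same image that builds the application, before invoking the cyclonedx-gomod binary there, keeps the SBOM step on the Go version the build actually uses.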
