Support extracting go dependencies from test binaries

[audunmo]

What would you like to be added:

Test binaries, generated using go test -c path/to/package_test.go, seem to contain dependency information. I would like to be able to analyze these

Why is this needed:

I'm working on Syft-based SBOM tooling for a go monorepo. One of the things I'm attempting to achieve is to seperate out SBOMs per service, and additionally produce an SBOM for the tests of each service. The idea is to help devs with understanding if a given package update is going to affect a service, a test, or both

Additional context:

Running go tool nm ./package.test I see output like:

... lots of similar lines
metadata.test:  14c90e0 T type:.eq.google.golang.org/protobuf/encoding/protojson.MarshalOptions
... lots of similar lines

So to me, it seems like this is doable, though it seems to not be supported today

[spiffcs]

👍 Thanks for the issue @audunmo - I've added this to the tools backlog so that anyone can go and pick this up.

Developer note:
Here is the documentation for the nm command. The implementer can probably follow the above docs to see how we can pull symbol information and catalog a compiled go test.

To be determined - how can we get the version of the package found above:

google.golang.org/protobuf/encoding/protojson