Parse java php nodejs binary version

[laurentdelosieresmano]

Hello,

This PR parses the versions of standalone binaries (PHP / Java / Node.js) that are extracted from tarballs and not packages. Let me know if you wish to add more conditions to avoid false positives. Unfortunately, the filename was not passed to the "Parse()" function; otherwise, I could have added an extra condition on the filename (e.g. if the file starts with "java", or "node").

This resolves aquasecurity/trivy#1064.

Best,
Laurent

[bhbitter]

What is the status of merging this feature? I have the same issue where trivy doesn't report the vulnerable version of nodejs.

[CLAassistant]

All committers have signed the CLA.

[dasmfm]

This PR could be really useful, right now trivy can't detect that, i.e., PHP version contains vulnerabilities.

trivy image php:8.1.16-zts-alpine3.17 - no php in output

But there are some in PHP 8.1.16:
https://nvd.nist.gov/vuln/detail/CVE-2023-3824

[kovacs-levent]

Same is also happening for Python binaries, this feature of scanning standalone binaries would be helpful in general... Encountered the issue while generating SBOMs with trivy aquasecurity/trivy#6457.