Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attempt to extract go main module versions from available ldflags #1785

Closed
wagoodman opened this issue May 4, 2023 · 1 comment · Fixed by #1832
Closed

Attempt to extract go main module versions from available ldflags #1785

wagoodman opened this issue May 4, 2023 · 1 comment · Fixed by #1832
Assignees
Labels
ecosystem:go relating to the golang ecosystem enhancement New feature or request

Comments

@wagoodman
Copy link
Contributor

What would you like to be added:
(from anchore/grype#1167 (comment) and conversations from @westonsteimel )

Go modules cannot yet represent the main module version in a standard way golang/go#29228 . This would allow syft to be able to attempt to extract semantic versions for main applications where today we are surfacing output like v0.0.0-20221108103842-64017e8ca682.

But we do have access to ldflags, which is a common way to bake in the version at build time:

{
   "id": "e0096f6e58724f2e",
   "name": "github.com/grafana/grafana",
   "version": "v0.0.0-20221108103842-64017e8ca682",
   "type": "go-module",
   "foundBy": "go-module-binary-cataloger",
   "locations": [
    {
     "path": "/usr/share/grafana/bin/grafana-cli",
     "layerID": "sha256:245c77c48e91231cb9493c35992535f049af4cfa20a2300cf872fa1ed28d0133"
    }
   ],
   "licenses": [],
   "language": "go",
   "cpes": [
    "cpe:2.3:a:grafana:grafana:v0.0.0-20221108103842-64017e8ca682:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:golang/github.com/grafana/grafana@v0.0.0-20221108103842-64017e8ca682",
   "metadataType": "GolangBinMetadata",
   "metadata": {
    "goBuildSettings": {
     "-compiler": "gc",
     "-ldflags": "-linkmode=external -extldflags=-static -w -X main.version=9.2.4 -X main.commit=64017e8ca6 -X main.buildstamp=1667903922 -X main.buildBranch=HEAD",
     "CGO_CFLAGS": "",
     "CGO_CPPFLAGS": "",
     "CGO_CXXFLAGS": "",
     "CGO_ENABLED": "1",
     "CGO_LDFLAGS": "",
     "GOAMD64": "v1",
     "GOARCH": "amd64",
     "GOOS": "linux",
     "vcs": "git",
     "vcs.modified": "false",
     "vcs.revision": "64017e8ca6825b79a2acb887a1c1d9088e47ed72",
     "vcs.time": "2022-11-08T10:38:42Z"
    },
    "goCompiledVersion": "go1.19.3",
    "architecture": "amd64",
    "mainModule": "github.com/grafana/grafana"
   }
  },

From "-ldflags": "-linkmode=external -extldflags=-static -w -X main.version=9.2.4 -X main.commit=64017e8ca6 -X main.buildstamp=1667903922 -X main.buildBranch=HEAD", it would be ideal to be able to extract 9.2.4 such that the version in pkg.Package could be more accurate.

This does not cover all approaches where version is baked into an application, but again, this is a fairly common pattern.

Since this would be inherently a fuzzy process there should be a way via application configuration to opt out of this.

Why is this needed:
This would tremendously help vulnerability matching downstream of syft and allow for more accurate SBOMs to be generated.

Additional context:

@westonsteimel prototype branch: https://github.com/anchore/syft/compare/extract-go-binary-versions-from-known-build-flags

@wagoodman wagoodman added the enhancement New feature or request label May 4, 2023
@wagoodman wagoodman added the ecosystem:go relating to the golang ecosystem label May 16, 2023
@wagoodman
Copy link
Contributor Author

this regex might work better \.(git)?[vV]ersion=(\S+\/)*(?<Version>v?\d+.\d+.\d+[-+\S]*), but not a lot of time yet to dig too deep. Saving for posterity.

@wagoodman wagoodman self-assigned this May 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ecosystem:go relating to the golang ecosystem enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant