Open wallyqs opened 8 months ago
Thanks ok I see now there are a couple of TODOs so this is a known issue: https://github.com/golang/go/blob/d252fdd630a51db206194b3c41c3d036fdd6f48a/src/cmd/go/internal/load/pkg.go#L2336
Maybe just whitelisting -X main.version
which is what sbom tooling like syft uses to detect a go build
version might be sufficient?
CC @bcmills, @matloob.
@wallyqs if you'd like to make progress on that TODO, you're welcome to send a fix! 🙃 (https://go.dev/doc/contribute)
I don't think we should add a special case for -X main.version
, though. This is a general problem and ought to have a general solution.
Change https://go.dev/cl/536795 mentions this issue: cmd/go: add -ldflags to build metadata when CGO is disabled
What about removing -ldflags
only if it contains a path separator (/
, \
)?
What about having special info in buildinfo to mention that -ldflags
was used for build but is omitted there?
@dolmen, I think the right solution here is probably to parse the ldflags
and replace absolute references in flags with with environment variables when possible (such as $GOROOT
or $GOPATH
or $GOMODCACHE
).
On the other hand, if we can't identify a specific variable that refers to the path passed in -ldflags
then I'm not sure what we should do about it. 🤔
Is go build
protected against shell injection via -ldflags
?
I'm thinking about the case where a tool that rebuilds binaries would take the raw ldflags value from a binary and pass it to go build
...
go build
disallows many flags in #cgo
directives (search for CGO_CFLAGS_ALLOW
in https://pkg.go.dev/cmd/cgo). I don't know whether the -ldflags
flag itself has those protections.
Change https://go.dev/cl/582055 mentions this issue: cmd/go: report trimpath erasing ldflags, and allow override
Hi, I am proposing to add a flag to allow override, and emit ldflags despite trimpath active.
Another option is to a heuristic to allow ldflags..... as long as it doesn't have any slashes.
Separately, other commands allow substituting prefixes, so maybe an option to regexp substitute things in ldflags would work too?
@matloob requested to discuss this further, so happy to discuss more.
Note, that my proposal to override ldflags should not result in any detrimental behavour w.r.t. reproducible builds by default.
@matloob which one of the above solutions are desired? the currently proposed PR addresses the outstanding TODO.
@matloob @michaelmatloob any comments?
I think the best option is to do what the TODO suggests and what Bryan suggested in https://github.com/golang/go/issues/63432#issuecomment-1805916772 and parse the ldflags to see if it contains known paths.
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
What did you expect to see?
What did you see instead?