nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0
15.65k stars 1.39k forks

Use the tag name for the version on release #5599

Closed LaurentGoderre closed 2 months ago

LaurentGoderre commented 3 months ago

Use the tag name for the version on release. This also makes the version easier to detect in scanners such as Syft. Otherwise the version that gets detected is listed as (devel).

Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>

wallyqs commented 3 months ago

Thanks for the contribution. I think this would make syft recognize the version, but we use --trimpath during the release and that removes the ldflags in Go at the moment due to this issue: https://github.com/golang/go/issues/63432. I think it would still show as (devel) after including the changes on a release (unless we stop using the --trimpath option).

LaurentGoderre commented 3 months ago

The way it is done we can do cat nats-server | grep -aPo '\x00[0-9]+\.[0-9]+\.[0-9]+\x00' to extract the version

wallyqs commented 3 months ago

Thanks, I see. OK, looks like more recent syft has been able to work around the issue of ldflags. Confirmed locally:

$ go build --trimpath -ldflags="-X github.com/nats-io/nats-server/v2/server.serverVersion=2.10.17" .
$ syft nats-server
NAME                               VERSION   TYPE        
github.com/klauspost/compress      v1.17.9   go-module    
github.com/minio/highwayhash       v1.0.2    go-module    
github.com/nats-io/jwt/v2          v2.5.7    go-module    
github.com/nats-io/nats-server/v2  2.10.17   go-module    
github.com/nats-io/nkeys           v0.4.7    go-module    
github.com/nats-io/nuid            v1.0.1    go-module    
go.uber.org/automaxprocs           v1.5.3    go-module    
golang.org/x/crypto                v0.24.0   go-module    
golang.org/x/time                  v0.5.0    go-module    
stdlib                             go1.22.4  go-module  

Although go version still shows as (devel), syft found it in an alternative way now:

$ go version -m nats-server
nats-server: go1.22.4
    path    github.com/nats-io/nats-server/v2
    mod github.com/nats-io/nats-server/v2   (devel) 
    dep github.com/klauspost/compress   v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
    dep github.com/minio/highwayhash    v1.0.2  h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
    dep github.com/nats-io/jwt/v2   v2.5.7  h1:j5lH1fUXCnJnY8SsQeB/a/z9Azgu2bYIDvtPVNdxe2c=
    dep github.com/nats-io/nkeys    v0.4.7  h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI=
    dep github.com/nats-io/nuid v1.0.1  h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
    dep go.uber.org/automaxprocs    v1.5.3  h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
    dep golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
    dep golang.org/x/time   v0.5.0  h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
    build   -buildmode=exe
    build   -compiler=gc
    build   -trimpath=true
    build   DefaultGODEBUG=httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
    build   CGO_ENABLED=1
    build   GOARCH=arm64
    build   GOOS=darwin
    build   vcs=git
    build   vcs.revision=e99bb7010424bd7446b34c307ff9b0b03e918343
    build   vcs.time=2024-06-26T20:19:13Z
    build   vcs.modified=true
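
The check described in this comment and the grep before it, as an added Go example that is not part of the thread or of the nats-server code base: trust the mod line of go version -m unless it is (devel), otherwise fall back to NUL-delimited version strings in the binary. The function names, the rule of accepting the fallback only when a single candidate exists, and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
)

// Bare MAJOR.MINOR.PATCH, the same shape the grep in the thread looks for.
var semver = regexp.MustCompile(`^[0-9]+\.[0-9]+\.[0-9]+$`)

// modVersion returns the main-module version from `go version -m` text, or "".
func modVersion(goVersionM string) string {
	for _, line := range strings.Split(goVersionM, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "mod" {
			return f[2]
		}
	}
	return ""
}

// nulDelimitedVersions lists distinct NUL-delimited semver strings in data.
// Splitting on NUL also catches two candidates that share one NUL byte.
func nulDelimitedVersions(data []byte) []string {
	parts := bytes.Split(data, []byte{0})
	seen := map[string]bool{}
	var out []string
	for i := 1; i < len(parts)-1; i++ { // first and last part lack a NUL on one side
		if s := string(parts[i]); semver.Match(parts[i]) && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// resolveVersion prefers build info; a scan result is used only if unambiguous.
func resolveVersion(goVersionM string, binary []byte) (version, source string) {
	if v := modVersion(goVersionM); v != "" && v != "(devel)" {
		return v, "buildinfo"
	}
	if c := nulDelimitedVersions(binary); len(c) == 1 {
		return c[0], "nul-scan"
	}
	return "", "unresolved"
}

func main() {
	blob := []byte("\x7fELF\x00server\x002.10.17\x00v1.17.9\x00") // constructed bytes, not a real binary
	fmt.Println(resolveVersion("\tmod\tgithub.com/nats-io/nats-server/v2\t(devel)\t\n", blob))
}
```

An "unresolved" result means the binary carries either no bare version string or more than one, so the value should come from release metadata instead of a guess.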

LaurentGoderre commented 2 months ago

@derekcollison can I get an updated review?

LaurentGoderre commented 2 months ago

@wallyqs I created what I believe is a more comprehensive solution. The first pass made the version searchable but still required some manual intervention in Syft. The new implementation (using version.Version) gets it picked up automatically. This makes the version management in line with other popular golang binaries like prometheus https://github.com/anchore/syft/blob/37245a21ccb99d4195b414beb06b0c8433bfa97b/syft/pkg/cataloger/golang/parse_go_binary_test.go#L1034C11-L1038

wallyqs commented 2 months ago

@LaurentGoderre thanks again for the PR and raising the issue. I would rather not remove the VERSION constant and instead introduce less breaking changes if possible to help syft detect the version from the metadata. I have opened the following PR based on yours, which I think will help add the version for syft, for now relying on it extracting the info from the binary: https://github.com/nats-io/nats-server/pull/5650. In the future I think the right fix would be that the ldflags metadata is not removed during the go build so that it is present via go version -m (meaning this issue is addressed: https://github.com/golang/go/issues/63432).

LaurentGoderre commented 2 months ago

Closing in favor of https://github.com/nats-io/nats-server/pull/5650