Closed LaurentGoderre closed 2 months ago
Thanks for the contribution, I think this would make syft recognize the version but we use --trimpath during the release and that removes the ldflags in Go at the moment due to this issue: https://github.com/golang/go/issues/63432
I think it would still show as (devel) after including the changes on a release (unless we stop using the --trimpath option)
The way it is done we can do cat nats-server| grep -aPo '\x00[0-9]+\.[0-9]+\.[0-9]+\x00' to extract the version
Thanks I see, ok looks like more recent syft has been able to work around the issue of ldflags. Confirmed locally:
$ go build --trimpath -ldflags="-X github.com/nats-io/nats-server/v2/server.serverVersion=2.10.17" .
$ syft nats-server
NAME VERSION TYPE
github.com/klauspost/compress v1.17.9 go-module
github.com/minio/highwayhash v1.0.2 go-module
github.com/nats-io/jwt/v2 v2.5.7 go-module
github.com/nats-io/nats-server/v2 2.10.17 go-module
github.com/nats-io/nkeys v0.4.7 go-module
github.com/nats-io/nuid v1.0.1 go-module
go.uber.org/automaxprocs v1.5.3 go-module
golang.org/x/crypto v0.24.0 go-module
golang.org/x/time v0.5.0 go-module
stdlib go1.22.4 go-module
although go version still shows as (devel) but syft found it in an alternative way now:
go version -m nats-server
nats-server: go1.22.4
path github.com/nats-io/nats-server/v2
mod github.com/nats-io/nats-server/v2 (devel)
dep github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
dep github.com/minio/highwayhash v1.0.2 h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
dep github.com/nats-io/jwt/v2 v2.5.7 h1:j5lH1fUXCnJnY8SsQeB/a/z9Azgu2bYIDvtPVNdxe2c=
dep github.com/nats-io/nkeys v0.4.7 h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI=
dep github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
dep go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
dep golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
dep golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
build -buildmode=exe
build -compiler=gc
build -trimpath=true
build DefaultGODEBUG=httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
build CGO_ENABLED=1
build GOARCH=arm64
build GOOS=darwin
build vcs=git
build vcs.revision=e99bb7010424bd7446b34c307ff9b0b03e918343
build vcs.time=2024-06-26T20:19:13Z
build vcs.modified=true
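Added example, not part of the thread and not nats-server or syft code: a Go program that parses `go version -m` output like the listing above and reports why a scanner limited to the embedded build info would see (devel). The names `Parse`, `Findings` and `sample` are hypothetical, and the sample text is constructed from the listing.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample, abbreviated from the `go version -m` listing in the thread.
const sample = `nats-server: go1.22.4
 mod github.com/nats-io/nats-server/v2 (devel)
 build -trimpath=true
 build vcs.modified=true
`

// Parse returns the main module version and the "build key=value" settings.
func Parse(out string) (version string, settings map[string]string) {
	settings = map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line) // fields may be tab- or space-separated
		switch {
		case len(f) >= 3 && f[0] == "mod":
			version = f[2]
		case len(f) >= 2 && f[0] == "build":
			rest := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "build"))
			k, v, _ := strings.Cut(rest, "=")
			settings[k] = v
		}
	}
	return version, settings
}

// Findings lists version and provenance gaps a scanner reading only build info would hit.
func Findings(out string) []string {
	version, s := Parse(out)
	var res []string
	if version == "" || version == "(devel)" {
		res = append(res, "main module version is (devel)")
	}
	if _, ok := s["-ldflags"]; !ok {
		res = append(res, "no -ldflags recorded: an -X version is absent from build info")
	}
	if s["vcs.modified"] == "true" {
		res = append(res, "built from a modified working tree")
	}
	return res
}

func main() {
	fmt.Println(strings.Join(Findings(sample), "\n"))
}
```

Feeding it the real output of `go version -m` on a release artifact gives a quick pre-publish check that the binary carries a version a scanner can read.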
@derekcollison can I get an updated review?
@wallyqs I created what I believe is a more comprehensive solution. The first pass made the version searchable but still required some manual intervention in Syft. The new implementation (using version.Version) gets it picked up automatically. This makes the version management in line with other popular golang binaries like prometheus https://github.com/anchore/syft/blob/37245a21ccb99d4195b414beb06b0c8433bfa97b/syft/pkg/cataloger/golang/parse_go_binary_test.go#L1034C11-L1038
@LaurentGoderre thanks again for the PR and raising the issue, I would rather not remove the VERSION constant and instead introduce less breaking changes if possible to help syft detect the version from the metadata. I have opened the following PR based on yours which I think will help add the version for syft for now relying on it extracting the info from the binary: https://github.com/nats-io/nats-server/pull/5650
In the future I think the right fix would be that the ldflags metadata is not removed during the go build so that it is present via go version -m (meaning this issue is addressed: https://github.com/golang/go/issues/63432)
Closing in favor of https://github.com/nats-io/nats-server/pull/5650
Use the tag name for the version on release. This also makes the version easier to detect in scanners such as Syft. Otherwise the version that gets detected is listed as (devel).
Signed-off-by: Laurent Goderre laurent.goderre@docker.com