What would you like to be added:
(from anchore/grype#1167 (comment) and conversations from @westonsteimel)
Go modules cannot yet represent the main module version in a standard way (golang/go#29228). This would allow syft to be able to attempt to extract semantic versions for main applications where today we are surfacing output like v0.0.0-20221108103842-64017e8ca682.
But we do have access to ldflags, which is a common way to bake in the version at build time:
From "-ldflags": "-linkmode=external -extldflags=-static -w -X main.version=9.2.4 -X main.commit=64017e8ca6 -X main.buildstamp=1667903922 -X main.buildBranch=HEAD", it would be ideal to be able to extract 9.2.4 such that the version in pkg.Package could be more accurate.
This does not cover all approaches where version is baked into an application, but again, this is a fairly common pattern.
Since this would be inherently a fuzzy process there should be a way via application configuration to opt out of this.
Why is this needed:
This would tremendously help vulnerability matching downstream of syft and allow for more accurate SBOMs to be generated.
Additional context:
@westonsteimel prototype branch: https://github.com/anchore/syft/compare/extract-go-binary-versions-from-known-build-flags

This regex might work better: \.(git)?[vV]ersion=(\S+\/)*(?<Version>v?\d+.\d+.\d+[-+\S]*), but not a lot of time yet to dig too deep. Saving for posterity.
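The following is an added example, not syft's code and not the prototype branch linked above. It shows one way to do what the issue and the regex comment describe: parse the -ldflags value recorded in a Go binary's build info, pick out -X assignments whose variable is named version or gitVersion (case-insensitively, with the same optional slash-prefixed value the proposed regex allows), validate that the value actually looks like a semver, and only then prefer it over a pseudo-version or "(devel)" main-module version. The function names, the opt-out boolean and the extra ldflags samples (the k8s.io and github.com/acme paths) are assumptions made for illustration; the only input taken from the page is the quoted -ldflags string.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical shapes of version assignments handled here (illustrative, not syft's matcher):
//   -X main.version=9.2.4
//   -X=github.com/acme/tool/internal/version.Version=release/v1.2.3
//   -X 'k8s.io/component-base/version.gitVersion=v1.25.4'
// The variable name must be exactly version or gitVersion (any case) after the last dot;
// main.appVersion or main.commit are deliberately not considered.
var versionVarRe = regexp.MustCompile(`(?i)^(?:[^=\s]+\.)?(?:git)?version$`)

// semverValueRe allows an optional path prefix (release/9.2.4) and a v-optional
// major.minor.patch core with any pre-release/build suffix. Dots are escaped so that
// "9x2y4" style junk is rejected; the capture group is the version itself.
var semverValueRe = regexp.MustCompile(`^(?:\S+/)*(v?\d+\.\d+\.\d+[-+\S]*)$`)

// pseudoVersionRe matches Go pseudo-versions such as v0.0.0-20221108103842-64017e8ca682.
var pseudoVersionRe = regexp.MustCompile(`^v0\.0\.0-\d{14}-[0-9a-f]{12}$`)

// ldflagsTokens splits an -ldflags string on whitespace and strips surrounding quotes.
// Quoted values that themselves contain spaces are out of scope for this example.
func ldflagsTokens(ldflags string) []string {
	fields := strings.Fields(ldflags)
	for i, f := range fields {
		fields[i] = strings.Trim(f, `'"`)
	}
	return fields
}

// xAssignments returns the key=value pairs passed via -X, in the order they appear,
// accepting both "-X key=value" and "-X=key=value".
func xAssignments(tokens []string) [][2]string {
	var out [][2]string
	for i := 0; i < len(tokens); i++ {
		t := tokens[i]
		var kv string
		switch {
		case t == "-X" && i+1 < len(tokens):
			i++
			kv = tokens[i]
		case strings.HasPrefix(t, "-X="):
			kv = strings.TrimPrefix(t, "-X=")
		default:
			continue
		}
		if k, v, ok := strings.Cut(kv, "="); ok {
			out = append(out, [2]string{k, v})
		}
	}
	return out
}

// VersionFromLdflags returns the first semver-like value assigned to a version-named
// variable, or "" when nothing qualifies (for example an unexpanded "$(git describe)").
func VersionFromLdflags(ldflags string) string {
	for _, kv := range xAssignments(ldflagsTokens(ldflags)) {
		if !versionVarRe.MatchString(kv[0]) {
			continue
		}
		if m := semverValueRe.FindStringSubmatch(kv[1]); m != nil {
			return m[1]
		}
	}
	return ""
}

// ResolveMainVersion keeps a real module version untouched and only substitutes the
// ldflags version when the main module version is a pseudo-version or "(devel)".
// The enabled flag stands in for the configuration opt-out the issue asks for.
func ResolveMainVersion(moduleVersion, ldflags string, enabled bool) string {
	if !enabled {
		return moduleVersion
	}
	if moduleVersion != "(devel)" && !pseudoVersionRe.MatchString(moduleVersion) {
		return moduleVersion
	}
	if v := VersionFromLdflags(ldflags); v != "" {
		return v
	}
	return moduleVersion
}

func main() {
	// Constructed sample: the -ldflags value quoted in the issue.
	ldflags := `-linkmode=external -extldflags=-static -w -X main.version=9.2.4 -X main.commit=64017e8ca6 -X main.buildstamp=1667903922 -X main.buildBranch=HEAD`
	pseudo := "v0.0.0-20221108103842-64017e8ca682"
	fmt.Println(ResolveMainVersion(pseudo, ldflags, true))  // 9.2.4
	fmt.Println(ResolveMainVersion(pseudo, ldflags, false)) // v0.0.0-20221108103842-64017e8ca682
}
```

The value check is what keeps the process from being purely fuzzy: a `main.version` variable is often set to `$(git describe)` or a branch name, and in a stripped binary that string is all you have, so anything that does not parse as a version is ignored rather than written into pkg.Package. In real use the ldflags string comes from `debug/buildinfo.ReadFile` (the `-ldflags` entry of `BuildInfo.Settings`), not from a literal as here.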