Make the build consistent across archs for Go to correctly report the package path inside the binary #32

Merged
merged 1 commit into from
Dec 1, 2024

Member

@macedogm macedogm commented Nov 28, 2024

The amd64 build process is passing the `./main.go` file directly for the build. According to golang/go#36793, this results in Go not properly identifying the package and module path and then marking the compiled binary as `command-line-arguments`. This doesn't happen with the arm64 build.

The resulting effect is the following:

wharfie-amd64

```
go version -m wharfie-amd64 | head -n 3
wharfie-amd64: go1.22.7
	path	command-line-arguments
	dep	github.com/NYTimes/gziphandler	v1.1.1	h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
```

wharfie-arm64

```
go version -m wharfie-arm64 | head -n 3
wharfie-arm64: go1.22.7
	path	github.com/rancher/wharfie
	mod	github.com/rancher/wharfie	(devel)
```

The wharfie-amd64 binary lacks the `mod github.com/rancher/wharfie` identification. Although this is a minor thing that doesn't affect the binary itself, it actually blocks security scanners, for example Trivy, from correctly matching the binary (and its path/module origin) with a VEX entry. As an example, see this entry.

This was identified internally when a false-positive vulnerability that was supposed to be suppressed was still being reported in the scanning reports.

… package path inside the binary

Signed-off-by: Guilherme Macedo <[email protected]>
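A release-pipeline check for the condition described in this PR, as an added example that is not code from the wharfie repository: it reads each binary's embedded build info with the standard-library `debug/buildinfo` package and fails when the package path is `command-line-arguments` or the main module is missing or unexpected. The function names and the `checkid` command-line usage are assumptions made for this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// placeholder is the path Go records when built from .go files (golang/go#36793).
const placeholder = "command-line-arguments"

// checkIdentity takes the "path" and "mod" values that `go version -m`
// prints and returns an error if they do not identify wantModule.
func checkIdentity(pkgPath, modPath, wantModule string) error {
	switch {
	case pkgPath == placeholder:
		return fmt.Errorf("path is %q: binary was built from .go files", pkgPath)
	case modPath == "":
		return fmt.Errorf("no main module recorded (path %q)", pkgPath)
	case modPath != wantModule:
		return fmt.Errorf("main module is %q, want %q", modPath, wantModule)
	}
	return nil
}

// checkBinary reads the build info embedded in the binary at name.
func checkBinary(name, wantModule string) error {
	bi, err := buildinfo.ReadFile(name)
	if err != nil {
		return fmt.Errorf("reading build info: %w", err)
	}
	return checkIdentity(bi.Path, bi.Main.Path, wantModule)
}

// Usage (assumed): checkid <module-path> <binary>...
func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: checkid <module-path> <binary>...")
		os.Exit(2)
	}
	code := 0
	for _, name := range os.Args[2:] {
		if err := checkBinary(name, os.Args[1]); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", name, err)
			code = 1
		}
	}
	os.Exit(code)
}
```

Run against both architecture builds with the module path `github.com/rancher/wharfie`, it exits non-zero for a binary whose build info matches the wharfie-amd64 output above.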
@macedogm
Member Author

PTAL @brandond / @dereknola

After this is merged, if approved, can we cut a new patch version, please?

@macedogm
Member Author

@knqyf263 pinging you in case of curiosity.

@knqyf263

Great!

@brandond brandond merged commit 16ec24e into rancher:main Dec 1, 2024
1 check passed
@macedogm macedogm deleted the update-build branch December 2, 2024 10:31