diff --git a/gobin/exe.go b/gobin/exe.go
index ec9498de8..2b522846f 100644
--- a/gobin/exe.go
+++ b/gobin/exe.go
@@ -84,15 +84,22 @@ func toPackages(ctx context.Context, out *[]*claircore.Package, p string, r io.R
 vs := map[string]string{
 "stdlib": bi.GoVersion,
 }
- var mmv string
- mainVer, err := ParseVersion(bi.Main.Version)
+
+ // The go main module version is reported differently depending on the go
+ // toolchain, pre-go1.24 module versions built with `go build` will report
+ // `(devel)`, go1.24 and above will report this version like this:
+ // v1.5.36-0.20250212170732-e3af313feaab+dirty i.e. the version stamped in
+ // the compiled binary is based on the version control system tag and/or commit.
+ // A +dirty suffix will be appended if there are uncommitted changes. Previous
+ // behavior can be obtained by using the flag `-buildvcs=false`.
+ mmv := bi.Main.Version
+ mainVer, err := ParseVersion(mmv)
 switch {
 case errors.Is(err, nil):
 case bi.Main.Version == `(devel)`, bi.Main.Version == ``:
- // This is currently the state of any main module built from source; see
- // the package documentation. Don't record it as a "bad" version and
- // pull out any vcs metadata that's been stamped in.
- mmv = bi.Main.Version
+ // This is currently the state of any main module built from source
+ // before go1.24; see the package documentation. Don't record it as
+ // a "bad" version and pull out any vcs metadata that's been stamped in.
 var v []string
 for _, s := range bi.Settings {
 switch s.Key {
@@ -122,7 +129,6 @@ func toPackages(ctx context.Context, out *[]*claircore.Package, p string, r io.R
 }
 case errors.Is(err, ErrInvalidSemVer):
 badVers[bi.Main.Path] = bi.Main.Version
- mmv = bi.Main.Version
 default:
 return fmt.Errorf("error parsing main version: %q: %w", bi.Main.Version, err)
 }
diff --git a/gobin/gobin.go b/gobin/gobin.go
index a2eb7ff82..0a43a676d 100644
--- a/gobin/gobin.go
+++ b/gobin/gobin.go
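Review bot: In the first hunk of gobin/exe.go, `mmv` is now seeded from `bi.Main.Version` before parsing, so on go1.24+ a VCS-stamped string such as the `+dirty` example in the new comment becomes the reported main-module version, yet the comment does not say what that means for advisory matching. A `+dirty` binary was built with uncommitted changes, so its base version only approximates the code being scanned; I would add `// NOTE: a +dirty version comes from a modified tree, so advisory matches against it are approximate.` directly above `mmv := bi.Main.Version`. Whether `ParseVersion` accepts the `+dirty` suffix is not visible here; if it returns `ErrInvalidSemVer`, the second hunk shows the version being recorded in `badVers`, and a test case for that form would pin whichever behaviour is intended. The body of toPackages starts and ends outside both hunks.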
@@ -3,13 +3,11 @@
 //
 // # Main module versioning
 //
-// The go toolchain currently only fills in version information for modules
+// The go toolchain before go1.24 only fills in version information for modules
 // obtained as a module. Most go executables are built from source checkouts,
-// meaning they are not in module form. See [issue 50603] for details on why and
-// what's being explored to provide this information. Accordingly, claircore
-// cannot report advisories for main modules.
-//
-// [issue 50603]: https://golang.org/issues/50603
+// meaning they are not in module form pre-go1.24. Accordingly, claircore cannot
+// report advisories for main modules built pre-go1.24. See relevant go commit:
+// https://cs.opensource.google/go/go/+/8aa2eed8fb90303c0876e51e097105eca7299734
 package gobin

 import (
diff --git a/gobin/gobin_test.go b/gobin/gobin_test.go
index c9c9c2f0e..633fe06b1 100644
--- a/gobin/gobin_test.go
+++ b/gobin/gobin_test.go
@@ -7,7 +7,6 @@ import (
 "os"
 "os/exec"
 "path/filepath"
- "regexp"
 "strings"
 "testing"

@@ -159,7 +158,7 @@ func TestScanner(t *testing.T) {
 case v.Kind != claircore.BINARY:
 case v.PackageDB != "go:bin/bisect":
 t.Errorf("unexpected package DB: %s: %q", v.Name, v.PackageDB)
- case !verRegexp.MatchString(v.Version):
+ case !versionRegex.MatchString(v.Version):
 t.Errorf("unexpected version: %s: %q", v.Name, v.Version)
 case !strings.Contains(v.Name, "/"):
 t.Errorf("unexpected module name: %q", v.Name)
@@ -169,5 +168,3 @@ func TestScanner(t *testing.T) {
 t.Errorf("unexpected entry: %v", v)
 }
 }
-
-var verRegexp = regexp.MustCompile(`^v([0-9]+\.){2}[0-9]+(-[.0-9]+-[0-9a-f]+)?(\+incompatible)?$`)
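Review bot: The rewritten package comment in gobin/gobin.go limits the "cannot report advisories" caveat to main modules built pre-go1.24, but the comment added in gobin/exe.go says `-buildvcs=false` restores the previous behaviour, so binaries built that way on a newer toolchain presumably carry the same limitation. I would extend the sentence to `// report advisories for main modules built pre-go1.24 or with -buildvcs=false.` so that a missing main-module finding on a go1.24+ binary is not read as a clean result.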
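Review bot: In the second hunk of gobin/gobin_test.go, the assertion now relies on `versionRegex`, which is not defined anywhere in this diff; if it is the same pattern the scanner uses to parse versions, the test only confirms that the package agrees with itself and would not notice that pattern being loosened. The removed test-local `verRegexp` spelled out the accepted forms independently of the code under test. Consider keeping a test-local pattern extended for the go1.24 form, or adding explicit cases for a pseudo-version and a `+dirty` version, so the set of accepted version strings stays pinned by the test. TestScanner's body starts and ends outside the hunk.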