gobin: always report the main version in Package.Version

gobin/exe.go

@@ -84,15 +84,22 @@ func toPackages(ctx context.Context, out *[]*claircore.Package, p string, r io.R
 	vs := map[string]string{
 		"stdlib": bi.GoVersion,
 	}
-	var mmv string
-	mainVer, err := ParseVersion(bi.Main.Version)
+
+	// The go main module version is reported differently depending on the go
+	// toolchain, pre-go1.24 module versions built with `go build` will report
+	// `(devel)`, go1.24 and above will report this version like this:
+	// v1.5.36-0.20250212170732-e3af313feaab+dirty i.e. the version stamped in
+	// the compiled binary is based on the version control system tag and/or commit.
+	// A +dirty suffix will be appended if there are uncommitted changes. Previous
+	// behavior can be obtained by using the flag `-buildvcs=false`.
+	mmv := bi.Main.Version
+	mainVer, err := ParseVersion(mmv)
 	switch {
 	case errors.Is(err, nil):
 	case bi.Main.Version == `(devel)`, bi.Main.Version == ``:
-		// This is currently the state of any main module built from source; see
-		// the package documentation. Don't record it as a "bad" version and
-		// pull out any vcs metadata that's been stamped in.
-		mmv = bi.Main.Version
+		// This is currently the state of any main module built from source
+		// before go1.24; see the package documentation. Don't record it as
+		// a "bad" version and pull out any vcs metadata that's been stamped in.
 		var v []string
 		for _, s := range bi.Settings {
 			switch s.Key {
@@ -122,7 +129,6 @@ func toPackages(ctx context.Context, out *[]*claircore.Package, p string, r io.R
 		}
 	case errors.Is(err, ErrInvalidSemVer):
 		badVers[bi.Main.Path] = bi.Main.Version
-		mmv = bi.Main.Version
 	default:
 		return fmt.Errorf("error parsing main version: %q: %w", bi.Main.Version, err)
 	}

gobin/gobin.go

@@ -3,13 +3,11 @@
 //
 // # Main module versioning
 //
-// The go toolchain currently only fills in version information for modules
+// The go toolchain before go1.24 only fills in version information for modules
 // obtained as a module. Most go executables are built from source checkouts,
-// meaning they are not in module form. See [issue 50603] for details on why and
-// what's being explored to provide this information. Accordingly, claircore
-// cannot report advisories for main modules.
-//
-// [issue 50603]: https://golang.org/issues/50603
+// meaning they are not in module form pre-go1.24. Accordingly, claircore cannot
+// report advisories for main modules built pre-go1.24. See relevant go commit:
+// https://cs.opensource.google/go/go/+/8aa2eed8fb90303c0876e51e097105eca7299734
 package gobin
 
 import (

gobin/gobin_test.go

@@ -7,7 +7,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"regexp"
 	"strings"
 	"testing"
 
@@ -159,7 +158,7 @@ func TestScanner(t *testing.T) {
 		case v.Kind != claircore.BINARY:
 		case v.PackageDB != "go:bin/bisect":
 			t.Errorf("unexpected package DB: %s: %q", v.Name, v.PackageDB)
-		case !verRegexp.MatchString(v.Version):
+		case !versionRegex.MatchString(v.Version):
 			t.Errorf("unexpected version: %s: %q", v.Name, v.Version)
 		case !strings.Contains(v.Name, "/"):
 			t.Errorf("unexpected module name: %q", v.Name)
@@ -169,5 +168,3 @@ func TestScanner(t *testing.T) {
 		t.Errorf("unexpected entry: %v", v)
 	}
 }
-
-var verRegexp = regexp.MustCompile(`^v([0-9]+\.){2}[0-9]+(-[.0-9]+-[0-9a-f]+)?(\+incompatible)?$`)