
feat: add functionality of EXHORT_GO_MVS_LOGIC_ENABLED setting #86

Merged
merged 3 commits into from
Feb 5, 2024

Conversation

@zvigrinberg zvigrinberg commented Jan 30, 2024

Description

Add functionality of EXHORT_GO_MVS_LOGIC_ENABLED setting

Summary:

In the case of Go modules stack analysis, it occasionally happens that different transitive packages use the same module (same major version), but each with a different minor version (packages with the same namespace and name that contain different major versions are different packages; for example gopkg.in/yaml.v2 and gopkg.in/yaml.v3 are two different packages/modules).

In such a case, the analysis shows, for each package, all its transitive dependencies according to the Go module tree graph, with the original version defined in the transitive module's go.mod file, and not the version picked for building the final executable binary (using the go build or go install commands).

For example, if application c has 2 modules/packages, a and b, and module a has package pkg:golang/gopkg.in/yaml.v2@v2.2.2 while module b has package pkg:golang/gopkg.in/yaml.v2@v2.2.8, then the SBOM will be generated with both versions of the same package:

  "components" : [
    {
      "group" : "gopkg.in",
      "name" : "yaml.v2",
      "version" : "v2.2.2",
      "purl" : "pkg:golang/gopkg.in/yaml.v2@v2.2.2",
      "type" : "library",
      "bom-ref" : "pkg:golang/gopkg.in/yaml.v2@v2.2.2"
    },
    {
      "group" : "gopkg.in",
      "name" : "yaml.v2",
      "version" : "v2.2.8",
      "purl" : "pkg:golang/gopkg.in/yaml.v2@v2.2.8",
      "type" : "library",
      "bom-ref" : "pkg:golang/gopkg.in/yaml.v2@v2.2.8"
    }
  ]

In order to reflect the actual state of the application more accurately, we are introducing the setting EXHORT_GO_MVS_LOGIC_ENABLED.

  1. If EXHORT_GO_MVS_LOGIC_ENABLED=true, then we'll leverage the Go modules mechanism of MVS algorithms, which knows, per module, how to determine the correct minor version for each package/module out of several minor version candidates (usually, and in most cases, it's the latest semver version), based on the client machine and the local go binary version; the chosen version of the module will eventually be the one used in an actual binary of the application built on the client's machine using the same go binary version.

For example, for the above SBOM sample, with this feature's new logic the SBOM will now contain only the selected version:

  "components" : [
    {
      "group" : "gopkg.in",
      "name" : "yaml.v2",
      "version" : "v2.2.8",
      "purl" : "pkg:golang/gopkg.in/yaml.v2@v2.2.8",
      "type" : "library",
      "bom-ref" : "pkg:golang/gopkg.in/yaml.v2@v2.2.8"
    }
  ]

  2. If EXHORT_GO_MVS_LOGIC_ENABLED=false (this will remain the default), the behavior will be as it was up until today.

Jira Tickets: JIRA #2169, JIRA #2168

Checklist

  • I have followed this repository's contributing guidelines.
  • I will adhere to the project's code of conduct.
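As an added example (not code from this PR or from the exhort project), the selection rule the description relies on, written in Go: it parses constructed `go mod graph` output for the a/b/yaml.v2 scenario above, computes the MVS build list (the highest version of each module path reachable from the main module's requirement graph), and then keeps only the SBOM purls whose version is the selected one, which is exactly what collapses the two yaml.v2 components into one. The module paths example.com/a, example.com/b and example.com/c and the golang.org/x/text edges are invented for the sample, and the semver comparison is a simplified stand-in for golang.org/x/mod/semver, not the one the Go toolchain uses.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed `go mod graph` output: application c requires modules a and b,
// which require different minor versions of gopkg.in/yaml.v2 (paths invented).
const sampleGraph = `example.com/c example.com/a@v1.0.0
example.com/c example.com/b@v1.3.0
example.com/a@v1.0.0 gopkg.in/yaml.v2@v2.2.2
example.com/a@v1.0.0 golang.org/x/text@v0.3.0
example.com/b@v1.3.0 gopkg.in/yaml.v2@v2.2.8
example.com/b@v1.3.0 gopkg.in/yaml.v3@v3.0.1
gopkg.in/yaml.v2@v2.2.8 golang.org/x/text@v0.3.2
`

// Edge is one "parent child@version" line of `go mod graph`.
type Edge struct{ From, To string }

// parseGraph turns the graph text into edges, skipping blank or malformed lines.
func parseGraph(out string) []Edge {
	var edges []Edge
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 {
			edges = append(edges, Edge{From: f[0], To: f[1]})
		}
	}
	return edges
}

// splitModule separates "path@version"; the main module carries no version.
func splitModule(node string) (path, version string) {
	if i := strings.LastIndex(node, "@"); i >= 0 {
		return node[:i], node[i+1:]
	}
	return node, ""
}

type semver struct {
	major, minor, patch int
	pre                 string // pre-release suffix after '-', empty for releases
}

// parseSemver handles "vMAJOR.MINOR.PATCH[-pre][+build]" (simplified semver).
func parseSemver(v string) (semver, error) {
	var sv semver
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.Index(v, "-"); i >= 0 {
		sv.pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return sv, fmt.Errorf("not a vMAJOR.MINOR.PATCH version: %q", v)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return sv, fmt.Errorf("bad component %q in %q: %w", p, v, err)
		}
		nums[i] = n
	}
	sv.major, sv.minor, sv.patch = nums[0], nums[1], nums[2]
	return sv, nil
}

// semverLess reports whether version a orders before version b.
func semverLess(a, b string) bool {
	x, errA := parseSemver(a)
	y, errB := parseSemver(b)
	if errA != nil || errB != nil {
		return a < b // fall back to lexical order for unparsable strings
	}
	if x.major != y.major {
		return x.major < y.major
	}
	if x.minor != y.minor {
		return x.minor < y.minor
	}
	if x.patch != y.patch {
		return x.patch < y.patch
	}
	if (x.pre == "") != (y.pre == "") {
		return x.pre != "" // a release is newer than any pre-release of it
	}
	return x.pre < y.pre
}

// selectVersions is the MVS rule: walk every requirement reachable from the
// main module and keep, per module path, the highest version encountered.
func selectVersions(edges []Edge, mainModule string) map[string]string {
	requires := map[string][]string{}
	for _, e := range edges {
		requires[e.From] = append(requires[e.From], e.To)
	}
	selected := map[string]string{}
	visited := map[string]bool{}
	var walk func(node string)
	walk = func(node string) {
		if visited[node] {
			return
		}
		visited[node] = true
		for _, dep := range requires[node] {
			path, version := splitModule(dep)
			if cur, ok := selected[path]; !ok || semverLess(cur, version) {
				selected[path] = version
			}
			walk(dep)
		}
	}
	walk(mainModule)
	return selected
}

// filterPurls keeps only "pkg:golang/<path>@<version>" components whose
// version is the MVS-selected one, dropping the stale duplicates.
func filterPurls(purls []string, selected map[string]string) []string {
	var kept []string
	for _, purl := range purls {
		path, version := splitModule(strings.TrimPrefix(purl, "pkg:golang/"))
		if selected[path] == version {
			kept = append(kept, purl)
		}
	}
	sort.Strings(kept)
	return kept
}

func main() {
	selected := selectVersions(parseGraph(sampleGraph), "example.com/c")
	paths := make([]string, 0, len(selected))
	for p := range selected {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("%-20s %s\n", p, selected[p])
	}
	purls := []string{
		"pkg:golang/gopkg.in/yaml.v2@v2.2.2",
		"pkg:golang/gopkg.in/yaml.v2@v2.2.8",
	}
	fmt.Println("kept components:", filterPurls(purls, selected))
}
```

Running it selects gopkg.in/yaml.v2@v2.2.8 (and golang.org/x/text@v0.3.2, which only the newer yaml.v2 requires), so the v2.2.2 component is filtered out of the SBOM. The walk deliberately follows edges from every version of a module, not just the selected one, because that is how MVS defines the closure; a tool that only followed the winning version would miss requirements introduced by the losing one.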

@zvigrinberg zvigrinberg changed the title Feature/exhort golang mvs logic feat: add functionality of EXHORT_GO_MVS_LOGIC_ENABLED setting Jan 30, 2024

github-actions bot commented Jan 30, 2024

Test Results

94 tests   94 ✅  48s ⏱️
10 suites   0 💤
10 files     0 ❌

Results for commit dcd425e.

♻️ This comment has been updated with latest results.

@zvigrinberg zvigrinberg force-pushed the feature/exhort-golang-mvs-logic branch from ca49d5f to 9f9f80d Compare February 5, 2024 10:06
Signed-off-by: Zvi Grinberg <zgrinber@redhat.com>