Skip to content

Commit

Permalink
fix: use Go main module version (#1797)
Browse files Browse the repository at this point in the history
When its helpful, that is. This doesnt change the behavior of matching a main module with "(devel") as the version, but in cases where a more useful version is provided, such as when Syft was able to compute a reasonable pseudoversion, we use the version in for best effort matching.

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
  • Loading branch information
luhring authored Apr 16, 2024
1 parent a7cbe3a commit 6dde5ce
Show file tree
Hide file tree
Showing 3 changed files with 24 additions and 9 deletions.
13 changes: 8 additions & 5 deletions grype/matcher/golang/matcher.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,11 +42,14 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
mainModule = m.MainModule
}

// Golang currently does not have a standard way of incorporating the vcs version
// into the compiled binary: https://github.com/golang/go/issues/50603
// current version information for the main module is incomplete leading to multiple FP
// TODO: remove this exclusion when vcs information is included in future go version
isNotCorrected := strings.HasPrefix(p.Version, "v0.0.0-") || strings.HasPrefix(p.Version, "(devel)")
// Golang currently does not have a standard way of incorporating the main
// module's version into the compiled binary:
// https://github.com/golang/go/issues/50603.
//
// Syft has some fallback mechanisms to come up with a more sane version value
// depending on the scenario. But if none of these apply, the Go-set value of
// "(devel)" is used, which is altogether unhelpful for vulnerability matching.
isNotCorrected := strings.HasPrefix(p.Version, "(devel)")
if p.Name == mainModule && isNotCorrected {
return matches, nil
}
Expand Down
8 changes: 4 additions & 4 deletions grype/matcher/golang/matcher_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ import (
syftPkg "github.com/anchore/syft/syft/pkg"
)

func TestMatcher_DropMainPackage(t *testing.T) {
func TestMatcher_DropMainPackageIfNoVersion(t *testing.T) {

mainModuleMetadata := pkg.GolangBinMetadata{
MainModule: "istio.io/istio",
Expand Down Expand Up @@ -43,7 +43,7 @@ func TestMatcher_DropMainPackage(t *testing.T) {
assert.Len(t, preTest, 1, "should have matched the package when there is not a main module")

actual, _ := matcher.Match(store, nil, subjectWithMainModule)
assert.Len(t, actual, 0, "unexpected match count; should not match main module")
assert.Len(t, actual, 1, "should match the main module (i.e. 1 match)")

actual, _ = matcher.Match(store, nil, subjectWithMainModuleAsDevel)
assert.Len(t, actual, 0, "unexpected match count; should not match main module (devel)")
Expand Down Expand Up @@ -174,13 +174,13 @@ type mockProvider struct {
}

func (mp *mockProvider) Get(id, namespace string) ([]vulnerability.Vulnerability, error) {
//TODO implement me
// TODO implement me
panic("implement me")
}

func (mp *mockProvider) populateData() {
mp.data[syftPkg.Go] = map[string][]vulnerability.Vulnerability{
// for TestMatcher_DropMainPackage
// for TestMatcher_DropMainPackageIfNoVersion
"istio.io/istio": {
{
Constraint: version.MustGetConstraint("< 5.0.7", version.UnknownFormat),
Expand Down
12 changes: 12 additions & 0 deletions grype/version/golang_version_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,18 @@ func TestCompareGolangVersions(t *testing.T) {
otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
want: 1,
},
{
name: "pseudoversion less than other pseudoversion",
thisVersion: "v0.0.0-20170116102854-1ef0e047d5a7",
otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
want: -1,
},
{
name: "pseudoversion greater than other pseudoversion",
thisVersion: "v0.0.0-20190116102854-8a3f0e047d5a",
otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
want: 1,
},
{
name: "+incompatible doesn't break equality",
thisVersion: "v3.2.0",
Expand Down

0 comments on commit 6dde5ce

Please sign in to comment.