fix: use Go main module version when possible #1797

Merged
merged 1 commit into from
Apr 16, 2024
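--- a/grype/matcher/golang/matcher.go
+++ b/grype/matcher/golang/matcher.go
@@ -42,11 +42,14 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
 mainModule = m.MainModule
 }
 
-// Golang currently does not have a standard way of incorporating the vcs version
-// into the compiled binary: https://github.com/golang/go/issues/50603
-// current version information for the main module is incomplete leading to multiple FP
-// TODO: remove this exclusion when vcs information is included in future go version
-isNotCorrected := strings.HasPrefix(p.Version, "v0.0.0-") || strings.HasPrefix(p.Version, "(devel)")
+// Golang currently does not have a standard way of incorporating the main
+// module's version into the compiled binary:
+// https://github.com/golang/go/issues/50603.
+//
+// Syft has some fallback mechanisms to come up with a more sane version value
+// depending on the scenario. But if none of these apply, the Go-set value of
+// "(devel)" is used, which is altogether unhelpful for vulnerability matching.
+isNotCorrected := strings.HasPrefix(p.Version, "(devel)")
 if p.Name == mainModule && isNotCorrected {
 return matches, nil
 }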
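Review bot: The new `isNotCorrected` at the end of the hunk drops the `v0.0.0-` exclusion, so a main module whose version Syft derived as a pseudo-version is now matched, but the rewritten comment above it says nothing about the consequence: a `v0.0.0-<timestamp>-<hash>` version compares below every tagged release, so an upper-bound-only constraint such as `< 5.0.7` will match it no matter which commit the binary was built from. If that is the intended trade-off (it appears to be, given the removed comment called this a source of false positives), say so next to the check, e.g. `// Pseudo-versions (v0.0.0-...) are deliberately no longer excluded: they sort below every tagged release, so a match against one is a best-effort signal rather than a precise one.` Matching `(devel)` by prefix rather than equality is only justified if one of Syft's fallbacks can append to that literal; if Go alone produces it, `p.Version == "(devel)"` is the tighter check. Match's body begins and continues outside the hunk.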
8 changes: 4 additions & 4 deletions grype/matcher/golang/matcher_test.go
Expand Up @@ -15,7 +15,7 @@ import (
syftPkg "github.com/anchore/syft/syft/pkg"
)

func TestMatcher_DropMainPackage(t *testing.T) {
func TestMatcher_DropMainPackageIfNoVersion(t *testing.T) {

mainModuleMetadata := pkg.GolangBinMetadata{
MainModule: "istio.io/istio",
Expand Down Expand Up @@ -43,7 +43,7 @@ func TestMatcher_DropMainPackage(t *testing.T) {
assert.Len(t, preTest, 1, "should have matched the package when there is not a main module")

actual, _ := matcher.Match(store, nil, subjectWithMainModule)
assert.Len(t, actual, 0, "unexpected match count; should not match main module")
assert.Len(t, actual, 1, "should match the main module (i.e. 1 match)")

actual, _ = matcher.Match(store, nil, subjectWithMainModuleAsDevel)
assert.Len(t, actual, 0, "unexpected match count; should not match main module (devel)")
Expand Down Expand Up @@ -174,13 +174,13 @@ type mockProvider struct {
}

func (mp *mockProvider) Get(id, namespace string) ([]vulnerability.Vulnerability, error) {
//TODO implement me
// TODO implement me
panic("implement me")
}

func (mp *mockProvider) populateData() {
mp.data[syftPkg.Go] = map[string][]vulnerability.Vulnerability{
// for TestMatcher_DropMainPackage
// for TestMatcher_DropMainPackageIfNoVersion
"istio.io/istio": {
{
Constraint: version.MustGetConstraint("< 5.0.7", version.UnknownFormat),
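Review bot: The flipped assertion for `subjectWithMainModule` (now expecting 1 match) covers a main module with a real version, and the `(devel)` subject still covers the drop path, but the case this change actually enables — a main module carrying a `v0.0.0-<timestamp>-<hash>` pseudo-version, which the matcher previously excluded and now matches — has no subject in this hunk. Unless one is constructed above the hunk, add a fixture whose `p.Version` is a pseudo-version and assert it the same way: `actual, _ = matcher.Match(store, nil, subjectWithMainModuleAsPseudoVersion)` followed by `assert.Len(t, actual, 1, "should match the main module when it carries a pseudo-version")`. Without it the renamed test, `TestMatcher_DropMainPackageIfNoVersion`, does not pin the behavior its new name promises for the pseudo-version form of "no real version". The subjects are declared before this hunk, outside the visible lines.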
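--- a/grype/version/golang_version_test.go
+++ b/grype/version/golang_version_test.go
@@ -131,6 +131,18 @@ func TestCompareGolangVersions(t *testing.T) {
 otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
 want: 1,
 },
+{
+name: "pseudoversion less than other pseudoversion",
+thisVersion: "v0.0.0-20170116102854-1ef0e047d5a7",
+otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
+want: -1,
+},
+{
+name: "pseudoversion greater than other pseudoversion",
+thisVersion: "v0.0.0-20190116102854-8a3f0e047d5a",
+otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
+want: 1,
+},
 {
 name: "+incompatible doesn't break equality",
 thisVersion: "v3.2.0",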
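Review bot: Both added cases differ only in the pseudo-version timestamp, so the table still has no case pitting a pseudo-version against a tagged release, which is the comparison the matcher now relies on once pseudo-versioned main modules are no longer excluded; unless it already exists above the hunk, add `{name: "pseudoversion less than tagged release", thisVersion: "v0.0.0-20180116102854-5a71ef0e047d", otherVersion: "v1.0.0", want: -1},`. A case with equal timestamps and different commit hashes would also pin down whether the comparison treats them as equal or orders them by hash, which these tests leave undefined. TestCompareGolangVersions starts and ends outside the hunk.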