cmd/go: factor version reading into debug/buildinfo #39301
Comments
To clarify, you're asking for a package to read the BuildInfo from a compiled executable?
From the bytes of a compiled executable. Something like
Can you clarify why? If you need to inspect Go binaries, having Go installed seems pretty reasonable.
Have you considered the
For why I prefer this to shelling out: The product I work with is GCP's container image vulnerability scanner. It scans XX thousand container images per minute. Each of those container images has hundreds, thousands of files. I want to find Go binaries and report on how they were made so we can do vulnerability analysis, contributor history, etc. Shelling out to For consideration of rsc.io/goversion/version: I did see that, and it does do approximately what I want. However, it does not have the interface I'd like (give it a file path rather than bytes, which increases the overhead per invocation significantly), and it's also not covered by any compatibility guarantees. For instance, the code it uses to load information from the executable and extract the mod string is different than that used by What I have done is copied, with light modifications to make it fit, the code that is used by
Thanks @skelterjohn for posting this. Vulnerability scanning is a use case we had in mind when embedding module version information in binaries. This would help complete the picture. I think it would make sense to do this somewhere in
We discussed this some on #35667, where we decided it was OK to add So this probably doesn't need to be a proposal, since we've already decided to do it.
Change https://golang.org/cl/348016 mentions this issue:
Change https://golang.org/cl/353887 mentions this issue:
Change https://golang.org/cl/356013 mentions this issue:
Fixes #37475
For #39301

Change-Id: I765bc667004931ff8973b947f2e95624a4a0375d
Reviewed-on: https://go-review.googlesource.com/c/go/+/356013
Reviewed-by: Bryan C. Mills <[email protected]>
Trust: Jay Conrod <[email protected]>
With go version 1.14 and go modules, we get a nice report from go version -m <binary>. The code backing this command is not available to use outside the binary, as it uses internal packages.

Supply chain analysis tools, which I work on, would benefit greatly from being able to reliably get this information using a package in the standard library. Instead, I'm copying and lightly modifying the code used to run the go version -m command since shelling out to a binary is not always an option.
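What this issue asks for, reading build info from the bytes of an executable instead of shelling out, as an added example that is not code from the issue or from the Go project. It uses `debug/buildinfo.Read` from the standard library (Go 1.18 and later); `ModuleRef`, `Report`, `ErrNotGo` and `InspectBytes` are hypothetical names chosen for the example.

```go
package main

import (
	"bytes"
	"debug/buildinfo"
	"errors"
	"fmt"
	"os"
)

type ModuleRef struct { // hypothetical type for this example
	Path, Version, Sum string
	Replaced           bool // a replace directive supplied this module
}
type Report struct { // hypothetical type for this example
	GoVersion, MainModule string
	Deps                  []ModuleRef
}

// ErrNotGo marks files a scanner should skip instead of report on.
var ErrNotGo = errors.New("no Go build info")

// InspectBytes reads embedded build info from an in-memory file image:
// no temp file, no subprocess. The image is untrusted input.
func InspectBytes(image []byte) (*Report, error) {
	info, err := buildinfo.Read(bytes.NewReader(image)) // *bytes.Reader is an io.ReaderAt
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrNotGo, err)
	}
	rep := &Report{GoVersion: info.GoVersion, MainModule: info.Main.Path}
	for _, d := range info.Deps {
		ref := ModuleRef{Path: d.Path, Version: d.Version, Sum: d.Sum}
		if r := d.Replace; r != nil { // record the module actually compiled in
			ref = ModuleRef{Path: r.Path, Version: r.Version, Sum: r.Sum, Replaced: true}
		}
		rep.Deps = append(rep.Deps, ref)
	}
	return rep, nil
}

func main() { // usage: prog FILE...
	for _, path := range os.Args[1:] {
		if image, err := os.ReadFile(path); err != nil {
			fmt.Fprintln(os.Stderr, err)
		} else if rep, err := InspectBytes(image); err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
		} else {
			fmt.Printf("%s: %s %s, %d deps\n", path, rep.GoVersion, rep.MainModule, len(rep.Deps))
		}
	}
}
```

A scanner that already holds a layer's file contents in memory can call `InspectBytes` on each candidate and treat `ErrNotGo` as "not a Go binary, move on".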