feat: update to go 1.18 (#139)

* test against go 1.18rc1 Signed-off-by: nscuro <nscuro@protonmail.com> * rewrite `LoadBinaryInfo` to use new stdlib functionality Signed-off-by: nscuro <nscuro@protonmail.com> * fix tests that download modules `go get` cannot be used outside a module dir anymore, so switching to `go mod download` instead Signed-off-by: nscuro <nscuro@protonmail.com> * update setup-go action to v3 Signed-off-by: nscuro <nscuro@protonmail.com> * update dockerfiles to use go1.18rc1 Signed-off-by: nscuro <nscuro@protonmail.com> * update `go` directive in `go.mod` to 1.18 Signed-off-by: nscuro <nscuro@protonmail.com> * update go versions in readme Signed-off-by: nscuro <nscuro@protonmail.com> * update docker images to 1.18.0 Signed-off-by: nscuro <nscuro@protonmail.com> * update go version in workflows to 1.18 Signed-off-by: nscuro <nscuro@protonmail.com> * force usage of golangci-lint v1.45.0 Signed-off-by: nscuro <nscuro@protonmail.com> * update go version in goreleaser-ci.yml Signed-off-by: nscuro <nscuro@protonmail.com>
CycloneDX · Mar 26, 2022 · 0d7dfab · 0d7dfab
1 parent 052a7a7
commit 0d7dfab
Show file tree

Hide file tree

Showing 14 changed files with 64 additions and 195 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,9 +33,9 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@v3
     - name: Setup Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
       with:
-        go-version: "1.17"
+        go-version: "1.18"
         check-latest: true
     - name: Run golangci-lint
       uses: golangci/golangci-lint-action@v3.1.0
@@ -47,9 +47,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
       with:
-        go-version: "1.17"
+        go-version: "1.18"
         check-latest: true
     - name: Setup CycloneDX CLI
       run: |
@@ -61,4 +61,4 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@v3
     - name: Test
-      run: make test
+      run: make test
diff --git a/.github/workflows/goreleaser-ci.yml b/.github/workflows/goreleaser-ci.yml
@@ -17,7 +17,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: "1.17"
+        go-version: "1.18"
         check-latest: true
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1

diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: "1.17"
+        go-version: "1.18"
         check-latest: true
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1

diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,11 @@
-FROM golang:1.17.8-alpine3.15@sha256:b35984144ec2c2dfd6200e112a9b8ecec4a8fd9eff0babaff330f1f82f14cb2a as build
+FROM golang:1.18.0-alpine3.15@sha256:bb6ae029f163091e27c15094dba9b63429e301a7a6856cf1427439efe94e95f1 as build
 ARG VERSION=latest
 WORKDIR /tmp/cyclonedx-gomod
 RUN apk --no-cache add git make
 COPY . .
 RUN make install
 
-FROM golang:1.17.8-alpine3.15@sha256:b35984144ec2c2dfd6200e112a9b8ecec4a8fd9eff0babaff330f1f82f14cb2a
+FROM golang:1.18.0-alpine3.15@sha256:bb6ae029f163091e27c15094dba9b63429e301a7a6856cf1427439efe94e95f1
 COPY --from=build /go/bin/cyclonedx-gomod /usr/local/bin/
 USER 1000
 ENTRYPOINT ["cyclonedx-gomod"]

diff --git a/Dockerfile.examples b/Dockerfile.examples
@@ -10,7 +10,7 @@
 # for linux/amd64. If you're on a different platform, you'll have to run
 #   GOOS=linux GOARCH=amd64 make examples-image
 # instead.
-FROM golang:1.17.8-bullseye@sha256:6f49eeaceb65a5e46d3e6199583beadbe3c8d028a225b680c5b34b4c13ec5105
+FROM golang:1.18.0-bullseye@sha256:ada87de4d857ada7d975fd143bee1a58a9cb597639233a8adcd92bf2cbbfe7fe
 
 VOLUME /examples
 

diff --git a/Dockerfile.goreleaser b/Dockerfile.goreleaser
@@ -1,6 +1,6 @@
 # This Dockerfile is meant for GoReleaser exclusively, see .goreleaser.yml.
 # For manual builds, please use the regular Dockerfile or simply run "make docker".
-FROM golang:1.17.8-alpine3.15@sha256:b35984144ec2c2dfd6200e112a9b8ecec4a8fd9eff0babaff330f1f82f14cb2a
+FROM golang:1.18.0-alpine3.15@sha256:bb6ae029f163091e27c15094dba9b63429e301a7a6856cf1427439efe94e95f1
 COPY cyclonedx-gomod /usr/local/bin/
 USER 1000
 ENTRYPOINT ["cyclonedx-gomod"]

diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ Prebuilt binaries are available on the [releases](https://github.com/CycloneDX/c
 go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
 ```
 
-Building from source requires Go 1.17 or newer.
+Building from source requires Go 1.18 or newer.
 
 ## Compatibility
 
@@ -281,7 +281,7 @@ $ docker run -it --rm \
     cyclonedx/cyclonedx-gomod:v1 mod -json -output /out/bom.json /usr/src/mymodule
 ```
 
-> The image is based on `golang:1.17-alpine`.  
+> The image is based on `golang:1.18-alpine`.  
 > When using the `app` command, please keep in mind that the Go version may influence module selection.  
 > We generally recommend using a [precompiled binary](https://github.com/CycloneDX/cyclonedx-gomod/releases) 
 > and running it in the same environment in which you're building your application in.

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/CycloneDX/cyclonedx-gomod
 
-go 1.17
+go 1.18
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.5.1

diff --git a/go.sum b/go.sum
@@ -161,7 +161,6 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e h1:WUoyKPm6nCo1BnNUvPGnFG3T5DUVem42yDJZZ4CNxMA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=

diff --git a/internal/gomod/binary.go b/internal/gomod/binary.go
@@ -18,12 +18,8 @@
 package gomod
 
 import (
-	"bufio"
-	"bytes"
-	"io"
-	"strings"
-
-	"github.com/rs/zerolog"
+	"debug/buildinfo"
+	"fmt"
 
 	"github.com/CycloneDX/cyclonedx-gomod/internal/gocmd"
 )
@@ -38,78 +34,61 @@ type BuildInfo struct {
 	Settings  map[string]string // Other information about the build.
 }
 
-func LoadBuildInfo(logger zerolog.Logger, binaryPath string) (*BuildInfo, error) {
-	buf := new(bytes.Buffer)
-	err := gocmd.LoadBuildInfo(logger, binaryPath, buf)
+func LoadBuildInfo(binaryPath string) (*BuildInfo, error) {
+	stdBuildInfo, err := buildinfo.ReadFile(binaryPath)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to read build info: %w", err)
+	}
+
+	buildInfo := BuildInfo{
+		Path: stdBuildInfo.Path,
+		Main: &Module{
+			Path:    stdBuildInfo.Main.Path,
+			Version: stdBuildInfo.Main.Version,
+			Main:    true,
+			Sum:     stdBuildInfo.Main.Sum,
+		},
 	}
 
-	buildInfo, err := parseBuildInfo(binaryPath, buf)
+	buildInfo.GoVersion, err = gocmd.ParseVersion(stdBuildInfo.GoVersion)
 	if err != nil {
 		return nil, err
 	}
 
-	return &buildInfo, nil
-}
-
-func parseBuildInfo(binaryPath string, reader io.Reader) (bi BuildInfo, err error) {
-	moduleIndex := 0
-	scanner := bufio.NewScanner(reader)
-	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.TrimSpace(line) == "" {
-			continue
+	var deps []Module
+	for i := range stdBuildInfo.Deps {
+		dep := Module{
+			Path:    stdBuildInfo.Deps[i].Path,
+			Version: stdBuildInfo.Deps[i].Version,
+			Sum:     stdBuildInfo.Deps[i].Sum,
 		}
-
-		fields := strings.Fields(line)
-		switch fields[0] {
-		case binaryPath + ":":
-			var gv string
-			gv, err = gocmd.ParseVersion(line)
-			if err != nil {
-				return
-			} else {
-				bi.GoVersion = gv
-			}
-		case "path": // Path of main package of main module
-			bi.Path = fields[1]
-		case "mod": // Main module
-			bi.Main = &Module{
-				Path:    fields[1],
-				Version: fields[2],
-				Main:    true,
-			}
-		case "dep": // Dependency module
-			module := Module{
-				Path:    fields[1],
-				Version: fields[2],
-			}
-			if len(fields) == 4 {
-				// Hash won't be available when the module is replaced
-				module.Sum = fields[3]
-			}
-			bi.Deps = append(bi.Deps, module)
-			moduleIndex += 1
-		case "=>": // Replacement
-			module := Module{
-				Path:    fields[1],
-				Version: fields[2],
-			}
-			if len(fields) == 4 {
-				module.Sum = fields[3]
-			}
-			bi.Deps[moduleIndex-1].Replace = &module
-		case "build": // Build settings (Go 1.18+)
-			kv := strings.SplitN(fields[1], "=", 2)
-			if len(kv) == 2 {
-				if bi.Settings == nil {
-					bi.Settings = make(map[string]string)
-				}
-				bi.Settings[kv[0]] = kv[1]
+		if stdBuildInfo.Deps[i].Replace != nil {
+			dep.Replace = &Module{
+				Path:    stdBuildInfo.Deps[i].Replace.Path,
+				Version: stdBuildInfo.Deps[i].Replace.Version,
+				Sum:     stdBuildInfo.Deps[i].Replace.Sum,
 			}
 		}
+		deps = append(deps, dep)
+	}
+	if len(deps) > 0 {
+		// Make all deps a direct dependency of main
+		buildInfo.Main.Dependencies = make([]*Module, len(deps))
+		for i := range deps {
+			buildInfo.Main.Dependencies[i] = &deps[i]
+		}
+		sortDependencies(buildInfo.Main.Dependencies)
+
+		buildInfo.Deps = deps
 	}
 
-	return
+	settings := make(map[string]string)
+	for _, setting := range stdBuildInfo.Settings {
+		settings[setting.Key] = setting.Value
+	}
+	if len(settings) > 0 {
+		buildInfo.Settings = settings
+	}
+
+	return &buildInfo, nil
 }
diff --git a/internal/gomod/binary_test.go b/internal/gomod/binary_test.go
diff --git a/internal/gomod/module_test.go b/internal/gomod/module_test.go
@@ -41,7 +41,7 @@ func TestModule_Coordinates(t *testing.T) {
 
 func TestModule_Hash(t *testing.T) {
 	// Download a specific version of a module
-	cmd := exec.Command("go", "get", "github.com/google/uuid@v1.2.0")
+	cmd := exec.Command("go", "mod", "download", "github.com/google/uuid@v1.2.0")
 	cmd.Dir = t.TempDir() // Just has to be outside of this module's directory to prevent modification of go.mod
 	require.NoError(t, cmd.Run())
 

diff --git a/internal/sbom/convert/module/module_test.go b/internal/sbom/convert/module/module_test.go
@@ -105,7 +105,7 @@ func TestWithLicenses(t *testing.T) {
 
 func TestWithModuleHashes(t *testing.T) {
 	// Download a specific version of a module
-	cmd := exec.Command("go", "get", "github.com/google/uuid@v1.2.0")
+	cmd := exec.Command("go", "mod", "download", "github.com/google/uuid@v1.2.0")
 	cmd.Dir = t.TempDir() // Just has to be outside of this module's directory to prevent modification of go.mod
 	require.NoError(t, cmd.Run())
 

diff --git a/pkg/generate/bin/generator.go b/pkg/generate/bin/generator.go
@@ -63,7 +63,7 @@ func NewGenerator(binaryPath string, opts ...Option) (generate.Generator, error)
 
 // Generate implements the generate.Generator interface.
 func (g generator) Generate() (*cdx.BOM, error) {
-	bi, err := gomod.LoadBuildInfo(g.logger, g.binaryPath)
+	bi, err := gomod.LoadBuildInfo(g.binaryPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load build info: %w", err)
 	} else if bi.Main == nil {
@@ -97,11 +97,6 @@ func (g generator) Generate() (*cdx.BOM, error) {
 		}
 	}
 
-	// Make all modules a direct dependency of the main module
-	for i := 1; i < len(modules); i++ {
-		modules[0].Dependencies = append(modules[0].Dependencies, &modules[i])
-	}
-
 	main, err := modConv.ToComponent(g.logger, modules[0],
 		modConv.WithComponentType(cdx.ComponentTypeApplication),
 		modConv.WithLicenses(g.licenseDetector))