feat: add support for build info in binaries built with go 1.18+ (#101)

* parse go 1.18+ output of `go version -m` also fix version detection to also recognize development builds of go Signed-off-by: nscuro <nscuro@protonmail.com> * handle more build settings (if available) Signed-off-by: nscuro <nscuro@protonmail.com> * also consider compiler setting Signed-off-by: nscuro <nscuro@protonmail.com> * regenerate example sboms Signed-off-by: nscuro <nscuro@protonmail.com> * add e2e test for binary built with go 1.18 Signed-off-by: nscuro <nscuro@protonmail.com> * update changelog Signed-off-by: nscuro <nscuro@protonmail.com> * add test; minor tweaks Signed-off-by: nscuro <nscuro@protonmail.com>
CycloneDX · Dec 3, 2021 · 1f15606 · 1f15606
1 parent febc262
commit 1f15606
Show file tree

Hide file tree

Showing 22 changed files with 466 additions and 229 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
 * `app`: Add option to include packages in application SBOM ([#85](https://github.com/CycloneDX/cyclonedx-gomod/issues/85) via [#92](https://github.com/CycloneDX/cyclonedx-gomod/pull/92))
 * `app`: The `-packages` and `-files` options are now also applied to the standard library component (when `-std` is used) ([#84](https://github.com/CycloneDX/cyclonedx-gomod/issues/84) via [#92](https://github.com/CycloneDX/cyclonedx-gomod/pull/92))
   * Thanks [TheDiveO](https://github.com/TheDiveO) for reporting!
+* `bin`: Add support for build info in binaries built with Go 1.18+ ([#86](https://github.com/CycloneDX/cyclonedx-gomod/issues/86) via [#101](https://github.com/CycloneDX/cyclonedx-gomod/pull/101))
 * Package URLs now include a `type` qualifier to better differentiate between modules and packages (via [`1c4b136`](https://github.com/CycloneDX/cyclonedx-gomod/pull/92/commits/1c4b1366ac23e6a4387f1e6d4b35b67930184aed))
 
 ### Breaking Changes

diff --git a/e2e/cmd_bin_test.go b/e2e/cmd_bin_test.go
@@ -38,6 +38,18 @@ func TestBinCmdSimple(t *testing.T) {
 	runSnapshotIT(t, &binOptions.OutputOptions, func() error { return bincmd.Exec(binOptions) })
 }
 
+func TestBinCmdSimple118(t *testing.T) {
+	binOptions := bincmd.Options{
+		SBOMOptions: options.SBOMOptions{
+			Reproducible: true,
+			SerialNumber: zeroUUID.String(),
+		},
+		BinaryPath: "./testdata/bincmd/simple1.18",
+	}
+
+	runSnapshotIT(t, &binOptions.OutputOptions, func() error { return bincmd.Exec(binOptions) })
+}
+
 func TestBinCmdSimpleAssertLicenses(t *testing.T) {
 	binOptions := bincmd.Options{
 		SBOMOptions: options.SBOMOptions{

diff --git a/e2e/testdata/bincmd/simple1.18 b/e2e/testdata/bincmd/simple1.18
diff --git a/e2e/testdata/snapshots/TestBinCmdSimple b/e2e/testdata/snapshots/TestBinCmdSimple
@@ -7,12 +7,13 @@
       <purl>pkg:golang/testmod-simple@v1.0.0?type=module</purl>
     </component>
     <properties>
-      <property name="cdx:gomod:binary:name">simple</property>
       <property name="cdx:gomod:binary:hash:MD5">f2bd20870a0bc20bef23facd73a1fd21</property>
       <property name="cdx:gomod:binary:hash:SHA-1">eaff83601ad04f88d8f44b7acd97201932e8037e</property>
       <property name="cdx:gomod:binary:hash:SHA-256">2fad71e51c9d4d892036bf253a65b4555c6b72a0a0e2a4b3a1a8c47ca5e5272a</property>
       <property name="cdx:gomod:binary:hash:SHA-384">cff5f2a077c59e66f1862759212720fa74f4c2ccc81eb3c0ed93155be4b52a8659eb7d79e7ac174cc997b5fe5a5333e0</property>
       <property name="cdx:gomod:binary:hash:SHA-512">e678f2af01315f382e62260a30485ae23307d33615b1d1661c86c07a0468d676398955e8ebc0efca25b17de01eb167d628780ca4b5f768588d64c0b5761773a4</property>
+      <property name="cdx:gomod:binary:name">simple</property>
+      <property name="cdx:gomod:build:env:GOVERSION">go1.16.7</property>
     </properties>
   </metadata>
   <components>

diff --git a/e2e/testdata/snapshots/TestBinCmdSimple118 b/e2e/testdata/snapshots/TestBinCmdSimple118
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:00000000-0000-0000-0000-000000000000" version="1">
+  <metadata>
+    <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
+      <name>testmod-simple</name>
+      <version>v0.0.0-20210716183230-c7ea7c975ab8</version>
+      <purl>pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module</purl>
+    </component>
+    <properties>
+      <property name="cdx:gomod:binary:hash:MD5">2c07cd14d44d6755840ac54352af3b8e</property>
+      <property name="cdx:gomod:binary:hash:SHA-1">8118611f54381a50ecf93426c634cd2f252a43d9</property>
+      <property name="cdx:gomod:binary:hash:SHA-256">6cbded365fd60481e0590ea48e755a3707226b38e255ae9ad39c05acf1ef2e6d</property>
+      <property name="cdx:gomod:binary:hash:SHA-384">76386970bea6b0b8f3dd69d2fc0a73ec5e68a13f7223840bf5bde7c089663f163114daec07d2f127c543b45be40ddf85</property>
+      <property name="cdx:gomod:binary:hash:SHA-512">d46e44061199deb900cfed6087db53741a03659a478e4ba3179dedd6bfe322664c18383ccbad0b8185d507717f67e31038d54dfd612718f8ea50038ce516b32e</property>
+      <property name="cdx:gomod:binary:name">simple1.18</property>
+      <property name="cdx:gomod:build:compiler">gc</property>
+      <property name="cdx:gomod:build:env:CGO_ENABLED">1</property>
+      <property name="cdx:gomod:build:env:GOARCH">amd64</property>
+      <property name="cdx:gomod:build:env:GOOS">linux</property>
+      <property name="cdx:gomod:build:env:GOVERSION">go1.18-36be0be</property>
+      <property name="cdx:gomod:build:vcs">git</property>
+      <property name="cdx:gomod:build:vcs:modified">false</property>
+      <property name="cdx:gomod:build:vcs:revision">c7ea7c975ab86e174b22b585c63b43bcc86e8772</property>
+      <property name="cdx:gomod:build:vcs:time">2021-07-16T18:32:30Z</property>
+    </properties>
+  </metadata>
+  <components>
+    <component bom-ref="pkg:golang/github.com/google/uuid@v1.2.0?type=module" type="library">
+      <name>github.com/google/uuid</name>
+      <version>v1.2.0</version>
+      <scope>required</scope>
+      <hashes>
+        <hash alg="SHA-256">a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b</hash>
+      </hashes>
+      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module</purl>
+      <externalReferences>
+        <reference type="vcs">
+          <url>https://github.com/google/uuid</url>
+        </reference>
+      </externalReferences>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module">
+      <dependency ref="pkg:golang/github.com/google/uuid@v1.2.0?type=module"></dependency>
+    </dependency>
+    <dependency ref="pkg:golang/github.com/google/uuid@v1.2.0?type=module"></dependency>
+  </dependencies>
+  <compositions>
+    <composition>
+      <aggregate>complete</aggregate>
+      <dependencies>
+        <dependency ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module"></dependency>
+      </dependencies>
+    </composition>
+    <composition>
+      <aggregate>unknown</aggregate>
+      <dependencies>
+        <dependency ref="pkg:golang/github.com/google/uuid@v1.2.0?type=module"></dependency>
+      </dependencies>
+    </composition>
+  </compositions>
+</bom>
diff --git a/e2e/testdata/snapshots/TestBinCmdSimpleAssertLicenses b/e2e/testdata/snapshots/TestBinCmdSimpleAssertLicenses
@@ -7,12 +7,13 @@
       <purl>pkg:golang/testmod-simple@v1.0.0?type=module</purl>
     </component>
     <properties>
-      <property name="cdx:gomod:binary:name">simple</property>
       <property name="cdx:gomod:binary:hash:MD5">f2bd20870a0bc20bef23facd73a1fd21</property>
       <property name="cdx:gomod:binary:hash:SHA-1">eaff83601ad04f88d8f44b7acd97201932e8037e</property>
       <property name="cdx:gomod:binary:hash:SHA-256">2fad71e51c9d4d892036bf253a65b4555c6b72a0a0e2a4b3a1a8c47ca5e5272a</property>
       <property name="cdx:gomod:binary:hash:SHA-384">cff5f2a077c59e66f1862759212720fa74f4c2ccc81eb3c0ed93155be4b52a8659eb7d79e7ac174cc997b5fe5a5333e0</property>
       <property name="cdx:gomod:binary:hash:SHA-512">e678f2af01315f382e62260a30485ae23307d33615b1d1661c86c07a0468d676398955e8ebc0efca25b17de01eb167d628780ca4b5f768588d64c0b5761773a4</property>
+      <property name="cdx:gomod:binary:name">simple</property>
+      <property name="cdx:gomod:build:env:GOVERSION">go1.16.7</property>
     </properties>
   </metadata>
   <components>

diff --git a/examples/app_minikube-v1.23.1.bom.json b/examples/app_minikube-v1.23.1.bom.json
@@ -1,35 +1,35 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:62830ae1-12d7-4292-8cb7-2b19f0406486",
+  "serialNumber": "urn:uuid:c953057f-3b8e-466b-9236-f03bd6c3f74d",
   "version": 1,
   "metadata": {
-    "timestamp": "2021-11-21T17:49:25Z",
+    "timestamp": "2021-12-03T20:53:02Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20211121184656-d2b30765db22",
+        "version": "v0.0.0-20211203214651-0a82e7b8663b",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "4590986b6f4f678a59023a0a0fe4b090"
+            "content": "82039e340a3aea1eb00dd867fd6d2d1b"
           },
           {
             "alg": "SHA-1",
-            "content": "35398c4096d5a5ac7fe934240027cc59261afea6"
+            "content": "ae403e5f2b9c9051e2b4d22feb1f6016ce8f9bf9"
           },
           {
             "alg": "SHA-256",
-            "content": "13d6933984a9adf998265588aaf783bb88c8980662dc7d99245ecb267e70e437"
+            "content": "4c793f79d0c89dc7d450d999e6ae36b59c350d499d6cb6b466557741273035d2"
           },
           {
             "alg": "SHA-384",
-            "content": "71b188febd6a61f1cb6ffbb3cf8b8915379a33c31def28a0cc53494c90970829a38b6383fabf7e688a17b658cba0d57a"
+            "content": "295eee5246caee06bbb8e626f26fb01a1026942db2cc960a37c1d57b7a7584c29675110e831b60ae212e8a0a46ce0289"
           },
           {
             "alg": "SHA-512",
-            "content": "51cd552a78b140a7cf1464385a37b1ca7e5e4eac91a912a5265d680adbbaaba4bd51b4595814569d6c8e76e4197bbd8ce49e50402f9a2b85f87178f99a1e82ae"
+            "content": "0e755e188c5d840f7a3fc2d438f33a01cf161005348edfa0d2e8f5ce625ff386f8dd38ce3a981e81d9b6392ad846560e25c7bd8ce3a707191408f26ba36b7898"
           }
         ]
       }

diff --git a/examples/app_minikube-v1.23.1_with-files.bom.json b/examples/app_minikube-v1.23.1_with-files.bom.json
@@ -1,35 +1,35 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:8fd0065d-01bd-4894-bf4b-43f4aafa5dae",
+  "serialNumber": "urn:uuid:676889ec-9ee2-4828-9da3-d8a634212f9e",
   "version": 1,
   "metadata": {
-    "timestamp": "2021-11-21T17:49:40Z",
+    "timestamp": "2021-12-03T20:53:17Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20211121184656-d2b30765db22",
+        "version": "v0.0.0-20211203214651-0a82e7b8663b",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "4590986b6f4f678a59023a0a0fe4b090"
+            "content": "82039e340a3aea1eb00dd867fd6d2d1b"
           },
           {
             "alg": "SHA-1",
-            "content": "35398c4096d5a5ac7fe934240027cc59261afea6"
+            "content": "ae403e5f2b9c9051e2b4d22feb1f6016ce8f9bf9"
           },
           {
             "alg": "SHA-256",
-            "content": "13d6933984a9adf998265588aaf783bb88c8980662dc7d99245ecb267e70e437"
+            "content": "4c793f79d0c89dc7d450d999e6ae36b59c350d499d6cb6b466557741273035d2"
           },
           {
             "alg": "SHA-384",
-            "content": "71b188febd6a61f1cb6ffbb3cf8b8915379a33c31def28a0cc53494c90970829a38b6383fabf7e688a17b658cba0d57a"
+            "content": "295eee5246caee06bbb8e626f26fb01a1026942db2cc960a37c1d57b7a7584c29675110e831b60ae212e8a0a46ce0289"
           },
           {
             "alg": "SHA-512",
-            "content": "51cd552a78b140a7cf1464385a37b1ca7e5e4eac91a912a5265d680adbbaaba4bd51b4595814569d6c8e76e4197bbd8ce49e50402f9a2b85f87178f99a1e82ae"
+            "content": "0e755e188c5d840f7a3fc2d438f33a01cf161005348edfa0d2e8f5ce625ff386f8dd38ce3a981e81d9b6392ad846560e25c7bd8ce3a707191408f26ba36b7898"
           }
         ]
       }

diff --git a/examples/app_minikube-v1.23.1_with-packages.bom.json b/examples/app_minikube-v1.23.1_with-packages.bom.json
@@ -1,35 +1,35 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:6427c91c-530e-42c5-887a-97e192f8d05c",
+  "serialNumber": "urn:uuid:e610f0d9-9d3b-44b6-ba93-ae151e42b8ec",
   "version": 1,
   "metadata": {
-    "timestamp": "2021-11-21T17:49:32Z",
+    "timestamp": "2021-12-03T20:53:10Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20211121184656-d2b30765db22",
+        "version": "v0.0.0-20211203214651-0a82e7b8663b",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "4590986b6f4f678a59023a0a0fe4b090"
+            "content": "82039e340a3aea1eb00dd867fd6d2d1b"
           },
           {
             "alg": "SHA-1",
-            "content": "35398c4096d5a5ac7fe934240027cc59261afea6"
+            "content": "ae403e5f2b9c9051e2b4d22feb1f6016ce8f9bf9"
           },
           {
             "alg": "SHA-256",
-            "content": "13d6933984a9adf998265588aaf783bb88c8980662dc7d99245ecb267e70e437"
+            "content": "4c793f79d0c89dc7d450d999e6ae36b59c350d499d6cb6b466557741273035d2"
           },
           {
             "alg": "SHA-384",
-            "content": "71b188febd6a61f1cb6ffbb3cf8b8915379a33c31def28a0cc53494c90970829a38b6383fabf7e688a17b658cba0d57a"
+            "content": "295eee5246caee06bbb8e626f26fb01a1026942db2cc960a37c1d57b7a7584c29675110e831b60ae212e8a0a46ce0289"
           },
           {
             "alg": "SHA-512",
-            "content": "51cd552a78b140a7cf1464385a37b1ca7e5e4eac91a912a5265d680adbbaaba4bd51b4595814569d6c8e76e4197bbd8ce49e50402f9a2b85f87178f99a1e82ae"
+            "content": "0e755e188c5d840f7a3fc2d438f33a01cf161005348edfa0d2e8f5ce625ff386f8dd38ce3a981e81d9b6392ad846560e25c7bd8ce3a707191408f26ba36b7898"
           }
         ]
       }

diff --git a/examples/bin_minikube-v1.23.1.bom.json b/examples/bin_minikube-v1.23.1.bom.json
@@ -1,45 +1,45 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:aeb3b709-40dd-48d3-93b7-2e9c11f62c41",
+  "serialNumber": "urn:uuid:031ac368-f610-48f4-98a3-8d37af0b7f88",
   "version": 1,
   "metadata": {
-    "timestamp": "2021-11-21T17:50:22Z",
+    "timestamp": "2021-12-03T20:54:00Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20211121184656-d2b30765db22",
+        "version": "v0.0.0-20211203214651-0a82e7b8663b",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "4590986b6f4f678a59023a0a0fe4b090"
+            "content": "82039e340a3aea1eb00dd867fd6d2d1b"
           },
           {
             "alg": "SHA-1",
-            "content": "35398c4096d5a5ac7fe934240027cc59261afea6"
+            "content": "ae403e5f2b9c9051e2b4d22feb1f6016ce8f9bf9"
           },
           {
             "alg": "SHA-256",
-            "content": "13d6933984a9adf998265588aaf783bb88c8980662dc7d99245ecb267e70e437"
+            "content": "4c793f79d0c89dc7d450d999e6ae36b59c350d499d6cb6b466557741273035d2"
           },
           {
             "alg": "SHA-384",
-            "content": "71b188febd6a61f1cb6ffbb3cf8b8915379a33c31def28a0cc53494c90970829a38b6383fabf7e688a17b658cba0d57a"
+            "content": "295eee5246caee06bbb8e626f26fb01a1026942db2cc960a37c1d57b7a7584c29675110e831b60ae212e8a0a46ce0289"
           },
           {
             "alg": "SHA-512",
-            "content": "51cd552a78b140a7cf1464385a37b1ca7e5e4eac91a912a5265d680adbbaaba4bd51b4595814569d6c8e76e4197bbd8ce49e50402f9a2b85f87178f99a1e82ae"
+            "content": "0e755e188c5d840f7a3fc2d438f33a01cf161005348edfa0d2e8f5ce625ff386f8dd38ce3a981e81d9b6392ad846560e25c7bd8ce3a707191408f26ba36b7898"
           }
         ]
       }
     ],
     "component": {
-      "bom-ref": "pkg:golang/k8s.io/minikube@v1.23.1?type=module",
+      "bom-ref": "pkg:golang/k8s.io/minikube@v1.23.1?type=module#cmd/minikube",
       "type": "application",
       "name": "k8s.io/minikube",
       "version": "v1.23.1",
-      "purl": "pkg:golang/k8s.io/minikube@v1.23.1?type=module",
+      "purl": "pkg:golang/k8s.io/minikube@v1.23.1?type=module#cmd/minikube",
       "evidence": {
         "licenses": [
           {
@@ -51,10 +51,6 @@
       }
     },
     "properties": [
-      {
-        "name": "cdx:gomod:binary:name",
-        "value": "minikube-linux-amd64"
-      },
       {
         "name": "cdx:gomod:binary:hash:MD5",
         "value": "f346763ab6291f331b7645bad6809900"
@@ -74,6 +70,14 @@
       {
         "name": "cdx:gomod:binary:hash:SHA-512",
         "value": "99c248202a757e3f936b92e97d023b01172971c4af8c282f60307bd1f1250d5dd79668cc9c3a033d660bf225425f430cddb3fbf31d0c0d32a6ecb8d8aba395e0"
+      },
+      {
+        "name": "cdx:gomod:binary:name",
+        "value": "minikube-linux-amd64"
+      },
+      {
+        "name": "cdx:gomod:build:env:GOVERSION",
+        "value": "go1.17"
       }
     ]
   },
@@ -3799,7 +3803,7 @@
   ],
   "dependencies": [
     {
-      "ref": "pkg:golang/k8s.io/minikube@v1.23.1?type=module",
+      "ref": "pkg:golang/k8s.io/minikube@v1.23.1?type=module#cmd/minikube",
       "dependsOn": [
         "pkg:golang/cloud.google.com/go@v0.93.3?type=module",
         "pkg:golang/cloud.google.com/go/storage@v1.16.1?type=module",
@@ -4356,7 +4360,7 @@
     {
       "aggregate": "complete",
       "dependencies": [
-        "pkg:golang/k8s.io/minikube@v1.23.1?type=module"
+        "pkg:golang/k8s.io/minikube@v1.23.1?type=module#cmd/minikube"
       ]
     },
     {

diff --git a/examples/mod_minikube-v1.23.1.bom.json b/examples/mod_minikube-v1.23.1.bom.json
@@ -1,35 +1,35 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.3",
-  "serialNumber": "urn:uuid:d4617720-40ed-456d-bf74-920435f14044",
+  "serialNumber": "urn:uuid:a3ed0790-489d-43fb-bd9f-98811663ae10",
   "version": 1,
   "metadata": {
-    "timestamp": "2021-11-21T17:50:04Z",
+    "timestamp": "2021-12-03T20:53:43Z",
     "tools": [
       {
         "vendor": "CycloneDX",
         "name": "cyclonedx-gomod",
-        "version": "v0.0.0-20211121184656-d2b30765db22",
+        "version": "v0.0.0-20211203214651-0a82e7b8663b",
         "hashes": [
           {
             "alg": "MD5",
-            "content": "4590986b6f4f678a59023a0a0fe4b090"
+            "content": "82039e340a3aea1eb00dd867fd6d2d1b"
           },
           {
             "alg": "SHA-1",
-            "content": "35398c4096d5a5ac7fe934240027cc59261afea6"
+            "content": "ae403e5f2b9c9051e2b4d22feb1f6016ce8f9bf9"
           },
           {
             "alg": "SHA-256",
-            "content": "13d6933984a9adf998265588aaf783bb88c8980662dc7d99245ecb267e70e437"
+            "content": "4c793f79d0c89dc7d450d999e6ae36b59c350d499d6cb6b466557741273035d2"
           },
           {
             "alg": "SHA-384",
-            "content": "71b188febd6a61f1cb6ffbb3cf8b8915379a33c31def28a0cc53494c90970829a38b6383fabf7e688a17b658cba0d57a"
+            "content": "295eee5246caee06bbb8e626f26fb01a1026942db2cc960a37c1d57b7a7584c29675110e831b60ae212e8a0a46ce0289"
           },
           {
             "alg": "SHA-512",
-            "content": "51cd552a78b140a7cf1464385a37b1ca7e5e4eac91a912a5265d680adbbaaba4bd51b4595814569d6c8e76e4197bbd8ce49e50402f9a2b85f87178f99a1e82ae"
+            "content": "0e755e188c5d840f7a3fc2d438f33a01cf161005348edfa0d2e8f5ce625ff386f8dd38ce3a981e81d9b6392ad846560e25c7bd8ce3a707191408f26ba36b7898"
           }
         ]
       }