Extract go module versions from ldflags for binaries built by go (anc…

…hore#1832) * wip Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * with golang bin ldflags refactor Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add test for golang binary cataloger for ldflag extraction Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove binary classfiers that overlap with new go ldflags detection Signed-off-by: Alex Goodman <alex.goodman@anchore.com> --------- Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
GijsCalis · May 23, 2023 · 5f7c791 · 5f7c791
1 parent c104ec9
commit 5f7c791
Show file tree

Hide file tree

Showing 6 changed files with 329 additions and 176 deletions.
diff --git a/syft/pkg/cataloger/binary/cataloger_test.go b/syft/pkg/cataloger/binary/cataloger_test.go
@@ -239,30 +239,6 @@ func Test_Cataloger_DefaultClassifiers_PositiveCases(t *testing.T) {
 				Metadata:  metadata("redis-binary"),
 			},
 		},
-		{
-			name:       "positive-argocd-2.5.11",
-			fixtureDir: "test-fixtures/classifiers/dynamic/argocd-2.5.11",
-			expected: pkg.Package{
-				Name:      "argocd",
-				Version:   "2.5.11",
-				Type:      "binary",
-				PURL:      "pkg:golang/github.com/argoproj/argo-cd@2.5.11",
-				Locations: locations("argocd"),
-				Metadata:  metadata("argocd"),
-			},
-		},
-		{
-			name:       "positive-argocd-2.6.4",
-			fixtureDir: "test-fixtures/classifiers/dynamic/argocd-2.6.4",
-			expected: pkg.Package{
-				Name:      "argocd",
-				Version:   "2.6.4",
-				Type:      "binary",
-				PURL:      "pkg:golang/github.com/argoproj/argo-cd@2.6.4",
-				Locations: locations("argocd"),
-				Metadata:  metadata("argocd"),
-			},
-		},
 		{
 			name:       "positive-helm-3.11.1",
 			fixtureDir: "test-fixtures/classifiers/dynamic/helm-3.11.1",
@@ -287,66 +263,6 @@ func Test_Cataloger_DefaultClassifiers_PositiveCases(t *testing.T) {
 				Metadata:  metadata("helm"),
 			},
 		},
-		{
-			name:       "positive-kubectl-1.24.11",
-			fixtureDir: "test-fixtures/classifiers/dynamic/kubectl-1.24.11",
-			expected: pkg.Package{
-				Name:      "kubectl",
-				Version:   "1.24.11",
-				Type:      "binary",
-				PURL:      "pkg:golang/k8s.io/kubectl@1.24.11",
-				Locations: locations("kubectl"),
-				Metadata:  metadata("kubectl"),
-			},
-		},
-		{
-			name:       "positive-kubectl-1.25.7",
-			fixtureDir: "test-fixtures/classifiers/dynamic/kubectl-1.25.7",
-			expected: pkg.Package{
-				Name:      "kubectl",
-				Version:   "1.25.7",
-				Type:      "binary",
-				PURL:      "pkg:golang/k8s.io/kubectl@1.25.7",
-				Locations: locations("kubectl"),
-				Metadata:  metadata("kubectl"),
-			},
-		},
-		{
-			name:       "positive-kubectl-1.26.2",
-			fixtureDir: "test-fixtures/classifiers/dynamic/kubectl-1.26.2",
-			expected: pkg.Package{
-				Name:      "kubectl",
-				Version:   "1.26.2",
-				Type:      "binary",
-				PURL:      "pkg:golang/k8s.io/kubectl@1.26.2",
-				Locations: locations("kubectl"),
-				Metadata:  metadata("kubectl"),
-			},
-		},
-		{
-			name:       "positive-kustomize-4.5.7",
-			fixtureDir: "test-fixtures/classifiers/dynamic/kustomize-4.5.7",
-			expected: pkg.Package{
-				Name:      "kustomize",
-				Version:   "4.5.7",
-				Type:      "binary",
-				PURL:      "pkg:golang/sigs.k8s.io/kustomize@4.5.7",
-				Locations: locations("kustomize"),
-				Metadata:  metadata("kustomize"),
-			},
-		},
-		{
-			name:       "positive-kustomize-5.0.0",
-			fixtureDir: "test-fixtures/classifiers/dynamic/kustomize-5.0.0",
-			expected: pkg.Package{
-				Name:      "kustomize",
-				Version:   "5.0.0",
-				Type:      "binary",
-				PURL:      "pkg:golang/sigs.k8s.io/kustomize@5.0.0",
-				Locations: locations("kustomize"),
-				Metadata:  metadata("kustomize"),
-			},
-		},
 		{
 			name:       "positive-redis-4.0.11",
 			fixtureDir: "test-fixtures/classifiers/positive/redis-server-4.0.11",

diff --git a/syft/pkg/cataloger/binary/default_classifiers.go b/syft/pkg/cataloger/binary/default_classifiers.go
@@ -46,15 +46,6 @@ var defaultClassifiers = []classifier{
 		PURL:    mustPURL("pkg:generic/go@version"),
 		CPEs:    singleCPE("cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*"),
 	},
-	{
-		Class:    "argocd",
-		FileGlob: "**/argocd",
-		EvidenceMatcher: fileContentsVersionMatcher(
-			`(?m)common\.version=(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
-		Package: "argocd",
-		PURL:    mustPURL("pkg:golang/github.com/argoproj/argo-cd@version"),
-		CPEs:    singleCPE("cpe:2.3:a:argoproj:argocd:*:*:*:*:*:*:*"),
-	},
 	{
 		Class:    "helm",
 		FileGlob: "**/helm",
@@ -64,24 +55,6 @@ var defaultClassifiers = []classifier{
 		PURL:    mustPURL("pkg:golang/helm.sh/helm@version"),
 		CPEs:    singleCPE("cpe:2.3:a:helm:helm:*:*:*:*:*:*:*"),
 	},
-	{
-		Class:    "kustomize",
-		FileGlob: "**/kustomize",
-		EvidenceMatcher: fileContentsVersionMatcher(
-			`(?m)version=kustomize/v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
-		Package: "kustomize",
-		PURL:    mustPURL("pkg:golang/sigs.k8s.io/kustomize@version"),
-		CPEs:    singleCPE("cpe:2.3:a:kustomize:kustomize:*:*:*:*:*:*:*"),
-	},
-	{
-		Class:    "kubectl",
-		FileGlob: "**/kubectl",
-		EvidenceMatcher: fileContentsVersionMatcher(
-			`(?m)\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00`),
-		Package: "kubectl",
-		PURL:    mustPURL("pkg:golang/k8s.io/kubectl@version"),
-		CPEs:    singleCPE("cpe:2.3:a:kubectl:kubectl:*:*:*:*:*:*:*"),
-	},
 	{
 		Class:    "redis-binary",
 		FileGlob: "**/redis-server",

diff --git a/syft/pkg/cataloger/binary/test-fixtures/Makefile b/syft/pkg/cataloger/binary/test-fixtures/Makefile
@@ -7,15 +7,8 @@ all: \
 	classifiers/dynamic/ruby-library-3.2.1 \
 	classifiers/dynamic/ruby-library-2.7.7 \
 	classifiers/dynamic/ruby-library-2.6.10 \
-	classifiers/dynamic/argocd-2.5.11 \
-	classifiers/dynamic/argocd-2.6.4 \
 	classifiers/dynamic/helm-3.11.1 \
 	classifiers/dynamic/helm-3.10.3 \
-	classifiers/dynamic/kubectl-1.24.11 \
-	classifiers/dynamic/kubectl-1.25.7 \
-	classifiers/dynamic/kubectl-1.26.2 \
-	classifiers/dynamic/kustomize-4.5.7 \
-	classifiers/dynamic/kustomize-5.0.0 \
 	classifiers/dynamic/consul-1.15.2
 
 
@@ -89,18 +82,6 @@ classifiers/dynamic/ruby-library-2.6.10:
 		/usr/local/lib/libruby.so.2.6 \
 		$@/libruby.so.2.6
 
-classifiers/dynamic/argocd-2.5.11:
-	$(eval $@_image := "argoproj/argocd:v2.5.11@sha256:d1062935b3256ec69422843ebcb50debb54fd389436961586000c8ce6ee7f249")
-	./get-image-file.sh $($@_image) \
-		/usr/local/bin/argocd \
-		$@/argocd
-
-classifiers/dynamic/argocd-2.6.4:
-	$(eval $@_image := "argoproj/argocd:v2.6.4@sha256:61fcbba187ff53c00696cb580edf70cada59c45cf399d8477631acf43cf522ee")
-	./get-image-file.sh $($@_image) \
-		/usr/local/bin/argocd \
-		$@/argocd
-
 classifiers/dynamic/helm-3.11.1:
 	$(eval $@_image := "alpine/helm:3.11.1@sha256:8628e3695fb743a8b9de89626f1b7a221280c2152c0e288c2504e59b68233e8b")
 	./get-image-file.sh $($@_image) \
@@ -113,36 +94,6 @@ classifiers/dynamic/helm-3.10.3:
 		/usr/local/bin/helm \
 		$@/helm
 
-classifiers/dynamic/kubectl-1.24.11:
-	$(eval $@_image := "bitnami/kubectl:1.24.11@sha256:79d60c5ac8a1dc84e2c39f56d8e8cc0053159b5ed88f283bdf8fbda1ee86c8bc")
-	./get-image-file.sh $($@_image) \
-		/opt/bitnami/kubectl/bin/kubectl \
-		$@/kubectl
-
-classifiers/dynamic/kubectl-1.25.7:
-	$(eval $@_image := "bitnami/kubectl:1.25.7@sha256:d7b00dbfdc6d8890aefe40edfb6c1d4c90cbb6c978794bb51a21744edc34ba7a")
-	./get-image-file.sh $($@_image) \
-		/opt/bitnami/kubectl/bin/kubectl \
-		$@/kubectl
-
-classifiers/dynamic/kubectl-1.26.2:
-	$(eval $@_image := "line/kubectl-kustomize:1.26.2-5.0.0@sha256:9ee3b4a9a21f0777fc1d8c64208290f818a2e68c5e9e892e931621bda089bf06")
-	./get-image-file.sh $($@_image) \
-		/usr/local/bin/kubectl \
-		$@/kubectl
-
-classifiers/dynamic/kustomize-4.5.7:
-	$(eval $@_image := "argoproj/argocd:v2.6.4@sha256:61fcbba187ff53c00696cb580edf70cada59c45cf399d8477631acf43cf522ee")
-	./get-image-file.sh $($@_image) \
-		/usr/local/bin/kustomize \
-		$@/kustomize
-
-classifiers/dynamic/kustomize-5.0.0:
-	$(eval $@_image := "line/kubectl-kustomize:1.26.2-5.0.0@sha256:9ee3b4a9a21f0777fc1d8c64208290f818a2e68c5e9e892e931621bda089bf06")
-	./get-image-file.sh $($@_image) \
-		/usr/local/bin/kustomize \
-		$@/kustomize
-
 classifiers/dynamic/consul-1.15.2:
 	$(eval $@_image := "hashicorp/consul:1.15.2@sha256:c2169f3bb18dd947ae8eb5f6766896695c71fb439f050a3343e0007d895615b8")
 	./get-image-file.sh $($@_image) \

diff --git a/syft/pkg/cataloger/golang/package.go b/syft/pkg/cataloger/golang/package.go
@@ -18,7 +18,7 @@ func (c *goBinaryCataloger) newGoBinaryPackage(resolver source.FileResolver, dep
 
 	licenses, err := c.licenses.getLicenses(resolver, dep.Path, dep.Version)
 	if err != nil {
-		log.Tracef("error getting licenses for package: %s %v", dep.Path, err)
+		log.Tracef("error getting licenses for golang package: %s %v", dep.Path, err)
 	}
 
 	p := pkg.Package{

diff --git a/syft/pkg/cataloger/golang/parse_go_binary.go b/syft/pkg/cataloger/golang/parse_go_binary.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"regexp"
 	"runtime/debug"
 	"strings"
 	"time"
@@ -34,6 +35,11 @@ var (
 	// devel is used to recognize the current default version when a golang main distribution is built
 	// https://github.com/golang/go/issues/29228 this issue has more details on the progress of being able to
 	// inject the correct version into the main module of the build process
+
+	knownBuildFlagPatterns = []*regexp.Regexp{
+		regexp.MustCompile(`(?m)\.([gG]it)?([bB]uild)?[vV]ersion=(\S+/)*(?P<version>v?\d+.\d+.\d+[-\w]*)`),
+		regexp.MustCompile(`(?m)\.([tT]ag)=(\S+/)*(?P<version>v?\d+.\d+.\d+[-\w]*)`),
+	}
 )
 
 const devel = "(devel)"
@@ -71,27 +77,82 @@ func (c *goBinaryCataloger) makeGoMainPackage(resolver source.FileResolver, mod
 		gbs,
 		location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
 	)
-	if main.Version == devel {
-		if version, ok := gbs["vcs.revision"]; ok {
-			if timestamp, ok := gbs["vcs.time"]; ok {
-				//NOTE: err is ignored, because if parsing fails
-				// we still use the empty Time{} struct to generate an empty date, like 00010101000000
-				// for consistency with the pseudo-version format: https://go.dev/ref/mod#pseudo-versions
-				ts, _ := time.Parse(time.RFC3339, timestamp)
-				if len(version) >= 12 {
-					version = version[:12]
-				}
-				version = module.PseudoVersion("", "", ts, version)
+
+	if main.Version != devel {
+		return main
+	}
+
+	version, hasVersion := gbs["vcs.revision"]
+	timestamp, hasTimestamp := gbs["vcs.time"]
+
+	if hasVersion {
+		if hasTimestamp {
+			//NOTE: err is ignored, because if parsing fails
+			// we still use the empty Time{} struct to generate an empty date, like 00010101000000
+			// for consistency with the pseudo-version format: https://go.dev/ref/mod#pseudo-versions
+			ts, _ := time.Parse(time.RFC3339, timestamp)
+			if len(version) >= 12 {
+				version = version[:12]
+			}
+
+			var ldflags string
+			if metadata, ok := main.Metadata.(pkg.GolangBinMetadata); ok {
+				ldflags = metadata.BuildSettings["-ldflags"]
+			}
+
+			majorVersion, fullVersion := extractVersionFromLDFlags(ldflags)
+			if fullVersion != "" {
+				// we've found a specific version from the ldflags! use it as the version.
+				// why not combine that with the pseudo version (e.g. v1.2.3-0.20210101000000-abcdef123456)?
+				// short answer: we're assuming that if a specific semver was provided in the ldflags that
+				// there is a matching vcs tag to match that could be referenced. This assumption could
+				// be incorrect in terms of the go.mod contents, but is not incorrect in terms of the logical
+				// version of the package.
+				version = fullVersion
+			} else {
+				version = module.PseudoVersion(majorVersion, fullVersion, ts, version)
 			}
-			main.Version = version
-			main.PURL = packageURL(main.Name, main.Version)
-			main.SetID()
 		}
+
+		main.Version = version
+		main.PURL = packageURL(main.Name, main.Version)
+
+		main.SetID()
 	}
 
 	return main
 }
 
+func extractVersionFromLDFlags(ldflags string) (majorVersion string, fullVersion string) {
+	if ldflags == "" {
+		return "", ""
+	}
+
+	for _, pattern := range knownBuildFlagPatterns {
+		groups := internal.MatchNamedCaptureGroups(pattern, ldflags)
+		v, ok := groups["version"]
+
+		if !ok {
+			continue
+		}
+
+		fullVersion = v
+		if !strings.HasPrefix(v, "v") {
+			fullVersion = fmt.Sprintf("v%s", v)
+		}
+		components := strings.Split(v, ".")
+
+		if len(components) == 0 {
+			continue
+		}
+
+		majorVersion = strings.TrimPrefix(components[0], "v")
+		return majorVersion, fullVersion
+	}
+
+	return "", ""
+}
+
 // getArchs finds a binary architecture by two ways:
 // 1) reading build info from binaries compiled by go1.18+
 // 2) reading file headers from binaries compiled by < go1.18