Clearing Go main module version makes creating a CycloneDX 1.3 JSON document difficult

[ryanmoran]

One of the minor changes between CycloneDX JSON 1.3 and 1.4 is that the requirement of the version field for a component has been removed.

Additionally, there was a recent set of changes that resulted in the decision to convert a Go main modules' version from the value reported by Go, (devel), to an empty string.

syft/syft/pkg/cataloger/golang/parse_go_bin.go

Line 32 in 25bf679

main.Version = ""

Unfortunately, we are now in a state where generating a CycloneDX JSON 1.3 document from the latest codebase means we need to reverse engineer whether the package we are looking at is the main module by looking for the presence of build settings. This feels like a kludge.

Would it be possible to consider a value other than empty string in this case? Maybe latest?

[spiffcs]

@jonasagx I tagged you on this issue since I saw you had done a lot of deep work on #894

[luhring]

Hi @ryanmoran, I agree, we should be explicit about whether a given package is a main module. We're tracking that in #908:

This output doesn't explicitly communicate to users [...] whether a given package is a main module or not

IMHO, I think Syft should be explicit about whether a module is the main module, rather than communicate this through a particular version value.

---

Re: the removal of the version field, it looks like the CycloneDX library has set the version field to omitempty, so it disappears when we use an empty string value.

At the moment, I can't think of a better solution here than to put back the (devel) value in these cases (meaning, read this value "as is" from the buildinfo section).