
Handle GOEXPERIMENTs in go version #2893

Merged: 2 commits, May 25, 2024

Conversation

jonjohnsonjr (Contributor)

See anchore/grype#1851 for more context.

I was originally going to put this into scanFile, but the existing tests made it a little easier to test if I did it in parse_go_binary.go instead.

I've also tested this manually, before:

$ git checkout main && go install ./cmd/syft && syft ghcr.io/projectcontour/contour | grep stdlib
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
 ✔ Loaded image  ghcr.io/projectcontour/contour:latest
 ✔ Parsed image  sha256:3538357182affbd790c9ecaffc62c3022d8e2cc46816eaa8a8fb8acb1a82ad8b
 ✔ Cataloged contents  bd7b5d7ab8063fa560c1164fbfea7cb4d6b90cc61b534bc2720f34f80d18db18
   ├── ✔ Packages      [73 packages]
   └── ✔ Executables   [1 executables]
stdlib  go1.22.2 X:nocoverageredesign,noallocheaders,noexectracer2  go-module

And after:

$ git checkout go-experiments && go install ./cmd/syft && syft ghcr.io/projectcontour/contour | grep stdlib
Switched to branch 'go-experiments'
 ✔ Loaded image  ghcr.io/projectcontour/contour:latest
 ✔ Parsed image  sha256:3538357182affbd790c9ecaffc62c3022d8e2cc46816eaa8a8fb8acb1a82ad8b
 ✔ Cataloged contents  bd7b5d7ab8063fa560c1164fbfea7cb4d6b90cc61b534bc2720f34f80d18db18
   ├── ✔ Packages      [73 packages]
   └── ✔ Executables   [1 executables]
stdlib  go1.22.2  go-module

I can also confirm that after modifying grype to use my branch, it no longer emits a warning:

$ git diff | head
diff --git a/go.mod b/go.mod
index 4116608..2852d36 100644
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module github.com/anchore/grype

 go 1.21.1

+replace github.com/anchore/syft => ../syft
+
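Review bot: the `replace github.com/anchore/syft => ../syft` directive pins grype to a local checkout and is only suitable for the manual test shown here; it must not be committed to grype's go.mod, where the fix should arrive as a versioned `require` of a released syft instead. The `head` cutoff also drops the hunk's trailing context lines (the header `@@ -2,6 +2,8 @@` covers eight lines, only five are shown), so nothing beyond the two added lines can be checked from this excerpt.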

$ grype ghcr.io/projectcontour/contour
 ✔ Vulnerability DB                [updated]
 ✔ Loaded image  ghcr.io/projectcontour/contour:latest
 ✔ Parsed image  sha256:3538357182affbd790c9ecaffc62c3022d8e2cc46816eaa8a8fb8acb1a82ad8b
 ✔ Cataloged contents  bd7b5d7ab8063fa560c1164fbfea7cb4d6b90cc61b534bc2720f34f80d18db18
   ├── ✔ Packages      [73 packages]
   └── ✔ Executables   [1 executables]
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   0 fixed, 2 not-fixed, 0 ignored
NAME    INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY
stdlib  go1.22.2             go-module  CVE-2024-24788  Unknown
stdlib  go1.22.2             go-module  CVE-2024-24787  Unknown

Interestingly, grype still picks up these CVEs even without my change, so maybe this warning isn't all that necessary? I don't have a super firm grasp on how this works.

$ git checkout -- . && go install ./cmd/grype && grype ghcr.io/projectcontour/contour
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image  ghcr.io/projectcontour/contour:latest
 ✔ Parsed image  sha256:3538357182affbd790c9ecaffc62c3022d8e2cc46816eaa8a8fb8acb1a82ad8b
 ✔ Cataloged contents  bd7b5d7ab8063fa560c1164fbfea7cb4d6b90cc61b534bc2720f34f80d18db18
   ├── ✔ Packages      [73 packages]
   └── ✔ Executables   [1 executables]
 ✔ Scanned for vulnerabilities     [2 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   0 fixed, 2 not-fixed, 0 ignored
[0000]  WARN could not match by package language (package=Pkg(type=go-module, name=stdlib, version=go1.22.2 X:nocoverageredesign,noallocheaders,noexectracer2, upstreams=0)): matcher failed to parse version pkg="stdlib" ver="go1.22.2 X:nocoverageredesign,n
NAME    INSTALLED                                                   FIXED-IN  TYPE       VULNERABILITY   SEVERITY
stdlib  go1.22.2 X:nocoverageredesign,noallocheaders,noexectracer2            go-module  CVE-2024-24788  Unknown
stdlib  go1.22.2 X:nocoverageredesign,noallocheaders,noexectracer2            go-module  CVE-2024-24787  Unknown

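An added example, not syft's or grype's own code, of the normalization this PR describes: a Go binary built with GOEXPERIMENT embeds a version like `go1.22.2 X:nocoverageredesign,noallocheaders,noexectracer2`, and a version matcher needs the bare `go1.22.2`. The function names and the release-version regexp check are assumptions; the sample strings are taken from the PR description.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GoVersion holds a Go toolchain version split into the bare release
// version and the GOEXPERIMENT names that were active at build time.
type GoVersion struct {
	Version     string
	Experiments []string
}

// releaseVersion matches a bare release such as "go1.22.2" or "go1.22";
// anything else (devel builds, an unstripped experiment suffix) fails it.
var releaseVersion = regexp.MustCompile(`^go\d+\.\d+(\.\d+)?$`)

// parseGoVersion splits the " X:" experiment suffix that the toolchain
// appends to the embedded version when GOEXPERIMENT is set. The bare
// version is what a vulnerability matcher compares against; the experiment
// names are kept separately so the build information is not lost.
func parseGoVersion(raw string) GoVersion {
	raw = strings.TrimSpace(raw)
	version, suffix, found := strings.Cut(raw, " X:")
	if !found {
		return GoVersion{Version: raw}
	}
	var exps []string
	for _, e := range strings.Split(suffix, ",") {
		if e = strings.TrimSpace(e); e != "" {
			exps = append(exps, e)
		}
	}
	return GoVersion{Version: strings.TrimSpace(version), Experiments: exps}
}

// isReleaseVersion reports whether a version string is safe to hand to a
// matcher, i.e. normalization left a plain "goX.Y[.Z]" release.
func isReleaseVersion(v string) bool { return releaseVersion.MatchString(v) }

func main() {
	// Constructed samples: the stdlib version strings seen before and after the fix.
	for _, raw := range []string{
		"go1.22.2 X:nocoverageredesign,noallocheaders,noexectracer2",
		"go1.22.2",
	} {
		gv := parseGoVersion(raw)
		fmt.Printf("%q -> version=%q release=%v experiments=%v\n",
			raw, gv.Version, isReleaseVersion(gv.Version), gv.Experiments)
	}
}
```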
@wagoodman (Contributor)

I'm about to merge another PR that will cause a conflict -- I can go ahead and rebase this and get it in just after that 👍

jonjohnsonjr and others added 2 commits May 25, 2024 16:12
Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
@wagoodman (Contributor) left a comment


I rarely have experiments enabled, so this snuck by -- thanks for the fix 🙌 !

@wagoodman wagoodman enabled auto-merge (squash) May 25, 2024 20:15
@wagoodman wagoodman merged commit c314e05 into anchore:main May 25, 2024
11 checks passed
@wagoodman wagoodman added the bug Something isn't working label May 25, 2024
Labels
bug Something isn't working json-schema Changes the json schema