Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
Modules information (runtime.modinfo) cannot be stripped from final binary #41895
What did you do?
Compiled a striped go binary.
What did you expect to see?
Module information stripped from the binary.
What did you see instead?
Go includes module information in the binary in runtime.modinfo.
$ go version -m hello hello: go1.14.2 path example.com/user/hello mod example.com/user/hello (devel) dep github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
In production environments, this kind of information can be used by attackers to target vulnerable dependencies. Consider allowing users to strip that information either through the current stripping flags or via a new flag.