x/vuln/cmd/govulncheck: unmask module versions in SBOM testdata #70523

Open
zpavlinovic opened this issue Nov 22, 2024 · 1 comment

zpavlinovic commented Nov 22, 2024

Go will soon release a feature where versions of the main module and dependencies built from an untagged or dirty commit produce a valid Go version. Before, those versions were (devel). The new change is already at Go tip, making some of the tests that expect the (devel) version fail. We currently mask the dirty versions with (devel) too, but when all builders' Go versions have this feature, we should just use the actual version.

@zpavlinovic zpavlinovic self-assigned this Nov 22, 2024
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 22, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 22, 2024
@zpavlinovic zpavlinovic changed the title x/vuln/cmd/govulncheck: unmask version of dependencies in SBOM x/vuln/cmd/govulncheck: unmask module versions in SBOM Nov 22, 2024
@zpavlinovic zpavlinovic changed the title x/vuln/cmd/govulncheck: unmask module versions in SBOM x/vuln/cmd/govulncheck: unmask module versions in SBOM testdata Nov 22, 2024
@gopherbot

Change https://go.dev/cl/632155 mentions this issue: cmd/govulncheck: better mask new (sbom) versions

gopherbot pushed a commit to golang/vuln that referenced this issue Nov 27, 2024
Using +dirty to match binary versions produced by new go build stamping
feature is not sufficient. In general, the build version will depend on
the git state and the vuln repo version. We hence only emit sbom
messages for the prebuild binaries.

Updates golang/go#70523

Change-Id: Id55307b4cef2af3f4ff4685bb34f001554fa4dd4
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/632155
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Cottrell <iancottrell@google.com>