From ad640c4e6578757e3967d4871539f9a7b50f12e7 Mon Sep 17 00:00:00 2001 From: RTann Date: Thu, 14 Nov 2024 13:10:22 -0800 Subject: [PATCH] gobin: ignore flags in stdlib version Signed-off-by: RTann --- gobin/exe.go | 16 ++++++++++++---- gobin/gobin.go | 2 +- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/gobin/exe.go b/gobin/exe.go index 21bf612c6..ec9498de8 100644 --- a/gobin/exe.go +++ b/gobin/exe.go @@ -54,7 +54,11 @@ func toPackages(ctx context.Context, out *[]*claircore.Package, p string, r io.R // TODO(hank) The "go version" is documented as the toolchain that produced // the binary, which may be distinct from the version of the stdlib used? // Need to investigate. - runtimeVer, err := ParseVersion(strings.TrimPrefix(bi.GoVersion, "go")) + // GoVersion only documents "go1.19.2" as an example, but something like + // "go1.20.12 X:strictfipsruntime" has been seen in the wild, hence the call + // to [strings.Cut]. This is necessary for accurate vulnerability matching. + goVer, _, _ := strings.Cut(strings.TrimPrefix(bi.GoVersion, "go"), " ") + runtimeVer, err := ParseVersion(goVer) switch { case errors.Is(err, nil): case errors.Is(err, ErrInvalidSemVer): @@ -64,9 +68,13 @@ func toPackages(ctx context.Context, out *[]*claircore.Package, p string, r io.R } *out = append(*out, &claircore.Package{ - Kind: claircore.BINARY, - Name: "stdlib", - Version: bi.GoVersion, + Kind: claircore.BINARY, + Name: "stdlib", + // This was previously bi.GoVersion, + // but it must be changed to ensure an entry + // with the fixed NormalizedVersion is added to the + // package table without requiring a migration. + Version: goVer, PackageDB: pkgdb, Filepath: p, NormalizedVersion: runtimeVer, diff --git a/gobin/gobin.go b/gobin/gobin.go index 9b6c7defd..a2eb7ff82 100644 --- a/gobin/gobin.go +++ b/gobin/gobin.go @@ -35,7 +35,7 @@ type Detector struct{} const ( detectorName = `gobin` - detectorVersion = `5` + detectorVersion = `6` detectorKind = `package` )