Skip to content

Commit

Permalink
fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
Browse files Browse the repository at this point in the history 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
  • Loading branch information
@Rutam21 @DmitriyLewen
Rutam21 and DmitriyLewen authored Oct 31, 2024
1 parent 7882776 commit e872ec0
Show file tree
Hide file tree
Showing 23 changed files with 510 additions and 506 deletions.
8 changes: 4 additions & 4 deletions docs/docs/supply-chain/vex/file.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ $ cat <<EOF > trivy.vex.cdx
},
"affects": [
{
"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.234"
"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:golang/github.com/aws/aws-sdk-go@v1.44.234"
}
]
}
Expand Down Expand Up @@ -115,7 +115,7 @@ Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW │ 1.44.234 │ │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW │ v1.44.234 │ │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│ │ │ │ │ │ SDK for golang... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8912 │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
Expand Down Expand Up @@ -497,9 +497,9 @@ Now, suppose a VEX statement is issued for `Module B` as follows:
"vulnerability": {"name": "CVE-XXXX-YYYY"},
"products": [
{
"@id": "pkg:golang/module-b@1.0.0",
"@id": "pkg:golang/module-b@v1.0.0",
"subcomponents": [
{ "@id": "pkg:golang/module-c@2.0.0" }
{ "@id": "pkg:golang/module-c@v2.0.0" }
]
}
],
Expand Down
2 changes: 1 addition & 1 deletion integration/testdata/fixtures/vex/file/openvex.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
{
"@id": "pkg:golang/github.com/testdata/testdata",
"subcomponents": [
{ "@id": "pkg:golang/github.com/open-policy-agent/opa@0.35.0" }
{ "@id": "pkg:golang/github.com/open-policy-agent/opa@v0.35.0" }
]
}
],
Expand Down
24 changes: 12 additions & 12 deletions integration/testdata/gomod-skip.json.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "de19cd663ca047a8"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "9d949a7b01249e68"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand All @@ -53,10 +53,10 @@
"PkgID": "github.com/open-policy-agent/opa@v0.35.0",
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
"UID": "6b685002e082ffc5"
"PURL": "pkg:golang/github.com/open-policy-agent/opa@v0.35.0",
"UID": "e89e2b0d8977e2a"
},
"InstalledVersion": "0.35.0",
"InstalledVersion": "v0.35.0",
"FixedVersion": "0.37.0",
"Status": "fixed",
"Layer": {},
Expand Down Expand Up @@ -100,10 +100,10 @@
"PkgID": "golang.org/x/text@v0.3.6",
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/text@0.3.6",
"UID": "825dc613c0f39d45"
"PURL": "pkg:golang/golang.org/x/text@v0.3.6",
"UID": "3050088ce9eb2ce4"
},
"InstalledVersion": "0.3.6",
"InstalledVersion": "v0.3.6",
"FixedVersion": "0.3.7",
"Status": "fixed",
"Layer": {},
Expand Down Expand Up @@ -133,10 +133,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94376dc37054a7e8"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "2f7f0fa81860b8f1"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand Down
24 changes: 12 additions & 12 deletions integration/testdata/gomod-vex.json.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "de19cd663ca047a8"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "9d949a7b01249e68"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand All @@ -53,10 +53,10 @@
"PkgID": "golang.org/x/text@v0.3.6",
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/text@0.3.6",
"UID": "825dc613c0f39d45"
"PURL": "pkg:golang/golang.org/x/text@v0.3.6",
"UID": "3050088ce9eb2ce4"
},
"InstalledVersion": "0.3.6",
"InstalledVersion": "v0.3.6",
"FixedVersion": "0.3.7",
"Status": "fixed",
"Layer": {},
Expand Down Expand Up @@ -86,10 +86,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94376dc37054a7e8"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "2f7f0fa81860b8f1"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand Down Expand Up @@ -120,10 +120,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94306cdcf85fb50a"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "3ad40723ed2fce22"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand Down
30 changes: 15 additions & 15 deletions integration/testdata/gomod.json.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "de19cd663ca047a8"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "9d949a7b01249e68"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand All @@ -53,10 +53,10 @@
"PkgID": "github.com/open-policy-agent/opa@v0.35.0",
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
"UID": "6b685002e082ffc5"
"PURL": "pkg:golang/github.com/open-policy-agent/opa@v0.35.0",
"UID": "e89e2b0d8977e2a"
},
"InstalledVersion": "0.35.0",
"InstalledVersion": "v0.35.0",
"FixedVersion": "0.37.0",
"Status": "fixed",
"Layer": {},
Expand Down Expand Up @@ -100,10 +100,10 @@
"PkgID": "golang.org/x/text@v0.3.6",
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/text@0.3.6",
"UID": "825dc613c0f39d45"
"PURL": "pkg:golang/golang.org/x/text@v0.3.6",
"UID": "3050088ce9eb2ce4"
},
"InstalledVersion": "0.3.6",
"InstalledVersion": "v0.3.6",
"FixedVersion": "0.3.7",
"Status": "fixed",
"Layer": {},
Expand Down Expand Up @@ -133,10 +133,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94376dc37054a7e8"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "2f7f0fa81860b8f1"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand Down Expand Up @@ -167,10 +167,10 @@
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
"UID": "94306cdcf85fb50a"
"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
"UID": "3ad40723ed2fce22"
},
"InstalledVersion": "2.7.1+incompatible",
"InstalledVersion": "v2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
"Layer": {},
Expand Down
2 changes: 1 addition & 1 deletion pkg/dependency/id_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ func TestID(t *testing.T) {
args: args{
ltype: types.GoModule,
name: "test",
version: "1.0.0",
version: "v1.0.0",
},
want: "test@v1.0.0",
},
Expand Down
3 changes: 3 additions & 0 deletions pkg/dependency/parser/golang/binary/parse.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package binary
import (
"cmp"
"debug/buildinfo"
"fmt"
"runtime/debug"
"slices"
"sort"
Expand Down Expand Up @@ -56,6 +57,8 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
// Ex: "go1.22.3 X:boringcrypto"
stdlibVersion := strings.TrimPrefix(info.GoVersion, "go")
stdlibVersion, _, _ = strings.Cut(stdlibVersion, " ")
// Add the `v` prefix to be consistent with module and dependency versions.
stdlibVersion = fmt.Sprintf("v%s", stdlibVersion)

ldflags := p.ldFlags(info.Settings)
pkgs := make(ftypes.Packages, 0, len(info.Deps)+2)
Expand Down
10 changes: 5 additions & 5 deletions pkg/dependency/parser/golang/binary/parse_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ func TestParse(t *testing.T) {
},
{
Name: "stdlib",
Version: "1.15.2",
Version: "v1.15.2",
Relationship: ftypes.RelationshipDirect,
},
{
Expand Down Expand Up @@ -69,7 +69,7 @@ func TestParse(t *testing.T) {
},
{
Name: "stdlib",
Version: "1.16.4",
Version: "v1.16.4",
Relationship: ftypes.RelationshipDirect,
},
{
Expand All @@ -93,7 +93,7 @@ func TestParse(t *testing.T) {
},
{
Name: "stdlib",
Version: "1.20.6",
Version: "v1.20.6",
Relationship: ftypes.RelationshipDirect,
},
},
Expand All @@ -109,7 +109,7 @@ func TestParse(t *testing.T) {
},
{
Name: "stdlib",
Version: "1.22.1",
Version: "v1.22.1",
Relationship: ftypes.RelationshipDirect,
},
},
Expand All @@ -120,7 +120,7 @@ func TestParse(t *testing.T) {
want: []ftypes.Package{
{
Name: "stdlib",
Version: "1.22.1",
Version: "v1.22.1",
Relationship: ftypes.RelationshipDirect,
},
},
Expand Down
25 changes: 13 additions & 12 deletions pkg/dependency/parser/golang/mod/parse.go
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package mod

import (
"fmt"
"io"
"regexp"
"strconv"
Expand Down Expand Up @@ -90,21 +91,22 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
if p.useMinVersion {
if toolchainVer := toolchainVersion(modFileParsed.Toolchain, modFileParsed.Go); toolchainVer != "" {
pkgs["stdlib"] = ftypes.Package{
ID: packageID("stdlib", toolchainVer),
Name: "stdlib",
Version: toolchainVer,
ID: packageID("stdlib", toolchainVer),
Name: "stdlib",
// Our versioning library doesn't support canonical (goX.Y.Z) format,
// So we need to add `v` prefix for consistency (with module and dependency versions).
Version: fmt.Sprintf("v%s", toolchainVer),
Relationship: ftypes.RelationshipDirect, // Considered a direct dependency as the main module depends on the standard packages.
}
}
}

// Main module
if m := modFileParsed.Module; m != nil {
ver := strings.TrimPrefix(m.Mod.Version, "v")
pkgs[m.Mod.Path] = ftypes.Package{
ID: packageID(m.Mod.Path, ver),
ID: packageID(m.Mod.Path, m.Mod.Version),
Name: m.Mod.Path,
Version: ver,
Version: m.Mod.Version,
ExternalReferences: p.GetExternalRefs(m.Mod.Path),
Relationship: ftypes.RelationshipRoot,
}
Expand All @@ -116,11 +118,10 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
if skipIndirect && require.Indirect {
continue
}
ver := strings.TrimPrefix(require.Mod.Version, "v")
pkgs[require.Mod.Path] = ftypes.Package{
ID: packageID(require.Mod.Path, ver),
ID: packageID(require.Mod.Path, require.Mod.Version),
Name: require.Mod.Path,
Version: ver,
Version: require.Mod.Version,
Relationship: lo.Ternary(require.Indirect, ftypes.RelationshipIndirect, ftypes.RelationshipDirect),
ExternalReferences: p.GetExternalRefs(require.Mod.Path),
}
Expand All @@ -136,7 +137,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
}

// If the replace directive has a version on the left side, make sure it matches the version that was imported.
if rep.Old.Version != "" && old.Version != rep.Old.Version[1:] {
if rep.Old.Version != "" && old.Version != rep.Old.Version {
continue
}

Expand All @@ -153,9 +154,9 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc

// Add replaced package to package register.
pkgs[rep.New.Path] = ftypes.Package{
ID: packageID(rep.New.Path, rep.New.Version[1:]),
ID: packageID(rep.New.Path, rep.New.Version),
Name: rep.New.Path,
Version: rep.New.Version[1:],
Version: rep.New.Version,
Relationship: old.Relationship,
ExternalReferences: p.GetExternalRefs(rep.New.Path),
}
Expand Down
Loading

0 comments on commit e872ec0

Please sign in to comment.