fix(go): handle Go 1.26 GOEXPERIMENT version format change #10393

VoidChecksum wants to merge 1 commit into aquasecurity:main from
Go 1.26 changed the GOEXPERIMENT suffix separator from space to dash:
- Go <=1.25: "go1.25.3 X:boringcrypto"
- Go >=1.26: "go1.26.0-X:nodwarf5"

Add a second strings.Cut for the new "-X:" separator to correctly extract stdlib versions from binaries built with Go 1.26+.

Fixes #10350
VoidChecksum seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Pull request overview
This PR updates Trivy’s Go binary build-info parsing to correctly extract the stdlib version when Go 1.26+ embeds GOEXPERIMENT flags using the new -X: separator, preventing malformed semver strings from reaching version matching.
Changes:
- Strip `-X:` GOEXPERIMENT suffix in `Parser.Parse` to support Go 1.26+ build-info format.
- Add a test-only helper for GOEXPERIMENT stripping and a new table-driven unit test covering common cases.
- Update test bridge exports/imports to support the new helper from the external `binary_test` package.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/dependency/parser/golang/binary/parse.go | Extends stdlib version extraction to handle Go 1.26+ `-X:` GOEXPERIMENT suffix. |
| pkg/dependency/parser/golang/binary/parse_test.go | Adds TestStripGoExperiment to validate suffix stripping behavior. |
| pkg/dependency/parser/golang/binary/export_test.go | Exposes a test-only StripGoExperiment helper to the binary_test package. |
| // Strip GOEXPERIMENT suffix: | ||
| // Go <=1.25: "go1.25.3 X:boringcrypto" (space separator) | ||
| // Go >=1.26: "go1.26.0-X:nodwarf5" (dash separator) | ||
| // Ref: https://github.com/golang/go/commit/9daaab305c4d1dede9e4f6efdc5e1268a69327e6 | ||
| stdlibVersion := strings.TrimPrefix(info.GoVersion, "go") | ||
| stdlibVersion, _, _ = strings.Cut(stdlibVersion, " ") | ||
| stdlibVersion, _, _ = strings.Cut(stdlibVersion, "-X:") | ||
| // Add the `v` prefix to be consistent with module and dependency versions. |
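Review bot: the second Cut drops everything after "-X:" without checking that what was removed was actually a GOEXPERIMENT list, and any other `-` suffix a future toolchain might emit would survive into the `v`-prefixed value built on the next line; consider moving the two Cut lines into a small unexported helper that Parse calls, so the StripGoExperiment export in export_test.go and its table test cover the exact code path that runs in production rather than a copy of the logic.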
| func TestStripGoExperiment(t *testing.T) { | ||
| tests := []struct { | ||
| name string | ||
| input string | ||
| want string | ||
| }{ | ||
| { | ||
| name: "Go 1.26+ dash separator", | ||
| input: "1.26.0-X:nodwarf5", | ||
| want: "1.26.0", | ||
| }, | ||
| { | ||
| name: "Go <=1.25 space separator (boringcrypto)", | ||
| input: "1.25.3 X:boringcrypto", | ||
| want: "1.25.3", | ||
| }, | ||
| { | ||
| name: "Go <=1.25 space separator (loopvar)", | ||
| input: "1.22.1 X:loopvar", | ||
| want: "1.22.1", | ||
| }, | ||
| { | ||
| name: "No GOEXPERIMENT suffix", | ||
| input: "1.26.0", | ||
| want: "1.26.0", | ||
| }, | ||
| { | ||
| name: "Regular version without experiment", | ||
| input: "1.22.3", | ||
| want: "1.22.3", | ||
| }, | ||
| } |
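Review bot: the "multiple experiments" case named in the test plan is missing from the cases shown here, which all carry a single experiment or none; add a comma-separated input for each separator, for example `1.26.0-X:nodwarf5,boringcrypto` and `1.22.1 X:loopvar,boringcrypto` with want `1.26.0` and `1.22.1`, so the test demonstrates that the whole list is dropped and not just the first name.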
Hi @VoidChecksum ! Thanks for the contribution! There is already a PR addressing this issue: #10351
Summary

Go 1.26 changed the format used to embed `GOEXPERIMENT` flags in binary build info, switching the separator from a space to a dash. `info.GoVersion` format:

- `go1.25.3 X:nodwarf5`
- `go1.26.0-X:nodwarf5`

Trivy's Go binary parser only stripped the suffix using `strings.Cut(stdlibVersion, " ")`, which fails for the new format, producing `v1.26.0-X:nodwarf5` — a malformed semver that can't match against the vulnerability DB.

Changes

- `strings.Cut(stdlibVersion, "-X:")` to handle the Go 1.26+ format

Before

After

Test plan

- `TestStripGoExperiment` with 7 test cases (both separators, multiple experiments, no experiment, patch-only)
- `go test ./pkg/dependency/parser/golang/binary/...`

Fixes #10350
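As an added illustration, not code from this PR or from Trivy, the stripping described above carried one step further: it handles both separators, returns the GOEXPERIMENT names alongside the version, reproduces the pre-fix output for a Go 1.26 string beside the fixed one, and runs a simple shape check that flags the malformed value. The function names, the regexp, and the assumption that the experiment list is comma-separated are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed shape of a version the matcher can use (hypothetical check, not Trivy's).
var stdlibVersionRe = regexp.MustCompile(`^v\d+\.\d+(\.\d+)?((rc|beta)\d+)?$`)

// SplitGoVersion turns a BuildInfo GoVersion such as "go1.26.0-X:nodwarf5" into
// the "v"-prefixed stdlib version plus the GOEXPERIMENT names, handling both the
// pre-1.26 space separator and the 1.26+ dash separator.
func SplitGoVersion(goVersion string) (string, []string) {
	v := strings.TrimPrefix(goVersion, "go")
	version, rest, found := strings.Cut(v, " X:") // Go <= 1.25
	if !found {
		version, rest, found = strings.Cut(v, "-X:") // Go >= 1.26
	}
	var experiments []string
	if found && rest != "" {
		experiments = strings.Split(rest, ",") // assumed comma-separated list
	}
	return "v" + version, experiments
}

// LegacyStdlibVersion reproduces the pre-fix behaviour (space separator only)
// so the malformed value for a Go 1.26 binary can be seen beside the fixed one.
func LegacyStdlibVersion(goVersion string) string {
	v := strings.TrimPrefix(goVersion, "go")
	v, _, _ = strings.Cut(v, " ")
	return "v" + v
}

// IsWellFormedStdlibVersion reports whether no GOEXPERIMENT residue is left in
// the stripped version; a false result is what the bug in #10350 looks like.
func IsWellFormedStdlibVersion(v string) bool {
	return stdlibVersionRe.MatchString(v)
}

func main() {
	for _, gv := range []string{"go1.25.3 X:boringcrypto", "go1.26.0-X:nodwarf5,boringcrypto"} {
		legacy := LegacyStdlibVersion(gv)
		fixed, exps := SplitGoVersion(gv)
		fmt.Printf("%-38q legacy=%-32s ok=%-5v fixed=%s experiments=%v\n",
			gv, legacy, IsWellFormedStdlibVersion(legacy), fixed, exps)
	}
}
```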