Revert "fix: use Go main module version (#1797)"

This reverts commit 6dde5ce. Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
anchore · Apr 18, 2024 · c00a3f0 · c00a3f0
1 parent 4584423
commit c00a3f0
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 24 deletions.
diff --git a/grype/matcher/golang/matcher.go b/grype/matcher/golang/matcher.go
@@ -42,14 +42,11 @@ func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Pa
 		mainModule = m.MainModule
 	}
 
-	// Golang currently does not have a standard way of incorporating the main
-	// module's version into the compiled binary:
-	// https://github.com/golang/go/issues/50603.
-	//
-	// Syft has some fallback mechanisms to come up with a more sane version value
-	// depending on the scenario. But if none of these apply, the Go-set value of
-	// "(devel)" is used, which is altogether unhelpful for vulnerability matching.
-	isNotCorrected := strings.HasPrefix(p.Version, "(devel)")
+	// Golang currently does not have a standard way of incorporating the vcs version
+	// into the compiled binary: https://github.com/golang/go/issues/50603
+	// current version information for the main module is incomplete leading to multiple FP
+	// TODO: remove this exclusion when vcs information is included in future go version
+	isNotCorrected := strings.HasPrefix(p.Version, "v0.0.0-") || strings.HasPrefix(p.Version, "(devel)")
 	if p.Name == mainModule && isNotCorrected {
 		return matches, nil
 	}

diff --git a/grype/matcher/golang/matcher_test.go b/grype/matcher/golang/matcher_test.go
@@ -15,7 +15,7 @@ import (
 	syftPkg "github.com/anchore/syft/syft/pkg"
 )
 
-func TestMatcher_DropMainPackageIfNoVersion(t *testing.T) {
+func TestMatcher_DropMainPackage(t *testing.T) {
 
 	mainModuleMetadata := pkg.GolangBinMetadata{
 		MainModule: "istio.io/istio",
@@ -43,7 +43,7 @@ func TestMatcher_DropMainPackageIfNoVersion(t *testing.T) {
 	assert.Len(t, preTest, 1, "should have matched the package when there is not a main module")
 
 	actual, _ := matcher.Match(store, nil, subjectWithMainModule)
-	assert.Len(t, actual, 1, "should match the main module (i.e. 1 match)")
+	assert.Len(t, actual, 0, "unexpected match count; should not match main module")
 
 	actual, _ = matcher.Match(store, nil, subjectWithMainModuleAsDevel)
 	assert.Len(t, actual, 0, "unexpected match count; should not match main module (devel)")
@@ -174,13 +174,13 @@ type mockProvider struct {
 }
 
 func (mp *mockProvider) Get(id, namespace string) ([]vulnerability.Vulnerability, error) {
-	// TODO implement me
+	//TODO implement me
 	panic("implement me")
 }
 
 func (mp *mockProvider) populateData() {
 	mp.data[syftPkg.Go] = map[string][]vulnerability.Vulnerability{
-		// for TestMatcher_DropMainPackageIfNoVersion
+		// for TestMatcher_DropMainPackage
 		"istio.io/istio": {
 			{
 				Constraint: version.MustGetConstraint("< 5.0.7", version.UnknownFormat),

diff --git a/grype/version/golang_version_test.go b/grype/version/golang_version_test.go
@@ -131,18 +131,6 @@ func TestCompareGolangVersions(t *testing.T) {
 			otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
 			want:         1,
 		},
-		{
-			name:         "pseudoversion less than other pseudoversion",
-			thisVersion:  "v0.0.0-20170116102854-1ef0e047d5a7",
-			otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
-			want:         -1,
-		},
-		{
-			name:         "pseudoversion greater than other pseudoversion",
-			thisVersion:  "v0.0.0-20190116102854-8a3f0e047d5a",
-			otherVersion: "v0.0.0-20180116102854-5a71ef0e047d",
-			want:         1,
-		},
 		{
 			name:         "+incompatible doesn't break equality",
 			thisVersion:  "v3.2.0",