Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

golang -trimpath is hiding information #17647

Closed
xnox opened this issue Apr 24, 2024 · 2 comments · Fixed by #18454
Closed

golang -trimpath is hiding information #17647

xnox opened this issue Apr 24, 2024 · 2 comments · Fixed by #18454

Comments

@xnox
Copy link
Contributor

xnox commented Apr 24, 2024

trimpath reduces binary size a lot by stripping filepaths from binaries.

For privacy reasons it also strips ldflags from binaries; even if they don't contain any paths.

That hides useful information - ie.

build   -ldflags="-s -w -w -X main.version=0.27.2 -X main.commit=29919209f2a1088a754fe050a5416ee1b203edcb -X main.date=2024-04-03T17:06:41Z"

We should patch our golang toolchain to not hide ldflags from binaries, when they are built using trimpath.

As this hides information from security scanners.

See also:

golang/go#50603
golang/go#63432

@dustinkirkland
Copy link
Contributor

In order to potentially upstream this, should we split the functionality into -trimpath and -trimflags (and we just won't use -trimflags)?

@xnox
Copy link
Contributor Author

xnox commented Apr 26, 2024

Proposing golang/go#67072

xnox added a commit to xnox/os that referenced this issue May 2, 2024
Even when -trimpath is active, emit full ldflags in the version
information ELF note. Vulnerability scanners typically parse ldflags
field to detect main package version, thus binaries that are built
with -trimpath are currently actively evading vulnerability scanners.

Fixes: wolfi-dev#17647
Fixes: golang/go#63432
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants