forked from wolfi-dev/os
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
go: always emit ldflags version information
Even when -trimpath is active, emit full ldflags in the version information ELF note. Vulnerability scanners typically parse ldflags field to detect main package version, thus binaries that are built with -trimpath are currently actively evading vulnerability scanners. Fixes: wolfi-dev#17647 Fixes: golang/go#63432
- Loading branch information
Showing
7 changed files
with
83 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| go |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| go |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
35 changes: 35 additions & 0 deletions
35
go-fips-1.21/cmd-go-always-emit-ldflags-version-information.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| From b9f7deea41be0adeff7eee35f29ee096b9f2ff20 Mon Sep 17 00:00:00 2001 | ||
| From: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev> | ||
| Date: Thu, 2 May 2024 18:16:47 +0100 | ||
| Subject: [PATCH] cmd/go: always emit ldflags version information | ||
|
|
||
| Even when -trimpath is active, emit full ldflags in the version | ||
| information ELF note. Vulnerability scanners typically parse ldflags | ||
| field to detect main package version, thus binaries that are built | ||
| with -trimpath are currently actively evading vulnerability scanners. | ||
|
|
||
| Fixes: https://github.com/golang/go/issues/63432 | ||
|
|
||
| Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev> | ||
| --- | ||
| src/cmd/go/internal/load/pkg.go | 4 +--- | ||
| 1 file changed, 1 insertion(+), 3 deletions(-) | ||
|
|
||
| diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go | ||
| index 1549800afb..010d60a9d1 100644 | ||
| --- a/src/cmd/go/internal/load/pkg.go | ||
| +++ b/src/cmd/go/internal/load/pkg.go | ||
| @@ -2393,9 +2393,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) { | ||
| // determine whether they may refer to system paths. If we do that, we can | ||
| // redact only those paths from the recorded -ldflags setting and still | ||
| // record the system-independent parts of the flags. | ||
| - if !cfg.BuildTrimpath { | ||
| - appendSetting("-ldflags", ldflags) | ||
| - } | ||
| + appendSetting("-ldflags", ldflags) | ||
| } | ||
| if cfg.BuildMSan { | ||
| appendSetting("-msan", "true") | ||
| -- | ||
| 2.43.0 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| From b9f7deea41be0adeff7eee35f29ee096b9f2ff20 Mon Sep 17 00:00:00 2001 | ||
| From: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev> | ||
| Date: Thu, 2 May 2024 18:16:47 +0100 | ||
| Subject: [PATCH] cmd/go: always emit ldflags version information | ||
|
|
||
| Even when -trimpath is active, emit full ldflags in the version | ||
| information ELF note. Vulnerability scanners typically parse ldflags | ||
| field to detect main package version, thus binaries that are built | ||
| with -trimpath are currently actively evading vulnerability scanners. | ||
|
|
||
| Fixes: https://github.com/golang/go/issues/63432 | ||
|
|
||
| Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev> | ||
| --- | ||
| src/cmd/go/internal/load/pkg.go | 4 +--- | ||
| 1 file changed, 1 insertion(+), 3 deletions(-) | ||
|
|
||
| diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go | ||
| index 1549800afb..010d60a9d1 100644 | ||
| --- a/src/cmd/go/internal/load/pkg.go | ||
| +++ b/src/cmd/go/internal/load/pkg.go | ||
| @@ -2393,9 +2393,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) { | ||
| // determine whether they may refer to system paths. If we do that, we can | ||
| // redact only those paths from the recorded -ldflags setting and still | ||
| // record the system-independent parts of the flags. | ||
| - if !cfg.BuildTrimpath { | ||
| - appendSetting("-ldflags", ldflags) | ||
| - } | ||
| + appendSetting("-ldflags", ldflags) | ||
| } | ||
| if cfg.BuildMSan { | ||
| appendSetting("-msan", "true") | ||
| -- | ||
| 2.43.0 | ||
|
|