fix golang 1.24 versions when not semver compliant #2486

Merged 1 commit on Feb 26, 2025

xnox (Contributor) commented Feb 26, 2025

go1.24.0 stamps versions with +incompatible+dirty which is an
invalid SemVer version. Add a fixup to correct this to SemVer
compliant buildinfo version of +incompatible.dirty with a test case.

Related:

```
$ ./mygrype ../docker/mydocker | grep docker/docker
 ✔ Indexed file system                                                                                                                 ../docker/mydocker 
 ✔ Cataloged contents                                                                    7c98bb9a0a89d26031d23927b57f88cbbf2f326491f10500c9481bc907c011d4 
   ├── ✔ Packages                        [174 packages]  
   ├── ✔ File digests                    [1 files]  
   ├── ✔ File metadata                   [1 locations]  
   └── ✔ Executables                     [1 executables]  
 ✔ Scanned for vulnerabilities     [21 vulnerability matches]  
   ├── by severity: 4 critical, 7 high, 9 medium, 1 low, 0 negligible
   └── by status:   21 fixed, 0 not-fixed, 0 ignored 
github.com/docker/docker                                                      v24.0.7+incompatible+dirty             25.0.6    go-module  GHSA-v23v-6jw2-98fq  Critical  
github.com/docker/docker                                                      v24.0.7+incompatible+dirty             24.0.9    go-module  GHSA-xw73-rw38-6vjc  Medium    
```

Seems to work. Rebuilding grype with this change, and also rebuilding an old docker with local modifications, correctly finds CVEs. Bonus points that the raw version is printed for humans yet handled correctly internally. Thus the internal mangling of "+incompatible.dirty" is not exposed to the users.

go1.24.0 stamps versions with `+incompatible+dirty` which is an
invalid SemVer version. Add a fixup to correct this to SemVer
compliant buildinfo version of `+incompatible.dirty` with a test case.

Related:
- golang/go#71971
- anchore#2482

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
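
The fixup the commit message describes, as an added Go sketch that is not the patch from this pull request or grype's own code. `NormalizeBuildMetadata`, `IsSemver`, `Parsed` and `Parse` are hypothetical names, the validator is the regular expression suggested on semver.org with an optional `v` prefix, and the rewrite is generalized beyond the page's one case to any `+` after the first.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// semverRe is the SemVer 2.0.0 grammar (semver.org's suggested regex) plus the optional "v" Go modules use.
var semverRe = regexp.MustCompile(`^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// IsSemver reports whether v is valid SemVer 2.0.0 (optional "v" prefix allowed).
func IsSemver(v string) bool { return semverRe.MatchString(v) }

// NormalizeBuildMetadata keeps everything up to and including the first "+"
// and rewrites any later "+" to ".", so "+incompatible+dirty" becomes
// "+incompatible.dirty". Versions with zero or one "+" are returned unchanged.
func NormalizeBuildMetadata(v string) string {
	head, meta, found := strings.Cut(v, "+")
	if !found {
		return v
	}
	return head + "+" + strings.ReplaceAll(meta, "+", ".")
}

// Parsed pairs the version as stamped in the binary (shown to users) with the form used for matching.
type Parsed struct {
	Raw        string
	Normalized string
	Valid      bool
}

// Parse normalizes raw and records whether the result can be compared as SemVer.
func Parse(raw string) Parsed {
	n := NormalizeBuildMetadata(raw)
	return Parsed{Raw: raw, Normalized: n, Valid: IsSemver(n)}
}

func main() {
	// Constructed sample inputs; the first is the version string from the scan output above.
	for _, raw := range []string{"v24.0.7+incompatible+dirty", "v24.0.7+incompatible", "v1.2.3", "v1.2.3++dirty"} {
		p := Parse(raw)
		fmt.Printf("%-28s raw-valid=%-5v normalized=%-28s valid=%v\n", p.Raw, IsSemver(p.Raw), p.Normalized, p.Valid)
	}
}
```

A version that fails SemVer parsing cannot be compared against the fixed-in versions of an advisory, which is why the normalized form is what gets matched while `Raw` is what gets printed.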
@xnox xnox force-pushed the broken-golang-semver branch from ca80915 to e111c4d Compare February 26, 2025 15:55
kzantow (Contributor) left a comment

LGTM! Thanks for the contribution @xnox!

@kzantow kzantow merged commit b7b95a3 into anchore:main Feb 26, 2025
10 checks passed
@wagoodman wagoodman changed the title version: add golang 1.24 version fixup fix golang 1.24 versions when not semver compliant Mar 4, 2025
@wagoodman wagoodman added the bug Something isn't working label Mar 5, 2025