
Commit e872ec0

fix(go): Do not trim v prefix from versions in Go Mod Analyzer (aquasecurity#7733)
Co-authored-by: DmitriyLewen <[email protected]>
1 parent 7882776 commit e872ec0


23 files changed

+510
-506
lines changed


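--- a/docs/docs/supply-chain/vex/file.md
+++ b/docs/docs/supply-chain/vex/file.md
@@ -64,7 +64,7 @@ $ cat <<EOF > trivy.vex.cdx
 },
 "affects": [
 {
-"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.234"
+"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:golang/github.com/aws/aws-sdk-go@v1.44.234"
 }
 ]
 }
@@ -115,7 +115,7 @@ Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 ┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
 │ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
 ├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
-│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW │ 1.44.234 │ │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
+│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW │ v1.44.234 │ │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
 │ │ │ │ │ │ SDK for golang... │
 │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-8912 │
 └───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
@@ -497,9 +497,9 @@ Now, suppose a VEX statement is issued for `Module B` as follows:
 "vulnerability": {"name": "CVE-XXXX-YYYY"},
 "products": [
 {
-"@id": "pkg:golang/module-b@1.0.0",
+"@id": "pkg:golang/module-b@v1.0.0",
 "subcomponents": [
-{ "@id": "pkg:golang/module-c@2.0.0" }
+{ "@id": "pkg:golang/module-c@v2.0.0" }
 ]
 }
 ],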

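--- a/integration/testdata/fixtures/vex/file/openvex.json
+++ b/integration/testdata/fixtures/vex/file/openvex.json
@@ -11,7 +11,7 @@
 {
 "@id": "pkg:golang/github.com/testdata/testdata",
 "subcomponents": [
-{ "@id": "pkg:golang/github.com/open-policy-agent/opa@0.35.0" }
+{ "@id": "pkg:golang/github.com/open-policy-agent/opa@v0.35.0" }
 ]
 }
 ],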

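--- a/integration/testdata/gomod-skip.json.golden
+++ b/integration/testdata/gomod-skip.json.golden
@@ -26,10 +26,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "de19cd663ca047a8"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "9d949a7b01249e68"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},
@@ -53,10 +53,10 @@
 "PkgID": "github.com/open-policy-agent/[email protected]",
 "PkgName": "github.com/open-policy-agent/opa",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
-"UID": "6b685002e082ffc5"
+"PURL": "pkg:golang/github.com/open-policy-agent/opa@v0.35.0",
+"UID": "e89e2b0d8977e2a"
 },
-"InstalledVersion": "0.35.0",
+"InstalledVersion": "v0.35.0",
 "FixedVersion": "0.37.0",
 "Status": "fixed",
 "Layer": {},
@@ -100,10 +100,10 @@
 "PkgID": "golang.org/x/[email protected]",
 "PkgName": "golang.org/x/text",
 "PkgIdentifier": {
-"PURL": "pkg:golang/golang.org/x/text@0.3.6",
-"UID": "825dc613c0f39d45"
+"PURL": "pkg:golang/golang.org/x/text@v0.3.6",
+"UID": "3050088ce9eb2ce4"
 },
-"InstalledVersion": "0.3.6",
+"InstalledVersion": "v0.3.6",
 "FixedVersion": "0.3.7",
 "Status": "fixed",
 "Layer": {},
@@ -133,10 +133,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "94376dc37054a7e8"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "2f7f0fa81860b8f1"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},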

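--- a/integration/testdata/gomod-vex.json.golden
+++ b/integration/testdata/gomod-vex.json.golden
@@ -26,10 +26,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "de19cd663ca047a8"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "9d949a7b01249e68"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},
@@ -53,10 +53,10 @@
 "PkgID": "golang.org/x/[email protected]",
 "PkgName": "golang.org/x/text",
 "PkgIdentifier": {
-"PURL": "pkg:golang/golang.org/x/text@0.3.6",
-"UID": "825dc613c0f39d45"
+"PURL": "pkg:golang/golang.org/x/text@v0.3.6",
+"UID": "3050088ce9eb2ce4"
 },
-"InstalledVersion": "0.3.6",
+"InstalledVersion": "v0.3.6",
 "FixedVersion": "0.3.7",
 "Status": "fixed",
 "Layer": {},
@@ -86,10 +86,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "94376dc37054a7e8"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "2f7f0fa81860b8f1"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},
@@ -120,10 +120,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "94306cdcf85fb50a"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "3ad40723ed2fce22"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},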

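--- a/integration/testdata/gomod.json.golden
+++ b/integration/testdata/gomod.json.golden
@@ -26,10 +26,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "de19cd663ca047a8"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "9d949a7b01249e68"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},
@@ -53,10 +53,10 @@
 "PkgID": "github.com/open-policy-agent/[email protected]",
 "PkgName": "github.com/open-policy-agent/opa",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0",
-"UID": "6b685002e082ffc5"
+"PURL": "pkg:golang/github.com/open-policy-agent/opa@v0.35.0",
+"UID": "e89e2b0d8977e2a"
 },
-"InstalledVersion": "0.35.0",
+"InstalledVersion": "v0.35.0",
 "FixedVersion": "0.37.0",
 "Status": "fixed",
 "Layer": {},
@@ -100,10 +100,10 @@
 "PkgID": "golang.org/x/[email protected]",
 "PkgName": "golang.org/x/text",
 "PkgIdentifier": {
-"PURL": "pkg:golang/golang.org/x/text@0.3.6",
-"UID": "825dc613c0f39d45"
+"PURL": "pkg:golang/golang.org/x/text@v0.3.6",
+"UID": "3050088ce9eb2ce4"
 },
-"InstalledVersion": "0.3.6",
+"InstalledVersion": "v0.3.6",
 "FixedVersion": "0.3.7",
 "Status": "fixed",
 "Layer": {},
@@ -133,10 +133,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "94376dc37054a7e8"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "2f7f0fa81860b8f1"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},
@@ -167,10 +167,10 @@
 "PkgID": "github.com/docker/[email protected]+incompatible",
 "PkgName": "github.com/docker/distribution",
 "PkgIdentifier": {
-"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible",
-"UID": "94306cdcf85fb50a"
+"PURL": "pkg:golang/github.com/docker/distribution@v2.7.1%2Bincompatible",
+"UID": "3ad40723ed2fce22"
 },
-"InstalledVersion": "2.7.1+incompatible",
+"InstalledVersion": "v2.7.1+incompatible",
 "FixedVersion": "v2.8.0",
 "Status": "fixed",
 "Layer": {},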

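--- a/pkg/dependency/id_test.go
+++ b/pkg/dependency/id_test.go
@@ -34,7 +34,7 @@ func TestID(t *testing.T) {
 args: args{
 ltype: types.GoModule,
 name: "test",
-version: "1.0.0",
+version: "v1.0.0",
 },
 
 },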

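--- a/pkg/dependency/parser/golang/binary/parse.go
+++ b/pkg/dependency/parser/golang/binary/parse.go
@@ -3,6 +3,7 @@ package binary
 import (
 "cmp"
 "debug/buildinfo"
+"fmt"
 "runtime/debug"
 "slices"
 "sort"
@@ -56,6 +57,8 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 // Ex: "go1.22.3 X:boringcrypto"
 stdlibVersion := strings.TrimPrefix(info.GoVersion, "go")
 stdlibVersion, _, _ = strings.Cut(stdlibVersion, " ")
+// Add the `v` prefix to be consistent with module and dependency versions.
+stdlibVersion = fmt.Sprintf("v%s", stdlibVersion)
 
 ldflags := p.ldFlags(info.Settings)
 pkgs := make(ftypes.Packages, 0, len(info.Deps)+2)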
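Review bot: The `v` is prepended unconditionally on new line 61, so a binary whose `GoVersion` is empty, or a non-release toolchain whose string does not start with `go` (a `devel` build leaves `stdlibVersion` as `devel` after the trim and cut), now produces `v` or `vdevel` as the stdlib version that is later handed to the version comparison. Guarding the prefix — `if stdlibVersion != "" { stdlibVersion = "v" + stdlibVersion }` — keeps the empty case empty, and plain concatenation avoids adding the `fmt` import for a one-character prefix. Whether an empty stdlib version is already filtered out is decided further down in `Parse`, which continues outside the hunk, so confirm there before relying on the guard.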

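--- a/pkg/dependency/parser/golang/binary/parse_test.go
+++ b/pkg/dependency/parser/golang/binary/parse_test.go
@@ -20,7 +20,7 @@ func TestParse(t *testing.T) {
 },
 {
 Name: "stdlib",
-Version: "1.15.2",
+Version: "v1.15.2",
 Relationship: ftypes.RelationshipDirect,
 },
 {
@@ -69,7 +69,7 @@ func TestParse(t *testing.T) {
 },
 {
 Name: "stdlib",
-Version: "1.16.4",
+Version: "v1.16.4",
 Relationship: ftypes.RelationshipDirect,
 },
 {
@@ -93,7 +93,7 @@ func TestParse(t *testing.T) {
 },
 {
 Name: "stdlib",
-Version: "1.20.6",
+Version: "v1.20.6",
 Relationship: ftypes.RelationshipDirect,
 },
 },
@@ -109,7 +109,7 @@ func TestParse(t *testing.T) {
 },
 {
 Name: "stdlib",
-Version: "1.22.1",
+Version: "v1.22.1",
 Relationship: ftypes.RelationshipDirect,
 },
 },
@@ -120,7 +120,7 @@ func TestParse(t *testing.T) {
 want: []ftypes.Package{
 {
 Name: "stdlib",
-Version: "1.22.1",
+Version: "v1.22.1",
 Relationship: ftypes.RelationshipDirect,
 },
 },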

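--- a/pkg/dependency/parser/golang/mod/parse.go
+++ b/pkg/dependency/parser/golang/mod/parse.go
@@ -1,6 +1,7 @@
 package mod
 
 import (
+"fmt"
 "io"
 "regexp"
 "strconv"
@@ -90,21 +91,22 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 if p.useMinVersion {
 if toolchainVer := toolchainVersion(modFileParsed.Toolchain, modFileParsed.Go); toolchainVer != "" {
 pkgs["stdlib"] = ftypes.Package{
-ID: packageID("stdlib", toolchainVer),
-Name: "stdlib",
-Version: toolchainVer,
+ID: packageID("stdlib", toolchainVer),
+Name: "stdlib",
+// Our versioning library doesn't support canonical (goX.Y.Z) format,
+// So we need to add `v` prefix for consistency (with module and dependency versions).
+Version: fmt.Sprintf("v%s", toolchainVer),
 Relationship: ftypes.RelationshipDirect, // Considered a direct dependency as the main module depends on the standard packages.
 }
 }
 }
 
 // Main module
 if m := modFileParsed.Module; m != nil {
-ver := strings.TrimPrefix(m.Mod.Version, "v")
 pkgs[m.Mod.Path] = ftypes.Package{
-ID: packageID(m.Mod.Path, ver),
+ID: packageID(m.Mod.Path, m.Mod.Version),
 Name: m.Mod.Path,
-Version: ver,
+Version: m.Mod.Version,
 ExternalReferences: p.GetExternalRefs(m.Mod.Path),
 Relationship: ftypes.RelationshipRoot,
 }
@@ -116,11 +118,10 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 if skipIndirect && require.Indirect {
 continue
 }
-ver := strings.TrimPrefix(require.Mod.Version, "v")
 pkgs[require.Mod.Path] = ftypes.Package{
-ID: packageID(require.Mod.Path, ver),
+ID: packageID(require.Mod.Path, require.Mod.Version),
 Name: require.Mod.Path,
-Version: ver,
+Version: require.Mod.Version,
 Relationship: lo.Ternary(require.Indirect, ftypes.RelationshipIndirect, ftypes.RelationshipDirect),
 ExternalReferences: p.GetExternalRefs(require.Mod.Path),
 }
@@ -136,7 +137,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 }
 
 // If the replace directive has a version on the left side, make sure it matches the version that was imported.
-if rep.Old.Version != "" && old.Version != rep.Old.Version[1:] {
+if rep.Old.Version != "" && old.Version != rep.Old.Version {
 continue
 }
 
@@ -153,9 +154,9 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 
 // Add replaced package to package register.
 pkgs[rep.New.Path] = ftypes.Package{
-ID: packageID(rep.New.Path, rep.New.Version[1:]),
+ID: packageID(rep.New.Path, rep.New.Version),
 Name: rep.New.Path,
-Version: rep.New.Version[1:],
+Version: rep.New.Version,
 Relationship: old.Relationship,
 ExternalReferences: p.GetExternalRefs(rep.New.Path),
 }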
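Review bot: On new lines 94-98 the stdlib entry feeds the bare `toolchainVer` to `packageID` but the `v`-prefixed string to `Version`, whereas every other package in this function now passes the same `Mod.Version` to both. If `packageID` normalises the prefix for Go modules (the `id_test.go` change in this commit suggests it does) nothing breaks today, but computing the prefixed value once — `ver := "v" + toolchainVer` — and using it for both `ID` and `Version` keeps the two in lock-step, removes the reliance on that normalisation, and makes the `fmt` import added only for this `Sprintf` unnecessary. Separately, dropping the trim changes every emitted Go PURL and `InstalledVersion`, so VEX statements written against the old `pkg:golang/...@1.2.3` form will presumably stop matching and previously suppressed findings will reappear without any warning; the docs are updated here, but a changelog or migration note for existing VEX files is worth adding. The replace loop and `Parse` continue outside the hunk.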
