cmd/go: using --trimpath in go build removes -ldflags from go version -m output #63432
Comments
See: #52372
Thanks ok I see now there are a couple of TODOs so this is a known issue: go/src/cmd/go/internal/load/pkg.go Line 2336 in d252fdd
Maybe just whitelisting
@wallyqs if you'd like to make progress on that TODO, you're welcome to send a fix! 🙃 I don't think we should add a special case for
Change https://go.dev/cl/536795 mentions this issue:
What about removing
What about having special info in buildinfo to mention that
@dolmen, I think the right solution here is probably to parse the On the other hand, if we can't identify a specific variable that refers to the path passed in
Is I'm thinking about the case where a tool that rebuilds binaries would take the raw ldflags value from a binary and pass it to
* Parse the build info for -ldflags. If included, the flags will be further parsed, and searched for -X sub-flags. These sub-flags are commonly used to set the binary version during build time. A common pattern is to run `go build -ldflags='-X main.version=<semver>'` so that the main package's version variable is replaced with the latest tag. It's not guaranteed that this flag will propagate into the binary. See golang/go#63432 for more info.
* Flag parsing reuses the pflags library that's used by the main Trivy binary. This keeps the implementation concise, and a bit more robust than creating a custom flag parser for the -X flag commonly passed to -ldflags.
* Add simple binary to test for validity of ldflags parsing. The flag
* The documentation has been updated to reflect the improved accuracy of the Go binary parser.
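The parsing that the Trivy commit message above describes, and the "does the flag value contain a known path" check that the TODO in pkg.go and Bryan's comment ask for, written out as an added example; this is not Trivy's code nor cmd/go's. It reads `go version -m` text (two constructed samples, one with `-ldflags` present and one where `-trimpath` dropped it), extracts the `-X` assignments, reports when the flags may have been trimmed, and applies a hypothetical `LdflagsReferenceDirs` heuristic. All function names, the sample output and the directory list are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// XSetting is one "-X importpath.name=value" assignment recovered from -ldflags.
type XSetting struct{ Package, Name, Value string }

// ParseBuildSettings collects the tab-separated "build key=value" lines of
// `go version -m` output. Values cmd/go wrote as Go-quoted strings (such as
// -ldflags, which contains spaces) are unquoted.
func ParseBuildSettings(out string) map[string]string {
	settings := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		rest, ok := strings.CutPrefix(strings.TrimSpace(line), "build\t")
		k, v, found := strings.Cut(rest, "=")
		if !ok || !found {
			continue
		}
		if uq, err := strconv.Unquote(v); err == nil && strings.HasPrefix(v, `"`) {
			v = uq
		}
		settings[k] = v
	}
	return settings
}

// ParseXFlags returns every -X assignment in an -ldflags value, in either the
// "-X pkg.name=v" or the "-X=pkg.name=v" spelling. Tokens are split on
// whitespace, so a shell-quoted value containing spaces is not handled here.
// The variable name follows the last '.', because import paths contain dots.
func ParseXFlags(ldflags string) []XSetting {
	args := strings.Fields(ldflags)
	var xs []XSetting
	for i := 0; i < len(args); i++ {
		spec, ok := strings.CutPrefix(args[i], "-X=")
		if !ok && args[i] == "-X" && i+1 < len(args) {
			i++
			spec, ok = args[i], true
		}
		sym, val, found := strings.Cut(spec, "=")
		if dot := strings.LastIndex(sym, "."); ok && found && dot > 0 {
			xs = append(xs, XSetting{sym[:dot], sym[dot+1:], val})
		}
	}
	return xs
}

// VersionFromBuildInfo returns the first -X value assigned to a variable named
// "version" (case-insensitive). maybeTrimmed is true when no -ldflags setting
// is recorded but -trimpath=true is, i.e. cmd/go may have dropped the flags.
func VersionFromBuildInfo(out string) (version string, maybeTrimmed bool) {
	settings := ParseBuildSettings(out)
	ldflags, ok := settings["-ldflags"]
	if !ok {
		return "", settings["-trimpath"] == "true"
	}
	for _, x := range ParseXFlags(ldflags) {
		if strings.EqualFold(x.Name, "version") {
			return x.Value, false
		}
	}
	return "", false
}

// LdflagsReferenceDirs reports whether any -ldflags token mentions one of the
// build-machine directories (GOROOT, module root, GOPATH), which is the check
// the TODO discussed in this thread asks for. Hypothetical helper, not cmd/go's.
func LdflagsReferenceDirs(ldflags string, dirs []string) bool {
	for _, arg := range strings.Fields(ldflags) {
		for _, d := range dirs {
			if d != "" && strings.Contains(arg, d) {
				return true
			}
		}
	}
	return false
}

// Constructed sample `go version -m` output without -trimpath: -ldflags survives.
const sampleWithLdflags = `tool: go1.22.2
	path	example.com/tool
	build	-compiler=gc
	build	-ldflags="-s -w -X main.Version=1.4.0 -X example.com/tool/internal/build.Commit=abc123"
	build	CGO_ENABLED=1
`

// Constructed sample of the same build with -trimpath: the -ldflags line is gone.
const sampleTrimmed = `tool: go1.22.2
	path	example.com/tool
	build	-compiler=gc
	build	-trimpath=true
	build	CGO_ENABLED=1
`

func main() {
	for _, s := range []string{sampleWithLdflags, sampleTrimmed} {
		v, maybeTrimmed := VersionFromBuildInfo(s)
		fmt.Printf("version=%q maybeTrimmed=%v\n", v, maybeTrimmed)
	}
	dirs := []string{"/home/ci/src/tool", "/usr/local/go"} // assumed build dirs
	fmt.Println(LdflagsReferenceDirs("-X main.Version=1.4.0", dirs), LdflagsReferenceDirs("-X main.Root=/home/ci/src/tool/x", dirs))
}
```

Run it with `go run` on the file; the second sample is the case this issue is about, where a scanner sees `-trimpath=true` and no `-ldflags` at all and so cannot tell whether a version was ever set. The heuristic deliberately errs on the side of hiding flags: a value such as `-X main.Root=/home/ci/src/tool/x` references the module root and would break reproducibility if recorded, while a bare version string does not.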
Add a new boolean option -trimldflags. Only meaningful when -trimpath is true. Defaults to true for backwards compatibility. Otherwise when set to false reports ldflags in buildinfo, in spite of -trimpath setting. Also when ldflags are trimmed from the output, leave a reproducible marker that it happened. The difference between `-trimpath` and `-trimpath -trimldflags=false` shown below for a compilation with ldflags set: ```diff $ diff -u default.txt trimldflags\=false.txt --- default.txt 2024-04-26 18:51:15.106892203 +0100 +++ trimldflags=false.txt 2024-04-26 18:50:19.187008488 +0100 @@ -137,7 +137,7 @@ dep sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= build -buildmode=exe build -compiler=gc - build -trimldflags=true + build -ldflags="-X main.Version=234" build -trimpath=true build DefaultGODEBUG=asynctimerchan=1,gotypesalias=0 build CGO_ENABLED=1 ``` Fixes: golang#63432
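Review bot: the hunk replaces `build -ldflags="-X main.Version=234"` with `build -trimldflags=true` in the default `-trimpath` output, so a consumer that reads buildinfo for `-X` version assignments (the scanner case the Trivy and wolfi commit messages in this thread describe) still gets nothing unless the builder opts in with `-trimldflags=false`; the commit message should state that, and should say whether the marker line is emitted only when an `-ldflags` value was actually dropped or on every `-trimpath` build, since the output shown cannot distinguish the two.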
Change https://go.dev/cl/582055 mentions this issue:
Add a new boolean option -trimldflags. Only meaningful when -trimpath is true. Defaults to true for backwards compatibility. Otherwise when set to false reports ldflags in buildinfo, in spite of -trimpath setting. Also when ldflags are trimmed from the output, leave a reproducible marker that it happened.

Building with '-trimpath -ldflags="-X main.Version=234"' will now emit:

    build -trimldflags=true

Adding -trimldflags=false to the above will emit ldflags:

    build -ldflags="-X main.Version=234"

Fixes: golang#63432
Hi, I am proposing to add a flag to allow override, and emit ldflags despite trimpath being active. Another option is a heuristic to allow ldflags..... as long as it doesn't have any slashes. Separately, other commands allow substituting prefixes, so maybe an option to regexp substitute things in ldflags would work too? @matloob requested to discuss this further, so happy to discuss more. Note that my proposal to override ldflags should not result in any detrimental behaviour w.r.t. reproducible builds by default.
Add a new boolean option -trimldflags. Only meaningful when -trimpath is true. Defaults to true for backwards compatibility. Otherwise when set to false reports ldflags in buildinfo, in spite of -trimpath setting. Also when ldflags are trimmed from the output, leave a reproducible marker that it happened.

Building with '-trimpath -ldflags="-X main.Version=234"' will now emit:

    build -trimldflags=true

Adding -trimldflags=false to the above will emit ldflags:

    build -ldflags="-X main.Version=234"

Fixes: golang#63432
Change-Id: I47d633ef0e6a90136799bef9701b7ff22c92f095
GitHub-Pull-Request: golang#67072
@matloob which one of the above solutions are desired? the currently proposed PR addresses the outstanding TODO.
Even when -trimpath is active, emit full ldflags in the version information ELF note. Vulnerability scanners typically parse the ldflags field to detect the main package version, thus binaries that are built with -trimpath are currently actively evading vulnerability scanners.

Fixes: wolfi-dev#17647
Fixes: golang/go#63432
@matloob @michaelmatloob any comments?
I think the best option is to do what the TODO suggests and what Bryan suggested in #63432 (comment) and parse the ldflags to see if it contains known paths.
Was -trimpath ldflags stripping added to get reproducible builds of the go toolchain itself? In that case the goal is to "preserve as many ldflags as possible" but "without breaking reproducibility of the go toolchain builds itself" +/- any other bugs? Because absolute and relative paths are ok, as long as they are stable. It's when they are dynamic that the binaries become non reproducible.
Change https://go.dev/cl/608818 mentions this issue:
What version of Go are you using (`go version`)?

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (`go env`)?

What did you do?

What did you expect to see?

What did you see instead?