
Add serverVersion var set via ldflags #5650

Merged 1 commit from add-version-for-syft into main, Jul 15, 2024
Conversation

@wallyqs (Member) commented Jul 15, 2024

Setting a serverVersion variable which is set via ldflags to help security scanners like syft detect the version when inspecting the binary. Goreleaser is modified to set this ldflag and a test is added to make sure that the VERSION constant matches the tag from the release.

Result:

$ export TRAVIS_TAG=v2.10.18

$ go test -race -v -run=TestVersionMatchesTag ./server --trimpath -ldflags="-X=github.com/nats-io/nats-server/v2/server.serverVersion=$TRAVIS_TAG" -count=1 -vet=off

# Example failure
=== RUN   TestVersionMatchesTag
    server_test.go:144: Version (2.11.0-dev) does not match tag (2.10.18)
--- FAIL: TestVersionMatchesTag (0.00s)

$ go build --trimpath -ldflags="-X 'github.com/nats-io/nats-server/v2/server.serverVersion=$TRAVIS_TAG'" .

$ syft ./nats-server
NAME                               VERSION   TYPE     
...   
github.com/nats-io/nats-server/v2  v2.10.18  go-module    
...
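The variable-plus-test arrangement the PR describes, as an added Go example that is not the nats-server code: a package-level serverVersion the linker fills in through -X, a normalization of the git tag, and the comparison that produces the failure shown above. The package name main, the VERSION value and the handling of an unset tag are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// VERSION stands in for the VERSION constant a server package exports; the
// value here is constructed for the example.
const VERSION = "2.10.18"

// serverVersion is left empty in the source and is meant to be populated by
// the linker, for instance:
//   go build -ldflags="-X 'main.serverVersion=v2.10.18'" .
// Scanners that read -X assignments see the assigned value; the program itself
// can use it to double-check the release it was built for.
var serverVersion string

// normalizeTag turns a git tag such as "v2.10.18" into the bare semantic
// version "2.10.18" so it can be compared with VERSION.
func normalizeTag(tag string) string {
	return strings.TrimPrefix(strings.TrimSpace(tag), "v")
}

// checkVersionMatchesTag returns nil when version and the release tag agree
// and an error describing the mismatch otherwise, in the shape of the failure
// printed in the PR description. An empty tag is an error rather than a
// vacuous match, so a CI job that forgot to export the tag cannot pass silently.
func checkVersionMatchesTag(version, tag string) error {
	t := normalizeTag(tag)
	if t == "" {
		return fmt.Errorf("release tag is empty; nothing to compare %q against", version)
	}
	if version != t {
		return fmt.Errorf("version (%s) does not match tag (%s)", version, t)
	}
	return nil
}

// effectiveVersion prefers the value the linker injected and falls back to the
// compiled-in constant for a plain `go build` with no -X flag.
func effectiveVersion() string {
	if v := normalizeTag(serverVersion); v != "" {
		return v
	}
	return VERSION
}

func main() {
	// TRAVIS_TAG is the variable the PR's CI run exports; it is unset locally.
	tag := os.Getenv("TRAVIS_TAG")
	fmt.Println("effective version:", effectiveVersion())
	if tag == "" {
		fmt.Println("TRAVIS_TAG not set, skipping tag check")
		return
	}
	if err := checkVersionMatchesTag(VERSION, tag); err != nil {
		fmt.Println("mismatch:", err)
		os.Exit(1)
	}
	fmt.Println("version matches tag", tag)
}
```

Build it with `go build -ldflags="-X 'main.serverVersion=v2.10.18'" .` and run it with `TRAVIS_TAG=v2.10.18` to see the match; changing VERSION to 2.11.0-dev reproduces the mismatch from the PR. The goreleaser change in the PR injects the same kind of -X assignment, against the server package's variable path rather than main.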

@wallyqs wallyqs requested a review from a team as a code owner July 15, 2024 07:35
@wallyqs wallyqs requested a review from bruth July 15, 2024 07:35
@wallyqs wallyqs requested a review from philpennock July 15, 2024 08:03
Setting this helps security scanners like syft detect the version
when inspecting the binary.

Signed-off-by: Waldemar Quevedo <wally@nats.io>
@wallyqs wallyqs force-pushed the add-version-for-syft branch from d02a048 to 5f0a6ad Compare July 15, 2024 11:46
@LaurentGoderre commented Jul 15, 2024

@wallyqs serverVersion isn't one of the detected ones. The ones that are supported are BuildVersion, GitVersion, ReleaseVersion or Tag. With that being said, the flag can be there and not point to an actual variable in the code, and Syft would work.

Nevermind, it works

@LaurentGoderre commented
Funny it kind of went full circle to the original PR. Thank you so much for being open to this change!

@derekcollison derekcollison merged commit 2124d5f into main Jul 15, 2024
3 checks passed
@derekcollison derekcollison deleted the add-version-for-syft branch July 15, 2024 16:10
bruth pushed a commit that referenced this pull request Jul 15, 2024
Includes:

- #5649
- #5651
- #5650
- #5655

---------

Signed-off-by: Derek Collison <derek@nats.io>
Signed-off-by: Waldemar Quevedo <wally@nats.io>
Co-authored-by: Derek Collison <derek@nats.io>
@LaurentGoderre commented
@wallyqs is this going to be backported for 2.9.x?

@wallyqs (Member, Author) commented Jul 15, 2024

@LaurentGoderre no, there are no releases planned for the v2.9 series.

@LaurentGoderre commented
@wallyqs the ldflag section is absent from the binary in the release because of the -trimpath flag. Is that something that is required?

@wallyqs (Member, Author) commented Jul 17, 2024

@LaurentGoderre yes, we need the --trimpath flag to have reproducible builds (https://go.dev/blog/rebuild). The latest release though seems to be OK for syft?

syft ./nats-server-v2.10.18-darwin-arm64/nats-server 
NAME                               VERSION   TYPE        
github.com/klauspost/compress      v1.17.9   go-module    
github.com/minio/highwayhash       v1.0.3    go-module    
github.com/nats-io/jwt/v2          v2.5.8    go-module    
github.com/nats-io/nats-server/v2  v2.10.18  go-module    
github.com/nats-io/nkeys           v0.4.7    go-module    
github.com/nats-io/nuid            v1.0.1    go-module    
go.uber.org/automaxprocs           v1.5.3    go-module    
golang.org/x/crypto                v0.25.0   go-module    
golang.org/x/sys                   v0.22.0   go-module    
golang.org/x/time                  v0.5.0    go-module    
stdlib                             go1.22.5  go-module  

@LaurentGoderre commented

With the default Syft config, yes, but it gets them by doing a regex for anything that looks like a version in the binary. With Docker Scout we use a stricter rule and rely on the ldflag in the binary.

@LaurentGoderre commented

Ha!! Seems like you ran into this too!! golang/go#63432

@wallyqs (Member, Author) commented Jul 17, 2024

@LaurentGoderre yes... that is what I was afraid we would stumble upon eventually (#5599 (comment)), but at least now the situation has improved since syft does manage to get the version right.
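The stricter Docker Scout rule LaurentGoderre describes reads the -X assignment out of the -ldflags setting in the binary's Go build info, and that setting is what he observes is absent from a -trimpath build (the golang/go#63432 thread). The following Go program, an added example that is neither the scanner's nor the project's code, parses -X assignments from a recorded -ldflags setting and shows what a strict scanner is left with when the setting is missing. The build-info values are constructed inline; the variable path is the one from the PR.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

// ldflagsSetVars extracts every "-X importpath.name=value" assignment from a
// linker flag string as recorded in the binary's "-ldflags" build setting.
// Both "-X=name=value" and "-X name=value" spellings are accepted, and the
// single or double quotes that survive a shell invocation such as
//   -ldflags="-X 'pkg.serverVersion=$TRAVIS_TAG'"
// are stripped. Assignments whose value contains whitespace are not handled.
func ldflagsSetVars(ldflags string) map[string]string {
	vars := map[string]string{}
	fields := strings.Fields(ldflags)
	for i := 0; i < len(fields); i++ {
		var assign string
		switch {
		case strings.HasPrefix(fields[i], "-X="):
			assign = strings.TrimPrefix(fields[i], "-X=")
		case fields[i] == "-X" && i+1 < len(fields):
			i++
			assign = fields[i]
		default:
			continue // -s, -w, -extldflags and friends are not assignments
		}
		assign = strings.Trim(assign, `'"`)
		name, value, ok := strings.Cut(assign, "=")
		if !ok || name == "" {
			continue
		}
		vars[name] = value
	}
	return vars
}

// versionSource records which evidence the scanner used for the version.
type versionSource struct {
	Version string
	Source  string // "ldflags", "module" or "unknown"
}

// detectVersion imitates a strict scanner: it trusts a -X assignment to
// varName recorded in build info, then falls back to the main module's
// version, and otherwise gives up. It never pattern-matches for anything that
// merely looks like a version, which is the loose heuristic the default syft
// configuration relies on.
func detectVersion(bi *debug.BuildInfo, varName string) versionSource {
	for _, s := range bi.Settings {
		if s.Key != "-ldflags" {
			continue
		}
		if v, ok := ldflagsSetVars(s.Value)[varName]; ok {
			return versionSource{Version: v, Source: "ldflags"}
		}
	}
	// A binary built from a checkout (rather than `go install mod@vX.Y.Z`)
	// records "(devel)" here, which carries no version information.
	if v := bi.Main.Version; v != "" && v != "(devel)" {
		return versionSource{Version: v, Source: "module"}
	}
	return versionSource{Source: "unknown"}
}

// serverVersionVar is the variable path the PR's goreleaser ldflag targets.
const serverVersionVar = "github.com/nats-io/nats-server/v2/server.serverVersion"

// sampleBuildInfo is constructed for this example. With trimpath=false it
// carries the -ldflags setting; with trimpath=true it mirrors a build where
// the go tool recorded -trimpath and left the -ldflags setting out.
func sampleBuildInfo(trimpath bool) *debug.BuildInfo {
	bi := &debug.BuildInfo{
		GoVersion: "go1.22.5",
		Path:      "github.com/nats-io/nats-server/v2",
		Main:      debug.Module{Path: "github.com/nats-io/nats-server/v2", Version: "(devel)"},
	}
	if trimpath {
		bi.Settings = append(bi.Settings, debug.BuildSetting{Key: "-trimpath", Value: "true"})
	} else {
		bi.Settings = append(bi.Settings, debug.BuildSetting{
			Key:   "-ldflags",
			Value: "-X '" + serverVersionVar + "=v2.10.18'",
		})
	}
	return bi
}

func main() {
	for _, trimpath := range []bool{false, true} {
		got := detectVersion(sampleBuildInfo(trimpath), serverVersionVar)
		fmt.Printf("trimpath=%-5v version=%q source=%s\n", trimpath, got.Version, got.Source)
	}
	// The same logic applied to the binary that is running.
	if bi, ok := debug.ReadBuildInfo(); ok {
		fmt.Printf("this binary: %+v\n", detectVersion(bi, serverVersionVar))
	}
}
```

`go version -m ./nats-server` prints the same build settings a scanner sees, so it is a quick way to confirm whether a release binary carries a `build -ldflags=...` line or only `build -trimpath=true`.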
