golang -trimpath is hiding information #17647
Comments
|
In order to potentially upstream this, should we split the functionality into -trimpath and -trimflags (and we just won't use -trimflags)? |
|
Proposing golang/go#67072 |
xnox
added a commit
to xnox/os
that referenced
this issue
May 2, 2024
Even when -trimpath is active, emit full ldflags in the version information ELF note. Vulnerability scanners typically parse ldflags field to detect main package version, thus binaries that are built with -trimpath are currently actively evading vulnerability scanners. Fixes: wolfi-dev#17647 Fixes: golang/go#63432
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
trimpath reduces binary size a lot by stripping filepaths from binaries.
For privacy reasons it also strips ldflags from binaries; even if they don't contain any paths.
That hides useful information - ie.
We should patch our golang toolchain to not hide ldflags from binaries, when they are built using trimpath.
As this hides information from security scanners.
See also:
golang/go#50603
golang/go#63432
The text was updated successfully, but these errors were encountered: