debug/buildinfo: base64-encode test binaries

Overzealous security scanners don't like the Go 1.17 binary because they
think it has every 1.17 security vulnerability. base64-encode the binary
to hide from them.

I've also extended the instructions to make the binary easier to
reproduce.

Since we do the Go binary, we might as well do the C binary too, as it
apparently makes some virus scanners unhappy.

Fixes #71753.
For #71734.
For #71821.

Change-Id: I6a6a636cccbf5312522f52f27f74eded64048fb7
Reviewed-on: https://go-review.googlesource.com/c/go/+/651175
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Michael Pratt <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
Reviewed-by: Cherry Mui <[email protected]>

Author: prattmic

src/debug/buildinfo/buildinfo_test.go

@@ -11,6 +11,7 @@ import (
 	"encoding/binary"
 	"flag"
 	"fmt"
+	"internal/obscuretestdata"
 	"internal/testenv"
 	"os"
 	"os/exec"
@@ -275,24 +276,16 @@ func TestReadFile(t *testing.T) {
 
 // Test117 verifies that parsing of the old, pre-1.18 format works.
 func Test117(t *testing.T) {
-	// go117 was generated for linux-amd64 with:
-	//
-	// main.go:
-	//
-	// package main
-	// func main() {}
-	//
-	// GOTOOLCHAIN=go1.17 go mod init example.com/go117
-	// GOTOOLCHAIN=go1.17 go build
-	//
-	// TODO(prattmic): Ideally this would be built on the fly to better
-	// cover all executable formats, but then we need a network connection
-	// to download an old Go toolchain.
-	info, err := buildinfo.ReadFile("testdata/go117")
+	b, err := obscuretestdata.ReadFile("testdata/go117/go117.base64")
 	if err != nil {
 		t.Fatalf("ReadFile got err %v, want nil", err)
 	}
 
+	info, err := buildinfo.Read(bytes.NewReader(b))
+	if err != nil {
+		t.Fatalf("Read got err %v, want nil", err)
+	}
+
 	if info.GoVersion != "go1.17" {
 		t.Errorf("GoVersion got %s want go1.17", info.GoVersion)
 	}
@@ -306,20 +299,14 @@ func Test117(t *testing.T) {
 
 // TestNotGo verifies that parsing of a non-Go binary returns the proper error.
 func TestNotGo(t *testing.T) {
-	// notgo was generated for linux-amd64 with:
-	//
-	// main.c:
-	//
-	// int main(void) { return 0; }
-	//
-	// cc -o notgo main.c
-	//
-	// TODO(prattmic): Ideally this would be built on the fly to better
-	// cover all executable formats, but then we need to encode the
-	// intricacies of calling each platform's C compiler.
-	_, err := buildinfo.ReadFile("testdata/notgo")
+	b, err := obscuretestdata.ReadFile("testdata/notgo/notgo.base64")
+	if err != nil {
+		t.Fatalf("ReadFile got err %v, want nil", err)
+	}
+
+	_, err = buildinfo.Read(bytes.NewReader(b))
 	if err == nil {
-		t.Fatalf("ReadFile got nil err, want non-nil")
+		t.Fatalf("Read got nil err, want non-nil")
 	}
 
 	// The precise error text here isn't critical, but we want something
@@ -410,13 +397,13 @@ func TestIssue54968(t *testing.T) {
 }
 
 func FuzzRead(f *testing.F) {
-	go117, err := os.ReadFile("testdata/go117")
+	go117, err := obscuretestdata.ReadFile("testdata/go117/go117.base64")
 	if err != nil {
 		f.Errorf("Error reading go117: %v", err)
 	}
 	f.Add(go117)
 
-	notgo, err := os.ReadFile("testdata/notgo")
+	notgo, err := obscuretestdata.ReadFile("testdata/notgo/notgo.base64")
 	if err != nil {
 		f.Errorf("Error reading notgo: %v", err)
 	}

src/debug/buildinfo/testdata/go117

@@ -0,0 +1,15 @@
+go117.base64 is a base64-encoded Go 1.17 hello world binary used to test
+debug/buildinfo of pre-1.18 buildinfo encoding.
+
+The binary is base64 encoded to hide it from security scanners that believe a
+Go 1.17 is inherently insecure.
+
+Generate go117.base64 with:
+
+$ GOTOOLCHAIN=go1.17 GOOS=linux GOARCH=amd64 go build -trimpath
+$ base64 go117 > go117.base64
+$ rm go117
+
+TODO(prattmic): Ideally this would be built on the fly to better cover all
+executable formats, but then we need a network connection to download an old Go
+toolchain.

src/debug/buildinfo/testdata/go117/README.md

@@ -0,0 +1,3 @@
+module example.com/go117
+
+go 1.17

src/debug/buildinfo/testdata/go117/go.mod

@@ -0,0 +1,7 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+func main() {}

src/debug/buildinfo/testdata/go117/go117.base64

@@ -0,0 +1,17 @@
+notgo.base64 is a base64-encoded C hello world binary used to test
+debug/buildinfo errors on non-Go binaries.
+
+The binary is base64 encoded to hide it from security scanners that might not
+like it.
+
+Generate notgo.base64 on linux-amd64 with:
+
+$ cc -o notgo main.c
+$ base64 notgo > notgo.base64
+$ rm notgo
+
+The current binary was built with "gcc version 14.2.0 (Debian 14.2.0-3+build4)".
+
+TODO(prattmic): Ideally this would be built on the fly to better cover all
+executable formats, but then we need to encode the intricacies of calling each
+platform's C compiler.

src/debug/buildinfo/testdata/go117/main.go

@@ -0,0 +1,7 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+int main(void) {
+	return 0;
+}