fix: ignore reference to 'go@version' from newer go mod graph output #188

Merged
merged 1 commit into from
Apr 29, 2025

Conversation

Strum355
Member

Description

Related issues (if any): #184 (comment)

Checklist

  • I have followed this repository's contributing guidelines.
  • I will adhere to the project's code of conduct.

Additional information

Anything else?

@Strum355 Strum355 requested a review from ruromero April 28, 2025 17:12
@Strum355 Strum355 force-pushed the nsc/go-module-ignore-go branch from d6b08a1 to 0393d17 Compare April 28, 2025 17:12
Collaborator

@ruromero ruromero left a comment

I don't know if we should remove it from newer or add it in older. The go standard library is part of the software components so IMO it adds more context to the generated SBOM. Also there might be some CVEs that affect specific go versions:
example: https://www.cve.org/CVERecord?id=CVE-2024-24790 or https://www.cve.org/CVERecord?id=CVE-2025-22866

@ruromero
Collaborator

As discussed offline. It's better to ignore it completely as the go version should be part of the SBOM that includes the rpm/deb packages etc. Example: pkg:deb/debian/golang-1.22
The reason is that the project doesn't have a direct dependency to a specific golang version (only minimum required go version), the actual version is resolved at build time and depends on the tools available during build. We are generating an SBOM of the project's dependencies, not the build artifact dependencies.
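The filtering the PR title describes, written out as an added example that is not code from this PR or from the trustification project: a small Go parser for `go mod graph` output that drops every edge touching the `go@<version>` pseudo-node, so the Go toolchain never shows up as a project dependency in the generated SBOM. The `toolchain@` prefix is handled on the assumption that newer Go emits it in the same place; the sample graph is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Edge is one "parent child" line of `go mod graph` output.
type Edge struct {
	From string
	To   string
}

// IsGoPseudoNode reports whether a graph node is the pseudo-module that newer Go
// emits for a module's go directive ("go@1.22"). The PR only discusses "go@";
// treating "toolchain@" the same way is an assumption about the same format.
func IsGoPseudoNode(node string) bool {
	return strings.HasPrefix(node, "go@") || strings.HasPrefix(node, "toolchain@")
}

// ParseModGraph parses `go mod graph` output and returns the dependency edges,
// dropping every edge that touches a go/toolchain pseudo-node. Dropped lines are
// returned separately so a caller can log what was ignored.
func ParseModGraph(output string) (edges []Edge, ignored []string) {
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			// Malformed line: report it rather than guess at its meaning.
			ignored = append(ignored, line)
			continue
		}
		from, to := fields[0], fields[1]
		if IsGoPseudoNode(from) || IsGoPseudoNode(to) {
			ignored = append(ignored, line)
			continue
		}
		edges = append(edges, Edge{From: from, To: to})
	}
	return edges, ignored
}

// SampleGraph is a constructed sample of what `go mod graph` prints on newer Go:
// the main module appears without a version, dependencies as path@version, and
// each module's go directive shows up as an edge to a "go@<version>" node.
const SampleGraph = `example.com/app go@1.22
example.com/app github.com/spf13/cobra@v1.8.0
github.com/spf13/cobra@v1.8.0 github.com/spf13/pflag@v1.0.5
github.com/spf13/cobra@v1.8.0 go@1.15
github.com/spf13/pflag@v1.0.5 go@1.12
`

func main() {
	edges, ignored := ParseModGraph(SampleGraph)
	for _, e := range edges {
		fmt.Printf("%s -> %s\n", e.From, e.To)
	}
	fmt.Printf("ignored %d line(s) referencing the Go toolchain\n", len(ignored))
}
```

Keeping the ignored lines around (instead of silently dropping them) makes it easy to confirm in logs that only toolchain edges were removed; the Go version itself is then expected to come from the SBOM of the build environment, as the comment above describes.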

@Strum355 Strum355 requested a review from ruromero April 29, 2025 14:33
@ruromero ruromero merged commit 67aaa89 into trustification:main Apr 29, 2025
4 checks passed
Successfully merging this pull request may close these issues.

Research alternatives to go mod graph for Go provider
2 participants