
fix(gomod): prefer version specified by toolchain directive when present #565

Open · wants to merge 3 commits into main from fix/consider-the-toolchain
Conversation

@G-Rath (Collaborator) commented Mar 14, 2025

Unlike with go, the toolchain directive holds the name of an actual toolchain which is prefixed with go and can have a suffix - when comparing, these should be ignored:

Toolchains are compared by comparing the version V embedded in the name (dropping the initial go and discarding off any suffix beginning with -)

However, I'm not sure if that's an extractor-level concern - if it's not, then I think we'll need to include a custom version comparator for semantic to handle that, and ensure comparators elsewhere like osv.dev account for this.

Resolves google/osv-scanner#1606

@another-rex (Collaborator) commented:
I think practically we have made it an extractor level concern (not sure whether that's a good thing or not). Right now we are really only using the go version to determine the standard library version, and that's also what this toolchain directive will be for as well, so let's make it trim the go prefix.

@G-Rath G-Rath marked this pull request as ready for review March 14, 2025 03:11
@G-Rath G-Rath force-pushed the fix/consider-the-toolchain branch from fbd733c to 77bc9d1 Compare March 14, 2025 21:22
@G-Rath G-Rath requested a review from Copilot March 14, 2025 21:24

Copilot commented:

Pull Request Overview

This PR updates the Go module extractor to prioritize the version specified by the toolchain directive, ensuring that any suffix after a '-' is discarded before comparison. Key changes include:

  • Adding logic in gomod.go to extract and use the toolchain version when present.
  • Adding test cases in gomod_test.go to validate correct extraction from toolchain declarations, including cases with suffixes.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File | Description
extractor/filesystem/language/golang/gomod/gomod.go | Introduces support for using the toolchain version by trimming the "go" prefix and any suffix.
extractor/filesystem/language/golang/gomod/gomod_test.go | Adds tests to ensure proper behavior when the toolchain directive is present with or without a suffix.
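The normalisation the thread settles on (take the toolchain directive when present, drop the leading "go" and any "-suffix", otherwise fall back to the go directive) matters because, as noted above, this version is what selects the standard-library version for vulnerability matching; a wrong pick means stdlib advisories are matched against the wrong release. The following is an added example written for this page, not code from the PR or the project. The names `parseGoModDirectives`, `toolchainVersion`, `effectiveGoVersion` and the embedded go.mod are assumptions for illustration; it uses a minimal line scanner rather than golang.org/x/mod/modfile so that it runs offline with only the standard library.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGoMod is a constructed go.mod used to exercise the parser; it is not
// taken from any real project. The toolchain name carries a "-custom" suffix
// so the suffix-stripping path is exercised.
const sampleGoMod = `module example.com/demo

go 1.21 // minimum language version

toolchain go1.22.1-custom

require (
	example.com/dep v1.2.3 // indirect
)
`

// GoModVersions holds the raw values of the top-level go and toolchain directives.
type GoModVersions struct {
	Go        string // value of the "go" directive, e.g. "1.21"
	Toolchain string // raw toolchain name, e.g. "go1.22.1-custom"; "" if absent
}

// parseGoModDirectives scans a go.mod for the top-level "go" and "toolchain"
// directives. Comments are stripped first so "go 1.21 // note" still parses.
// Lines inside require/replace/exclude blocks never have "go" or "toolchain"
// as their first field, so they are skipped by the switch.
func parseGoModDirectives(src string) GoModVersions {
	var v GoModVersions
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		switch fields[0] {
		case "go":
			v.Go = fields[1]
		case "toolchain":
			v.Toolchain = fields[1]
		}
	}
	return v
}

// toolchainVersion extracts the version V embedded in a toolchain name by
// dropping the initial "go" and discarding any suffix beginning with "-".
// It reports false for names that carry no version, such as "default"
// (which means "use the go directive") or an empty/absent directive.
func toolchainVersion(name string) (string, bool) {
	if !strings.HasPrefix(name, "go") {
		return "", false
	}
	v := strings.TrimPrefix(name, "go")
	if i := strings.Index(v, "-"); i >= 0 {
		v = v[:i]
	}
	if v == "" {
		return "", false
	}
	return v, true
}

// effectiveGoVersion returns the version an extractor should report: the
// toolchain's embedded version when a usable toolchain directive is present,
// otherwise the go directive.
func effectiveGoVersion(v GoModVersions) string {
	if tv, ok := toolchainVersion(v.Toolchain); ok {
		return tv
	}
	return v.Go
}

func main() {
	v := parseGoModDirectives(sampleGoMod)
	fmt.Printf("go directive: %q, toolchain: %q\n", v.Go, v.Toolchain)
	fmt.Printf("effective Go version: %q\n", effectiveGoVersion(v))
}
```

Note that `toolchain default` is deliberately treated as "no toolchain" rather than as a version string, and that a pre-release name such as `go1.22rc1` keeps its `rc1` because that part is not introduced by a "-" and is part of the version itself.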
Linked issue (may be closed by merging this pull request): Toolchain directive in go.mod not being considered
2 participants