cyclonedx-gomod
cyclonedx-gomod copied to clipboard
Published
20 hours ago •
CycloneDX
CycloneDX
`bin`: Support macOS universal binaries
go version -m can't currently deal with macOS universal binaries.
However, with Go 1.18, we will get the necessary tools to implement support for them ourselves, using buildinfo.Read(io.ReaderAt).
Also, Go has had support for reading fat mach-o binaries since 1.3 using macho.OpenFat.
I tinkered a bit, and it's now almost trivial to get go version -m results for all embedded binaries:
import (
"debug/buildinfo"
"debug/macho"
"io"
"log"
"os"
)
func LoadBuildInfo118(binaryPath string) error {
ff, err := macho.OpenFat(binaryPath)
if err != nil {
return err
}
ff.Close()
binaryFile, err := os.Open(binaryPath)
if err != nil {
return err
}
defer binaryFile.Close()
for i, arch := range ff.Arches {
header := ff.Arches[i].FatArchHeader
bi, err := buildinfo.Read(io.NewSectionReader(binaryFile, int64(header.Offset), int64(header.Size)))
if err != nil {
return err
}
log.Printf("%s: %s@%s (%s)", arch.Cpu, bi.Main.Path, bi.Main.Version, bi.Main.Sum)
}
return nil
}
Example output for the universal binary of goreleaser:
2022/02/05 12:34:35 CpuAmd64: github.com/goreleaser/[email protected] (h1:gW8sdjDEo2H2ZgcJmWsNZUcaJSD4MLvA/bw7+GYQ8kU=)
2022/02/05 12:34:35 CpuArm64: github.com/goreleaser/[email protected] (h1:gW8sdjDEo2H2ZgcJmWsNZUcaJSD4MLvA/bw7+GYQ8kU=)
Still torn on what the correct output would be though. Two SBOMs? A merged SBOM?
