rules_go icon indicating copy to clipboard operation
rules_go copied to clipboard
verified publisher icon bazelbuild

how to get the dependencies and their versions for go executables built with bazel

Open blumamir opened this issue 1 year ago • 4 comments

Hi,

Me and https://github.com/RonFed are working on OpenTelemetry auto instrumentation module. This issue is regarding the one here

In order to correctly instrument a go binary, we need to extract the dependencies and their versions from the executable file.

We use the debug/buildinfo from the standard library, doing something similar to this:

import  (
  "debug/buildinfo"
)

	f, err := os.Open("/path/to/go/executable")
	if err != nil {
		fmt.Println("Error:", err)
		return
	}
	defer f.Close()

	bi, err := buildinfo.Read(f)
	if err != nil {
		fmt.Println("Error:", err)
		return
	}

	fmt.Println("deps:")
	fmt.Println(bi.Deps)

When running this inspection on a binary built with go build and go.mod, we are able to see the deps in the executable. However, when inspecting an executable built with bazel, the deps are not there.

Example sections from our build configuration:

BUILD.bazel

go_library(
    name = "rolldice_lib",
    srcs = [
        "main.go",
        "rolldice.go",
    ],
    importpath = "github.com/tendermint/tendermint/rolldice",
    visibility = ["//visibility:private"],
    deps = [
        "@com_github_gin_gonic_gin//:go_default_library"
    ],
)

deps.bzl

...
    go_repository(
        name = "com_github_gin_gonic_gin",
        build_file_proto_mode = "disable_global",
        importpath = "github.com/gin-gonic/gin",
        sum = "h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=",
        version = "v1.10.0",
    )
...

How can we get this info from a binary built with bazel? Any help will be appreciated

blumamir avatar Oct 27 '24 14:10 blumamir

I'm running into the same issue where bazel built binaries do not return anything when executing go version -m <path-to-bin> but binaries built with go build return all the embedded modules and their versions.

gscho avatar Jan 06 '25 14:01 gscho

We can inject data, but it's not clear what data that should be. Bazel Go targets can depend on Go code that isn't even a Go module. PRs that wire this up in any reasonable way are welcome though, I'm happy to support them as well.

fmeum avatar Jan 06 '25 15:01 fmeum

+1 on this. this can also be used in vulnerability scanning, would be great to at least having the option to embed it. Is it specify a go.mod file for final binary to act as source of data? @fmeum

HDYA avatar Apr 11 '25 19:04 HDYA

The approach I may prototype is to:

  • have rules_go add bazel-contrib/supply-chain metadata to the generated BUILD files
  • modify go_binary to gather those markers and use that

This can capture non-Go dependencies as well. For now, I would only add package name and version. Certainly nothing ephemeral like build timestamps.

aiuto avatar Jul 17 '25 04:07 aiuto