
Dependencies of the released Vault binary indicate wrong Vault version

Open candrews opened this issue 7 months ago • 0 comments

Describe the bug

The dependencies provided by go version -m vault indicate the wrong vault dependency version.

This causes tools, such as Trivy, to be unable to determine what version of Vault this binary is. SBOMs are generated with incorrect information, security scanners report false positives, and other such problems result from this issue.

To Reproduce

Steps to reproduce the behavior:

  1. Following the instructions at https://developer.hashicorp.com/vault/install, download the official vault release: https://releases.hashicorp.com/vault/1.19.4/vault_1.19.4_linux_amd64.zip
  2. Extract vault from the zip file
  3. Run: go version -m vault

The output is:

$ go version -m ~/Downloads/vault
/home/candrews/Downloads/vault: go1.24.3
	path	github.com/hashicorp/vault
	mod	github.com/hashicorp/vault	v0.0.0-20250514170447-322786e236e2+dirty	
	dep	cel.dev/expr	v0.19.0	h1:lXuo+nDhpyJSpWxpPVi5cPUwzKb+dsdOiw6IreM5yt0=
	dep	cloud.google.com/go	v0.116.0	h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE=
...

Expected behavior

The output should be:

$ go version -m ~/Downloads/vault
/home/candrews/Downloads/vault: go1.24.3
	path	github.com/hashicorp/vault
	mod	github.com/hashicorp/vault	v1.19.4
	dep	cel.dev/expr	v0.19.0	h1:lXuo+nDhpyJSpWxpPVi5cPUwzKb+dsdOiw6IreM5yt0=
	dep	cloud.google.com/go	v0.116.0	h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE=
...

Environment:

  • Vault Server Version (retrieve with vault status): n/a
  • Vault CLI Version (retrieve with vault version): Vault v1.19.4 (322786e236e268532e4b189845971ba67b5cbb23), built 2025-05-14T13:04:47Z
  • Server Operating System/Architecture: Linux

Vault server configuration file(s):

n/a

Additional context

Other Go project releases do show the expected information.

For example, Trivy, downloaded from https://github.com/aquasecurity/trivy/releases/tag/v0.62.1, works as expected:

$ go version -m ~/Downloads/trivy_0.62.1_Linux-64bit/trivy 
/home/candrews/Downloads/trivy_0.62.1_Linux-64bit/trivy: go1.24.2
	path	github.com/aquasecurity/trivy/cmd/trivy
	mod	github.com/aquasecurity/trivy	v0.62.1	
	dep	cel.dev/expr	v0.19.1	h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4=
	dep	cloud.google.com/go	v0.118.3	h1:jsypSnrE/w4mJysioGdMBg4MiW/hHx/sArFpaBWHdME=

candrews, May 20 '25 17:05
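A check for the condition reported above, as an added example that is not part of the original issue or of Vault's or Trivy's code: it parses `go version -m` text and classifies the main module version the way an SBOM pipeline could before trusting it. The function names, the class labels and the embedded sample lines (constructed from the two `mod` lines quoted in the issue) are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pseudo-version shape: vX.Y.Z-yyyymmddhhmmss-commit, optional +metadata.
var pseudoRe = regexp.MustCompile(`^v[0-9]+\.(0\.0-|\d+\.\d+-([^+]*\.)?0\.)\d{14}-[A-Za-z0-9]+(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$`)

// Tagged version: vX.Y.Z with optional pre-release and +incompatible.
var taggedRe = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+incompatible)?$`)

// Constructed samples: the path and "mod" lines quoted in the issue.
const sampleVault = "\tpath\tgithub.com/hashicorp/vault\n\tmod\tgithub.com/hashicorp/vault\tv0.0.0-20250514170447-322786e236e2+dirty\t\n"
const sampleTrivy = "\tpath\tgithub.com/aquasecurity/trivy/cmd/trivy\n\tmod\tgithub.com/aquasecurity/trivy\tv0.62.1\t\n"

// MainModule extracts the main module path and version from `go version -m` text.
func MainModule(out string) (path, version string, ok bool) {
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "mod" {
			return f[1], f[2], true
		}
	}
	return "", "", false
}

// Classify reports whether a version string can be mapped to a release tag.
// The labels are this example's own names, not a Go or Trivy vocabulary.
func Classify(v string) string {
	switch {
	case v == "" || v == "(devel)":
		return "devel"
	case pseudoRe.MatchString(v) && strings.HasSuffix(v, "+dirty"):
		return "pseudo-dirty"
	case pseudoRe.MatchString(v):
		return "pseudo"
	case taggedRe.MatchString(v):
		return "tagged"
	}
	return "unknown"
}

func main() {
	for _, s := range []string{sampleVault, sampleTrivy} {
		p, v, _ := MainModule(s)
		fmt.Printf("%s %s -> %s\n", p, v, Classify(v))
	}
}
```

Anything other than `tagged` means a scanner cannot match the binary to a release from its build info alone. The same `Classify` can be fed `Main.Version` from the standard library's `debug/buildinfo.ReadFile` to check a binary on disk directly.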