
[bug] The git status is dirty for releases

Open naveensrinivasan opened this issue 3 years ago • 5 comments

Describe the bug

With go 1.18 the build info https://pkg.go.dev/debug/buildinfo@master is embedded within the binary.

I used this example source code to investigate the buildinfo

package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

func main() {
	// Path of the binary to inspect, passed as the first argument.
	file := os.Args[1]
	// Read the build info embedded by the Go toolchain (go 1.18+).
	x, err := buildinfo.ReadFile(file)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// Print each build setting (compiler flags, GOOS/GOARCH, vcs.* fields, ...).
	for _, v := range x.Settings {
		fmt.Println(v)
	}
}

I downloaded the binaries from GitHub releases and passed them to the above example code. This is version v1.2.0

Here is the output

go run main.go ~/Downloads/slsa-builder-go-linux-amd64
{-compiler gc}
{-ldflags -s -w}
{-tags netgo}
{CGO_ENABLED 0}
{GOARCH amd64}
{GOOS linux}
{GOAMD64 v1}
{vcs git}
{vcs.revision bdd89e60dc5387d8f819bebc702987956bcd4913}
{vcs.time 2022-07-19T18:02:42Z}
{vcs.modified true}
go run main.go ~/Downloads/slsa-generator-generic-linux-amd64
{-compiler gc}
{-tags netgo}
{CGO_ENABLED 0}
{GOARCH amd64}
{GOOS linux}
{GOAMD64 v1}
{vcs git}
{vcs.revision bdd89e60dc5387d8f819bebc702987956bcd4913}
{vcs.time 2022-07-19T18:02:42Z}
{vcs.modified true}

I thought this was probably an issue with the latest build. So I tried with the previous release and realized it is the same. This is version v1.1.1

go run main.go ~/Downloads/slsa-builder-go-linux-amd64-2
{-compiler gc}
{-tags netgo}
{CGO_ENABLED 0}
{GOARCH amd64}
{GOOS linux}
{GOAMD64 v1}
{vcs git}
{vcs.revision d995948e8d53cc639c0d3ef69db31dbc243519c4}
{vcs.time 2022-06-20T21:41:41Z}
{vcs.modified true}

Actual output is

{vcs.modified true}

Expected output to be

This {vcs.modified false} should be false.

naveensrinivasan avatar Jul 31 '22 22:07 naveensrinivasan

Is it because we run go mod vendor?

laurentsimon avatar Aug 01 '22 20:08 laurentsimon

Yeah I was wondering that too, but vendor/ is in the .gitignore so it shouldn't contribute to the dirty state. https://github.com/slsa-framework/slsa-github-generator/blob/98d91d15f44c7d0d34ab643356cc5adcdf4f64e2/.gitignore#L15

I can't think of an obvious reason why this is happening.

ianlewis avatar Aug 02 '22 08:08 ianlewis

@naveensrinivasan BTW you can print the build info without writing a program like follows

$ go mod vendor
$ go build -mod=vendor -o generic ./internal/builders/generic/
$ go version -m generic
generic: go1.18
...
        build   vcs=git
        build   vcs.revision=98d91d15f44c7d0d34ab643356cc5adcdf4f64e2
        build   vcs.time=2022-08-02T07:58:33Z
        build   vcs.modified=false

ianlewis avatar Aug 02 '22 08:08 ianlewis

Thanks! Good to know!

naveensrinivasan avatar Aug 02 '22 16:08 naveensrinivasan

This is also an issue for the generic generator

$ go version -m slsa-generator-generic-linux-amd64 | grep vcs
        build   vcs=git
        build   vcs.revision=bdd89e60dc5387d8f819bebc702987956bcd4913
        build   vcs.time=2022-07-19T18:02:42Z
        build   vcs.modified=true

ianlewis avatar Aug 03 '22 00:08 ianlewis
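As an added example (not code from the issue or the slsa-github-generator project), a small Go program that parses `go version -m` output and refuses a binary whose vcs.modified is not false or whose vcs.revision does not match the expected commit; the sample output below is constructed from the values reported in this issue.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Constructed sample of `go version -m` output for a dirty-tree binary,
// using the revision and timestamp reported in this issue.
const sampleVersionM = `slsa-generator-generic-linux-amd64: go1.18
	build	-compiler=gc
	build	-ldflags="-s -w"
	build	CGO_ENABLED=0
	build	vcs=git
	build	vcs.revision=bdd89e60dc5387d8f819bebc702987956bcd4913
	build	vcs.time=2022-07-19T18:02:42Z
	build	vcs.modified=true
`

// ParseBuildSettings extracts "build key=value" lines from `go version -m`
// output into a map; dep/mod/path lines are ignored.
func ParseBuildSettings(out string) map[string]string {
	settings := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "build" {
			continue
		}
		// Re-join so values containing spaces (e.g. quoted -ldflags) survive.
		if k, v, ok := strings.Cut(strings.Join(fields[1:], " "), "="); ok {
			settings[k] = v
		}
	}
	return settings
}

// CheckVCS returns nil only when the binary was built from an unmodified git
// checkout of wantRevision; any other state means the build info cannot tie
// the binary to that commit.
func CheckVCS(settings map[string]string, wantRevision string) error {
	if settings["vcs"] != "git" {
		return fmt.Errorf("no git VCS info embedded (vcs=%q)", settings["vcs"])
	}
	if rev := settings["vcs.revision"]; rev != wantRevision {
		return fmt.Errorf("vcs.revision %q does not match expected %q", rev, wantRevision)
	}
	if m := settings["vcs.modified"]; m != "false" {
		return fmt.Errorf("vcs.modified=%q: built from a dirty tree", m)
	}
	return nil
}

func main() {
	s := ParseBuildSettings(sampleVersionM)
	if err := CheckVCS(s, "bdd89e60dc5387d8f819bebc702987956bcd4913"); err != nil {
		fmt.Println("FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("OK: clean build from expected revision")
}
```

Against the constructed sample the check fails on vcs.modified=true, which is the condition this issue reports; a binary built from a clean tree at the same revision passes.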

BTW, this also affects user repos: since we run go mod vendor, users need to add vendor to their .gitignore to avoid this issue.

ianlewis avatar May 15 '23 08:05 ianlewis