On 21.03.25 at 13:55, Alejandro Saez Morollon via golang wrote:
On Thu, Mar 20, 2025 at 4:22 PM Zdenek Dohnal via golang <golang@lists.fedoraproject.org> wrote:
Hi all, I maintain two components written in Go, so from time to time the components get CVE reports where the vulnerable code comes from another component via static linking during build. I was trying to figure out how to make this better, and together with Jason (in CC) got an idea about automatic versioned BuildRequires for Go packages, where the versions would be taken from the package versions present in the buildroot. I've checked the Go Fedora guidelines and saw there is a %go_generate_buildrequires macro, which looked promising, but unfortunately it does not generate BuildRequires on golang and none of the BuildRequires are versioned :( . Do you think it is possible to have such a feature? e.g. BuildRequires: golang-src >= 1.24.1-1, or BuildRequires: golang(github.com/golang/go) >= 1.24.1-1 would tell us the package is built with this golang version, and if a new golang version comes later into the repos, the package will still work with the new golang due to '>='. Once a CVE fix comes into golang and a new golang version is released, the presence of the older version in the BuildRequires of another package will indicate that the package includes vulnerable code and has to be rebuilt once the original package includes the fix. I have tried to come up with at least a PoC for getting the golang version from the buildroot and adding the versioned BuildRequires, but no luck so far.

I'm not really sure if I understand the problem, but hope these two things help:
First, this is not exactly what you want to do, but we have a script in the rpms/golang package to generate the provides, maybe you can draw inspiration from it: https://src.fedoraproject.org/rpms/golang/blob/rawhide/f/bundled-deps.sh
This applies only for builds that use the vendored approach. Already used while packaging. The trick for them is to add "%license vendor/modules.txt" to the "%files" section (activates the corresponding generator).
IIUC, this does not cover everything, right?
In the build dir, this "go list -json | jq .Imports" shows all imports.
Second, regarding the %go_generate_buildrequires macro, have you tried using go2rpm? (Again, I checked your golang packages, and it seems you generated them years ago with an old version of go2rpm.) In the most recent versions it uses go_generate_buildrequires by default. Just in case there are some issues in the way you are invoking the macro.
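As an added example (not from any of the posters, and not part of the rpms/golang package), here is a small POSIX shell PoC of the idea from the first mail: derive a versioned BuildRequires on golang from the toolchain present in the buildroot, and then use the recorded versions to flag packages whose statically linked toolchain code predates a fixed release. It assumes the version is parsed from `go version` output; the package list and version strings below are constructed sample data, and taking VERSION-RELEASE from `rpm -q --qf '%{VERSION}-%{RELEASE}' golang` inside a real buildroot is an assumption of how it would be wired into %generate_buildrequires.

```shell
#!/bin/sh
# Constructed PoC, not code from the thread or from rpms/golang.

# Extract the bare toolchain version from the first line of `go version`,
# e.g. "go version go1.24.1 linux/amd64" -> "1.24.1". The RPM release
# ("-1") is unknown to `go version`; in a real buildroot, query it with
# `rpm -q --qf '%{VERSION}-%{RELEASE}' golang` instead (assumption).
go_toolchain_version() {
    printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# Emit the BuildRequires line proposed in the thread; '>=' keeps the
# package installable once a newer golang lands in the repos.
golang_buildrequires() {
    printf 'BuildRequires: golang-src >= %s\n' "$(go_toolchain_version "$1")"
}

# Compare two versions of the form X.Y.Z[-R] numerically, field by field.
# Prints -1, 0 or 1 (like strcmp). Done in awk to stay POSIX-portable.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Constructed sample: package name and the golang version recorded in its
# BuildRequires, one pair per line (would come from repoquery in practice).
SAMPLE_BUILDREQUIRES='pkg-a 1.24.0-1
pkg-b 1.24.1-1
pkg-c 1.23.7-2'

# Print the packages whose recorded golang predates the release carrying
# the CVE fix: those still embed the vulnerable code and need a rebuild.
needs_rebuild() {
    fixed=$1
    printf '%s\n' "$2" | while read -r name ver; do
        [ -n "$name" ] || continue
        if [ "$(vercmp "$ver" "$fixed")" -lt 0 ]; then
            printf '%s\n' "$name"
        fi
    done
}

golang_buildrequires "go version go1.24.1 linux/amd64"
needs_rebuild 1.24.1-1 "$SAMPLE_BUILDREQUIRES"
```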