On Thu, Mar 20, 2025, at 10:19 AM, Zdenek Dohnal via golang wrote:
Hi all,
I maintain two components written in Go, so from time to time the components get CVE reports where the vulnerable code comes from another component via static linking during build.
I was trying to figure out how to make this better, and together with Jason (in CC) got an idea about automatic versioned buildrequires for Go packages and versions would be taken from the package versions present in buildroot.
I've checked the Go Fedora guidelines and saw there is a %go_generate_buildrequires macro, which looked promising, but unfortunately it does not generate BuildRequires on golang and none of the BuildRequires are versioned :(.
I had this issue last time too, where upstream already specifies a minimum version of a dependency to avoid a CVE and the information gets stripped out by that macro.
Do you think it is possible to have such a feature?
Not sure how complex this is, but I would love this feature too. We have it for the Python and Rust macros, after all.
Best regards,
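A sketch of the idea discussed in this thread, added here as an illustration and not taken from the Fedora go-rpm-macros: it reads the go and require directives of a go.mod and emits versioned BuildRequires lines. It assumes Go packages provide golang(<import path>) and uses the RPM tilde convention for pre-releases; the go.mod is a constructed sample, and pseudo-versions (commit snapshots) deliberately fall back to an unversioned line.

```python
import re

# Constructed go.mod covering the version forms the converter handles.
SAMPLE_GO_MOD = """go 1.22
require github.com/pkg/errors v0.9.1
require (
\tgolang.org/x/crypto v0.31.0
\tgithub.com/foo/bar v2.0.0+incompatible
\tgithub.com/baz/qux v1.5.0-rc.1
\tgithub.com/old/thing v0.0.0-20240101120000-abcdef123456 // indirect
)
"""
# Pseudo-version: vX.Y.Z-[prefix.]<14-digit timestamp>-<12 hex chars of commit>
PSEUDO_RE = re.compile(r"^v\d+\.\d+\.\d+-(?:.*\.)?\d{14}-[0-9a-f]{12}$")

def go_to_rpm_version(gover):
    """Map a Go module version to an RPM version; None for pseudo-versions."""
    if PSEUDO_RE.match(gover):
        return None  # this sketch defines no RPM spelling for commit snapshots
    ver = gover.lstrip("v").removesuffix("+incompatible")  # build metadata is ignored
    # RPM has no pre-release syntax; '~' sorts before the bare version, so
    # 1.5.0~rc.1 < 1.5.0 just as v1.5.0-rc.1 < v1.5.0 in semver.
    return ver.replace("-", "~", 1)

def parse_go_mod(text):
    """Return (go directive version, [(module, version, is_indirect), ...])."""
    go_version, reqs, in_block = None, [], False
    for raw in text.splitlines():
        line, _, comment = raw.partition("//")  # '// indirect' lives in the comment
        words = line.split()
        if words[:1] == ["go"]:
            go_version = words[1]
        elif words in (["require", "("], [")"]):
            in_block = words[-1] == "("
        elif in_block and words or words[:1] == ["require"]:
            mod, ver = words[-2:]
            reqs.append((mod, ver, "indirect" in comment))
    return go_version, reqs

def buildrequires(text, include_indirect=False):
    """One BuildRequires per dependency, versioned whenever the Go version maps to RPM;
    assumes (hypothetically) that packages provide golang(<import path>)."""
    go_version, reqs = parse_go_mod(text)
    out = [f"BuildRequires: golang >= {go_version}"] if go_version else []
    for mod, ver, indirect in reqs:
        if indirect and not include_indirect:
            continue
        rpmver = go_to_rpm_version(ver)
        out.append(f"BuildRequires: golang({mod})" + (f" >= {rpmver}" if rpmver else ""))
    return out
```

Indirect dependencies are skipped by default because they are already pulled in by the direct ones at their own minimum versions; pass include_indirect=True to list them as well.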