Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Go: LoadGoModules incorrectly still flags 1.23 as an invalid toolchain #18447

Open
dnwe opened this issue Jan 8, 2025 · 2 comments
Open

Go: LoadGoModules incorrectly still flags 1.23 as an invalid toolchain #18447

dnwe opened this issue Jan 8, 2025 · 2 comments
Labels
false-positive

Comments

@dnwe
Copy link

dnwe commented Jan 8, 2025
edited
Loading

Description of the false positive

The Go team had a change of heart in Go 1.23 and re-permitted go 1.23 as an alias for go 1.23.0

The change in behaviour in 1.23 is referenced in this comment on this well-cited GH issue on the confusion around the go directive changes:

image

golang/go#62278 (comment)

However, CodeQL is flagging this as invalid due to not using 1.N.P syntax:

Invalid Go toolchain version

As of Go 1.21, toolchain versions must use the 1.N.P syntax.

1.23 in go.mod does not match this syntax and there is no additional toolchain directive, which may cause some go commands to fail.

Code samples or links to source code

Reduced testcase pushed as a sample repo here with CodeQL scanning enabled:

https://github.com/dnwe/go-codeql

URL to the alert on GitHub code scanning

https://github.com/dnwe/go-codeql/security/code-scanning/tools/CodeQL/status/configurations/actions-FZTWS5DIOVRC653POJVWM3DPO5ZS6Y3PMRSXC3BNMFXGC3DZONUXGLTZNVWA/c1646cb64b746876ea230e833d950329e5308885d88be821300b330d9b9a7f83
@aibaars
Copy link
Contributor

aibaars commented Jan 8, 2025

Thanks for the detailed report! I suppose we need to change to make it a bit more permissive

codeql/go/extractor/project/project.go

Lines 195 to 203 in 3363235

// A regular expression for the Go toolchain version syntax.
var toolchainVersionRe *regexp.Regexp = regexp.MustCompile(`(?m)^([0-9]+\.[0-9]+\.[0-9]+)$`)
// Returns true if the `go.mod` file specifies a Go language version, that version is `1.21` or greater, and
// there is no `toolchain` directive, and the Go language version is not a valid toolchain version.
func hasInvalidToolchainVersion(modFile *modfile.File) bool {
return modFile.Toolchain == nil && modFile.Go != nil &&
!toolchainVersionRe.Match([]byte(modFile.Go.Version)) && util.NewSemVer(modFile.Go.Version).IsAtLeast(toolchain.V1_21)
}

@mbg What do you think?

@mbg
Copy link
Member

mbg commented Jan 9, 2025

Hi @dnwe 👋🏻

Thanks for opening this issue! I don't think we were aware that the Go team had changed their minds about this. We originally added this diagnostic, since some go toolchain commands failed if the Go version was specified in the "old" format. I'll check that this works correctly now, and then adjust the conditions under which we emit that diagnostic if all checks out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
false-positive
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mbg @dnwe @aibaars