Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Go: LoadGoModules incorrectly still flags 1.23 as an invalid toolchain #18447

Open
dnwe opened this issue Jan 8, 2025 · 1 comment
Open

Go: LoadGoModules incorrectly still flags 1.23 as an invalid toolchain #18447

dnwe opened this issue Jan 8, 2025 · 1 comment

Comments

@dnwe
Copy link

dnwe commented Jan 8, 2025

Description of the false positive

The Go team had a change of heart in Go 1.23 and re-permitted go 1.23 as an alias for go 1.23.0

The change in behaviour in 1.23 is referenced in this comment on this well-cited GH issue on the confusion around the go directive changes:

image

golang/go#62278 (comment)

However, CodeQL is flagging this as invalid due to not using 1.N.P syntax:

Invalid Go toolchain version

As of Go 1.21, toolchain versions must use the 1.N.P syntax.

1.23 in go.mod does not match this syntax and there is no additional toolchain directive, which may cause some go commands to fail.

Code samples or links to source code

Reduced testcase pushed as a sample repo here with CodeQL scanning enabled:

https://github.com/dnwe/go-codeql

URL to the alert on GitHub code scanning

https://github.com/dnwe/go-codeql/security/code-scanning/tools/CodeQL/status/configurations/actions-FZTWS5DIOVRC653POJVWM3DPO5ZS6Y3PMRSXC3BNMFXGC3DZONUXGLTZNVWA/c1646cb64b746876ea230e833d950329e5308885d88be821300b330d9b9a7f83

@aibaars
Copy link
Contributor

aibaars commented Jan 8, 2025

Thanks for the detailed report! I suppose we need to change to make it a bit more permissive

// A regular expression for the Go toolchain version syntax.
var toolchainVersionRe *regexp.Regexp = regexp.MustCompile(`(?m)^([0-9]+\.[0-9]+\.[0-9]+)$`)
// Returns true if the `go.mod` file specifies a Go language version, that version is `1.21` or greater, and
// there is no `toolchain` directive, and the Go language version is not a valid toolchain version.
func hasInvalidToolchainVersion(modFile *modfile.File) bool {
return modFile.Toolchain == nil && modFile.Go != nil &&
!toolchainVersionRe.Match([]byte(modFile.Go.Version)) && util.NewSemVer(modFile.Go.Version).IsAtLeast(toolchain.V1_21)
}

@mbg What do you think?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants