Consuming CSAF model from go v1.20 projects #508

Closed
mpermar opened this issue Nov 15, 2023 · 8 comments · Fixed by #514

Comments

@mpermar

mpermar commented Nov 15, 2023

The CSAF current model requires go 1.21.

As a continuation of #367 , @juan131 has been working with the folks from AquaSecurity to add support to the CSAF VEX profile in the Trivy Open Source scanner.

However, we haven't been able to find a workaround and Trivy's policy is to use the immediate older Golang version, currently 1.20. So, right now we are blocked as it is not possible to integrate it with this library. There are a couple of approaches we have been thinking of:

  1. Create a fork that builds on 1.20. Bitnami could do a fork and we could sustain it. Perhaps better, this fork could rather be a branch in this project.
  2. My preferred approach. Downgrade this project to Golang 1.20. @juan131 has been looking at it and it looks like this project is only using the new max and clear functions from 1.21. So it's literally a few line changes.

In the spirit of #367 which was aiming to make easier consumption, what do you think if we downgrade the golang dependency? The change is simple, we have the PR ready to be merged, all tests are passing and it will make adoption broader.

@bernhardreiter @tschmidtb51 @s-l-teichmann , thoughts?

@s-l-teichmann
Contributor

Lowering the required Go version should be fine. PR #509 implements this.

@mpermar
Author

mpermar commented Nov 15, 2023

Ah that's awesome. Thanks!

@tschmidtb51 tschmidtb51 linked a pull request Nov 15, 2023 that will close this issue
@s-l-teichmann
Contributor

Lowering the required Go version should be fine. PR #509 implements this.

As I've overlooked the dependencies on log/slog and slices, I've set the PR back to draft. I've replaced the two packages with their golang.org/x/exp counterparts, but we have to discuss our policies before we merge this.

@tschmidtb51
Collaborator

@s-l-teichmann / @bernhardreiter: We should discuss this in the next meeting.

@bernhardreiter bernhardreiter changed the title Consuming CSAF model from 1.20 projects Consuming CSAF model from go v1.20 projects Nov 20, 2023
@tschmidtb51 tschmidtb51 linked a pull request Nov 28, 2023 that will close this issue
@tschmidtb51
Collaborator

@mpermar Please test - this should be resolved with the current main.

@mpermar
Author

mpermar commented Nov 28, 2023

Looks good to me. Trivy builds now when pointing it to main branch's commit hash.

When do you think there will be a release including this change? We will pin it to the hash for the time being, but it is nicer to have a release.

@tschmidtb51
Collaborator

tschmidtb51 commented Nov 28, 2023 via email

@mpermar
Author

mpermar commented Nov 28, 2023

Understood. I think this issue can be closed now. Thanks for the quick response!

@mpermar mpermar closed this as completed Nov 28, 2023