go version -m path/to/binary
is really nice for introspecting which modules a given go binary is using.
And the other data gives information about which golang toolchain was used.
However, information is missing w.r.t. which golang toolchain built-in modules are used by a given binary. Is it possible to extract that data somehow? Or change golang toolchain to record that information?
Example, I don’t expect gops
to use cryptography, and thus there is no need to build it as vanilla and as a FIPS variant of the binary. But I also cannot easily assert that either.
I sort of can see that from go tool nm
, but only if symbols are not stripped from the binary. It would be nice if builtin module deps would be documented in the output of go version -m
(or manybe a new extra flag -b
for built-ins).
That would help with figuring out security context of the binary (does it access net? does it access tls? does it access crypto?) and will also help with detecting if binary needs a rebuild or not (CVE fix releases like go1.21.8 (released 2024-03-05) includes security fixes to the crypto/x509, html/template, net/http, net/http/cookiejar, and net/mail packages
would be interesting to figure out which go binaries use those modules and thus need rebuilding).
$ go version -m gops
gops: go1.22.1
path github.com/google/gops
mod github.com/google/gops (devel)
dep github.com/shirou/gopsutil/v3 v3.24.3 h1:eoUGJSmdfLzJ3mxIhmOAhgKEKgQkeOwKpz1NbhVnuPE=
dep github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
dep github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
dep github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
dep github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
dep github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
dep golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
build -buildmode=exe
build -compiler=gc
build -tags=netgo,osusergo
build DefaultGODEBUG=httplaxcontentlength=1,httpmuxgo121=1,panicnil=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
build CGO_ENABLED=1
build CGO_CFLAGS=
build CGO_CPPFLAGS=
build CGO_CXXFLAGS=
build CGO_LDFLAGS=
build GOARCH=amd64
build GOOS=linux
build GOAMD64=v1
build vcs=git
build vcs.revision=52fc2ac77922011484a61268ec097d6158aaa015
build vcs.time=2024-04-01T22:18:14Z
build vcs.modified=false
$ go tool nm gops | sed -n 's/.* T \(.*\)/\1/p' | grep -v 'type:' | cut -d. -f1 | sort -u
bufio
bytes
compress/flate
compress/zlib
context
debug/buildinfo
debug/dwarf
debug/elf
debug/macho
debug/pe
debug/plan9obj
encoding/base64
encoding/binary
encoding/csv
encoding/hex
encoding/json
errors
flag
fmt
github
golang
hash/adler32
internal/abi
internal/bisect
internal/bytealg
internal/chacha8rand
internal/cpu
internal/fmtsort
internal/godebug
internal/intern
internal/itoa
internal/poll
internal/reflectlite
internal/saferio
internal/singleflight
internal/syscall/unix
internal/testlog
internal/xcoff
internal/zstd
io
io/fs
io/ioutil
log
main
math
math/bits
net
net/netip
net/url
os
os/exec
os/user
path
path/filepath
reflect
regexp
regexp/syntax
_rt0_amd64
_rt0_amd64_linux
runtime
runtime/debug
runtime/internal/atomic
runtime/internal/sys
runtime/internal/syscall
slices
sort
strconv
strings
sync
sync/atomic
syscall
text/template
text/template/parse
time
unicode
unicode/utf8
vendor/golang
Is there something like that already? Or is this a feature request for go version -m
?