Home > Blockchain >  What is the meaning of the arrow symbol "=>" in output of go version -m?
What is the meaning of the arrow symbol "=>" in output of go version -m?

Time:12-30

I am resolving CVEs that various scanners have identified on a project of mine, and one such CVE is tied to the version of a golang dependency.

When I run go version -m ./binaryFile, the dependency which is getting flagged as vulnerable has this arrow symbol => next to it, but I can not find documented anywhere what it means.

The full output is included below...

$ go version -m /root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba
/root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba: go1.19.4
        path    command-line-arguments
        dep     github.com/alexei-led/pumba     (devel)
        dep     github.com/cpuguy83/go-md2man/v2        v2.0.0-20190314233015-f79a8a8ca69d      h1:U s90UTSYgptZMwQh2aRr3LuazLJIa Pg3Kc1ylSYVY=
        dep     github.com/davecgh/go-spew      v1.1.1  h1:vj9j/u1bqnvCEfJOwUhtlOARqs3 rkHYY13jYWTU97c=
        dep     github.com/docker/distribution  v2.7.1 incompatible     h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB cRlLU7cSug=
        dep     github.com/docker/docker        v1.13.1
        =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1 incompatible      h1:4Pnn RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=

        dep     github.com/docker/go-connections        v0.4.0  h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
        dep     github.com/docker/go-units      v0.4.0  h1:3uh0PgVws3nIA0Q MwDC8yjEPf9zjRfZZWXZYDct3Tw=
        dep     github.com/gogo/protobuf        v1.3.2  h1:Ov1cvc58UF3b5XjBnZv7 opcTcQFZebYjWzi34vdm4Q=
        dep     github.com/golang/protobuf      v1.4.3  h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
        dep     github.com/johntdyer/slack-go   v0.0.0-20180213144715-95fac1160b22      h1:jKUP9TQ0c7X3w6 IPyMit07RE42MtTWNd77sN2cHngQ=
        dep     github.com/johntdyer/slackrus   v0.0.0-20180518184837-f7aae3243a07      h1: kBG/8rjCa6vxJZbUjAiE4MQmBEBYc8nLEb51frnvBY=
        dep     github.com/opencontainers/go-digest     v1.0.0  h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
        dep     github.com/opencontainers/image-spec    v1.0.1  h1:JMemWkRwHx4Zj fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
        dep     github.com/pkg/errors   v0.9.1  h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
        dep     github.com/pmezard/go-difflib   v1.0.0  h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
        dep     github.com/russross/blackfriday/v2      v2.0.1  h1:lPqVAte HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o Q=
        dep     github.com/shurcooL/sanitized_anchor_name       v1.0.0  h1:PdmoCO6wvbs 7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
        dep     github.com/sirupsen/logrus      v1.7.0  h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX mg7ZARUtM=
        dep     github.com/stretchr/objx        v0.1.0  h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
        dep     github.com/stretchr/testify     v1.6.1  h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
        dep     github.com/urfave/cli   v1.22.4 h1:u7tSpNPPswAFymm8IehJhy4uJMlUuU/GmqSkvJ1InXA=
        dep     golang.org/x/net        v0.0.0-20210917163549-3c21e5b27794      h1:pOaRGvJk MpHIfe37zcmbwolJplrAmLKmvggJVLkYl8=
        dep     golang.org/x/sync       v0.0.0-20201020160332-67f06af15bc9      h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF 0wMqRXT4St8ck=
        dep     golang.org/x/sys        v0.0.0-20210616094352-59db8d763f22      h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
        dep     google.golang.org/genproto      v0.0.0-20200526211855-cb27e3aa2013      h1: kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
        dep     google.golang.org/grpc  v1.40.0 h1:AGJ0Ih4mHjSeibYkFGh1dD9KJ/eOtZ93I6hoHhukQ5Q=
        dep     google.golang.org/protobuf      v1.25.0 h1:Ejskq SyPohKW 1uil0JJMtmHCgJPJ/qWTxr8qp R4c=
        dep     gopkg.in/yaml.v3        v3.0.0-20200313102051-9f266ea9e77c      h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
        build   -compiler=gc
        build   -ldflags="-X main.Version=0.8.0 -X main.GitCommit=0413655 -X main.GitBranch=HEAD -X main.BuildTime=2022-12-29T09:34:48-0500 "
        build   -tags=release
        build   CGO_ENABLED=0
        build   GOARCH=amd64
        build   GOOS=linux
        build   GOAMD64=v1

...the line of interest is:

        =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1 incompatible      h1:4Pnn RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=

CodePudding user response:

The => means the replace directive was used when building the executable binary.

The preceeding line is also important, that's the replaced module:

    dep     github.com/docker/docker        v1.13.1
    =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1 incompatible      h1:4Pnn RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=

This means github.com/docker/docker v1.13.1 was replaced by github.com/docker/engine v17.12.0-... during the build.

A replace directive example from a go.mod file:

replace golang.org/x/net v1.2.3 => example.com/fork/net v1.4.5

This is where the => literal comes from. Think of it as the referred golang.org/x/net package "points to" example.com/fork/net (that is what actually will be used).

  • Related