feat: add golang patching #1388

Draft

robert-cronin wants to merge 46 commits into project-copacetic:main from robert-cronin:feat/golang-patching

Conversation

robert-cronin (Contributor) commented Nov 19, 2025

Closes #1386

codecov bot commented Nov 19, 2025

Codecov Report

❌ Patch coverage is 30.07986% with 788 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.61%. Comparing base (cf9e44c) to head (f92e9a3).

File                          Patch %   Lines
pkg/langmgr/golang.go         11.30%    414 missing, 2 partials
pkg/provenance/rebuilder.go   39.30%    234 missing, 10 partials
pkg/provenance/detector.go    48.95%    95 missing, 3 partials
pkg/patch/core.go             0.00%     15 missing
pkg/patch/single.go           16.66%    10 missing
pkg/cmd/cmd.go                83.33%    5 missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1388      +/-   ##
==========================================
- Coverage   37.70%   36.61%   -1.10%     
==========================================
  Files          52       55       +3     
  Lines        7505     8587    +1082     
==========================================
+ Hits         2830     3144     +314     
- Misses       4447     5200     +753     
- Partials      228      243      +15     

☔ View full report in Codecov by Sentry.

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@sozercan sozercan moved this from 🆕 New to Deferred in Copacetic Workboard Nov 19, 2025
robert-cronin (Contributor, Author) commented

Demo with fluxcd/source-controller

❯ COPA_EXPERIMENTAL=1 ./dist/linux_amd64/release/copa patch \
  -i ghcr.io/fluxcd/source-controller:v1.2.0 \
  -r /tmp/flux-scan.json \
  -t flux-patched-final \
  --enable-go-binary-rebuild \
  --pkg-types library \
  --ignore-errors
INFO[0000] Patched image name: ghcr.io/fluxcd/source-controller:flux-patched-final
[+] Building 0.8s (1/1)
 => resolve image config for docker-image://ghcr.io/fluxcd/source-controller:v1.2.0  0.8s
WARN[0001] No update packages were specified to apply
INFO[0001] Found 22 Go package updates to process
ERRO[0001] Invalid package name stdlib: stdlib vulnerabilities require Go version upgrade, not supported: stdlib
INFO[0001] Go binary rebuilding is enabled (experimental)
[+] Building 3.9s (1/1)
 => resolve image config for docker-image://ghcr.io/fluxcd/source-controller:v1.2.0  0.8s
INFO[0005] Successfully fetched SLSA provenance for ghcr.io/fluxcd/source-controller:v1.2.0 (level: 2, type: https://slsa.dev/provenance/v0.2)
INFO[0005] SLSA provenance incomplete (missing: [Dockerfile build command base image Go version]), will try binary detection
[+] Building 4.5s (1/3)
 => resolve image config for docker-image://ghcr.io/fluxcd/source-controller:v1.2.0  1.0s
 => docker-image://ghcr.io/fluxcd/source-controller:v1.2.0  0.3s
[+] Building 6.7s (5/5)
[+] Building 6.9s (5/5) FINISHED
 => resolve image config for docker-image://ghcr.io/fluxcd/source-controller:v1.2.0  1.0s
 => CACHED docker-image://ghcr.io/fluxcd/source-controller:v1.2.0  0.3s
 => => resolve ghcr.io/fluxcd/source-controller:v1.2.0  0.3s
 => CACHED sh -c if command -v go >/dev/null 2>&1; then echo ok > /copa-go-check; fi  0.0s
 => CACHED sh -c paths=""; for dir in /app /go/src /usr/src/app /workspace /src /opt/app; do if [ -f "$dir/go.mod" ]; then paths="$paths $dir"; fi; done; if [ -z "$paths" ]; then paths=$(fi  0.0s
 => exporting to docker image format  2.0s
 => => exporting layers  0.0s
 => => exporting manifest sha256:fc10504cafc225e365efc7107d50003e33ee162f705fd1273774b1357e2f1fcd  0.0s
 => => exporting config sha256:6a4dfed58d6c390c4311fe6e222c2e80127d6824adc1d456d792b856196e9e87  0.0s
 => => sending tarball  1.9s
INFO[0007] found local image descriptor for ghcr.io/fluxcd/source-controller:flux-patched-final via docker
INFO[0008] Patched image (linux/amd64): ghcr.io/fluxcd/source-controller:flux-patched-final

Signed-off-by: robert-cronin <[email protected]>
- Introduced a new command `test-provenance` to test SLSA provenance fetching and parsing.
- Implemented a `Fetcher` to retrieve SLSA provenance attestations from container registries.
- Added a `Parser` to extract build information from SLSA provenance.
- Created types for `Attestation`, `BuildInfo`, and `ProvenanceCompleteness` to structure the data.
- Enhanced the main command to include the new `test-provenance` command.
- Added comprehensive logging and error handling for better debugging and user feedback.

Signed-off-by: robert-cronin <[email protected]>
@robert-cronin robert-cronin marked this pull request as ready for review December 3, 2025 11:02
@robert-cronin robert-cronin marked this pull request as ready for review January 28, 2026 02:49
@github-project-automation github-project-automation bot moved this from Deferred to ✅ Done in Copacetic Workboard Jan 28, 2026
@robert-cronin robert-cronin reopened this Jan 28, 2026
@robert-cronin robert-cronin moved this from ✅ Done to 👀 In review in Copacetic Workboard Jan 28, 2026
ashnamehrotra (Contributor) commented

@robert-cronin I tested this with the following but I am still seeing 86 vulns in the patched image, is there anything I'm missing?

trivy image --vuln-type library --ignore-unfixed ghcr.io/fluxcd/source-controller:v1.2.0 -f json -o amd64.json --platform linux/amd64
trivy image --vuln-type library --ignore-unfixed ghcr.io/fluxcd/source-controller:v1.2.0 -f json -o arm64.json --platform linux/arm64
COPA_EXPERIMENTAL=1 ./copa patch -i ghcr.io/fluxcd/source-controller:v1.2.0 -r /Users/ashnamehrotra/copacetic/test-reports --go-stdlib-upgrade --pkg-types library --ignore-errors --debug

robert-cronin (Contributor, Author) commented

> @robert-cronin I tested this with the following but I am still seeing 86 vulns in the patched image, is there anything I'm missing?
>
> trivy image --vuln-type library --ignore-unfixed ghcr.io/fluxcd/source-controller:v1.2.0 -f json -o amd64.json --platform linux/amd64
> trivy image --vuln-type library --ignore-unfixed ghcr.io/fluxcd/source-controller:v1.2.0 -f json -o arm64.json --platform linux/arm64
> COPA_EXPERIMENTAL=1 ./copa patch -i ghcr.io/fluxcd/source-controller:v1.2.0 -r /Users/ashnamehrotra/copacetic/test-reports --go-stdlib-upgrade --pkg-types library --ignore-errors --debug

I think fluxcd/source-controller is one of the images that doesn't have VCS commit info embedded in the binary (likely built with .git excluded from the docker build context). Without the commit hash, we can't clone the source repo to rebuild. I added some documentation on this limitation here: https://github.com/project-copacetic/copacetic/blob/feat/golang-patching/website/docs/app-level-patching.md#key-requirement-vcs-commit-hash

This is also something we should probably surface more clearly in the copa output itself, maybe as part of #1451.

If you want to test with an image that works, try docker.io/prom/pushgateway:v1.11.2. I just tested and it goes from 8 vulns to 0 with --library-patch-level minor:

trivy image --vuln-type library --ignore-unfixed docker.io/prom/pushgateway:v1.11.2 -f json -o scan.json --platform linux/amd64
COPA_EXPERIMENTAL=1 copa patch -i docker.io/prom/pushgateway:v1.11.2 -r scan.json --go-stdlib-upgrade --pkg-types library --library-patch-level minor --ignore-errors -t pushgateway-patched
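The limitation discussed above (no VCS commit hash embedded in the binary, so the source cannot be cloned at the right revision) is decided entirely by the build information Go links into every module-built binary, the same data `go version -m` prints. The following program is an added example, not code from Copacetic or this PR: it reads that build info with the standard `debug/buildinfo` package, reports whether a rebuild at the recorded commit is possible and why not otherwise, and additionally collects the recorded Go version and the linked dependency versions (honouring `replace`), which is what a rebuild toolchain and a library-level bump would need. The `Sample*` build-info values are constructed for illustration and do not describe any real image.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
)

// RebuildInfo is what a source rebuild needs from a Go binary: the toolchain that
// built it, the main module's VCS revision, and the linked dependency versions.
type RebuildInfo struct {
	GoVersion string            // toolchain recorded at build time, e.g. "go1.21.5"
	MainPath  string            // main module path
	Revision  string            // vcs.revision; empty when .git was absent from the build context
	Modified  bool              // vcs.modified: the tree had uncommitted changes
	Deps      map[string]string // module path -> version actually linked (replace honoured)
}

// Inspect reduces parsed build info to a RebuildInfo; it does no I/O.
func Inspect(bi *debug.BuildInfo) RebuildInfo {
	r := RebuildInfo{GoVersion: bi.GoVersion, MainPath: bi.Main.Path, Deps: map[string]string{}}
	for _, s := range bi.Settings {
		switch s.Key {
		case "vcs.revision":
			r.Revision = s.Value
		case "vcs.modified":
			r.Modified = s.Value == "true"
		}
	}
	for _, d := range bi.Deps {
		m := d
		if d.Replace != nil {
			m = d.Replace // a replace directive changes what was really compiled in
		}
		r.Deps[d.Path] = m.Version
	}
	return r
}

// CanRebuildFromSource reports whether the binary records enough provenance to be
// checked out and rebuilt at the exact commit, and the blocking reason if not.
func (r RebuildInfo) CanRebuildFromSource() (bool, string) {
	switch {
	case r.Revision == "":
		return false, "no vcs.revision embedded (built without .git in the build context)"
	case r.Modified:
		return false, "vcs.modified=true: the recorded commit is not what was compiled"
	case r.GoVersion == "":
		return false, "no Go version recorded"
	}
	return true, ""
}

// InspectFile reads the build info embedded in a binary on disk, the same data
// `go version -m` prints.
func InspectFile(path string) (RebuildInfo, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return RebuildInfo{}, fmt.Errorf("read build info from %s: %w", path, err)
	}
	return Inspect(bi), nil
}

// Constructed sample inputs (not taken from any real image).
var (
	SampleWithRevision = &debug.BuildInfo{
		GoVersion: "go1.21.5",
		Main:      debug.Module{Path: "example.com/app"},
		Deps: []*debug.Module{
			{Path: "golang.org/x/net", Version: "v0.17.0"},
			{Path: "example.com/lib", Version: "v1.0.0",
				Replace: &debug.Module{Path: "example.com/fork", Version: "v1.0.1"}},
		},
		Settings: []debug.BuildSetting{
			{Key: "vcs.revision", Value: "0123456789abcdef0123456789abcdef01234567"},
			{Key: "vcs.modified", Value: "false"},
		},
	}
	// Built without .git in the context: no vcs.* settings at all.
	SampleWithoutRevision = &debug.BuildInfo{GoVersion: "go1.21.5", Main: debug.Module{Path: "example.com/app"}}
)

func main() {
	path := os.Args[0] // with no argument, inspect this program itself
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	r, err := InspectFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("go=%s main=%s revision=%q modified=%v deps=%d\n", r.GoVersion, r.MainPath, r.Revision, r.Modified, len(r.Deps))
	if ok, reason := r.CanRebuildFromSource(); !ok {
		fmt.Println("not rebuildable:", reason)
	}
}
```

Run it against a binary extracted from an image (for example `go run . ./source-controller`); a binary like the one discussed above shows an empty `revision`, which is the condition a patching tool should report to the user before attempting a rebuild rather than after.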


const (
// golangToolingImage is the image used for running go version -m.
golangToolingImage = "golang:1.23-alpine"
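Review bot: `golangToolingImage` hard-codes a floating tag (`golang:1.23-alpine`), so the toolchain that runs `go version -m` and any rebuild is neither pinned nor necessarily the one the target binary was built with; since `go version -m` already reports the binary's own Go version, select the tooling image from that value and pin it by digest so the rebuild path cannot change under a tag update.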
Member commented:
don't use alpine

match to binary's go version

pkg/cmd/cmd.go Outdated
flags.StringVar(&ua.libraryPatchLevel, "library-patch-level", utils.PatchTypePatch,
"[EXPERIMENTAL] Library patch level preference: 'patch', 'minor', or 'major'. "+
"Only applicable when 'library' is included in --pkg-types. Defaults to 'patch'")
flags.BoolVar(&ua.goStdlibUpgrade, "go-stdlib-upgrade", false,
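Review bot: the help string for `--library-patch-level` spells the default as the literal `'patch'` while the default argument is `utils.PatchTypePatch`; the two can drift, so build the text from the constant (for example `"Defaults to '"+utils.PatchTypePatch+"'"`) and validate the supplied value against the three accepted levels at flag-parsing time so a typo fails fast with a clear message.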
Member commented:

Let's make this more generic with toolchain-patch-level or similar.

@robert-cronin robert-cronin marked this pull request as draft February 11, 2026 23:48

Projects

Status: 👀 In review

Development

Successfully merging this pull request may close these issues.

[REQ] Add Go package patching

3 participants