cmd-go-always-emit-ldflags-version-information.patch

From b9f7deea41be0adeff7eee35f29ee096b9f2ff20 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
Date: Thu, 2 May 2024 18:16:47 +0100
Subject: [PATCH] cmd/go: always emit ldflags version information

Even when -trimpath is active, emit full ldflags in the version
information ELF note. Vulnerability scanners typically parse ldflags
field to detect main package version, thus binaries that are built
with -trimpath are currently actively evading vulnerability scanners.

Fixes: https://github.com/golang/go/issues/63432

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
---
 src/cmd/go/internal/load/pkg.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
index 1549800afb..010d60a9d1 100644
--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
@@ -2393,9 +2393,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 		// determine whether they may refer to system paths. If we do that, we can
 		// redact only those paths from the recorded -ldflags setting and still
 		// record the system-independent parts of the flags.
-		if !cfg.BuildTrimpath {
-			appendSetting("-ldflags", ldflags)
-		}
+		appendSetting("-ldflags", ldflags)
 	}
 	if cfg.BuildMSan {
 		appendSetting("-msan", "true")
-- 
2.43.0