php小編草莓在這里為大家解答一個關于Go語言的疑問:在運行`go version -m`命令時,輸出中的箭頭符號”=>”代表的含義是什么呢?這個符號實際上是用來表示包的依賴關系的。當我們使用`go mod`進行包管理時,箭頭符號會顯示模塊之間的依賴關系,指示一個模塊依賴于另一個模塊。通過這個符號,我們可以清晰地了解到每個模塊之間的關聯關系,方便我們進行包的管理和調試。
問題內容
我正在解析各種掃描儀在我的項目中識別出的 cve,其中一個 cve 與 golang 依賴項的版本相關聯。
當我運行 go version -m ./binaryfile 時,被標記為易受攻擊的依賴項旁邊有這個箭頭符號 => ,但我找不到任何地方記錄它的含義。
完整的輸出包含在下面…
$ go version -m /root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba
/root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba: go1.19.4
path command-line-arguments
dep github.com/alexei-led/pumba (devel)
dep github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:u+s90utsygptzmwqh2arr3luazljia+pg3kc1ylsyvy=
dep github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvcefjowuhtloarqs3+rkhyy13jywtu97c=
dep github.com/docker/distribution v2.7.1+incompatible h1:a5mlkvzth6w5a4foss3d2eo5bumsjpcb+crllu7csug=
dep github.com/docker/docker v1.13.1
=> github.com/docker/engine v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible h1:4pnn+rsurveibbmqlrtzh77hlmip4naaqrhook4apj8=
dep github.com/docker/go-connections v0.4.0 h1:el9xviselrb7bufusrzozjnkim5ynzcvinkohafqrjq=
dep github.com/docker/go-units v0.4.0 h1:3uh0pgvws3nia0q+mwdc8yjepf9zjrfzzwxzydct3tw=
dep github.com/gogo/protobuf v1.3.2 h1:ov1cvc58uf3b5xjbnzv7+opctcqfzebyjwzi34vdm4q=
dep github.com/golang/protobuf v1.4.3 h1:jjczwpvbqxdqfvmtfywevtmiyrl/npdpschpj0t/ram=
dep github.com/johntdyer/slack-go v0.0.0-20180213144715-95fac1160b22 h1:jkup9tq0c7x3w6+ipymit07re42mttwnd77sn2chngq=
dep github.com/johntdyer/slackrus v0.0.0-20180518184837-f7aae3243a07 h1:+kbg/8rjca6vxjzbujaie4mqmbebyc8nleb51frnvby=
dep github.com/opencontainers/go-digest v1.0.0 h1:apouws51w5plhuygyz9fceebiouda/6nw8oi/yohh5u=
dep github.com/opencontainers/image-spec v1.0.1 h1:jmemwkrwhx4zj+fvxwomcfm/8syggruvojfa6h/trci=
dep github.com/pkg/errors v0.9.1 h1:feblx1zs214owpjy7qsbeixburkuhqawrk5uwlgtwt4=
dep github.com/pmezard/go-difflib v1.0.0 h1:4dbwde0ngyqobhblqypwsupocmwr5bezik/f1lzbaqm=
dep github.com/russross/blackfriday/v2 v2.0.1 h1:lpqvate+huhnfhj/0lc98eswrz8afy9tm/0rk8m9o+q=
dep github.com/shurcool/sanitized_anchor_name v1.0.0 h1:pdmoco6wvbs+7yrjymort4/bmy5iyyjws/koiwx8mho=
dep github.com/sirupsen/logrus v1.7.0 h1:shrd1u9pzb12tx0cvy0dtepoch97k8etx+mg7zarutm=
dep github.com/stretchr/objx v0.1.0 h1:4g4v2do3vzwixgiroq5lfboy6nuhcyyzaqniapphys4=
dep github.com/stretchr/testify v1.6.1 h1:hdpohmpopp40lsulcqw7irrb/u7w6rpdc9399xyond0=
dep github.com/urfave/cli v1.22.4 h1:u7tspnppswafymm8iehjhy4ujmluuu/gmqskvj1inxa=
dep golang.org/x/net v0.0.0-20210917163549-3c21e5b27794 h1:poargvjk+mphife37zcmbwoljplramlkmvggjvlkyl8=
dep golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:sqfwasi55ru7vdns9yr0z324vnlrf+0wmqrxt4st8ck=
dep golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:rqytpxgr1ivnx7psjb3ff8y7snfinvfvkx1c8sjbkio=
dep google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kghl1aib/qcwari1cbqbz1rk19r85mnuf8habghugy=
dep google.golang.org/grpc v1.40.0 h1:agj0ih4mhjseibykfgh1dd9kj/eotz93i6hohhukq5q=
dep google.golang.org/protobuf v1.25.0 h1:ejskq+sypohkw+1uil0jjmtmhcgjpj/qwtxr8qp+r4c=
dep gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:duuwhk2qeco/6vqa44rthz8ie2qxmnekrthcny2nxvo=
build -compiler=gc
build -ldflags="-x main.version=0.8.0 -x main.gitcommit=0413655 -x main.gitbranch=head -x main.buildtime=2022-12-29t09:34:48-0500 "
build -tags=release
build cgo_enabled=0
build goarch=amd64
build goos=linux
build goamd64=v1
登錄后復制
…感興趣的線是:
=> github.com/docker/engine v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible h1:4Pnn+RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=
登錄后復制
解決方法
=> 表示使用 replace 指令構建可執行二進制文件。
前一行也很重要,那就是替換的模塊:
dep github.com/docker/docker v1.13.1
=> github.com/docker/engine v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible h1:4pnn+rsurveibbmqlrtzh77hlmip4naaqrhook4apj8=
登錄后復制
這意味著 github.com/docker/docker v1.13.1 在構建過程中被 github.com/docker/engine v17.12.0-... 替換。
來自 go.mod 文件的 replace 指令示例:
replace golang.org/x/net v1.2.3 => example.com/fork/net v1.4.5
登錄后復制
這就是 => 文字的來源。將其視為所引用的 golang.org/x/net 包“指向” example.com/fork/net(這就是實際使用的內容)。
