
What is the meaning of the arrow symbol "=>" in output of go version -m?


I am resolving CVEs that various scanners have identified on a project of mine, and one such CVE is tied to the version of a golang dependency.

When I run go version -m ./binaryFile, the dependency which is getting flagged as vulnerable has this arrow symbol => next to it, but I cannot find documented anywhere what it means.

The full output is included below...

$ go version -m /root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba
/root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba: go1.19.4
        path    command-line-arguments
        dep     github.com/alexei-led/pumba     (devel)
        dep     github.com/cpuguy83/go-md2man/v2        v2.0.0-20190314233015-f79a8a8ca69d      h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
        dep     github.com/davecgh/go-spew      v1.1.1  h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
        dep     github.com/docker/distribution  v2.7.1+incompatible     h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
        dep     github.com/docker/docker        v1.13.1
        =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible      h1:4Pnn+RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=

        dep     github.com/docker/go-connections        v0.4.0  h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
        dep     github.com/docker/go-units      v0.4.0  h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
        dep     github.com/gogo/protobuf        v1.3.2  h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
        dep     github.com/golang/protobuf      v1.4.3  h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
        dep     github.com/johntdyer/slack-go   v0.0.0-20180213144715-95fac1160b22      h1:jKUP9TQ0c7X3w6+IPyMit07RE42MtTWNd77sN2cHngQ=
        dep     github.com/johntdyer/slackrus   v0.0.0-20180518184837-f7aae3243a07      h1:+kBG/8rjCa6vxJZbUjAiE4MQmBEBYc8nLEb51frnvBY=
        dep     github.com/opencontainers/go-digest     v1.0.0  h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
        dep     github.com/opencontainers/image-spec    v1.0.1  h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
        dep     github.com/pkg/errors   v0.9.1  h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
        dep     github.com/pmezard/go-difflib   v1.0.0  h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
        dep     github.com/russross/blackfriday/v2      v2.0.1  h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
        dep     github.com/shurcooL/sanitized_anchor_name       v1.0.0  h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
        dep     github.com/sirupsen/logrus      v1.7.0  h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
        dep     github.com/stretchr/objx        v0.1.0  h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
        dep     github.com/stretchr/testify     v1.6.1  h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
        dep     github.com/urfave/cli   v1.22.4 h1:u7tSpNPPswAFymm8IehJhy4uJMlUuU/GmqSkvJ1InXA=
        dep     golang.org/x/net        v0.0.0-20210917163549-3c21e5b27794      h1:pOaRGvJk+MpHIfe37zcmbwolJplrAmLKmvggJVLkYl8=
        dep     golang.org/x/sync       v0.0.0-20201020160332-67f06af15bc9      h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
        dep     golang.org/x/sys        v0.0.0-20210616094352-59db8d763f22      h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
        dep     google.golang.org/genproto      v0.0.0-20200526211855-cb27e3aa2013      h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
        dep     google.golang.org/grpc  v1.40.0 h1:AGJ0Ih4mHjSeibYkFGh1dD9KJ/eOtZ93I6hoHhukQ5Q=
        dep     google.golang.org/protobuf      v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
        dep     gopkg.in/yaml.v3        v3.0.0-20200313102051-9f266ea9e77c      h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
        build   -compiler=gc
        build   -ldflags="-X main.Version=0.8.0 -X main.GitCommit=0413655 -X main.GitBranch=HEAD -X main.BuildTime=2022-12-29T09:34:48-0500 "
        build   -tags=release
        build   CGO_ENABLED=0
        build   GOARCH=amd64
        build   GOOS=linux
        build   GOAMD64=v1

...the line of interest is:

        =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible      h1:4Pnn+RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=

Solution

  • The => means the replace directive was used when building the executable binary.

    The preceding line is also important, that's the replaced module:

        dep     github.com/docker/docker        v1.13.1
        =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible      h1:4Pnn+RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=
    

    This means github.com/docker/docker v1.13.1 was replaced by github.com/docker/engine v17.12.0-... during the build.

    A replace directive example from a go.mod file:

    replace golang.org/x/net v1.2.3 => example.com/fork/net v1.4.5
    

    This is where the => literal comes from. Think of it as the referred golang.org/x/net package "points to" example.com/fork/net (that is what actually will be used).
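
Added example, not part of the original answer and not code from the Go toolchain: a small Go parser that pairs each => line with the dep line before it and reports the module that was actually compiled in, which is the path and version to compare against a scanner's CVE finding. The sample text is an excerpt of the output above; Dep, ParseDeps and Effective are hypothetical names chosen for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample: an excerpt of the `go version -m` output shown above.
const sample = `pumba: go1.19.4
  path  command-line-arguments
  dep   github.com/davecgh/go-spew  v1.1.1  h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
  dep   github.com/docker/docker  v1.13.1
  =>    github.com/docker/engine  v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible  h1:4Pnn+RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=
  dep   github.com/docker/go-connections  v0.4.0  h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
  build CGO_ENABLED=0
`

// Dep is one "dep" line plus the "=>" line that follows it, if any.
type Dep struct {
	Path, Version         string // module as required
	ReplPath, ReplVersion string // replacement, empty if none
}

// Effective returns the module whose code is really in the binary.
func (d Dep) Effective() (path, version string) {
	if d.ReplPath != "" {
		return d.ReplPath, d.ReplVersion
	}
	return d.Path, d.Version
}

// ParseDeps attaches every "=>" line to the "dep" line directly before it.
func ParseDeps(out string) ([]Dep, error) {
	var deps []Dep
	lastWasDep := false
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 0: // blank lines do not break a dep/=> pair
		case len(f) >= 3 && f[0] == "dep":
			deps = append(deps, Dep{Path: f[1], Version: f[2]})
			lastWasDep = true
		case len(f) >= 2 && f[0] == "=>":
			if !lastWasDep {
				return nil, fmt.Errorf("=> line without a preceding dep line")
			}
			d := &deps[len(deps)-1]
			d.ReplPath, d.ReplVersion = f[1], strings.Join(f[2:min(3, len(f))], "")
			lastWasDep = false
		default:
			lastWasDep = false
		}
	}
	return deps, sc.Err()
}

func min(a, b int) int {
	if a < b {
		return a
	}
	return b
}

func main() {
	deps, _ := ParseDeps(sample)
	for _, d := range deps {
		p, v := d.Effective()
		fmt.Println(d.Path, "->", p, v)
	}
}
```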