hsb.horse
Binaries built with Go embed metadata about dependencies and build settings. With the go version -m command, you can extract this information directly from a binary even without source code.
Use Cases
- Check dependencies included in a binary running in production
- Verify whether vulnerable libraries are included
- Confirm build settings such as
GOOSandGOARCH - Identify which commit a binary was built from
Usage
go version -m <binary-path>How to Read the Output
The output is split into several sections.
| Prefix | Meaning |
|---|---|
path | Module import path |
mod | Main module. (devel) indicates a local/development build |
dep | Dependency module with version and checksum |
build | Build settings and VCS information |
Important keys in the build section:
| Key | Description |
|---|---|
-compiler | Compiler used (usually gc) |
CGO_ENABLED | Whether CGO is enabled |
GOOS / GOARCH | Target OS / target architecture |
vcs.revision | Commit hash used for the build |
vcs.time | Commit timestamp |
vcs.modified | Whether uncommitted changes existed at build time |
Example
go version -m ./output./output: go1.19 path github.com/mktbsh/output mod github.com/mktbsh/output (devel) dep github.com/aws/aws-lambda-go v1.34.1 h1:M3a/uFYBjii+... dep github.com/labstack/echo/v4 v4.7.2 h1:Kv2/p8OaQ+M6... ... build -compiler=gc build CGO_ENABLED=0 build GOARCH=amd64 build GOOS=linux build vcs.revision=39792fdacec6dc82b3f6335cb6b921c138f37625 build vcs.time=2022-08-18T08:50:08Z build vcs.modified=trueIn this example, the binary was built for Linux/amd64, CGO was disabled, and it came from commit 39792fd..., with uncommitted changes present (vcs.modified=true).
Related
go version- Check the Go versiongo list -m all- List dependencies from source code