What does the arrow symbol '=>' in the output of go version -m mean?

php editor Strawberry is here to answer a question about the Go language: When running the `go version -m` command, the arrow in the output What does the symbol "=>" mean? This symbol is actually used to indicate package dependencies. When we use `go mod` for package management, arrow symbols will show the dependencies between modules, indicating that one module depends on another module. Through this symbol, we can clearly understand the relationship between each module, which facilitates package management and debugging.

Question content

I am parsing the CVEs identified by various scanners in my project, and one of the CVEs is associated with a version of a golang dependency.

When I run go version -m ./binaryfile the dependencies marked as vulnerable have this arrow symbol next to them => but I can't find it Document its meaning anywhere.

Full output is included below...

$ go version -m /root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba
/root/github.com/alexei-led/pumba/.bin/github.com/alexei-led/pumba: go1.19.4
        path    command-line-arguments
        dep     github.com/alexei-led/pumba     (devel)
        dep     github.com/cpuguy83/go-md2man/v2        v2.0.0-20190314233015-f79a8a8ca69d      h1:u+s90utsygptzmwqh2arr3luazljia+pg3kc1ylsyvy=
        dep     github.com/davecgh/go-spew      v1.1.1  h1:vj9j/u1bqnvcefjowuhtloarqs3+rkhyy13jywtu97c=
        dep     github.com/docker/distribution  v2.7.1+incompatible     h1:a5mlkvzth6w5a4foss3d2eo5bumsjpcb+crllu7csug=
        dep     github.com/docker/docker        v1.13.1
        =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible      h1:4pnn+rsurveibbmqlrtzh77hlmip4naaqrhook4apj8=

        dep     github.com/docker/go-connections        v0.4.0  h1:el9xviselrb7bufusrzozjnkim5ynzcvinkohafqrjq=
        dep     github.com/docker/go-units      v0.4.0  h1:3uh0pgvws3nia0q+mwdc8yjepf9zjrfzzwxzydct3tw=
        dep     github.com/gogo/protobuf        v1.3.2  h1:ov1cvc58uf3b5xjbnzv7+opctcqfzebyjwzi34vdm4q=
        dep     github.com/golang/protobuf      v1.4.3  h1:jjczwpvbqxdqfvmtfywevtmiyrl/npdpschpj0t/ram=
        dep     github.com/johntdyer/slack-go   v0.0.0-20180213144715-95fac1160b22      h1:jkup9tq0c7x3w6+ipymit07re42mttwnd77sn2chngq=
        dep     github.com/johntdyer/slackrus   v0.0.0-20180518184837-f7aae3243a07      h1:+kbg/8rjca6vxjzbujaie4mqmbebyc8nleb51frnvby=
        dep     github.com/opencontainers/go-digest     v1.0.0  h1:apouws51w5plhuygyz9fceebiouda/6nw8oi/yohh5u=
        dep     github.com/opencontainers/image-spec    v1.0.1  h1:jmemwkrwhx4zj+fvxwomcfm/8syggruvojfa6h/trci=
        dep     github.com/pkg/errors   v0.9.1  h1:feblx1zs214owpjy7qsbeixburkuhqawrk5uwlgtwt4=
        dep     github.com/pmezard/go-difflib   v1.0.0  h1:4dbwde0ngyqobhblqypwsupocmwr5bezik/f1lzbaqm=
        dep     github.com/russross/blackfriday/v2      v2.0.1  h1:lpqvate+huhnfhj/0lc98eswrz8afy9tm/0rk8m9o+q=
        dep     github.com/shurcool/sanitized_anchor_name       v1.0.0  h1:pdmoco6wvbs+7yrjymort4/bmy5iyyjws/koiwx8mho=
        dep     github.com/sirupsen/logrus      v1.7.0  h1:shrd1u9pzb12tx0cvy0dtepoch97k8etx+mg7zarutm=
        dep     github.com/stretchr/objx        v0.1.0  h1:4g4v2do3vzwixgiroq5lfboy6nuhcyyzaqniapphys4=
        dep     github.com/stretchr/testify     v1.6.1  h1:hdpohmpopp40lsulcqw7irrb/u7w6rpdc9399xyond0=
        dep     github.com/urfave/cli   v1.22.4 h1:u7tspnppswafymm8iehjhy4ujmluuu/gmqskvj1inxa=
        dep     golang.org/x/net        v0.0.0-20210917163549-3c21e5b27794      h1:poargvjk+mphife37zcmbwoljplramlkmvggjvlkyl8=
        dep     golang.org/x/sync       v0.0.0-20201020160332-67f06af15bc9      h1:sqfwasi55ru7vdns9yr0z324vnlrf+0wmqrxt4st8ck=
        dep     golang.org/x/sys        v0.0.0-20210616094352-59db8d763f22      h1:rqytpxgr1ivnx7psjb3ff8y7snfinvfvkx1c8sjbkio=
        dep     google.golang.org/genproto      v0.0.0-20200526211855-cb27e3aa2013      h1:+kghl1aib/qcwari1cbqbz1rk19r85mnuf8habghugy=
        dep     google.golang.org/grpc  v1.40.0 h1:agj0ih4mhjseibykfgh1dd9kj/eotz93i6hohhukq5q=
        dep     google.golang.org/protobuf      v1.25.0 h1:ejskq+sypohkw+1uil0jjmtmhcgjpj/qwtxr8qp+r4c=
        dep     gopkg.in/yaml.v3        v3.0.0-20200313102051-9f266ea9e77c      h1:duuwhk2qeco/6vqa44rthz8ie2qxmnekrthcny2nxvo=
        build   -compiler=gc
        build   -ldflags="-x main.version=0.8.0 -x main.gitcommit=0413655 -x main.gitbranch=head -x main.buildtime=2022-12-29t09:34:48-0500 "
        build   -tags=release
        build   cgo_enabled=0
        build   goarch=amd64
        build   goos=linux
        build   goamd64=v1

...The line of interest is:

=>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible      h1:4Pnn+RsurVEiBbmqlRtzh77HLMiP4NaaqRHOOK4aPj8=

Solution

=> means using the replace directive to build the executable binary.

The previous line is also very important, that is the replaced module:

dep     github.com/docker/docker        v1.13.1
    =>      github.com/docker/engine        v17.12.0-ce-rc1.0.20190717161051-705d9623b7c1+incompatible      h1:4pnn+rsurveibbmqlrtzh77hlmip4naaqrhook4apj8=

This means github.com/docker/docker v1.13.1 was replaced by github.com/docker/engine v17.12.0-... during the build process.

Example replace directive from go.mod file:

replace golang.org/x/net v1.2.3 => example.com/fork/net v1.4.5

This is the source of => text. Think of it as the referenced golang.org/x/net package "points" to example.com/fork/net (this is what is actually used ).

The above is the detailed content of What does the arrow symbol '=>' in the output of go version -m mean?. For more information, please follow other related articles on the PHP Chinese website!