Description
Preflight Checklist
- I agree to follow the Code of Conduct that this project adheres to.
- I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
The built Dex binaries embed a pseudo-version for the Dex module in the form of v0.0.0--, even when the main binary version is correctly injected via -ldflags.
This occurs because the Go module system generates pseudo-versions for dependencies built from commits that do not have a semantic Git tag. As a result, tools such as Google’s security scanner cannot correctly identify the Dex version from the binary metadata. This prevents accurate vulnerability tracking and compliance verification.
Proposed Solution
Upgrade the Dex dependency to Dex v2 (or the latest tagged release). This ensures that the dependency has a proper semantic version tag. When building from a tagged commit, the Go module system will embed the correct version in the binary, making it recognizable by security scanning tools.
Alternatives Considered
No other method was found to ensure that the pseudo-version embedded in the binary correctly reflects a proper semantic version for Dex.
Additional Information
Local testing confirmed that building via a standard Docker build works, and the pseudo-version is correctly embedded in the binary metadata.
I tested with this patch on v2.44.0.
0001-change-to-module-to-v2.patchf
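As an added example (not part of the issue or of the Dex project), the check a release or compliance engineer would run to catch this class of problem: it parses `go version -m <binary>` style output, or the running binary's own `runtime/debug` metadata, and flags any module whose embedded version is a Go pseudo-version rather than a semantic tag. The sample output and module versions below are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"runtime/debug"
	"strings"
)

// Pseudo-version shapes: vX.0.0-<ts>-<hash>, vX.Y.(Z+1)-0.<ts>-<hash> and
// vX.Y.Z-pre.0.<ts>-<hash>. The 14-digit UTC timestamp followed by a
// 12-hex-digit commit prefix is the giveaway that no Git tag backed the build.
var pseudoVersionRE = regexp.MustCompile(
	`^v\d+\.\d+\.\d+-(?:[^+]*\.)?\d{14}-[0-9a-f]{12}(?:\+.*)?$`)

// IsPseudoVersion reports whether v was synthesised from an untagged commit.
func IsPseudoVersion(v string) bool { return pseudoVersionRE.MatchString(v) }

// Finding is one module (main module or dependency) a scanner cannot map to a release.
type Finding struct{ Path, Version string }

// FindUntagged scans `go version -m` output (tab-separated "mod"/"dep" lines).
func FindUntagged(goVersionM string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(goVersionM))
	for sc.Scan() {
		f := strings.Split(strings.TrimSpace(sc.Text()), "\t")
		if len(f) >= 3 && (f[0] == "mod" || f[0] == "dep") && IsPseudoVersion(f[2]) {
			out = append(out, Finding{f[1], f[2]})
		}
	}
	return out
}

// FromBuildInfo applies the same check to a binary's embedded build metadata.
func FromBuildInfo(bi *debug.BuildInfo) []Finding {
	var out []Finding
	for _, m := range append([]*debug.Module{&bi.Main}, bi.Deps...) {
		if m.Replace != nil {
			m = m.Replace // the replacement is what actually got compiled in
		}
		if IsPseudoVersion(m.Version) {
			out = append(out, Finding{m.Path, m.Version})
		}
	}
	return out
}

// Constructed sample modelled on `go version -m dex` output; all values are made up.
const sample = "dex: go1.22.0\n\tpath\tgithub.com/dexidp/dex/cmd/dex\n" +
	"\tmod\tgithub.com/dexidp/dex\tv0.0.0-20240101120000-0123456789ab\t\n" +
	"\tdep\tgolang.org/x/crypto\tv0.21.0\th1:constructed\n"

func main() {
	for _, f := range FindUntagged(sample) {
		fmt.Printf("untagged module in sample: %s %s\n", f.Path, f.Version)
	}
	if bi, ok := debug.ReadBuildInfo(); ok {
		for _, f := range FromBuildInfo(bi) {
			fmt.Printf("untagged module in this binary: %s %s\n", f.Path, f.Version)
		}
	}
}
```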