Go: `LoadGoModules` incorrectly still flags 1.23 as an invalid toolchain

[dnwe]

Description of the false positive

The Go team had a change of heart in Go 1.23 and re-permitted go 1.23 as an alias for go 1.23.0

The change in behaviour in 1.23 is referenced in this comment on this well-cited GH issue on the confusion around the go directive changes:

golang/go#62278 (comment)

However, CodeQL is flagging this as invalid due to not using 1.N.P syntax:

Invalid Go toolchain version

As of Go 1.21, toolchain versions must use the 1.N.P syntax.

1.23 in go.mod does not match this syntax and there is no additional toolchain directive, which may cause some go commands to fail.

Code samples or links to source code

Reduced testcase pushed as a sample repo here with CodeQL scanning enabled:

https://github.com/dnwe/go-codeql

URL to the alert on GitHub code scanning

https://github.com/dnwe/go-codeql/security/code-scanning/tools/CodeQL/status/configurations/actions-FZTWS5DIOVRC653POJVWM3DPO5ZS6Y3PMRSXC3BNMFXGC3DZONUXGLTZNVWA/c1646cb64b746876ea230e833d950329e5308885d88be821300b330d9b9a7f83

[aibaars]

Thanks for the detailed report! I suppose we need to change to make it a bit more permissive

codeql/go/extractor/project/project.go

Lines 195 to 203 in 3363235

	// A regular expression for the Go toolchain version syntax.
	var toolchainVersionRe *regexp.Regexp = regexp.MustCompile(`(?m)^([0-9]+\.[0-9]+\.[0-9]+)$`)
	// Returns true if the `go.mod` file specifies a Go language version, that version is `1.21` or greater, and
	// there is no `toolchain` directive, and the Go language version is not a valid toolchain version.
	func hasInvalidToolchainVersion(modFile *modfile.File) bool {
	return modFile.Toolchain == nil && modFile.Go != nil &&
	!toolchainVersionRe.Match([]byte(modFile.Go.Version)) && util.NewSemVer(modFile.Go.Version).IsAtLeast(toolchain.V1_21)
	}

@mbg What do you think?

[mbg]

Hi @dnwe 👋🏻

Thanks for opening this issue! I don't think we were aware that the Go team had changed their minds about this. We originally added this diagnostic, since some go toolchain commands failed if the Go version was specified in the "old" format. I'll check that this works correctly now, and then adjust the conditions under which we emit that diagnostic if all checks out.