cmd/go: report trimpath erasing ldflags, and allow override

Add a new boolean option -trimldflags. Only meaningful when -trimpath
is true. Defaults to true for backwards compatibility. Otheriwise when
set to false reports ldflags in buildinfo, in spite of -trimpath
setting. Also when ldflags are trimmed from the output, leave a
reproducible marker that it happened.

Building with '-trimpath -ldflags="-X main.Version=234"' will now emit:
	build	-trimldflags=true

Adding -trimldflags=false to the above will emit ldflags:
	build	-ldflags="-X main.Version=234"

Fixes: #63432

Author: xnox

src/cmd/go/alldocs.go

@@ -86,6 +86,7 @@ var (
 	BuildToolexec      []string                // -toolexec flag
 	BuildToolchainName string
 	BuildTrimpath      bool // -trimpath flag
+	BuildTrimldflags   bool // -trimldflags flag
 	BuildV             bool // -v flag
 	BuildWork          bool // -work flag
 	BuildX             bool // -x flag

src/cmd/go/internal/cfg/cfg.go

@@ -2395,7 +2395,14 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
 		// determine whether they may refer to system paths. If we do that, we can
 		// redact only those paths from the recorded -ldflags setting and still
 		// record the system-independent parts of the flags.
-		if !cfg.BuildTrimpath {
+		//
+		// For now add a toggle to always allow ldflags reporting, it may make
+		// non-reproducible builds, but it will stop hiding valuable version
+		// information as used by security vulnerability scanners. Although maybe
+		// vcs.describe or vcs.modhash should be added instead.
+		if cfg.BuildTrimpath && cfg.BuildTrimldflags {
+			appendSetting("-trimldflags", "true")
+		} else {
 			appendSetting("-ldflags", ldflags)
 		}
 	}

src/cmd/go/internal/load/pkg.go

@@ -192,6 +192,9 @@ and test commands:
 		Instead of absolute file system paths, the recorded file names
 		will begin either a module path@version (when using modules),
 		or a plain import path (when using the standard library, or GOPATH).
+	-trimldflags
+		Only meaningful with -trimpath true. Controls reporting of ldflags in binary
+		module information. May affect reproducible builds.
 	-toolexec 'cmd args'
 		a program to use to invoke toolchain programs like vet and asm.
 		For example, instead of running asm, the go command will run
@@ -338,6 +341,7 @@ func AddBuildFlags(cmd *base.Command, mask BuildFlagMask) {
 	cmd.Flag.Var((*tagsFlag)(&cfg.BuildContext.BuildTags), "tags", "")
 	cmd.Flag.Var((*base.StringsFlag)(&cfg.BuildToolexec), "toolexec", "")
 	cmd.Flag.BoolVar(&cfg.BuildTrimpath, "trimpath", false, "")
+	cmd.Flag.BoolVar(&cfg.BuildTrimldflags, "trimldflags", true, "")
 	cmd.Flag.BoolVar(&cfg.BuildWork, "work", false, "")
 	cmd.Flag.Var((*buildvcsFlag)(&cfg.BuildBuildvcs), "buildvcs", "")
 

src/cmd/go/internal/work/build.go

@@ -283,6 +283,9 @@ func (b *Builder) buildActionID(a *Action) cache.ActionID {
 	fmt.Fprintf(h, "omitdebug %v standard %v local %v prefix %q\n", p.Internal.OmitDebug, p.Standard, p.Internal.Local, p.Internal.LocalPrefix)
 	if cfg.BuildTrimpath {
 		fmt.Fprintln(h, "trimpath")
+		if cfg.BuildTrimldflags {
+			fmt.Fprintln(h, "trimldflags")
+		}
 	}
 	if p.Internal.ForceLibrary {
 		fmt.Fprintf(h, "forcelibrary\n")
@@ -1368,6 +1371,9 @@ func (b *Builder) linkActionID(a *Action) cache.ActionID {
 	fmt.Fprintf(h, "omitdebug %v standard %v local %v prefix %q\n", p.Internal.OmitDebug, p.Standard, p.Internal.Local, p.Internal.LocalPrefix)
 	if cfg.BuildTrimpath {
 		fmt.Fprintln(h, "trimpath")
+		if cfg.BuildTrimldflags {
+			fmt.Fprintln(h, "trimldflags")
+		}
 	}
 
 	// Toolchain-dependent configuration, shared with b.linkSharedActionID.