diff --git a/.bazelrc b/.bazelrc index cc40d98ca4d8e..89f03b3fd9a91 100644 --- a/.bazelrc +++ b/.bazelrc @@ -219,6 +219,7 @@ build:libc++ --action_env=BAZEL_CXXOPTS=-stdlib=libc++ build:libc++ --action_env=BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a build:libc++ --action_env=BAZEL_LINKOPTS=-lm:-pthread build:libc++ --define force_libcpp=enabled +build:libc++ --//bazel:libc++=true build:clang-libc++ --config=libc++ build:clang-libc++ --action_env=ARFLAGS=r build:arm64-clang-libc++ --config=clang-libc++ diff --git a/bazel/BUILD b/bazel/BUILD index d6ac0256f2787..1907d4a937c13 100644 --- a/bazel/BUILD +++ b/bazel/BUILD @@ -785,6 +785,14 @@ selects.config_setting_group( ], ) +selects.config_setting_group( + name = "engflow_rbe_aarch64", + match_all = [ + ":engflow_rbe", + ":linux_aarch64", + ], +) + selects.config_setting_group( name = "apple", match_any = [ @@ -1073,3 +1081,15 @@ config_setting( ":enable_liburing": "True", }, ) + +bool_flag( + name = "libc++", + build_setting_default = False, +) + +config_setting( + name = "libc++_enabled", + flag_values = { + ":libc++": "True", + }, +) diff --git a/bazel/external/boringssl_fips.BUILD b/bazel/external/boringssl_fips.BUILD index 55a6171c20688..9f56d3ebccde7 100644 --- a/bazel/external/boringssl_fips.BUILD +++ b/bazel/external/boringssl_fips.BUILD @@ -1,5 +1,33 @@ +load("@envoy//bazel/external:fips_build.bzl", "boringssl_fips_build_command", "ninja_build_command") +load("@rules_cc//cc:cc_library.bzl", "cc_library") + licenses(["notice"]) # Apache 2 +# BoringSSL build as described in the Security Policy for BoringCrypto module "update stream": +# https://boringssl.googlesource.com/boringssl/+/refs/heads/main/crypto/fipsmodule/FIPS.md#update-stream + +FIPS_GO_VERSION = "go1.24.2" + +FIPS_NINJA_VERSION = "1.10.2" + +FIPS_CMAKE_VERSION = "cmake version 3.22.1" + +SUPPORTED_ARCHES = { + "x86_64": "amd64", + "aarch64": "arm64", +} + +STDLIBS = [ + "libc++", + "libstdc++", +] + +# marker for dir +filegroup( + name = "crypto_marker", + srcs = ["crypto/crypto.cc"], +) + cc_library( name = "crypto", srcs = [ @@ -21,13 +49,65 @@ cc_library( deps = [":crypto"], ) +genrule( + name = "ninja_bin", + srcs = [ + "@fips_ninja//:all", + "@fips_ninja//:configure.py", + ], + outs = ["ninja"], + cmd = select(ninja_build_command()), + toolchains = [ + "@rules_python//python:current_py_toolchain", + "@bazel_tools//tools/cpp:current_cc_toolchain", + ], + tools = [ + "@bazel_tools//tools/cpp:current_cc_toolchain", + "@rules_python//python:current_py_toolchain", + ], +) + genrule( name = "build", - srcs = glob(["**"]), + srcs = glob(["**"]) + ["crypto_marker"], outs = [ "crypto/libcrypto.a", "ssl/libssl.a", ], - cmd = "$(location {}) $(location crypto/libcrypto.a) $(location ssl/libssl.a)".format("@envoy//bazel/external:boringssl_fips.genrule_cmd"), - tools = ["@envoy//bazel/external:boringssl_fips.genrule_cmd"], + cmd = select(boringssl_fips_build_command( + SUPPORTED_ARCHES, + STDLIBS, + FIPS_GO_VERSION, + FIPS_NINJA_VERSION, + FIPS_CMAKE_VERSION, + )), + exec_properties = select({ + "@envoy//bazel:engflow_rbe_x86_64": { + "Pool": "linux_x64_large", + }, + "@envoy//bazel:engflow_rbe_aarch64": { + "Pool": "linux_arm64_small", + }, + "//conditions:default": {}, + }), + toolchains = ["@bazel_tools//tools/cpp:current_cc_toolchain"], + tools = [ + ":ninja_bin", + "@bazel_tools//tools/cpp:current_cc_toolchain", + "@envoy//bazel/external:boringssl_fips.genrule_cmd", + ] + select({ + "@platforms//cpu:x86_64": [ + "@fips_cmake_linux_x86_64//:all", + "@fips_cmake_linux_x86_64//:bin/cmake", + "@fips_go_linux_amd64//:all", + "@fips_go_linux_amd64//:bin/go", + ], + "@platforms//cpu:aarch64": [ + "@fips_cmake_linux_aarch64//:all", + "@fips_cmake_linux_aarch64//:bin/cmake", + "@fips_go_linux_arm64//:all", + "@fips_go_linux_arm64//:bin/go", + ], + "//conditions:default": [], + }), ) diff --git a/bazel/external/boringssl_fips.genrule_cmd b/bazel/external/boringssl_fips.genrule_cmd index 40422663d9e4b..89c0ac1023420 100755 --- a/bazel/external/boringssl_fips.genrule_cmd +++ b/bazel/external/boringssl_fips.genrule_cmd @@ -2,123 +2,115 @@ set -eo pipefail -export CXXFLAGS='' -export LDFLAGS='' - # BoringSSL build as described in the Security Policy for BoringCrypto module "update stream": # https://boringssl.googlesource.com/boringssl/+/refs/heads/main/crypto/fipsmodule/FIPS.md#update-stream -OS=`uname` -ARCH=`uname -m` +OS=$(uname) +ARCH=$(uname -m) # This works only on Linux-x86_64 and Linux-aarch64. if [[ "$OS" != "Linux" || ("$ARCH" != "x86_64" && "$ARCH" != "aarch64") ]]; then - echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64 and Linux-aarch64." - exit 1 -fi - - -# Bazel magic. -# ROOT=$(dirname $(rootpath boringssl/BUILDING.md))/.. -ROOT=./external/boringssl_fips -pushd "$ROOT" -export HOME="$PWD" - -# The security policy recommends using the recent compiler versions: -# "The latest stable versions of Clang, Go, Ninja, and CMake should be used". -# This build makes use of the same LLVM toolchain as the rest of Envoy. - -# Override $PATH for build tools, to avoid picking up anything else. -export PATH="/usr/bin:/bin:/opt/llvm/bin" - -printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain - -# Go: requires minimum 1.22. -VERSION=1.24.2 -if [[ "$ARCH" == "x86_64" ]]; then - PLATFORM="linux-amd64" - SHA256=68097bd680839cbc9d464a0edce4f7c333975e27a90246890e9f1078c7e702ad -else - PLATFORM="linux-arm64" - SHA256=756274ea4b68fa5535eb9fe2559889287d725a8da63c6aae4d5f23778c229f4b + echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64 and Linux-aarch64." >&2 + echo " found: $OS-$ARCH" >&2 + exit 1 fi -curl -sLO https://dl.google.com/go/go"$VERSION"."$PLATFORM".tar.gz \ - && echo "$SHA256" go"$VERSION"."$PLATFORM".tar.gz | sha256sum --check -tar xf go"$VERSION"."$PLATFORM".tar.gz --no-same-owner - -export GOPATH="$PWD/gopath" -export GOROOT="$PWD/go" -export PATH="$GOPATH/bin:$GOROOT/bin:$PATH" - -if [[ `go version | awk '{print $3}'` != "go$VERSION" ]]; then - echo "ERROR: Go version doesn't match." - exit 1 +if [[ -z "$CRYPTO_OUT" ]]; then + echo "ERROR: CRYPTO_OUT not set for crypto lib path." >&2 + exit fi -# Go tests use go:embed directives which fail to compile in a Bazel sandbox because Go refuses to embed symlinks. -# (see issue https://github.com/golang/go/issues/59924). As a workaround, replace symlinks with the file copies. -for pem in $(ls ssl/test/runner/*.pem); - do cp --dereference ${pem} tmp.pem; cp --remove-destination tmp.pem ${pem}; rm tmp.pem; -done -for testdata in $(ls ssl/test/runner/hpke/testdata/*.json); - do cp --dereference ${testdata} tmp.json; cp --remove-destination tmp.json ${testdata}; rm tmp.json; -done - -# Ninja -VERSION=1.10.2 -SHA256=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed -curl -sLO https://github.com/ninja-build/ninja/archive/refs/tags/v"$VERSION".tar.gz \ - && echo "$SHA256" v"$VERSION".tar.gz | sha256sum --check -tar -xvf v"$VERSION".tar.gz --no-same-owner -cd ninja-"$VERSION" -python3 ./configure.py --bootstrap - -export PATH="$PWD:$PATH" - -if [[ `ninja --version` != "$VERSION" ]]; then - echo "ERROR: Ninja version doesn't match." - exit 1 -fi -cd .. - -# CMake -VERSION=3.22.1 -if [[ "$ARCH" == "x86_64" ]]; then - PLATFORM="linux-x86_64" - SHA256=73565c72355c6652e9db149249af36bcab44d9d478c5546fd926e69ad6b43640 -else - PLATFORM="linux-aarch64" - SHA256=601443375aa1a48a1a076bda7e3cca73af88400463e166fffc3e1da3ce03540b -fi - -curl -sLO https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION"-"$PLATFORM".tar.gz \ - && echo "$SHA256" cmake-"$VERSION"-"$PLATFORM".tar.gz | sha256sum --check -tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz --no-same-owner - -export PATH="$PWD/cmake-$VERSION-$PLATFORM/bin:$PATH" - -if [[ `cmake --version | head -n1` != "cmake version $VERSION" ]]; then - echo "ERROR: CMake version doesn't match." - exit 1 -fi - -# Clean after previous build. -rm -rf build - -# Build BoringSSL. -# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a, -# because the FIPS module itself is already built with -fPIC. -mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" .. -ninja -ninja run_tests - -# Verify correctness of the FIPS build. -if [[ `./bssl isfips` != "1" ]]; then - echo "ERROR: BoringSSL tool didn't report FIPS build." - exit 1 +if [[ -z "$SSL_OUT" ]]; then + echo "ERROR: SSL_OUT not set for ssl lib path." >&2 + exit fi -# Move compiled libraries to the expected destinations. -popd -mv $ROOT/build/libcrypto.a $1 -mv $ROOT/build/libssl.a $2 +validate_go() { + GO_VERSION=$(go version | awk '{print $3}') + if [[ "$GO_VERSION" != "$EXPECTED_GO_VERSION" ]]; then + echo "ERROR: Go version doesn't match." >&2 + echo " expected: $EXPECTED_GO_VERSION" >&2 + echo " found: $GO_VERSION" >&2 + return 1 + fi +} + +validate_ninja() { + NINJA_VERSION=$(ninja --version) + if [[ "$NINJA_VERSION" != "$EXPECTED_NINJA_VERSION" ]]; then + echo "ERROR: Ninja version doesn't match." >&2 + echo " expected: $EXPECTED_NINJA_VERSION" >&2 + echo " found: $NINJA_VERSION" >&2 + return 1 + fi +} + +validate_cmake() { + CMAKE_VERSION=$(cmake --version | head -n1) + if [[ "$CMAKE_VERSION" != "$EXPECTED_CMAKE_VERSION" ]]; then + echo "ERROR: CMake version doesn't match." >&2 + echo " expected: $EXPECTED_CMAKE_VERSION" >&2 + echo " found: $CMAKE_VERSION" >&2 + return 1 + fi +} + +build_boringssl_fips() { + cd "$BSSL_SRC" || exit 1 + export HOME="${BSSL_SRC}" + + # The security policy recommends using the recent compiler versions: + # "The latest stable versions of Clang, Go, Ninja, and CMake should be used". + # This build makes use of the same LLVM toolchain as the rest of Envoy. + printf "set(CMAKE_C_COMPILER \"${CC}\")\nset(CMAKE_CXX_COMPILER \"${CC}\")\n" > "${BSSL_SRC}/toolchain" + + # Go tests use go:embed directives which fail to compile in a Bazel sandbox because Go refuses to embed symlinks. + # (see issue https://github.com/golang/go/issues/59924). As a workaround, replace symlinks with the file copies. + for pem in $(ls ssl/test/runner/*.pem); do + cp --dereference "${pem}" tmp.pem; mv tmp.pem "${pem}"; + done + for testdata in $(ls ssl/test/runner/hpke/testdata/*.json); do + cp --dereference "${testdata}" tmp.json; mv tmp.json "${testdata}"; + done + + # Build BoringSSL. + # Setting -fPIC only affects the compilation of the non-module code in libcrypto.a, + # because the FIPS module itself is already built with -fPIC. + mkdir build + cd build + cmake -GNinja \ + -DCMAKE_TOOLCHAIN_FILE="${BSSL_SRC}/toolchain" \ + -DFIPS=1 \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_C_FLAGS="-fPIC" \ + -DCMAKE_CXX_FLAGS="${CXXFLAGS} -fPIC" \ + -DCMAKE_EXE_LINKER_FLAGS="$LDFLAGS" \ + -DCMAKE_SHARED_LINKER_FLAGS="$${LDFLAGS}" \ + .. + ninja -j "${NINJA_CORES:-1}" +} + +validate_fips() { + cd "$BSSL_SRC/build" || exit 1 + ninja run_tests + # Verify correctness of the FIPS build. + IS_FIPS="$(./bssl isfips)" + if [[ "${IS_FIPS}" != "1" ]]; then + echo "ERROR: BoringSSL tool didn't report FIPS build." >&2 + echo " expected: 1" >&2 + echo " found: ${IS_FIPS}" >&2 + return 1 + fi +} + +output_libs() { + # Move compiled libraries to the expected destinations. + mv "${BSSL_SRC}/build/libcrypto.a" "$CRYPTO_OUT" + mv "${BSSL_SRC}/build/libssl.a" "$SSL_OUT" +} + +validate_go +validate_ninja +validate_cmake +build_boringssl_fips +validate_fips +output_libs diff --git a/bazel/external/fips_build.bzl b/bazel/external/fips_build.bzl new file mode 100644 index 0000000000000..6b7b8193831f9 --- /dev/null +++ b/bazel/external/fips_build.bzl @@ -0,0 +1,126 @@ +load("@bazel_skylib//lib:selects.bzl", "selects") + +# Set up all the paths, flags, and deps, and then call the boringssl build +BUILD_COMMAND = """ +set -eo pipefail + +# c++ +export CC=$(CC) +# bazel doesnt expose CXX so we have to construct it (or use foreign_cc) +if [[ "%s" == "libc++" ]]; then + export CXXFLAGS="-stdlib=libc++" + export LDFLAGS="-stdlib=libc++ -lc++ -lc++abi -lm -pthread" +else + export CXXFLAGS="" + export LDFLAGS="-lstdc++ -lm -pthread" +fi + +# ninja +NINJA_BINDIR=$$(realpath $$(dirname $(location :ninja_bin))) +export PATH="$${NINJA_BINDIR}:$${PATH}" + +# cmake +CMAKE_BINDIR=$$(realpath $$(dirname $(location %s//:bin/cmake))) +export PATH="$${CMAKE_BINDIR}:$$PATH" + +# go +GO_BINDIR=$$(realpath $$(dirname $(location %s//:bin/go))) +export GOROOT=$$(dirname "$${GO_BINDIR}") +export GOPATH="$${GOROOT}/gopath" +mkdir -p "$$GOPATH" +export PATH="$${GOPATH}/bin:$${GO_BINDIR}:$${PATH}" + +# boringssl +BSSL_SRC=$$(realpath $$(dirname $$(dirname $(location crypto_marker)))) +export BSSL_SRC + +# fips expectations +export EXPECTED_GO_VERSION="%s" +export EXPECTED_NINJA_VERSION="%s" +export EXPECTED_CMAKE_VERSION="%s" + +# We might need to make this configurable if it causes issues outside of CI +export NINJA_CORES=$$(nproc) + +CRYPTO_OUT="$$(realpath $(location crypto/libcrypto.a))" +SSL_OUT="$$(realpath $(location ssl/libssl.a))" +export CRYPTO_OUT +export SSL_OUT + +OUTPUT=$$(mktemp) +if ! $(location @envoy//bazel/external:boringssl_fips.genrule_cmd) > $$OUTPUT 2>&1; then + echo "Build failed:" + cat $$OUTPUT >&2 + exit 1 +fi +""" + +NINJA_BUILD_COMMAND = """ +set -eo pipefail + +SRC_DIR=$$(dirname $(location @fips_ninja//:configure.py)) +OUT_FILE=$$(realpath $@) +PYTHON_BIN=$$(realpath $(PYTHON3)) +export CC=$(CC) +export CXX=$(CC) +# bazel doesnt expose CXX so we have to construct it (or use foreign_cc) +if [[ "%s" == "libc++" ]]; then + export CXXFLAGS="-stdlib=libc++" + export LDFLAGS="-stdlib=libc++ -lc++ -lc++abi -lm -pthread" +else + export CXXFLAGS="" + export LDFLAGS="-lstdc++ -lm -pthread" +fi +cd $$SRC_DIR +OUTPUT=$$(mktemp) +if ! $${PYTHON_BIN} ./configure.py --bootstrap --with-python=$${PYTHON_BIN} > $$OUTPUT 2>&1; then + echo "Build failed:" >&2 + cat $$OUTPUT >&2 + exit 1 +fi +cp ninja $$OUT_FILE +""" + +def _create_boringssl_fips_build_config(lib, arch, arch_alias): + """Create the config_setting_group combination.""" + conditions = ["@platforms//cpu:%s" % arch] + if lib == "libc++": + conditions += ["@envoy//bazel:libc++_enabled"] + selects.config_setting_group( + name = "%s_%s" % (arch, lib), + match_all = conditions, + ) + +def _create_boringssl_fips_build_command(lib, arch, arch_alias, go_version, ninja_version, cmake_version): + """Create the command.""" + _create_boringssl_fips_build_config(lib, arch, arch_alias) + return BUILD_COMMAND % ( + lib, + "@fips_cmake_linux_%s" % arch, + "@fips_go_linux_%s" % arch_alias, + go_version, + ninja_version, + cmake_version, + ) + +def boringssl_fips_build_command(arches, libs, go_version, ninja_version, cmake_version): + """Create conditional commands from the cartesian product of possible arches/stdlib.""" + return { + ":%s_%s" % (arch, lib): _create_boringssl_fips_build_command( + lib, + arch, + arch_alias, + go_version, + ninja_version, + cmake_version, + ) + for arch, arch_alias in arches.items() + for lib in libs + } + +def ninja_build_command(): + """Create the ninja command conditioned to correct stdlib.""" + return { + "@envoy//bazel:libc++_enabled": NINJA_BUILD_COMMAND % "libc++", + "//conditions:default": NINJA_BUILD_COMMAND % "libstdc++", + } diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl index 88697f7b5e0f0..73f2842e25d6e 100644 --- a/bazel/repositories.bzl +++ b/bazel/repositories.bzl @@ -262,6 +262,30 @@ def _boringssl_fips(): patch_args = ["-p1"], ) + NINJA_BUILD_CONTENT = "%s\nexports_files([\"configure.py\"])" % BUILD_ALL_CONTENT + external_http_archive( + name = "fips_ninja", + build_file_content = NINJA_BUILD_CONTENT, + ) + CMAKE_BUILD_CONTENT = "%s\nexports_files([\"bin/cmake\"])" % BUILD_ALL_CONTENT + external_http_archive( + name = "fips_cmake_linux_x86_64", + build_file_content = CMAKE_BUILD_CONTENT, + ) + external_http_archive( + name = "fips_cmake_linux_aarch64", + build_file_content = CMAKE_BUILD_CONTENT, + ) + GO_BUILD_CONTENT = "%s\nexports_files([\"bin/go\"])" % BUILD_ALL_CONTENT + external_http_archive( + name = "fips_go_linux_amd64", + build_file_content = GO_BUILD_CONTENT, + ) + external_http_archive( + name = "fips_go_linux_arm64", + build_file_content = GO_BUILD_CONTENT, + ) + def _aws_lc(): external_http_archive( name = "aws_lc", diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 5fbf466cfc331..885d64e2cff59 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1556,6 +1556,77 @@ REPOSITORY_LOCATIONS_SPEC = dict( extensions = ["envoy.compression.qatzip.compressor"], cpe = "N/A", ), + # Dependencies for fips - VERSIONS SHOULD NOT BE CHANGED + fips_ninja = dict( + project_name = "Ninja", + project_desc = "Small build system with a focus on speed", + project_url = "https://ninja-build.org/", + version = "1.10.2", + sha256 = "ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed", + strip_prefix = "ninja-{version}", + urls = ["https://github.com/ninja-build/ninja/archive/refs/tags/v{version}.tar.gz"], + use_category = ["build", "dataplane_core", "controlplane"], + release_date = "2020-11-28", + cpe = "cpe:2.3:a:ninja-build:ninja:*", + license = "Apache-2.0", + license_url = "https://github.com/ninja-build/ninja/blob/v{version}/COPYING", + ), + fips_cmake_linux_x86_64 = dict( + project_name = "CMake (Linux x86_64)", + project_desc = "Cross-platform family of tools designed to build, test and package software", + project_url = "https://cmake.org/", + version = "3.22.1", + sha256 = "73565c72355c6652e9db149249af36bcab44d9d478c5546fd926e69ad6b43640", + strip_prefix = "cmake-{version}-linux-x86_64", + urls = ["https://github.com/Kitware/CMake/releases/download/v{version}/cmake-{version}-linux-x86_64.tar.gz"], + use_category = ["build", "dataplane_core", "controlplane"], + release_date = "2021-12-07", + cpe = "cpe:2.3:a:kitware:cmake:*", + license = "BSD-3-Clause", + license_url = "https://github.com/Kitware/CMake/blob/v{version}/Copyright.txt", + ), + fips_cmake_linux_aarch64 = dict( + project_name = "CMake (Linux aarch64)", + project_desc = "Cross-platform family of tools designed to build, test and package software", + project_url = "https://cmake.org/", + version = "3.22.1", + sha256 = "601443375aa1a48a1a076bda7e3cca73af88400463e166fffc3e1da3ce03540b", + strip_prefix = "cmake-{version}-linux-aarch64", + urls = ["https://github.com/Kitware/CMake/releases/download/v{version}/cmake-{version}-linux-aarch64.tar.gz"], + use_category = ["build", "dataplane_core", "controlplane"], + release_date = "2021-12-07", + cpe = "cpe:2.3:a:kitware:cmake:*", + license = "BSD-3-Clause", + license_url = "https://github.com/Kitware/CMake/blob/v{version}/Copyright.txt", + ), + fips_go_linux_amd64 = dict( + project_name = "Go (Linux amd64)", + project_desc = "Go programming language (Linux amd64)", + project_url = "https://golang.org/", + version = "1.24.2", + sha256 = "68097bd680839cbc9d464a0edce4f7c333975e27a90246890e9f1078c7e702ad", + strip_prefix = "go", + urls = ["https://dl.google.com/go/go{version}.linux-amd64.tar.gz"], + use_category = ["build", "dataplane_core", "controlplane"], + release_date = "2024-12-03", + cpe = "cpe:2.3:a:golang:go:*", + license = "BSD-3-Clause", + license_url = "https://golang.org/LICENSE", + ), + fips_go_linux_arm64 = dict( + project_name = "Go (Linux arm64)", + project_desc = "Go programming language (Linux arm64)", + project_url = "https://golang.org/", + version = "1.24.2", + sha256 = "756274ea4b68fa5535eb9fe2559889287d725a8da63c6aae4d5f23778c229f4b", + strip_prefix = "go", + urls = ["https://dl.google.com/go/go{version}.linux-arm64.tar.gz"], + use_category = ["build", "dataplane_core", "controlplane"], + release_date = "2024-12-03", + cpe = "cpe:2.3:a:golang:go:*", + license = "BSD-3-Clause", + license_url = "https://golang.org/LICENSE", + ), ) def _compiled_protoc_deps(locations, versions):