syft: Build failure for v0.88.0

Thanks @sbrun; I’m still waiting to hear if @p-linnane is also using Go 1.21, but I’m going to assume so.

Let me explain the issue: in Go 1.21, a new keyword: toolchain was introduced as a part of the go.mod. Since this keyword is not present in the Syft go.mod, Go 1.21 complains the go.mod should be updated (as you see with the error “go: updates to go.mod needed; to update it: go mod tidy”). HOWEVER, Go 1.19 and 1.20 do not have support for this keyword, which means if we update the go.mod to be compatible with 1.21, we break compatibility with older versions, which we do not want to do at this time.

That said, it appears the Go team may be backporting support for the toolchain keyword, for example the go 1.19 issue here. But this has not been released in a go 1.19 patch release yet, which leaves us in the situation that we cannot update the go.mod in a way that is compatible with both 1.19 AND 1.21 until possibly a patch release of 1.19 is released. As of today, the latest version of 1.19 is go1.19.12, released Aug 1. We expect early next month to get a patch release that presumably includes support for the toolchain keyword, given that the issue is closed as completed. Once a 1.19 patch is released with this backport, we should be able to update the go.mod to remain on Go 1.19 and also have the toolchain keyword included, which should support compiling on 1.21 without the aforementioned error.

TL;DR: we aren’t going to break Go 1.19 compatibility, but we may just be able to wait a short time for an updated go 1.19.

EDIT: I may have misread the 1.19 backport: it may actually just be refusing to load Go modules with Go version 1.21 or higher specified.