Correctly determine if package has been built with golang
Golang packages may be built statically linked (for instance, if the package does not use any system libraries), and currently the statically-linked-binary check generates lots of false positives because it does not detect statically linked golang packages correctly.
Currently the statically-linked-binary check has two checks:
- The binary package name begins with "golang-", which is not enough for packages which ship a golang binary (e.g. debos & fakemachine).
- Check the Build-Depends-All field for a golang compiler, which isn't available in binary packages.
Add some additional sanity checks to really tell if binary packages are built with a golang compiler:
- Check the package Section field for golang.
- Check the binary package was built with a golang compiler by checking the Built-Using and Static-Built-Using fields.
- Check the source package name (i.e. the name of the source package which the binary was built from) starts with "golang-".
Edited by Christopher Obbard
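
The checks listed above, applied to the control fields of a binary package, as an added Python sketch that is not part of this change and not lintian's own code. The function names, the `golang-<digit>` compiler pattern and the sample stanza are assumptions made for the illustration.

```python
import re

# Assumption: the Go toolchain shows up in Built-Using as a versioned source
# package such as "golang-1.21"; the page does not give the exact pattern.
GO_COMPILER = re.compile(r"^golang-\d")

def parse_stanza(text):
    """Parse one deb822 stanza into a dict, joining continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            fields[key] = value.strip()
    return fields

def relation_names(value):
    """Yield package names from a comma-separated relationship field."""
    for entry in value.split(","):
        name = entry.split("(")[0].strip()
        if name:
            yield name

def built_with_golang(fields):
    """Return which of the checks mark this binary package as Go-built."""
    reasons = []
    package = fields.get("package", "")
    if package.startswith("golang-"):
        reasons.append("package-name")
    # Section may carry an archive area prefix, e.g. "contrib/golang".
    if fields.get("section", "").split("/")[-1] == "golang":
        reasons.append("section")
    for field in ("built-using", "static-built-using"):
        names = relation_names(fields.get(field, ""))
        if any(GO_COMPILER.match(n) for n in names):
            reasons.append(field)
    # Source defaults to the binary name and may carry a "(version)" suffix.
    source = fields.get("source", package).split("(")[0].strip()
    if source.startswith("golang-"):
        reasons.append("source-name")
    return reasons

# Constructed sample stanza (hypothetical package, not from a real archive).
SAMPLE = """Package: example-tool
Section: admin
Built-Using: golang-1.21 (= 1.21.0-1), golang-github-example-lib (= 0.1-1)
"""
```

An empty result means none of the checks matched, so the statically-linked-binary check would still apply to that package.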