Skip to content

fix: Use module name over relative paths in go.mod replace directives#3812

Merged
wagoodman merged 7 commits intoanchore:mainfrom
VictorHuu:fix-go-mod-replace
Apr 21, 2025
Merged

fix: Use module name over relative paths in go.mod replace directives#3812
wagoodman merged 7 commits intoanchore:mainfrom
VictorHuu:fix-go-mod-replace

Conversation

@VictorHuu
Copy link
Copy Markdown
Contributor

@VictorHuu VictorHuu commented Apr 19, 2025
edited
Loading

Description

When I scan the go.mod of aws-sdk-go-v2,there will be some packages with the name pattern like '../../..', but they are only local directory aliases to some remote real link like https://github.com/aws/aws-sdk-go-v2,which is only used as a cache.
Here's the replace part of the go.mod:

replace github.com/aws/aws-sdk-go-v2 => ../../../

Here's the reproducible steps:

cd ~
git clone https://github.com/aws/aws-sdk-go-v2
syft aws-sdk-go-v2/feature/ec2/imds -o spdx-json > sbom.spdx.json

And the output is like this

{"artifacts":
[{"id":"567e69993f00fcf8","name":"../../../","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/go.mod","accessPath":"/go.mod",
"annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..:*:*:*:*:*:*:*:*","source":"syft-generated"}],"purl":"pkg:golang/../../..","metadataType":"go-module-entry","metadata":{}},
{"id":"ce975785a075b4cf","name":"../../../../../","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/internal/configtesting/go.mod","accessPath":"/internal/configtesting/go.mod",
"annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..\\/..\\/..:*:*:*:*:*:*:*:*","source":"syft-generated"}],"purl":"pkg:golang/../../..#../../","metadataType":"go-module-entry","metadata":{}},
{"id":"d30c6d6af8d7b916","name":"../../../../../config/","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/internal/configtesting/go.mod","accessPath":"/internal/configtesting/go.mod",
"annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..\\/..\\/..\\/config:*:*:*:*:*:*:*:*","source":"syft-generated"}],"purl":"pkg:golang/../../..#../../config/","metadataType":"go-module-entry","metadata":{}},
{"id":"b0c3fd64cef7d2a2","name":"../../../../../credentials/","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/internal/configtesting/go.mod","accessPath":"/internal/configtesting/go.mod",
"annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..\\/..\\/..\\/credentials:*:*:*:*:*:*:*:*","source":"syft

Fixing this will enhance the traceability of SBOM.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@VictorHuu
We only need to replace the name of a GoLang package when the name is…
0a2b92d 
… a web link

Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
@VictorHuu
make the detection of a localfile path pattern more easy
383e05d 
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
@VictorHuu
consider the m.New.Version so the granularity is narrowed
45b9ce4 
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
@VictorHuu
to pass the static-analysis
5361c22 
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
@VictorHuu VictorHuu force-pushed the fix-go-mod-replace branch from 8fd4ee1 to 5361c22 Compare April 19, 2025 15:37
@VictorHuu
to pass the static-analysis
fe78987 
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
@VictorHuu
Copy link
Copy Markdown
Contributor Author

VictorHuu commented Apr 21, 2025

@wagoodman Sorry for my reckless commits,and I guarantee that the static-analysis has been passed completely. I would appreciate it if you are available to run the checks

@wagoodman
add test
8ec7b06 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
Merge remote-tracking branch 'origin/main' into fix-go-mod-replace
f913d5d 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman
Copy link
Copy Markdown
Contributor

wagoodman commented Apr 21, 2025

@VictorHuu not a problem! I pushed a test addition + pulled in the latest changes from main (this will be squash merged, so the commit history does not need to be spiffy-clean).

@wagoodman wagoodman enabled auto-merge (squash) April 21, 2025 17:38
@wagoodman wagoodman changed the title fix:Make the parse of the replace part in go.mod more compliant and traceable fix:Use module name over relative paths in go.mod replace directives Apr 21, 2025
@wagoodman wagoodman added the bug Something isn't working label Apr 21, 2025
@wagoodman wagoodman merged commit ea7e9e6 into anchore:main Apr 21, 2025
13 checks passed
@wagoodman wagoodman changed the title fix:Use module name over relative paths in go.mod replace directives fix: Use module name over relative paths in go.mod replace directives Apr 24, 2025
@VictorHuu VictorHuu deleted the fix-go-mod-replace branch April 26, 2025 12:22
spiffcs added a commit that referenced this pull request Apr 29, 2025
@spiffcs
Merge branch 'main' into 3088-full-text
b3f335e 
* main: (150 commits)
  fix the fluent-bit regex detection pattern (#3817)
  chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832)
  chore(deps): update tools to latest versions (#3830)
  Resolve owned file paths when searching for overlaps (#3828)
  chore(deps): update anchore dependencies (#3827)
  fix: Make the fileresolver Support Prefix Match of Files (#3820)
  Add support for detecting javascript assets in .NET projects using libman (#3825)
  chore(deps): update tools to latest versions (#3823)
  (feat): support skipping archive extraction with file source (#3795)
  Consider DLL claims for dependencies of .NET packages from deps.json (#3822)
  PE cataloger should consider compile target paths from deps.json (#3821)
  Perf: skip license scanner injection (#3796)
  chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 (#3818)
  chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#3819)
  chore(deps): update tools to latest versions (#3815)
  docs: document test commands (#3816)
  Support detection of Chrome binaries (#3136)
  fix:allow golang tip image detection regex pattern (#3757)
  fix:Make the parse of the replace part in ```go.mod``` more compliant and traceable (#3812)
  (fix): delete collection name/type key entries when empty (#3797)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@VictorHuu @wagoodman