Gosum support #475
Gosum support #475
Conversation
edit: better parsing of the go.sum
doc: added documentation of extractFromSum
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
| // extractFromSum extracts dependencies from the go.sum file. | ||
| // | ||
| // Note: This function may produce false positives, as the go.sum file might be outdated. | ||
| func extractFromSum(input *filesystem.ScanInput) ([]*extractor.Inventory, error) { |
There was a problem hiding this comment.
Does this mean go.sum files only exist when a go.mod file is present, no matter what go version?
| log.Warnf("Error reading go.sum file: %s", err) | ||
| } else { | ||
| for _, p := range sumPackages { | ||
| packages[mapKey{name: p.Name, version: p.Version}] = p |
There was a problem hiding this comment.
Adding this will overwrite packages from go.mod, right? I think we don't want to do this deduplication. If we skip it we can also add go.sum in FileRequired and replace Extract with a "if" between extractGoMod and extractGoSum. WDYT?
This PR enables scalibr to search for indirect dependencies inside the
go.sumif the go.mod's golang version is < 1.17.This feature is necessary since before 1.17 every indirect dependency was only present in the
go.sumfile.