Issue with gobin indexer and "replace"

[fgiloux]

It seems that clair is not taking replace in consideration when reporting golang package versions.
Looking at the packages in an image on quay.io I see github.com/docker/distribution v2.8.2+incompatible

Looking at the binary inside the image I get:

go version -m .local/share/containers/storage/overlay/020dd665eac37e573bf8fb6984b9603c049a01c18371f1aa6b221a85d810e3b9/merged/usr/local/bin/helm-operator
[...]
dep	github.com/docker/distribution	v2.8.2+incompatible
=>	github.com/docker/distribution	v0.0.0-20191216044856-a8371794149d	h1:jC8tT/S0OGx2cswpeUTn4gOIea8P08lD3VFQT0cOZ50=

here is the go.mod

[crozzy]

This should be fixed upstream with clair #1145

[crozzy]

This is a snippet from the index report using the latest upstream code

    "244": {
      "id": "244",
      "name": "github.com/docker/distribution",
      "version": "v0.0.0-20191216044856-a8371794149d",
      "kind": "binary",
      "source": {
        "id": "1",
        "name": "",
        "version": ""
      },
      "normalized_version": "semver:0.0.0.0.0.0.0.0.0.0"
    },

[fgiloux]

Very good! I have searched previous issues but missed PR #1145
Thanks for pointing that to me.