
fix(go): Make list -u work for Go 1.14+ #209

Merged
merged 2 commits into from Aug 13, 2020

Conversation

sapphire-janrain
Contributor

Description

The latest update, 6.4.0, broke Go dependency resolution for Go version 1.14.x, because go list -m -u now requires -mod=mod or -mod=readonly. However, only Go 1.13+ actually supports the command at all; 1.12 returns an error if you try.

Implementation notes

I tried doing this via .execute and catching the exception, but then it causes an error in the report, and I don't think that's avoidable, unless I use a different method of execution? Not really sure. Because of that, I preferred parsing the version number instead. If there's a way to do it via try/catch without logging the error in the try block, let me know.

The reason I parsed it this way was because the version can have arbitrary prefixes like "devel", seems safer just to do this.

@blackduck-copilot
blackduck-copilot bot commented Aug 3, 2020

Black Duck Security Report

Branch master has no Black Duck results, and could not be compared to #209. Analyze branch master to get a change comparison.

Added Components

Clean: 13

Removed Components

Medium Risk: 1
Clean: 118


@crowleySynopsys
Contributor

@sapphire-janrain I'm having trouble reproducing this issue (see attached output with go 1.14.7 and Detect 6.4.1). Any idea what I'm missing?
Detect-6.4.1-go-1.14.7.txt

@sapphire-janrain
Contributor Author

Not sure... I looked around online to see if there were other possible reasons for it behaving this way, but it didn't seem like there were any. I am using 1.14.5 atm, but doubt that would be the difference here. I'm running in the base directory with go.mod, go.sum, and vendor all present.

This is what I get though:

2020-08-07 13:49:23 INFO  [main] --- ----------------------------------
2020-08-07 13:49:23 INFO  [main] --- Will include the detector tool.
2020-08-07 13:49:23 INFO  [main] --- Searching for detectors. This may take a while.
2020-08-07 13:49:29 INFO  [main] ---
2020-08-07 13:49:29 INFO  [main] --- Running executable >/usr/local/bin/go list -m
2020-08-07 13:49:29 INFO  [main] --- Executable finished: 0
2020-08-07 13:49:29 INFO  [main] --- Running executable >/usr/local/bin/go list -m -u -json all
2020-08-07 13:49:29 INFO  [main] --- Executable finished: 1
2020-08-07 13:49:29 INFO  [main] --- Error Output:
2020-08-07 13:49:29 INFO  [main] --- go list -m: can't determine available upgrades using the vendor directory
	(Use -mod=mod or -mod=readonly to bypass.)
2020-08-07 13:49:29 INFO  [main] --- Running executable >/usr/local/bin/git config --get remote.origin.url
2020-08-07 13:49:29 INFO  [main] --- Executable finished: 0
2020-08-07 13:49:29 INFO  [main] --- Running executable >/usr/local/bin/git rev-parse --abbrev-ref HEAD
2020-08-07 13:49:29 INFO  [main] --- Executable finished: 0
2020-08-07 13:49:29 INFO  [main] --- Running executable >/usr/local/bin/go list -m
2020-08-07 13:49:29 INFO  [main] --- Executable finished: 0
2020-08-07 13:49:29 INFO  [main] --- Running executable >/usr/local/bin/go list -m -u -json all
2020-08-07 13:49:29 INFO  [main] --- Executable finished: 1
2020-08-07 13:49:29 INFO  [main] --- Error Output:
2020-08-07 13:49:29 INFO  [main] --- go list -m: can't determine available upgrades using the vendor directory
	(Use -mod=mod or -mod=readonly to bypass.)

I had trouble finding any official documentation on why exactly, but I did find this mention here:
[screenshot attached: Screen Shot 2020-08-07 at 1 53 49 PM]

Of course, this error persists even when I run the command manually. The only thing that fixes it is -mod=mod or -mod=readonly, like it suggests, but readonly seems like the better choice for Black Duck because it won't modify the mod/sum files.
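The version gating described in the PR description, together with the -mod=readonly choice argued for in the comment above, as an added example written for this page in Go. It is not Detect's own (Java) code and does not reproduce the merged commit: it parses the output of "go version" by locating the first goN.M token rather than by word position, so prefixes such as "devel" pass through, and it returns the argument vector the upgrade-listing step should run. The function names, the regular expression, and the decision to treat an unparseable version line (an old-style devel build naming no release) as a current toolchain are assumptions of this example, not something the PR states.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// GoVersion is the major.minor pair extracted from `go version` output.
// Patch levels are ignored: the -mod flag requirement changed at a minor release.
type GoVersion struct {
	Major, Minor int
}

// AtLeast reports whether v is major.minor or newer.
func (v GoVersion) AtLeast(major, minor int) bool {
	return v.Major > major || (v.Major == major && v.Minor >= minor)
}

// goVersionRe finds the first "goN.M" token anywhere in the line, so an
// arbitrary prefix ("devel", a toolchain name) before the version does not
// break parsing. Assumed pattern for this example.
var goVersionRe = regexp.MustCompile(`\bgo(\d+)\.(\d+)`)

// ParseGoVersion handles lines such as
//   "go version go1.14.5 darwin/amd64"
//   "go version devel go1.15-a1b2c3d4 Thu Aug 6 12:00:00 2020 +0000 linux/amd64"
// and returns ok=false when no goN.M token is present (e.g. an old-style
// "go version devel +a1b2c3d4 ..." line that names no release at all).
func ParseGoVersion(output string) (GoVersion, bool) {
	m := goVersionRe.FindStringSubmatch(output)
	if m == nil {
		return GoVersion{}, false
	}
	major, err1 := strconv.Atoi(m[1])
	minor, err2 := strconv.Atoi(m[2])
	if err1 != nil || err2 != nil {
		return GoVersion{}, false
	}
	return GoVersion{Major: major, Minor: minor}, true
}

// ListUpgradesArgs returns the command for the upgrade-listing step, or
// ok=false when the toolchain cannot run `go list -m -u` at all:
//   - Go < 1.13:  `go list -m -u` is not supported, skip the step.
//   - Go 1.13:    plain `go list -m -u -json all`.
//   - Go >= 1.14: add -mod=readonly so a vendor directory does not abort the
//                 command and go.mod/go.sum are never rewritten.
// An unparseable (devel) version is assumed to track tip and treated as 1.14+.
func ListUpgradesArgs(versionOutput string) ([]string, bool) {
	v, ok := ParseGoVersion(versionOutput)
	switch {
	case ok && !v.AtLeast(1, 13):
		return nil, false
	case ok && !v.AtLeast(1, 14):
		return []string{"go", "list", "-m", "-u", "-json", "all"}, true
	default:
		return []string{"go", "list", "-mod=readonly", "-m", "-u", "-json", "all"}, true
	}
}

func main() {
	// Constructed sample lines; a real caller would feed in the output of
	// exec.Command("go", "version") instead.
	samples := []string{
		"go version go1.12.17 linux/amd64",
		"go version go1.13.15 linux/amd64",
		"go version go1.14.5 darwin/amd64",
		"go version devel +a1b2c3d4 Thu Aug 6 12:00:00 2020 +0000 linux/amd64",
	}
	for _, line := range samples {
		args, ok := ListUpgradesArgs(line)
		if !ok {
			fmt.Printf("%-72s -> unsupported, skipping\n", line)
			continue
		}
		fmt.Printf("%-72s -> %s\n", line, strings.Join(args, " "))
	}
}
```

-mod=readonly is the right default for a scanner: it still lets `go list -m -u` consult the module cache and proxy for upgrade candidates, but the command fails rather than silently editing go.mod or go.sum, which -mod=mod would permit.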

@taikuukaits taikuukaits merged commit 0b410b4 into blackducksoftware:master Aug 13, 2020
@crowleySynopsys
Contributor

@sapphire-janrain This change will be featured in Detect 6.4.2, to be released soon. Thanks!
