Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: mod graph does not respect replace directive #40513

Closed
RafalSkolasinski opened this issue Jul 31, 2020 · 5 comments
Closed

cmd/go: mod graph does not respect replace directive #40513

RafalSkolasinski opened this issue Jul 31, 2020 · 5 comments
Labels

Comments

@RafalSkolasinski
Copy link

@RafalSkolasinski RafalSkolasinski commented Jul 31, 2020

What version of Go are you using (go version)?

$ go version
go version go1.14.3 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/rskolasinski/.cache/go-build"
GOENV="/home/rskolasinski/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/rskolasinski/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.14"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.14/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build249408856=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Added following replace statement in my go.mod

golang.org/x/text => golang.org/x/text v0.3.3

in order to replace CVEs affect version v0.3.0 ... v0.3.2 in the dependency tree.

This seem to work properly as freshly generated go.sum does not contain offending libraries.

What did you expect to see?

See the replace rules reflected in the go mod graph command's output.
This should be the case according to the documentation

usage: go mod graph
Graph prints the module requirement graph (with replacements applied)
in text form. Each line in the output has two space-separated fields: a module
and one of its requirements. Each module is identified as a string of the form
path@version, except for the main module, which has no @version suffix.

What did you see instead?

Original dependency graph like without the replace directive

Extra information

My attempt is here: SeldonIO/seldon-core#2211

Extra question: output of go mod vendor && cat vendor/modulex.txt always show the golang.org/x/text in version v0.3.3 - with and without replace rules - why is that the case?

@RafalSkolasinski RafalSkolasinski changed the title go mod graph does not expect replace directive go mod graph does not respect replace directive Jul 31, 2020
@cagedmantis cagedmantis changed the title go mod graph does not respect replace directive cmd/go: mod graph does not respect replace directive Jul 31, 2020
@bcmills
Copy link
Member

@bcmills bcmills commented Jul 31, 2020

The replace directive replaces the source code for a given version of the module. It does not reinterpret the version as a different version (as one might expect). As a result, go mod graph should correctly follow the replacement but will attribute the dependencies to the module version being replaced.

#26904 and #26344 are related.

@bcmills
Copy link
Member

@bcmills bcmills commented Aug 3, 2020

@RafalSkolasinski, is the output of go mod graph inconsistent with the replacement's go.mod file for you, or is it just not annotating that the module was replaced?

@RafalSkolasinski
Copy link
Author

@RafalSkolasinski RafalSkolasinski commented Aug 3, 2020

Hi @bcmills, thanks for the reply.

I am just surprised to still see golang.org/x/text@v0.3.0 in the output of go mod graph.
I'd expect to only see there golang.org/x/text@v0.3.3 version.

@bcmills
Copy link
Member

@bcmills bcmills commented Aug 3, 2020

go mod graph reports what is in the module requirement graph. A replace directive replaces the source code for the given module — it does not remove the replaced version from the module graph. So this is working as designed.

@bcmills
Copy link
Member

@bcmills bcmills commented Aug 3, 2020

Duplicate of #32058

@bcmills bcmills marked this as a duplicate of #32058 Aug 3, 2020
@bcmills bcmills closed this Aug 3, 2020
@bcmills bcmills removed the WaitingForInfo label Aug 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.