internal/vulncheck: remove -mod=mod flag from LoadModules

This change is a hotfix removing the -mod=mod flag from the go list call in LoadModules. A proper fix to support vendor directories will be coming shortly. Fixes golang/go#65155 Fixes golang/go#65130 Change-Id: I3faf90227154e019ab70201c9e04a1b185bc5f3a Reviewed-on: https://go-review.googlesource.com/c/vuln/+/556775 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · Jan 18, 2024 · 4b54a8b · 4b54a8b · ldemailly · Jan 18, 2024
1 parent e313109
commit 4b54a8b
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/internal/vulncheck/packages.go b/internal/vulncheck/packages.go
@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"os/exec"
+	"path/filepath"
 	"strings"
 
 	"golang.org/x/tools/go/packages"
@@ -37,7 +38,17 @@ func NewPackageGraph(goVersion string) *PackageGraph {
 }
 
 func (g *PackageGraph) LoadModules(cfg *packages.Config) (mods []*packages.Module, err error) {
-	cmd := exec.Command("go", "list", "-m", "-json", "-mod=mod", "all")
+	cmd := exec.Command("go", "list", "-m", "-json")
+	// Quick fix for go.dev/issue/65155
+	// TODO: Fix go.dev/issue/65124
+	// This check makes it so that govulncheck doesn't crash if running on a
+	// vendored module from the root of a module. Essentially only here so that
+	// the vendor test doesn't fail until #65124 is fixed.
+	if fileExists(filepath.Join(cfg.Dir, "vendor")) {
+		cmd.Args = append(cmd.Args, "-mod=readonly")
+	}
+
+	cmd.Args = append(cmd.Args, "all")
 	cmd.Env = append(cmd.Env, cfg.Env...)
 	cmd.Dir = cfg.Dir
 	out, err := cmd.Output()

diff --git a/internal/vulncheck/utils.go b/internal/vulncheck/utils.go
@@ -7,8 +7,10 @@ package vulncheck
 import (
 	"bytes"
 	"context"
+	"errors"
 	"go/token"
 	"go/types"
+	"os"
 	"sort"
 	"strings"
 
@@ -357,3 +359,17 @@ func modVersion(mod *packages.Module) string {
 	}
 	return mod.Version
 }
+
+// fileExists checks if file path exists. Returns true
+// if the file exists or it cannot prove that it does
+// not exist. Otherwise, returns false.
+func fileExists(path string) bool {
+	if _, err := os.Stat(path); err == nil {
+		return true
+	} else if errors.Is(err, os.ErrNotExist) {
+		return false
+	}
+	// Conservatively return true if os.Stat fails
+	// for some other reason.
+	return true
+}