
Golang Mod Analyzer: Reason for using go mod edit -json #2680

Closed
PurriateCat opened this issue Jun 24, 2020 · 3 comments
PurriateCat commented Jun 24, 2020

Hey folks!
Is there a particular reason why go mod edit -json is used instead of go list -json -m all?

I wrote down my idea to explain the question in a lot more detail:

What is the actual behaviour?

The dependency-check just analyzes direct modules. That's because go mod edit -json is used which returns a list of required modules provided in the go.mod file.

What is expected?

The dependency-check should analyze indirect modules, too. That can be achieved by using the go list -json -m all command instead. It returns all modules and dependencies that are needed for that project, so indirect modules, too.

Why is this important?

Modules can simply require other modules, so they are nested. The dependency-check may miss vulnerabilities in indirect modules while analyzing only the direct modules.
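To make the gap concrete, here is an added Go example (not code from the issue or from dependency-check) that parses constructed sample output of both commands and lists the build-list modules a go.mod-only scan never sees. It relies on two documented facts: `go mod edit -json` emits one JSON object whose Require list holds only what go.mod names, and `go list -json -m all` emits a stream of concatenated JSON objects, one per module, with Main:true on the main module.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// MissedByGoModScan takes the raw output of `go mod edit -json` and of
// `go list -json -m all` and returns the path@version entries of the build
// list that the go.mod-only view does not report (the main module excluded).
func MissedByGoModScan(modEditJSON, listAllJSON string) ([]string, error) {
	var gomod struct{ Require []struct{ Path, Version string } }
	if err := json.Unmarshal([]byte(modEditJSON), &gomod); err != nil {
		return nil, err
	}
	direct := map[string]bool{}
	for _, r := range gomod.Require {
		direct[r.Path+"@"+r.Version] = true
	}
	dec := json.NewDecoder(strings.NewReader(listAllJSON)) // stream of objects, not an array
	var missed []string
	for {
		var m struct {
			Path, Version string
			Main          bool
		}
		if err := dec.Decode(&m); err == io.EOF {
			return missed, nil
		} else if err != nil {
			return nil, err
		}
		if key := m.Path + "@" + m.Version; !m.Main && !direct[key] {
			missed = append(missed, key)
		}
	}
}

// Constructed sample command outputs (not captured from a real project).
const sampleModEdit = `{"Module":{"Path":"example.com/app"},"Go":"1.14","Require":[{"Path":"github.com/acme/lib","Version":"v1.2.0"}]}`
const sampleListAll = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/acme/lib","Version":"v1.2.0"}
{"Path":"github.com/acme/util","Version":"v0.3.1"}
{"Path":"golang.org/x/text","Version":"v0.3.3"}`

func main() {
	missed, err := MissedByGoModScan(sampleModEdit, sampleListAll)
	fmt.Println("modules a go.mod-only scan never checks:", missed, err)
}
```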

@jeremylong (Owner)

Pretty much everything except Java support has been contributed by the community. Thanks for the suggestion - we will look into implementing this change soon - although we do accept PRs.

@jaskaransinghdr6j

Was wondering the same. @jeremylong is there any potential date for this enhancement?

jeremylong added a commit that referenced this issue Sep 21, 2020
@jeremylong jeremylong added this to the 6.0.2 milestone Sep 21, 2020
@jeremylong (Owner)

This will be included in the next release.
