Hey folks!
Is there a particular reason why go mod edit -json is used instead of go list -json -m all?
I wrote down my idea to explain the question in a lot more detail:
What is the actual behaviour?
The dependency-check just analyzes direct modules. That's because go mod edit -json is used, which returns the list of required modules provided in the go.mod file.
What is expected?
The dependency-check should analyze indirect modules, too. That can be achieved by using the go list -json -m all command instead. It returns all modules and dependencies that are needed for that project, so indirect modules, too.
Why is this important?
Modules can simply require other modules, so they are nested. The dependency-check may miss vulnerabilities in indirect modules while analyzing only the direct modules.
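To make the difference between the two commands concrete, here is an added example (not code from the issue author or from dependency-check) that parses the JSON each command prints and reports which modules the go.mod-only view would miss. Both sample documents are constructed for this example; `go mod edit -json` prints one object with a `Require` array, while `go list -json -m all` prints a stream of one object per module, including the main module and transitively required ones.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Module holds the fields shared by the Require entries of `go mod edit -json`
// and the per-module objects of `go list -json -m all`.
type Module struct {
	Path     string `json:"Path"`
	Version  string `json:"Version"`
	Indirect bool   `json:"Indirect"` // only an indirect dependency of the main module
	Main     bool   `json:"Main"`     // true for the main module in `go list -m` output
}

// goModEdit mirrors the top-level object printed by `go mod edit -json`.
type goModEdit struct {
	Require []Module `json:"Require"`
}

// ParseGoModEdit returns the modules from the Require block of a
// `go mod edit -json` document, i.e. only what go.mod itself declares.
func ParseGoModEdit(r io.Reader) ([]Module, error) {
	var doc goModEdit
	if err := json.NewDecoder(r).Decode(&doc); err != nil {
		return nil, err
	}
	return doc.Require, nil
}

// ParseGoListAll decodes the concatenated JSON objects that
// `go list -json -m all` prints, skipping the main module entry.
func ParseGoListAll(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if m.Main {
			continue
		}
		mods = append(mods, m)
	}
	return mods, nil
}

// MissingFrom returns the module paths present in full but absent from
// partial, sorted for stable output. These are the modules a scanner that
// only reads go.mod would never analyze.
func MissingFrom(full, partial []Module) []string {
	seen := make(map[string]bool, len(partial))
	for _, m := range partial {
		seen[m.Path] = true
	}
	var missing []string
	for _, m := range full {
		if !seen[m.Path] {
			missing = append(missing, m.Path)
		}
	}
	sort.Strings(missing)
	return missing
}

// Constructed sample of `go mod edit -json` output (module paths are made up).
const SampleGoModEdit = `{"Module":{"Path":"example.com/app"},"Go":"1.21",
"Require":[{"Path":"github.com/foo/bar","Version":"v1.2.3"},
{"Path":"golang.org/x/text","Version":"v0.3.0","Indirect":true}]}`

// Constructed sample of `go list -json -m all` output for the same project:
// github.com/foo/dep is pulled in by github.com/foo/bar and never appears in go.mod.
const SampleGoListAll = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/foo/bar","Version":"v1.2.3"}
{"Path":"golang.org/x/text","Version":"v0.3.0","Indirect":true}
{"Path":"github.com/foo/dep","Version":"v0.9.0","Indirect":true}`

func main() {
	direct, _ := ParseGoModEdit(strings.NewReader(SampleGoModEdit))
	all, _ := ParseGoListAll(strings.NewReader(SampleGoListAll))
	fmt.Printf("go.mod lists %d modules, go list -m all reports %d\n", len(direct), len(all))
	for _, p := range MissingFrom(all, direct) {
		fmt.Println("not visible via go mod edit -json:", p)
	}
}
```

In a real run the two readers would be the stdout of the respective commands; the parsing is the same. The point the diff makes is the one raised above: a module such as the constructed github.com/foo/dep is part of the build and may carry a vulnerability, yet a scanner that only consumes go.mod has no row for it at all.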
Pretty much everything except Java support has been contributed by the community. Thanks for the suggestion - we will look into implementing this change soon - although we do accept PRs.