`go list -m all` doesn't work with vendor directory present

[der-eismann]

Hello, when trying to run the microsoft/sbom-tool with a Go project I get the following error:

[INFO] Go CLI was found in system and will be used to generate dependency graph. Detection time may be improved by activating fallback strategy (https://github.com/microsoft/component-detection/blob/main/docs/detectors/go.md#fallback-detection-strategy). But, it will introduce noise into the detected components. 
[ERROR] Go CLI command "go list -m -json all" failed with error:
 go: can't compute 'all' using the vendor directory
	(Use -mod=mod or -mod=readonly to bypass.)
 
[ERROR] Go CLI could not get dependency build list at location: /home/sysop/project/go.mod. Fallback go.sum/go.mod parsing will be used. 
[INFO] Go CLI was found in system and will be used to generate dependency graph. Detection time may be improved by activating fallback strategy (https://github.com/microsoft/component-detection/blob/main/docs/detectors/go.md#fallback-detection-strategy). But, it will introduce noise into the detected components. 
[ERROR] Go CLI command "go list -m -json all" failed with error:
 go: can't compute 'all' using the vendor directory
	(Use -mod=mod or -mod=readonly to bypass.)
 
[ERROR] Go CLI could not get dependency build list at location: /home/sysop/project/go.sum. Fallback go.sum/go.mod parsing will be used.

I'm using go 1.18.3 on my system, removing the vendor directory before the component-detection seems a bit annoying to me. Would it be possible to add the -mod=readonly in some circumstances?

[JamieMagee]

Is there any reason why we wouldn't want so use -mod=readonly all the time?

[ambarve]

I am stuck on this too. Temporary workaround seems to be to use the DisableGoCliScan=true (as explained here) but we should definitely update this command to support -mod=readonly option.

[ambarve]

Here is my understanding of the issue so far (feel free to correct me if I am wrong):

The purpose of running go list -m -json all is to get a list of all the dependencies (along with the version of those dependencies, in the json format) and then to report if any of those dependencies have any security vulnerabilities.

However, go doesn't support go list all if you are using the vendoring mode as explained here. Starting from go1.14 mode is by default set to vendor if a vendor directory is found in the go module. That's why everyone is seeing these failures after upgrading to go 1.14 and above.

This means that in order to get a list of all the dependencies we either have to use go list -mod=mod or go list -mod=readonly. I think always running with go list -mod=readonly -m -json makes sense since -mod=mod has a side effect that it can change the go.mod file.