Fix Go modules to key off of go.mod

The go.mod file contains all of the dependency information necessary to reproduce a build. There is a misconception that the go.sum file has similar utility to a lock file in other dependency management systems. However, this is incorrect. The go.sum file contributes nothing to dependency resolution. Instead, the go.sum file provides cryptographic hashes to ensure new files downloaded match files downloaded previously. So, while it is useful, it isn't at all necessary for Go modules. To summarize: a Go modules project may or may not have a go.sum file, but will always have a go.mod file.
pivotal · Jul 7, 2020 · 667f6be · 667f6be
1 parent fc34b28
commit 667f6be
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -183,7 +183,7 @@ languages, as long as that language has a package definition in the project dire
 * `glide.lock` file (for `glide`)
 * `vendor/vendor.json` file (for `govendor`)
 * `Gopkg.lock` file (for `dep`)
-* `go.sum` file (for `go mod`)
+* `go.mod` file (for `go mod`)
 * `vendor.conf` file (for `trash`)
 * `yarn.lock` file (for `yarn`)
 * `conanfile.txt` file (for `conan`)

diff --git a/lib/license_finder/package_managers/go_modules.rb b/lib/license_finder/package_managers/go_modules.rb
@@ -4,7 +4,7 @@
 
 module LicenseFinder
   class GoModules < PackageManager
-    PACKAGES_FILE = 'go.sum'
+    PACKAGES_FILE = 'go.mod'
 
     class << self
       def takes_priority_over
@@ -17,7 +17,7 @@ def prepare_command
     end
 
     def active?
-      sum_files?
+      mod_files?
     end
 
     def current_packages
@@ -41,11 +41,11 @@ def packages_info
       info_output.split("\n")
     end
 
-    def sum_files?
-      sum_file_paths.any?
+    def mod_files?
+      mod_file_paths.any?
     end
 
-    def sum_file_paths
+    def mod_file_paths
       Dir[project_path.join(PACKAGES_FILE)]
     end
 

diff --git a/spec/fixtures/all_pms/go.sum → spec/fixtures/all_pms/go.mod b/spec/fixtures/all_pms/go.sum → spec/fixtures/all_pms/go.mod
diff --git a/spec/fixtures/config/go.mod b/spec/fixtures/config/go.mod
@@ -0,0 +1,6 @@
+module foo
+
+require (
+	gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
+	gopkg.in/yaml.v2 v2.2.1
+)
diff --git a/spec/fixtures/config/go.sum b/spec/fixtures/config/go.sum
diff --git a/spec/lib/license_finder/package_managers/go_modules_spec.rb b/spec/lib/license_finder/package_managers/go_modules_spec.rb
@@ -8,7 +8,7 @@ module LicenseFinder
     it_behaves_like 'a PackageManager'
 
     let(:src_path) { '/workspace/code' }
-    let(:sum_path) { "#{src_path}/go.sum" }
+    let(:mod_path) { "#{src_path}/go.mod" }
     let(:vendor_path) { "#{src_path}/vendor" }
     let(:go_list_string) do
       "foo,,/workspace/code/\ngopkg.in/check.v1,v0.0.0-20161208181325-20d25e280405,"\
@@ -22,7 +22,7 @@ module LicenseFinder
         FakeFS.activate!
 
         FileUtils.mkdir_p(vendor_path)
-        File.write(sum_path, content)
+        File.write(mod_path, content)
 
         allow(SharedHelpers::Cmd).to receive(:run).with("GO111MODULE=on go list -m -f '{{.Path}},{{.Version}},{{.Dir}}' all").and_return(go_list_string)
       end
@@ -33,11 +33,11 @@ module LicenseFinder
 
       let(:content) do
         FakeFS.without do
-          fixture_from('go.sum')
+          fixture_from('go.mod')
         end
       end
 
-      it 'finds all the packages all go.sum files' do
+      it 'finds all the packages all go.mod files' do
         packages = subject.current_packages
 
         expect(packages.length).to eq 2
@@ -65,7 +65,7 @@ module LicenseFinder
             .and_return(go_list_string)
         end
 
-        it 'finds all the packages all go.sum files' do
+        it 'finds all the packages all go.mod files' do
           packages = subject.current_packages
 
           expect(packages.length).to eq 2