fix: Use module name over relative paths in go.mod replace directives
#3812
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… a web link Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
8fd4ee1 to
5361c22
Compare
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
|
@wagoodman Sorry for my reckless commits,and I guarantee that the static-analysis has been passed completely. I would appreciate it if you are available to run the checks |
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
|
@VictorHuu not a problem! I pushed a test addition + pulled in the latest changes from main (this will be squash merged, so the commit history does not need to be spiffy-clean). |
wagoodman
approved these changes
Apr 21, 2025
go.mod more compliant and traceablego.mod replace directives
go.mod replace directivesgo.mod replace directives
spiffcs
added a commit
that referenced
this pull request
Apr 29, 2025
* main: (150 commits) fix the fluent-bit regex detection pattern (#3817) chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832) chore(deps): update tools to latest versions (#3830) Resolve owned file paths when searching for overlaps (#3828) chore(deps): update anchore dependencies (#3827) fix: Make the fileresolver Support Prefix Match of Files (#3820) Add support for detecting javascript assets in .NET projects using libman (#3825) chore(deps): update tools to latest versions (#3823) (feat): support skipping archive extraction with file source (#3795) Consider DLL claims for dependencies of .NET packages from deps.json (#3822) PE cataloger should consider compile target paths from deps.json (#3821) Perf: skip license scanner injection (#3796) chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 (#3818) chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#3819) chore(deps): update tools to latest versions (#3815) docs: document test commands (#3816) Support detection of Chrome binaries (#3136) fix:allow golang tip image detection regex pattern (#3757) fix:Make the parse of the replace part in ```go.mod``` more compliant and traceable (#3812) (fix): delete collection name/type key entries when empty (#3797) ... Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
When I scan the
go.modof aws-sdk-go-v2,there will be some packages with the name pattern like '../../..', but they are only local directory aliases to some remote real link likehttps://github.com/aws/aws-sdk-go-v2,which is only used as a cache.Here's the replace part of the
go.mod:Here's the reproducible steps:
And the output is like this
{"artifacts": [{"id":"567e69993f00fcf8","name":"../../../","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/go.mod","accessPath":"/go.mod", "annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..:*:*:*:*:*:*:*:*","source":"syft-generated"}],"purl":"pkg:golang/../../..","metadataType":"go-module-entry","metadata":{}}, {"id":"ce975785a075b4cf","name":"../../../../../","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/internal/configtesting/go.mod","accessPath":"/internal/configtesting/go.mod", "annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..\\/..\\/..:*:*:*:*:*:*:*:*","source":"syft-generated"}],"purl":"pkg:golang/../../..#../../","metadataType":"go-module-entry","metadata":{}}, {"id":"d30c6d6af8d7b916","name":"../../../../../config/","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/internal/configtesting/go.mod","accessPath":"/internal/configtesting/go.mod", "annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..\\/..\\/..\\/config:*:*:*:*:*:*:*:*","source":"syft-generated"}],"purl":"pkg:golang/../../..#../../config/","metadataType":"go-module-entry","metadata":{}}, {"id":"b0c3fd64cef7d2a2","name":"../../../../../credentials/","version":"UNKNOWN","type":"go-module","foundBy":"go-module-file-cataloger","locations":[{"path":"/internal/configtesting/go.mod","accessPath":"/internal/configtesting/go.mod", "annotations":{"evidence":"primary"}}],"licenses":[],"language":"go","cpes":[{"cpe":"cpe:2.3:a:..:..\\/..\\/..\\/credentials:*:*:*:*:*:*:*:*","source":"syftFixing this will enhance the traceability of SBOM.
Type of change
Checklist: