cyclonedx-gomod
Capture vendored modules in stdlib
The Go standard library is vendoring a small selection of modules in such a way that they don't interfere with other versions of those modules in the module graph, see https://github.com/golang/go/blob/master/src/README.vendor
Vendored modules (as of Go 1.17.7) include:
golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e
golang.org/x/net v0.0.0-20220106012031-21a9c9cfe9c3
Those modules are currently not captured at all (for `mod`) or only as packages (for `app`).
While for `mod` we can simply load `std` as a normal module that uses vendoring, including this in `app` is a little trickier.
`go list -deps` doesn't recognize modules in `$GOROOT/src/vendor` as modules (which is by design):
$ cd $GOROOT/src
$ go list -deps -f '{{ with .Module }}{{ .Path }}{{ end }}' ./...
(No output)
$ go list -deps -f '{{ .ImportPath }}' ./... | grep '^vendor'
vendor/golang.org/x/crypto/cryptobyte/asn1
vendor/golang.org/x/crypto/cryptobyte
vendor/golang.org/x/net/dns/dnsmessage
vendor/golang.org/x/crypto/internal/subtle
vendor/golang.org/x/crypto/chacha20
vendor/golang.org/x/crypto/poly1305
vendor/golang.org/x/sys/cpu
vendor/golang.org/x/crypto/chacha20poly1305
vendor/golang.org/x/crypto/curve25519
vendor/golang.org/x/crypto/hkdf
vendor/golang.org/x/text/transform
vendor/golang.org/x/text/unicode/bidi
vendor/golang.org/x/text/secure/bidirule
vendor/golang.org/x/text/unicode/norm
vendor/golang.org/x/net/idna
vendor/golang.org/x/net/http/httpguts
vendor/golang.org/x/net/http/httpproxy
vendor/golang.org/x/net/http2/hpack
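One possible way to give the `vendor/...` packages above a module identity, added here as an example and not code from the issue or from cyclonedx-gomod: parse the `modules.txt` manifest that Go keeps beside vendored code (assumed to be at `$GOROOT/src/vendor/modules.txt`) and map each package back to its module path and version. `Module`, `ParseVendorModules`, `ResolveStdVendored` and the inline sample are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"strings"
)

type Module struct{ Path, Version string } // one "# <path> <version>" header

// Constructed sample in vendor/modules.txt format; versions as quoted in the issue.
const sampleModulesTxt = `# golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e
## explicit; go 1.17
golang.org/x/crypto/cryptobyte/asn1
# golang.org/x/net v0.0.0-20220106012031-21a9c9cfe9c3
## explicit; go 1.17
golang.org/x/net/dns/dnsmessage
`

// ParseVendorModules maps each vendored package path to its owning module.
func ParseVendorModules(content string) map[string]Module {
	pkgs, cur := make(map[string]Module), Module{}
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 0 || strings.HasPrefix(f[0], "##"): // blank or "## explicit" annotation
		case f[0] == "#" && len(f) >= 3 && f[2] != "=>":
			cur = Module{Path: f[1], Version: f[2]} // "# <path> <version>"
		case f[0] == "#":
			cur = Module{} // header without a version owns no packages
		case cur.Path != "":
			pkgs[f[0]] = cur // package line under the current header
		}
	}
	return pkgs
}

// ResolveStdVendored maps a `go list -deps` import path to its vendored module.
func ResolveStdVendored(importPath string, pkgs map[string]Module) (Module, bool) {
	if !strings.HasPrefix(importPath, "vendor/") {
		return Module{}, false // ordinary std package
	}
	m, ok := pkgs[strings.TrimPrefix(importPath, "vendor/")]
	return m, ok
}

func main() {
	m, ok := ResolveStdVendored("vendor/golang.org/x/crypto/cryptobyte/asn1", ParseVendorModules(sampleModulesTxt))
	fmt.Println(m.Path, m.Version, ok)
}
```

With path and version recovered this way, an SBOM can list the bundled `golang.org/x/...` code as versioned components, so advisories against those modules can be matched to the Go toolchain that built the binary.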