
Module cloned with --shared fails version retrieval

Open svenschwermer opened this issue 1 year ago • 0 comments

cyclonedx-gomod doesn't work in module git clones that were created with --shared. This is e.g. done by the Yocto build system. Here's a way to reproduce this:

```sh
mkdir bare_repo
cd bare_repo
git init --bare
cd ..

git clone bare_repo full_clone
cd full_clone
go mod init foo.bar/dead/beef
cat <<EOF > main.go
package main
func main() {
}
EOF
git add .
git commit -m initial
git push
cd ..

git clone --shared bare_repo shared_clone
cd shared_clone
cyclonedx-gomod app -verbose >/dev/null
```

The final command from the above listing yields the following stderr log:

```
9:02PM DBG loading modules moduleDir=.
9:02PM DBG executing command cmd="/usr/bin/go list -deps -json ./" dir=.
9:02PM DBG executing command cmd="/usr/bin/go env -json" dir=
9:02PM DBG loading module moduleDir=/usr/lib/go/src
9:02PM DBG executing command cmd="/usr/bin/go list -mod readonly -json -m" dir=/usr/lib/go/src
9:02PM DBG executing command cmd="/usr/bin/go version" dir=
9:02PM DBG applying module graph moduleCount=1 moduleDir=.
9:02PM DBG executing command cmd="/usr/bin/go mod graph" dir=.
9:02PM DBG skipping graph edge dependant=foo.bar/dead/beef [email protected] reason="dependency not in list of selected modules"
9:02PM DBG detecting module version moduleDir=/home/sven/go-test/shared_clone
9:02PM ERR error="failed to determine version of main module: object not found"
```

I believe this is due to the following bug: https://github.com/go-git/go-git/issues/1006

However, there doesn't seem to be any momentum behind this bug. Perhaps you could add a workaround like https://github.com/go-gitea/gitea/commit/82acf22d9c09f3c1bed35a63410ee82853ff9484#diff-38e41a6e00b684af20aec2c0b3d2e65de6fc49e258eba89e79fcc3f0eb5c0dc7R66-R74

svenschwermer, Mar 13 '24 20:03
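
A preflight check for the setup in this report, as an added example that is not part of the original issue and is not cyclonedx-gomod or go-git code: `git clone --shared` records the borrowed object store in `.git/objects/info/alternates`, so a build pipeline can detect such a clone before it generates an SBOM. The function name `Alternates` and the assumption that `.git` is a directory (not a worktree `gitdir:` file) belong to this example.

```go
// Added example (not cyclonedx-gomod or go-git code): report whether a clone
// borrows objects from another repository through objects/info/alternates.
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Alternates returns the object directories the repository at repoDir borrows
// from. An empty result means the clone stores all of its own objects.
// Assumption: repoDir/.git is a directory, not a "gitdir:" pointer file.
func Alternates(repoDir string) ([]string, error) {
	objects := filepath.Join(repoDir, ".git", "objects")
	data, err := os.ReadFile(filepath.Join(objects, "info", "alternates"))
	if errors.Is(err, fs.ErrNotExist) {
		return nil, nil // no alternates file: not a shared clone
	}
	if err != nil {
		return nil, err
	}
	var dirs []string
	for _, line := range strings.Split(string(data), "\n") {
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments carry no path
		}
		if !filepath.IsAbs(line) {
			// Relative entries are resolved against the objects directory.
			line = filepath.Join(objects, line)
		}
		dirs = append(dirs, filepath.Clean(line))
	}
	return dirs, nil
}

func main() {
	dirs, err := Alternates(".")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, d := range dirs {
		fmt.Println("shared clone, borrows objects from", d)
	}
}
```

Run in `shared_clone` from the reproduction above, it prints the `bare_repo` object directory; in `full_clone` it prints nothing.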