[BUG] Go analyze error Module.Replace: key "Version" not found
Go project via gomod analyze
A task succeeded with warnings
Warning
Could not analyze deep dependencies.
Could not analyze edges between dependencies.
>>> Relevant errors
Error
Failed to parse command output. command: Command {cmdName = "go", cmdArgs = ["list","-json","all"], cmdAllowErr = NonEmptyStdout}.
Error in $[1190].Module.Replace: key "Version" not found
If you believe this to be a defect, please report a bug to FOSSA support at https://support.fossa.com
I reviewed the result of go list -json all; only the local replace has no 'Version' field.
"Module": {
    "Path": "xxxx.com/xxxx-xxxx-xxxx",
    "Version": "v0.0.0-00010101000000-000000000000",
    "Replace": {
        "Path": "../xxxx",
        "Dir": "/Users/xxxx",
        "GoMod": "/Users/xxxx/go.mod",
        "GoVersion": "1.13"
    },
    "Dir": "/Users/xxxx",
    "GoMod": "/Users/xxxx",
    "GoVersion": "1.13"
},
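Added example (not part of the original report and not fossa-cli's own code): a tolerant reader for the `go list -json all` stream that treats `Module.Replace.Version` as optional, so a local-directory replace like the one above is recorded as a local source instead of aborting the dependency scan. The names `Module`, `Resolve` and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module is the subset of the "Module" object used here; Version stays "" when the key is absent.
type Module struct {
	Path, Version string
	Main          bool
	Replace       *Module
}

// Constructed sample: concatenated package objects, the shape `go list -json all` emits.
const sample = `{"ImportPath":"fmt","Standard":true}
{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"example.com/lib/x","Module":{"Path":"example.com/lib","Version":"v0.0.0-00010101000000-000000000000","Replace":{"Path":"../lib","Dir":"/src/lib"}}}
{"ImportPath":"example.com/dep","Module":{"Path":"example.com/dep","Version":"v1.2.0","Replace":{"Path":"example.com/fork","Version":"v1.2.1"}}}`

// Resolve maps each required module path to the source that is actually built.
func Resolve(r io.Reader) (map[string]string, error) {
	out, dec := map[string]string{}, json.NewDecoder(r)
	for {
		var p struct{ Module *Module }
		if err := dec.Decode(&p); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err // truncated or malformed output is reported, not ignored
		}
		m := p.Module
		if m == nil || m.Main { // stdlib packages have no Module; skip the main module
			continue
		}
		eff := m
		if m.Replace != nil {
			eff = m.Replace // the replacement is what gets compiled
		}
		if eff.Version == "" {
			out[m.Path] = "local:" + eff.Path // filesystem replace: no version to report
		} else {
			out[m.Path] = eff.Path + "@" + eff.Version
		}
	}
}

func main() { fmt.Println(Resolve(strings.NewReader(sample))) }
```

Recording the replacement rather than the placeholder version matters for a dependency scanner: the code that ships is whatever sits in the replaced directory or fork, not the module named in the require line.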
Thank you @xuchenCN for creating this issue. If this is in regards to a defect, product question or feature request: you should use our support portal at https://support.fossa.com to file a request, as you would receive more immediate support.
There is a Zendesk ticket for this as well https://fossa.zendesk.com/agent/tickets/5374.
We have completed our initial research and design for improved Golang analysis; the first improvement is in progress this sprint.
The CLI will generate a package graph using go list -json -deps all and then turn it into a graph of packages for submission to FOSSA.
We'll keep you posted on deployment to fossa-cli and when you can upgrade.
Thanks for the reply, hope this issue gets resolved in the new version.
Hi @xuchenCN,
It's not the default yet, but we released a new version of fossa-cli a few days ago (v3.7.5) which includes an all-new strategy for examining Go projects under an experimental flag. This new strategy should give more accurate results as well as not exhibit the bug that you've reported here.
To use this functionality you will need to run fossa analyze with the new flag: fossa analyze --experimental-use-v3-go-resolver. To verify that the new strategy is running, you can run using the --debug flag and should look for messages like analysis using go list (V3 Resolver) that aren't followed by messages indicating the use of static analysis or analysis using go list (modules).
You can expect to possibly see a different set of dependencies. The common case should be that they will see fewer dependencies. More specific things that you should expect:
- It should mark transitive/direct deps correctly.
- It should not include test dependencies.
-Chris