DependencyCheck
Errors parsing go.mod, invalid go version format
Describe the bug
The process yields the error complaining about the go version format.
go: errors parsing go.mod:
/src/go.mod:3: invalid go version '1.21.0': must match format 1.23
Version of dependency-check used
The problem occurs using version 8.4.0 of the docker image
Log file
Excerpt:
[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Python Distribution Analyzer (0 seconds)
[WARN] While analyzing `/src/go.mod` `go` generated the following warnings:
go: errors parsing go.mod:
/src/go.mod:3: invalid go version '1.21.0': must match format 1.23
[WARN] An error occurred while analyzing '/src/go.mod' (Golang Mod Analyzer).
[INFO] Finished Golang Mod Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished NPM CPE Analyzer (1 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (0 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 1 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[INFO] Writing report to: /report/dependency-check-report.xml
[INFO] Writing report to: /report/dependency-check-report.html
[INFO] Writing report to: /report/dependency-check-report.json
[INFO] Writing report to: /report/dependency-check-report.csv
[INFO] Writing report to: /report/dependency-check-report.sarif
[INFO] Writing report to: /report/dependency-check-jenkins.html
[INFO] Writing report to: /report/dependency-check-junit.xml
[ERROR] Error analyzing '/src/go.mod'; Error parsing output from `go list -json -m all`
To Reproduce
Steps to reproduce the behavior:
- Install golang v1.21.0
- mkdir example && cd example
- go mod init foobar
- Run the script of the docker page adding the --enableExperimental flag
Expected behavior
Scanning process should proceed with no error
Additional context
The obvious workaround is to edit the go.mod file and adjust the format.
The output that the Golang Mod Analyzer shows you in the error message is the output generated by go (go list -m -json -mod=readonly -all) and just handed to you in the output. You should ensure to start off with a properly formatted go.mod for the version of go in the image.
The docker image embeds go from the golang 1.17.1-alpine image.
https://github.com/jeremylong/DependencyCheck/blob/main/Dockerfile
Ah okay ... Thank you. I didn't see that.
Sounds strange to me, by the way, that your sequence of events leads to a quoted version, as the go documentation appears to suggest that it would be unquoted.
https://go.dev/doc/modules/gomod-ref#module-syntax
Try running go list -m -json -all without the readonly and see if that corrects the problem?
Hello,
I got the same issue, seems it's only broken if you use semantic versioning (X.Y.Z). If you use go 1.21 in your go.mod file, it'll work.
Also reported here: https://github.com/jeremylong/DependencyCheck/issues/6052, but it's how go works, I guess
Thanks @Tolrod22, it worked for me :)
When you are using the semantic versioning - what happens when you run:
go list -json -m all
> Hello,
> I got the same issue, seems it's only broken if you use semantic versioning (X.Y.Z). If you use go 1.21 in your go.mod file, it'll work.
> Also reported here: #6052, but it's how go works, I guess
thanks, solved my problem
so how to update go version into docker image with openjdk?
This is happening to me on a brand new 'go mod init'. It is writing my go version correctly at 1.22.4 but I have to manually remove the '.4' to avoid the error.
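A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the issue or of DependencyCheck's code: it reads the `go` directive from go.mod text, reports whether it has the two-component form named in the error message, and gives the shortened value the commenters' workaround would write. The regular expressions, the function names and the sample go.mod are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Assumption: the accepted form is inferred from the error text on this page
// ("must match format 1.23"), i.e. exactly major.minor.
var legacyForm = regexp.MustCompile(`^[1-9][0-9]*\.(0|[1-9][0-9]*)$`)

// majorMinor captures the leading major.minor of a longer version (1.21.0, 1.21rc1).
var majorMinor = regexp.MustCompile(`^([1-9][0-9]*\.(?:0|[1-9][0-9]*))[.a-z]`)

// GoDirective returns the version on the `go` line of go.mod text and its line number.
func GoDirective(mod string) (version string, line int, found bool) {
	sc := bufio.NewScanner(strings.NewReader(mod))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(strings.SplitN(sc.Text(), "//", 2)[0]) // drop comment
		if len(f) == 2 && f[0] == "go" {
			return f[1], n, true
		}
	}
	return "", 0, false
}

// CheckLegacy reports whether the version has the major.minor form and, if not,
// the shortened value that the workaround in this thread would write instead.
func CheckLegacy(version string) (ok bool, suggestion string) {
	if legacyForm.MatchString(version) {
		return true, version
	}
	if m := majorMinor.FindStringSubmatch(version); m != nil {
		return false, m[1]
	}
	return false, ""
}

// sample is a constructed go.mod shaped like the one from the reproduction steps.
const sample = "module foobar\n\ngo 1.21.0 // constructed sample\n"

func main() {
	v, line, _ := GoDirective(sample)
	ok, want := CheckLegacy(v)
	fmt.Printf("go.mod:%d: go %s major.minor=%v suggested: go %s\n", line, v, ok, want)
}
```

Running a check like this before the scan surfaces the format problem up front, instead of leaving it as a `[WARN]`/`[ERROR]` pair in a log whose other analyzers all finished and whose reports were still written.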