`go list -m all` doesn't work with vendor directory present
Hello, when trying to run the microsoft/sbom-tool with a Go project I get the following error:
[INFO] Go CLI was found in system and will be used to generate dependency graph. Detection time may be improved by activating fallback strategy (https://github.com/microsoft/component-detection/blob/main/docs/detectors/go.md#fallback-detection-strategy). But, it will introduce noise into the detected components.
[ERROR] Go CLI command "go list -m -json all" failed with error:
go: can't compute 'all' using the vendor directory
(Use -mod=mod or -mod=readonly to bypass.)
[ERROR] Go CLI could not get dependency build list at location: /home/sysop/project/go.mod. Fallback go.sum/go.mod parsing will be used.
[INFO] Go CLI was found in system and will be used to generate dependency graph. Detection time may be improved by activating fallback strategy (https://github.com/microsoft/component-detection/blob/main/docs/detectors/go.md#fallback-detection-strategy). But, it will introduce noise into the detected components.
[ERROR] Go CLI command "go list -m -json all" failed with error:
go: can't compute 'all' using the vendor directory
(Use -mod=mod or -mod=readonly to bypass.)
[ERROR] Go CLI could not get dependency build list at location: /home/sysop/project/go.sum. Fallback go.sum/go.mod parsing will be used.
I'm using go 1.18.3 on my system; removing the vendor directory before running component-detection seems a bit annoying to me. Would it be possible to add -mod=readonly in some circumstances?
Is there any reason why we wouldn't want to use -mod=readonly all the time?
I am stuck on this too. The temporary workaround seems to be to use DisableGoCliScan=true (as explained here), but we should definitely update this command to support the -mod=readonly option.
Here is my understanding of the issue so far (feel free to correct me if I am wrong):
The purpose of running go list -m -json all is to get a list of all the dependencies (along with the version of those dependencies, in the json format) and then to report if any of those dependencies have any security vulnerabilities.
However, go doesn't support go list all if you are using the vendoring mode, as explained here. Starting from go 1.14, the mode is set to vendor by default if a vendor directory is found in the go module. That's why everyone is seeing these failures after upgrading to go 1.14 and above.
This means that in order to get a list of all the dependencies we either have to use go list -mod=mod or go list -mod=readonly. I think always running with go list -mod=readonly -m -json makes sense, since -mod=mod has the side effect that it can change the go.mod file.
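As an added illustration of the approach described in this thread (this is example code, not part of component-detection or sbom-tool), the script below builds the go list invocation, appending -mod=readonly only when a vendor directory is present, walks the concatenated JSON objects that go list -m -json all emits (it prints one object per module, not a JSON array), and falls back to parsing the require directives of go.mod when the Go CLI is unavailable or fails. The module paths, versions and go.mod content are constructed sample data; the function names are my own.

```python
"""Build the `go list -m -json all` command discussed in the thread and turn
its output into a list of (module path, version) components, with a go.mod
fallback. Example code; the sample inputs below are constructed."""
import json
import os
import re
import subprocess
from typing import List, Tuple


def go_list_command(vendor_present: bool) -> List[str]:
    """Return the go list argv. Go >= 1.14 defaults to -mod=vendor when a
    vendor/ directory exists, and "all" cannot be computed in vendor mode.
    -mod=readonly answers from go.mod/go.sum and, unlike -mod=mod, never
    rewrites go.mod, so it is the safe choice for a scanner."""
    cmd = ["go", "list", "-m", "-json"]
    if vendor_present:
        cmd.append("-mod=readonly")
    cmd.append("all")
    return cmd


def parse_go_list_json(output: str) -> List[Tuple[str, str]]:
    """`go list -m -json all` prints concatenated JSON objects, so a single
    json.loads() fails; raw_decode() lets us consume them one at a time."""
    decoder = json.JSONDecoder()
    components: List[Tuple[str, str]] = []
    pos, end = 0, len(output)
    while True:
        while pos < end and output[pos].isspace():  # skip inter-object whitespace
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(output, pos)
        if obj.get("Main"):
            continue  # the main module itself is not a dependency
        # A Replace directive means a different module is actually built;
        # report the replacement so the SBOM reflects what ships.
        replaced = obj.get("Replace")
        if replaced:
            components.append((replaced.get("Path", obj["Path"]), replaced.get("Version", "")))
        else:
            components.append((obj["Path"], obj.get("Version", "")))
    return components


_REQ_LINE = re.compile(r"^([\w./~-]+)\s+(v\S+)")


def parse_go_mod_requires(text: str) -> List[Tuple[str, str]]:
    """Fallback: read require directives (single-line and block form) from
    go.mod. Trailing comments such as '// indirect' are dropped."""
    components: List[Tuple[str, str]] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = _REQ_LINE.match(line)
            if m:
                components.append((m.group(1), m.group(2)))
        elif line == "require (":
            in_block = True
        elif line.startswith("require "):
            m = _REQ_LINE.match(line[len("require "):])
            if m:
                components.append((m.group(1), m.group(2)))
    return components


def detect_components(module_dir: str) -> List[Tuple[str, str]]:
    """Run the Go CLI if possible, otherwise fall back to go.mod parsing."""
    cmd = go_list_command(os.path.isdir(os.path.join(module_dir, "vendor")))
    try:
        proc = subprocess.run(cmd, cwd=module_dir, capture_output=True, text=True, check=True)
        return parse_go_list_json(proc.stdout)
    except (FileNotFoundError, subprocess.CalledProcessError):
        with open(os.path.join(module_dir, "go.mod"), encoding="utf-8") as fh:
            return parse_go_mod_requires(fh.read())


# Constructed sample output in the shape `go list -m -json all` produces.
SAMPLE_GO_LIST_OUTPUT = """
{
    "Path": "example.com/app",
    "Main": true
}
{
    "Path": "golang.org/x/text",
    "Version": "v0.3.7"
}
{
    "Path": "github.com/old/lib",
    "Version": "v1.0.0",
    "Replace": {
        "Path": "github.com/new/lib",
        "Version": "v1.2.0"
    }
}
"""

# Constructed sample go.mod for the fallback path.
SAMPLE_GO_MOD = """module example.com/app

go 1.18

require github.com/pkg/errors v0.9.1

require (
    golang.org/x/text v0.3.7
    github.com/stretchr/testify v1.8.0 // indirect
)
"""

if __name__ == "__main__":
    print(go_list_command(vendor_present=True))
    print(parse_go_list_json(SAMPLE_GO_LIST_OUTPUT))
    print(parse_go_mod_requires(SAMPLE_GO_MOD))
```

The fallback is deliberately cruder than the CLI path: go.mod lists only direct and promoted requirements and knows nothing about the final minimal version selection, which is exactly the "noise" the tool's log message warns about, so -mod=readonly is preferable whenever the CLI is present.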