Should ignore comment in go.mod

Open karataliu opened this issue 1 year ago • 3 comments

go.mod

require (
  // abc
)

will result in

--- Component: ---
// abc - Go
--- Found at: ---

karataliu avatar Jul 07 '23 06:07 karataliu

Is this happening when using the Go CLI scanning method, go.mod / go.sum parsing, or both? See https://github.com/microsoft/component-detection/blob/main/docs/detectors/go.md for more info

cobya avatar Jul 10 '23 22:07 cobya

Both Default Detection strategy and Fallback Detection strategy have the issue

karataliu avatar Jul 11 '23 05:07 karataliu

Tested the issue and this is only happening when we use the fallback strategy. @karataliu I think that in your case you saw the issue with the CLI detector because your go.mod is missing the module definition. For example, a correct go.mod file will look like:

module github.com/jcf/test
go 1.22.1

require (
	// abc
)

This go.mod file will be scanned by the CLI detector and no component will be found

However, if we use something like

require (
      // abc
)

then the CLI detector won't be executed as the file is missing the module definition

Go CLI command "go list -m -json all" failed with error: go: error reading go.mod: missing module declaration. To specify the module path:
        go mod edit -module=example.com/mod

In such a case, our in-house parser (the fallback strategy) will take over, and then the fake component will be detected.

jcfiorenzano avatar Mar 07 '24 01:03 jcfiorenzano
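
The behaviour discussed above matters for inventory accuracy: a fallback go.mod parser that treats every line inside `require ( ... )` as a dependency reports `// abc` as a component. The following is an added example, not part of the thread and not component-detection's own code: a standard-library-only Go sketch of a require-block reader that discards comments before tokenizing. The names `Requirement` and `ParseRequires` are hypothetical, and it assumes unquoted module paths.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one dependency read from a require directive (hypothetical type).
type Requirement struct{ Path, Version string }

// ParseRequires returns the dependencies declared in go.mod text. Comment-only
// lines, blank lines and malformed entries never become components.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		// Drop any // comment first; unquoted module paths never contain "//".
		text, _, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(text)
		switch {
		case len(f) == 0: // blank or comment-only line
			continue
		case inBlock && f[0] == ")": // end of require block
			inBlock = false
			continue
		case !inBlock && strings.Join(f, "") == "require(": // start of block
			inBlock = true
			continue
		case !inBlock && f[0] == "require": // single-line form
			f = f[1:]
		case !inBlock: // module, go, replace, exclude, ...
			continue
		}
		if len(f) == 2 { // exactly "path version"
			reqs = append(reqs, Requirement{f[0], f[1]})
		}
	}
	return reqs
}

func main() {
	// Constructed sample: the go.mod from the issue plus one placeholder entry.
	sample := "require (\n\t// abc\n\texample.com/lib v1.2.3 // indirect\n)\n"
	fmt.Println(ParseRequires(sample))
}
```
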

This should be resolved with #1027. If you are still hitting this on the latest bits, please re-open the issue.

cobya avatar Apr 18 '24 22:04 cobya