fix: use correct identity of replaced Go modules #6489
mcombuechen wants to merge 1 commit into main
force-pushed a1fc639 to a419ddf
When using the `replace` directive in go.mod projects and replacing a dependency with a fork (i.e. module name differs), Snyk would still use the original module's name during analysis. This changes the dependency's name to that of the replaced module.
force-pushed a419ddf to cf2b094
Temporarily converting to draft, as I am making another change (putting purl generation behind feature flag).
```ts
// Used only with the Go plugin. When enabled, includes PackageURL information in dep-graphs.
includePackageUrls?: boolean;
// Used only with the Go plugin and temporary. When enabled, fixes misidentification of replaced modules.
useReplaceName?: boolean;
```
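Review bot: the comment on `useReplaceName` calls the option temporary but gives no removal condition; replace `and temporary` with a `TODO` that names the rollout ticket, and since the field is optional, state which behaviour applies when it is omitted (the original module name is kept), so callers reading the type know what the default gives them.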
question: `Used only with the Go plugin and temporary.`, what's meant by temporary? Do we intend to remove this at some point? If so, how are we going to ensure/track that this will be removed?
We mainly put this behind a flag for the time of the rollout. We introduced a fix to our Golang dependency discovery, which is fine to be rolled out in the CLI asap, but we need to throttle it for SCM (imported repos) which are subject to nightly recurring tests. We have tickets for the rollout and a task to clean this up once the rollout is complete.
I was hoping to add more information and context through this comment, but it seems like it caused more confusion. 😅
suggestion: I think a simple `TODO: remove once <ticket-ID> is done` and a reference to the TODO in the relevant ticket should suffice. WDYT?
The actual fix was done in snyk/snyk-go-plugin@3c75e60.

Also, this change re-introduces purl generation on the plugin level. For added safety, tests in the Go plugin as well as in this repo were added.
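As an added illustration of the misidentification the PR description refers to, here is a minimal Go resolver that reads `replace` directives from a go.mod and reports the module identity a dependency scanner should attach to each requirement. This is example code written for this page, not the snyk-go-plugin's implementation; the go.mod contents, module paths, versions and the `Replacement`, `ParseReplaces` and `EffectiveIdentity` names are all constructed. The point for vulnerability matching is that advisories are keyed by module path and version: reporting `github.com/upstream/lib v1.4.0` when the build actually compiles `github.com/forker/lib v1.4.1-fork` gives both false positives (the fork may have patched the issue) and false negatives (the fork may carry its own), so the replaced identity is what belongs in the dependency graph. The example also handles the two cases Go itself distinguishes: a version-specific replace takes precedence over a wildcard one, and a directory replacement has no version at all.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleGoMod is a constructed go.mod: one fork replacement, one same-path
// version bump restricted to a single version, and one wildcard directory replace.
const SampleGoMod = `module example.com/app

go 1.21

require (
	github.com/upstream/lib v1.4.0
	github.com/other/tool v0.3.1
)

// the forked module has a different path than the one listed in require
replace github.com/upstream/lib => github.com/forker/lib v1.4.1-fork

replace (
	github.com/other/tool v0.3.1 => github.com/other/tool v0.3.2
	github.com/other/tool => ../tool-local
)
`

// Replacement records one replace directive.
type Replacement struct {
	OldPath    string // module path on the left-hand side
	OldVersion string // "" when the directive applies to every version
	NewPath    string // replacement module path, or a local directory
	NewVersion string // "" for directory replacements
}

// ParseReplaces extracts replace directives (single-line and block form).
// Comments are stripped; lines of other directives are ignored.
func ParseReplaces(gomod string) []Replacement {
	var out []Replacement
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "replace (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimSpace(strings.TrimPrefix(line, "replace "))
		case !inBlock:
			continue
		}
		if r, ok := parseReplaceLine(line); ok {
			out = append(out, r)
		}
	}
	return out
}

// parseReplaceLine handles "old [version] => new [version]".
func parseReplaceLine(line string) (Replacement, bool) {
	lhs, rhs, ok := strings.Cut(line, "=>")
	if !ok {
		return Replacement{}, false
	}
	l, r := strings.Fields(lhs), strings.Fields(rhs)
	if len(l) == 0 || len(r) == 0 {
		return Replacement{}, false
	}
	rep := Replacement{OldPath: l[0], NewPath: r[0]}
	if len(l) > 1 {
		rep.OldVersion = l[1]
	}
	if len(r) > 1 {
		rep.NewVersion = r[1]
	}
	return rep, true
}

// EffectiveIdentity returns the path and version that actually end up in the
// build for a required module: an exact-version replace wins over a wildcard,
// and a module with no matching replace keeps its original identity.
func EffectiveIdentity(path, version string, reps []Replacement) (string, string) {
	var wildcard *Replacement
	for i := range reps {
		r := &reps[i]
		if r.OldPath != path {
			continue
		}
		if r.OldVersion == version {
			return r.NewPath, r.NewVersion
		}
		if r.OldVersion == "" && wildcard == nil {
			wildcard = r
		}
	}
	if wildcard != nil {
		return wildcard.NewPath, wildcard.NewVersion
	}
	return path, version
}

func main() {
	reps := ParseReplaces(SampleGoMod)
	for _, req := range [][2]string{{"github.com/upstream/lib", "v1.4.0"}, {"github.com/other/tool", "v0.3.1"}} {
		p, v := EffectiveIdentity(req[0], req[1], reps)
		fmt.Printf("require %s %s -> scan as %s %s\n", req[0], req[1], p, v)
	}
}
```

Running it prints `github.com/forker/lib v1.4.1-fork` for the first requirement and `github.com/other/tool v0.3.2` for the second; a scanner that ignored `replace` would look up advisories for `github.com/upstream/lib v1.4.0` and `github.com/other/tool v0.3.1` instead.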