Skip to content

Commit 08a12e3

Browse files
AMaini503Aayush Maini
andauthored
Replace existing Go detector with Go117 detector (#1426)
* Replace existing go detector with go117 detector * Fix unit tests for the new implementation of go detector * Handle replace directives in go mod parser, fix UTs * Fix UT that breaks due to path * Change go detector docs to document new behavior * Remove all references to Go117 --------- Co-authored-by: Aayush Maini <aamaini@microsoft.com>
1 parent 2a41d42 commit 08a12e3

9 files changed

Lines changed: 620 additions & 1172 deletions

File tree

docs/detectors/go.md

Lines changed: 13 additions & 58 deletions
Original file line numberDiff line numberDiff line change
@@ -8,22 +8,24 @@ Go detection runs when one of the following files is found in the project:
88

99
## Default Detection strategy
1010

11-
Default Go detection depends on the following to successfully run:
11+
### go.mod
12+
- All go.mod are parsed to detect dependencies. This parsing doesn't depend on presence of `go cli`.
1213

13-
- Go v1.11+.
14+
### go cli (go list) or go.sum Parsing
15+
- If a `go.sum` file is found, detector first checks if go version in the adjacent `go.mod` >= `1.17`. If it is `>= 1.17`, the file is skipped. If it is `< 1.17`, the detector proceeds as follows. Read [Go Module Changes in Go 1.17](#go-module-changes-in-go-117) to understand why `1.17` is relevant.
16+
- If `go cli` is found and not [disabled](#environment-variables), `go list` command is preferred over parsing `go.sum` file since `go.sum` files contains history of dependencies and including these dependencies can lead to [over-reporting](#known-limitations).
17+
- If `go list` was not used or did not run successfully, detector falls back to parsing `go.sum` manually.
1418

19+
### Dependency graph generation
1520
Full dependency graph generation is supported if Go v1.11+ is present
16-
on the build agent. If no Go v1.11+ is present, fallback detection
17-
strategy is performed.
18-
19-
Go detection is performed by parsing output from executing
20-
[go list -mod=readonly -m -json all][1]. To generate the graph, the command
21+
on the build agent. To generate the graph, the command
2122
[go mod graph][2] is executed. This only adds edges between the components
22-
that were already registered by `go list`.
23+
that were already registered.
2324

2425
## Fallback Detection strategy
2526

26-
The fallback detections trategy is known to overreport (see the
27+
The fallback strategy refers to detector parsing `go.sum` manually.
28+
TThis strategy is known to overreport (see the
2729
[known limitations](#known-limitations)). Read through the
2830
[troubleshooting section](#troubleshooting-failures-to-run-the-default-go-detection-strategy)
2931
for tips on how to ensure that the newer, more accurate default
@@ -249,55 +251,6 @@ of the package contents.
249251
making it possible to recreate the same build environment
250252
consistently.
251253
252-
### Detection Strategy
253-
254-
The Go Component Detector follows a strategy that involves the
255-
following key steps:
256-
257-
1. **File Discovery**: The detector searches for go.mod and go.sum files
258-
within the project directory.
259-
260-
2. **Filtering go.sum Files**: The detector filters out go.sum files when
261-
there is no adjacent go.mod file or when the go.mod file specifies
262-
a Go version lower than 1.17. This filtering reduces the risk of
263-
over-reporting components. More on this later.
264-
265-
3. **Go CLI Scanning (Optional)**: If the Go CLI (go) is available and not
266-
manually disabled, the detector attempts to use it to scan the
267-
project for dependencies and build a dependency graph. This step can
268-
significantly improve detection speed.
269-
270-
4. **Fallback Detection**: If Go CLI scanning is not possible or not
271-
successful, the detector falls back to parsing go.mod and go.sum
272-
files directly to identify components.
273-
274-
5. **Parsing go.mod File**: The detector parses the go.mod file to
275-
identify direct and transitive dependencies, recording their names
276-
and versions.
277-
278-
6. **Parsing go.sum File**: The detector parses the go.sum file, recording
279-
information about dependencies, including their names, versions,
280-
and hashes.
281-
282-
7. **Dependency Graph Construction**: If Go CLI scanning was successful,
283-
the detector constructs a dependency graph based on the information
284-
gathered. This graph helps identify relationships between components.
285-
286-
8. **Recording Components**: Throughout the detection process, the
287-
detector records identified components and their relationships.
288-
289-
9. **Environment Variable Check**: The detector checks for an environment
290-
variable (DisableGoCliScan) to determine whether Go CLI scanning
291-
should be disabled.
292-
293-
The logic for checking if the Go version present in the `go.mod` file
294-
is greater than or equal to 1.17 is relevant because it determines
295-
whether the `go.sum` file should be processed for detection.
296-
297-
This check is essential because Go introduced significant changes in
298-
how it handles dependencies and the `go.sum` file in Go version 1.17,
299-
which have implications for dependency scanning.
300-
301254
### Go Module Changes in Go 1.17
302255
303256
Prior to Go 1.17, the `go.mod` file primarily contained information
@@ -310,6 +263,8 @@ file now includes information about both direct and transitive
310263
dependencies. This improvement enhances the clarity and completeness
311264
of dependency information within the `go.mod` file.
312265
266+
The completeness of `go.mod` file in `>= 1.17` allows the detector to skip `go.sum` files entirely.
267+
313268
#### Relevance of the Go Version Check
314269
315270
1. **Accuracy of Dependency Detection**: Checking the Go version in

src/Microsoft.ComponentDetection.Detectors/go/Go117ComponentDetector.cs

Lines changed: 0 additions & 241 deletions
This file was deleted.

0 commit comments

Comments
 (0)