feat: combine go module file and go source discovery into single cataloger (#4127)

---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>

go.mod

@@ -274,7 +274,7 @@ require (
 	golang.org/x/term v0.34.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/tools v0.35.0
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.203.0 // indirect
 	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect

internal/constants.go

@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.38"
+	JSONSchemaVersion = "16.0.39"
 )

schema/json/schema-latest.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.38/document",
+  "$id": "anchore.io/schema/syft/json/16.0.39/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -1236,6 +1236,29 @@
       },
       "type": "object"
     },
+    "GoSourceEntry": {
+      "properties": {
+        "h1Digest": {
+          "type": "string"
+        },
+        "os": {
+          "type": "string"
+        },
+        "architecture": {
+          "type": "string"
+        },
+        "buildTags": {
+          "type": "string"
+        },
+        "cgoEnabled": {
+          "type": "boolean"
+        }
+      },
+      "type": "object",
+      "required": [
+        "cgoEnabled"
+      ]
+    },
     "HaskellHackageStackEntry": {
       "properties": {
         "pkgHash": {
@@ -2075,6 +2098,9 @@
             {
               "$ref": "#/$defs/GoModuleEntry"
             },
+            {
+              "$ref": "#/$defs/GoSourceEntry"
+            },
             {
               "$ref": "#/$defs/HaskellHackageStackEntry"
             },

syft/format/internal/spdxutil/helpers/originator_supplier_test.go

@@ -28,6 +28,7 @@ func Test_OriginatorSupplier(t *testing.T) {
 		pkg.ErlangRebarLockEntry{},
 		pkg.GolangBinaryBuildinfoEntry{},
 		pkg.GolangModuleEntry{},
+		pkg.GolangSourceEntry{},
 		pkg.HomebrewFormula{},
 		pkg.HackageStackYamlLockEntry{},
 		pkg.HackageStackYamlEntry{},

syft/internal/packagemetadata/generated.go

@@ -30,6 +30,7 @@ func AllTypes() []any {
 		pkg.GitHubActionsUseStatement{},
 		pkg.GolangBinaryBuildinfoEntry{},
 		pkg.GolangModuleEntry{},
+		pkg.GolangSourceEntry{},
 		pkg.HackageStackYamlEntry{},
 		pkg.HackageStackYamlLockEntry{},
 		pkg.HomebrewFormula{},

syft/internal/packagemetadata/names.go

@@ -82,6 +82,7 @@ var jsonTypes = makeJSONTypes(
 	jsonNames(pkg.GitHubActionsUseStatement{}, "github-actions-use-statement"),
 	jsonNames(pkg.GolangBinaryBuildinfoEntry{}, "go-module-buildinfo-entry", "GolangBinMetadata", "GolangMetadata"),
 	jsonNames(pkg.GolangModuleEntry{}, "go-module-entry", "GolangModMetadata"),
+	jsonNames(pkg.GolangSourceEntry{}, "go-source-entry"),
 	jsonNames(pkg.HackageStackYamlLockEntry{}, "haskell-hackage-stack-lock-entry", "HackageMetadataType"),
 	jsonNamesWithoutLookup(pkg.HackageStackYamlEntry{}, "haskell-hackage-stack-entry", "HackageMetadataType"), // the legacy value is split into two types, where the other is preferred
 	jsonNames(pkg.JavaArchive{}, "java-archive", "JavaMetadata"),

syft/internal/packagemetadata/names_test.go

@@ -347,6 +347,12 @@ func Test_JSONName_JSONLegacyName(t *testing.T) {
 			expectedJSONName:   "go-module-entry",
 			expectedLegacyName: "GolangModMetadata",
 		},
+		{
+			name:               "GolangSourceMetadata",
+			metadata:           pkg.GolangSourceEntry{},
+			expectedJSONName:   "go-source-entry",
+			expectedLegacyName: "go-source-entry",
+		},
 		{
 			name:               "HackageStackYamlLockMetadata",
 			metadata:           pkg.HackageStackYamlLockEntry{},

syft/pkg/cataloger/golang/license_finder.go

@@ -0,0 +1,149 @@
+package golang
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/spf13/afero"
+
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+)
+
+// resolveModuleLicenses finds and parses license files for Go modules
+func resolveModuleLicenses(ctx context.Context, pkgInfos []pkgInfo, fs afero.Fs) pkg.LicenseSet {
+	licenses := pkg.NewLicenseSet()
+
+	for _, info := range pkgInfos {
+		modDir, pkgDir, err := getAbsolutePkgPaths(info)
+		if err != nil {
+			continue
+		}
+
+		licenseFiles, err := findAllLicenseCandidatesUpwards(pkgDir, licenseRegexp, modDir, fs)
+		if err != nil {
+			continue
+		}
+
+		for _, f := range licenseFiles {
+			contents, err := fs.Open(f)
+			if err != nil {
+				continue
+			}
+			licenses.Add(pkg.NewLicensesFromReadCloserWithContext(ctx, file.NewLocationReadCloser(file.Location{}, contents))...)
+			_ = contents.Close()
+		}
+	}
+
+	return licenses
+}
+
+/*
+findAllLicenseCandidatesUpwards performs a bubble-up search per package:
+1. pkgInfos represents a sparse vertical distribution of packages within modules
+2. we get more pkgInfos for free when the build configuration is updated
+
+The recursion terminates via two conditions:
+- When dir is outside stopAt boundary (happy case)
+- When reaching filesystem root where parent == dir (edge case)
+
+Note: The code does NOT follow symlinks. It returns a slice of absolute paths that
+represent license file matches that are resolved independently of the bubble-up.
+
+When we should consider redesign tip to stem:
+- Reduced filesystem calls: Single traversal vs multiple per-package
+- Path deduplication: Avoids re-scanning common parent directories
+- Better for wide module structures: Efficient when many packages share parent paths
+- We need to consider the case here where nested modules are visited by accident and licenses
+are erroneously associated to a 'parent module'; bubble up currently prevents this
+*/
+func findAllLicenseCandidatesUpwards(dir string, r *regexp.Regexp, stopAt string, fs afero.Fs) ([]string, error) {
+	// Validate that both paths are absolute
+	if !filepath.IsAbs(dir) {
+		return nil, fmt.Errorf("dir must be an absolute path, got: %s", dir)
+	}
+	if !filepath.IsAbs(stopAt) {
+		return nil, fmt.Errorf("stopAt must be an absolute path, got: %s", stopAt)
+	}
+
+	licenses, err := findLicenseCandidates(dir, r, stopAt, fs)
+	if err != nil {
+		return nil, err
+	}
+
+	// Ensure we return an empty slice rather than nil for consistency
+	if licenses == nil {
+		return []string{}, nil
+	}
+	return licenses, nil
+}
+
+func findLicenseCandidates(dir string, r *regexp.Regexp, stopAt string, fs afero.Fs) ([]string, error) {
+	// stop if we've gone outside the stopAt directory
+	if !strings.HasPrefix(dir, stopAt) {
+		return []string{}, nil
+	}
+
+	licenses, err := findLicensesInDir(dir, r, fs)
+	if err != nil {
+		return nil, err
+	}
+
+	parent := filepath.Dir(dir)
+	// can't go any higher up the directory tree: "/" case
+	if parent == dir {
+		return licenses, nil
+	}
+
+	// search parent directory and combine results
+	parentLicenses, err := findLicenseCandidates(parent, r, stopAt, fs)
+	if err != nil {
+		return nil, err
+	}
+
+	// Combine current directory licenses with parent directory licenses
+	return append(licenses, parentLicenses...), nil
+}
+
+func getAbsolutePkgPaths(info pkgInfo) (modDir string, pkgDir string, err error) {
+	pkgDir, err = filepath.Abs(info.pkgDir)
+	if err != nil {
+		return modDir, pkgDir, err
+	}
+
+	modDir, err = filepath.Abs(info.moduleDir)
+	if err != nil {
+		return modDir, pkgDir, err
+	}
+
+	if !strings.HasPrefix(pkgDir, modDir) {
+		return modDir, pkgDir, fmt.Errorf("modDir %s should contain pkgDir %s", modDir, pkgDir)
+	}
+
+	return modDir, pkgDir, nil
+}
+
+func findLicensesInDir(dir string, r *regexp.Regexp, fs afero.Fs) ([]string, error) {
+	var licenses []string
+
+	dirContents, err := afero.ReadDir(fs, dir)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, f := range dirContents {
+		if f.IsDir() {
+			continue
+		}
+
+		if r.MatchString(f.Name()) {
+			path := filepath.Join(dir, f.Name())
+			licenses = append(licenses, path)
+		}
+	}
+
+	return licenses, nil
+}

syft/pkg/cataloger/golang/license_finder_test.go

@@ -0,0 +1,220 @@
+package golang
+
+import (
+	"testing"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindAllLicenseCandidatesUpwards(t *testing.T) {
+	tests := []struct {
+		name          string
+		setupFS       func(afero.Fs)
+		startDir      string
+		stopAt        string
+		expectedFiles []string
+		expectedError bool
+		description   string
+	}{
+		{
+			name:     "normal traversal up to root",
+			startDir: "/project/subdir/deeper",
+			stopAt:   "/project",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project/subdir/deeper", 0755)
+				afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
+				afero.WriteFile(fs, "/project/foobar", []byte("MIT"), 0644)
+				afero.WriteFile(fs, "/project/subdir/LICENSE.txt", []byte("Apache"), 0644)
+				afero.WriteFile(fs, "/project/subdir/deeper/COPYING", []byte("GPL"), 0644)
+			},
+			expectedFiles: []string{
+				"/project/subdir/deeper/COPYING",
+				"/project/subdir/LICENSE.txt",
+				"/project/LICENSE",
+			},
+			description: "Should find all license files traversing upward",
+		},
+		{
+			name:     "stops at boundary directory",
+			startDir: "/project/subdir/deeper",
+			stopAt:   "/project/subdir",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project/subdir/deeper", 0755)
+				afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
+				afero.WriteFile(fs, "/project/subdir/LICENSE.txt", []byte("Apache"), 0644)
+				afero.WriteFile(fs, "/project/subdir/deeper/COPYING", []byte("GPL"), 0644)
+			},
+			expectedFiles: []string{
+				"/project/subdir/deeper/COPYING",
+				"/project/subdir/LICENSE.txt",
+			},
+			description: "Should stop at stopAt boundary and not find LICENSE in /project",
+		},
+		{
+			name:     "handles non-existent directory",
+			startDir: "/nonexistent",
+			stopAt:   "/",
+			setupFS: func(fs afero.Fs) {
+				// Don't create the directory
+			},
+			expectedError: true,
+			description:   "Should return error for non-existent directory",
+		},
+		{
+			name:     "handles empty directory tree",
+			startDir: "/empty/dir/tree",
+			stopAt:   "/empty",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/empty/dir/tree", 0755)
+				// No license files
+			},
+			expectedFiles: []string{},
+			description:   "Should return empty slice when no license files found",
+		},
+		{
+			name:     "handles directory at filesystem root",
+			startDir: "/",
+			stopAt:   "/",
+			setupFS: func(fs afero.Fs) {
+				afero.WriteFile(fs, "/LICENSE", []byte("MIT"), 0644)
+			},
+			expectedFiles: []string{"/LICENSE"},
+			description:   "Should handle traversal starting at root",
+		},
+		{
+			name:     "ignores directories with license-like names",
+			startDir: "/project/subdir",
+			stopAt:   "/project",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project/subdir", 0755)
+				fs.MkdirAll("/project/LICENSE_DIR", 0755) // Directory, should be ignored
+				afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
+			},
+			expectedFiles: []string{"/project/LICENSE"},
+			description:   "Should ignore directories even if they match license pattern",
+		},
+		{
+			name:     "startDir equals stopAt",
+			startDir: "/project",
+			stopAt:   "/project",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project", 0755)
+				afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
+			},
+			expectedFiles: []string{"/project/LICENSE"},
+			description:   "Should handle case where start equals stop directory",
+		},
+		{
+			name:     "startDir is parent of stopAt (returns empty)",
+			startDir: "/",
+			stopAt:   "/project",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project", 0755)
+				afero.WriteFile(fs, "/LICENSE", []byte("MIT"), 0644)
+			},
+			expectedFiles: []string{},
+			description:   "Should return empty when startDir is above stopAt",
+		},
+		{
+			name:     "very deep nesting",
+			startDir: "/a/b/c/d/e/f/g/h/i/j",
+			stopAt:   "/a",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/a/b/c/d/e/f/g/h/i/j", 0755)
+				afero.WriteFile(fs, "/a/LICENSE", []byte("MIT"), 0644)
+				afero.WriteFile(fs, "/a/b/c/d/e/NOTICE", []byte("Notice"), 0644)
+			},
+			expectedFiles: []string{
+				"/a/b/c/d/e/NOTICE",
+				"/a/LICENSE",
+			},
+			description: "Should handle deep directory nesting without stack overflow",
+		},
+		{
+			name:     "relative dir path rejected",
+			startDir: "project/subdir",
+			stopAt:   "/project",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project/subdir", 0755)
+			},
+			expectedError: true,
+			description:   "Should reject relative dir path",
+		},
+		{
+			name:     "relative stopAt path rejected",
+			startDir: "/project/subdir",
+			stopAt:   "project",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project/subdir", 0755)
+			},
+			expectedError: true,
+			description:   "Should reject relative stopAt path",
+		},
+		{
+			name:     "stopAt is descendant of startDir",
+			startDir: "/project",
+			stopAt:   "/project/subdir/deeper",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project/subdir/deeper", 0755)
+				afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
+			},
+			expectedFiles: []string{},
+			description:   "Should return empty when stopAt is below startDir",
+		},
+		{
+			name:     "disjoint paths",
+			startDir: "/foo/bar",
+			stopAt:   "/baz/qux",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/foo/bar", 0755)
+				fs.MkdirAll("/baz/qux", 0755)
+				afero.WriteFile(fs, "/foo/bar/LICENSE", []byte("MIT"), 0644)
+				afero.WriteFile(fs, "/LICENSE", []byte("Root"), 0644)
+			},
+			expectedFiles: []string{},
+			description:   "Should return empty for completely disjoint paths",
+		},
+		{
+			name:     "empty stopAt rejected",
+			startDir: "/project/deep/path",
+			stopAt:   "",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project/deep/path", 0755)
+			},
+			expectedError: true,
+			description:   "Should reject empty stopAt string",
+		},
+		{
+			name:     "empty startDir rejected",
+			startDir: "",
+			stopAt:   "/project",
+			setupFS: func(fs afero.Fs) {
+				fs.MkdirAll("/project", 0755)
+			},
+			expectedError: true,
+			description:   "Should reject empty startDir string",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create in-memory filesystem
+			fs := afero.NewMemMapFs()
+			tt.setupFS(fs)
+
+			// Run the function
+			result, err := findAllLicenseCandidatesUpwards(tt.startDir, licenseRegexp, tt.stopAt, fs)
+
+			// Check error expectation
+			if tt.expectedError {
+				assert.Error(t, err, tt.description)
+				return
+			}
+
+			require.NoError(t, err, tt.description)
+			assert.Equal(t, tt.expectedFiles, result, tt.description)
+		})
+	}
+}

syft/pkg/cataloger/golang/parse_go_mod.go

@@ -4,20 +4,30 @@ import (
 	"bufio"
 	"context"
 	"fmt"
+	"go/build"
 	"io"
+	"path/filepath"
+	"regexp"
 	"sort"
 	"strings"
 
+	"github.com/spf13/afero"
 	"golang.org/x/mod/modfile"
+	"golang.org/x/tools/go/packages"
 
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
+	"github.com/anchore/syft/internal/unknown"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/pkg/cataloger/generic"
 )
 
+var (
+	licenseRegexp = regexp.MustCompile(`^(?i)((UN)?LICEN(S|C)E|COPYING|NOTICE).*$`)
+)
+
 type goModCataloger struct {
 	licenseResolver goLicenseResolver
 }
@@ -28,59 +38,322 @@ func newGoModCataloger(opts CatalogerConfig) *goModCataloger {
 	}
 }
 
-// parseGoModFile takes a go.mod and lists all packages discovered.
+// parseGoModFile takes a go.mod and tries to resolve and lists all packages discovered.
-//
-//nolint:funlen
 func (c *goModCataloger) parseGoModFile(ctx context.Context, resolver file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
-	packages := make(map[string]pkg.Package)
+	modDir := filepath.Dir(string(reader.Location.Reference().RealPath))
-
-	contents, err := io.ReadAll(reader)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to read go module: %w", err)
-	}
-
-	f, err := modfile.Parse(reader.RealPath, contents, nil)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to parse go module: %w", err)
-	}
-
 	digests, err := parseGoSumFile(resolver, reader)
 	if err != nil {
 		log.Debugf("unable to get go.sum: %v", err)
 	}
 
-	for _, m := range f.Require {
+	// source analysis using go toolchain if available
-		lics := c.licenseResolver.getLicenses(ctx, resolver, m.Mod.Path, m.Mod.Version)
+	syftSourcePackages, sourceModules, sourceDependencies, unknownErr := c.loadPackages(modDir, reader.Location)
-		packages[m.Mod.Path] = pkg.Package{
+	catalogedModules, sourceModuleToPkg := c.catalogModules(ctx, syftSourcePackages, sourceModules, reader, digests)
-			Name:      m.Mod.Path,
+	relationships := buildModuleRelationships(catalogedModules, sourceDependencies, sourceModuleToPkg)
-			Version:   m.Mod.Version,
+
-			Licenses:  pkg.NewLicenseSet(lics...),
+	// base case go.mod file parsing
-			Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
+	modFile, err := c.parseModFileContents(reader)
-			PURL:      packageURL(m.Mod.Path, m.Mod.Version),
+	if err != nil {
-			Language:  pkg.Go,
+		return nil, nil, err
-			Type:      pkg.GoModulePkg,
+	}
-			Metadata: pkg.GolangModuleEntry{
+
-				H1Digest: digests[fmt.Sprintf("%s %s", m.Mod.Path, m.Mod.Version)],
+	// only use mod packages NOT found in source analysis
-			},
+	goModPackages := c.createGoModPackages(ctx, resolver, modFile, sourceModules, reader, digests)
+	c.applyReplaceDirectives(ctx, resolver, modFile, goModPackages, reader, digests)
+	c.applyExcludeDirectives(modFile, goModPackages)
+
+	finalPkgs := c.assembleResults(catalogedModules, goModPackages)
+	return finalPkgs, relationships, unknownErr
+}
+
+// loadPackages uses golang.org/x/tools/go/packages to get dependency information.
+func (c *goModCataloger) loadPackages(modDir string, loc file.Location) (pkgs map[string][]pkgInfo, modules map[string]*packages.Module, dependencies map[string][]string, unknownErr error) {
+	cfg := &packages.Config{
+		// Mode flags control what information is loaded for each package.
+		// Performance impact increases significantly with each additional flag:
+		//
+		// packages.NeedModule - Required for module metadata (path, version, replace directives).
+		//   Essential for SBOM generation. Minimal performance impact.
+		//
+		// packages.NeedName - Required for package names & package Path. Minimal performance impact.
+		//   Needed to identify packages and filter out standard library packages.
+		//
+		// packages.NeedFiles - Loads source file paths for each package.
+		//   Moderate performance impact as it requires filesystem traversal.
+		//   Required for license discovery.
+		//
+		// packages.NeedDeps - Loads the dependency graph between packages.
+		//   High performance impact as it builds the complete import graph.
+		//   Critical for generating accurate dependency relationships in SBOM.
+		//
+		// packages.NeedImports - Loads import information for each package.
+		//   High performance impact, especially with large codebases.
+		//   Required for building module-to-module dependency mappings.
+		//
+		// Adding flags like NeedTypes, NeedSyntax, or NeedTypesInfo would dramatically
+		// increase memory usage and processing time (10x+ slower) but are not needed
+		// for SBOM generation as we only require dependency and module metadata.
+		Mode:  packages.NeedModule | packages.NeedName | packages.NeedFiles | packages.NeedDeps | packages.NeedImports,
+		Dir:   modDir,
+		Tests: true,
+	}
+
+	// From Go documentation: "all" expands to all packages in the main module
+	// and their dependencies, including dependencies needed by tests.
+	//
+	// The special pattern "all" specifies all the active modules,
+	// first the main module and then dependencies sorted by module path.
+	// A pattern containing "..." specifies the active modules whose module paths match the pattern.
+	// On implementation we could not find a test case that differentiated between all and ...
+	// There may be a case where ... is non inclusive so we default to all for the inclusive guarantee
+	rootPkgs, err := packages.Load(cfg, "all")
+	if err != nil {
+		log.Debugf("error loading packages: %v", err)
+	}
+
+	// Check for any errors in loading
+	for _, p := range rootPkgs {
+		if len(p.Errors) > 0 {
+			// Log errors but continue processing
+			for _, e := range p.Errors {
+				log.Debugf("package load error for %s: %v", p.PkgPath, e)
+				unknownErr = unknown.Append(unknownErr, loc, err)
+			}
 		}
 	}
 
-	// remove any old packages and replace with new ones...
+	// note: dependencies have already pruned local imports and only focuses on module => module dependencies
-	for _, m := range f.Replace {
+	return c.visitPackages(rootPkgs, loc, unknownErr)
-		lics := c.licenseResolver.getLicenses(ctx, resolver, m.New.Path, m.New.Version)
+}
 
-		// the old path and new path may be the same, in which case this is a noop,
+type pkgInfo struct {
-		// but if they're different we need to remove the old package.
+	// pkgPath is the import path of the package.
-		// note that we may change the path but we should always reference the new version (since the old version
+	pkgPath string
-		// cannot be trusted as a correct value).
+	// modulePath is the module path of the package.
+	modulePath string
+	// pkgDir is the directory containing the package's source code.
+	pkgDir string
+	// moduleDir is the directory containing the module's source code.
+	moduleDir string
+}
+
+// visitPackages processes Go module import graphs to get all modules
+func (c *goModCataloger) visitPackages(
+	rootPkgs []*packages.Package,
+	loc file.Location,
+	uke error,
+) (pkgs map[string][]pkgInfo, modules map[string]*packages.Module, dependencies map[string][]string, unknownErr error) {
+	modules = make(map[string]*packages.Module)
+	// note: packages are specific to inside the module - they do not include transitive pkgInfo
+	// packages is used for identifying licensing documents for modules that could contain multiple licenses
+	// dependencies cover transitive module imports; see p.Imports array in packages.Visit
+	pkgs = make(map[string][]pkgInfo)
+	// dependencies are module => module dependencies
+	dependencies = make(map[string][]string)
+	// persist unknown errs from previous parts of the catalog
+	unknownErr = uke
+	// closure (p *Package) bool
+	// return bool determines whether the imports of package p are visited.
+	packages.Visit(rootPkgs, func(p *packages.Package) bool {
+		if len(p.Errors) > 0 {
+			for _, err := range p.Errors {
+				unknownErr = unknown.Append(unknownErr, loc, err)
+			}
+			return false
+		}
+
+		// skip for common causes
+		if shouldSkipVisit(p) {
+			return false
+		}
+
+		// different from above; we still might want to visit imports
+		// ignoring a package shouldn't end walking the tree
+		// since we need to get the full picture for license discovery
+		// for _, prefix := range c.config.IgnorePaths {
+		//	if strings.HasPrefix(p.PkgPath, prefix) {
+		//		return c.config.IncludeIgnoredDeps
+		//	}
+		//}
+		pkgDir := resolvePkgDir(p)
+		if pkgDir == "" {
+			return true
+		}
+
+		module := newModule(p.Module)
+		if module.Dir == "" {
+			// We continue processing even when module.Dir is empty because we still want to:
+			// 1. Extract module dependencies from p.Imports for dependency graph construction
+			// 2. Create syft packages with available metadata (name, version, etc.)
+			// 3. Build relationships between modules even without complete filesystem info
+			// Not having the DIR here just means that we're not going to process the licenses
+
+			// Common causes for module.Dir being empty:
+			// - Vendored dependencies where Go toolchain loses some module metadata
+			// - Replace directives pointing to non-existent or inaccessible paths
+			// A known cause is that the module is vendored, so some information is lost.
+			isVendored := strings.Contains(pkgDir, "/vendor/")
+			if !isVendored {
+				log.Debugf("module %s does not have dir and it's not vendored", module.Path)
+			}
+		}
+
+		// extract module dependencies
+		for _, imp := range p.Imports {
+			if imp.Module != nil && imp.Module.Path != module.Path {
+				if dependencies[module.Path] == nil {
+					dependencies[module.Path] = []string{imp.Module.Path}
+				} else {
+					dependencies[module.Path] = append(dependencies[module.Path], imp.Module.Path)
+				}
+			}
+		}
+		pkgs[module.Path] = append(pkgs[module.Path], pkgInfo{
+			pkgPath:    p.PkgPath,
+			modulePath: module.Path,
+			pkgDir:     pkgDir,
+			moduleDir:  module.Dir,
+		})
+		modules[p.Module.Path] = module
+
+		return true
+	}, nil)
+	return pkgs, modules, dependencies, unknownErr
+}
+
+// create syft packages from Go modules found by the go toolchain
+func (c *goModCataloger) catalogModules(
+	ctx context.Context,
+	pkgs map[string][]pkgInfo,
+	modules map[string]*packages.Module,
+	reader file.LocationReadCloser,
+	digests map[string]string,
+) ([]pkg.Package, map[string]artifact.Identifiable) {
+	syftPackages := make([]pkg.Package, 0)
+	moduleToPackage := make(map[string]artifact.Identifiable)
+
+	for _, m := range modules {
+		if isRelativeImportOrMain(m.Path) {
+			// relativeImport modules are already accounted for by their full module paths at other portions of syft's cataloging
+			// example: something like ../../ found as a module for go.mod b, which is sub to go.mod a is accounted for
+			// in another call to the goModCataloger when go.mod a is parsed
+			// local modules that use a "main" heuristic, no module naming (sometimes common pre go module support)
+			// are also not built as syft packages
+			continue
+		}
+
+		pkgInfos := pkgs[m.Path]
+		moduleLicenses := resolveModuleLicenses(ctx, pkgInfos, afero.NewOsFs())
+		// we do out of source lookups for module parsing
+		// locations are NOT included in the SBOM because of this
+		goModulePkg := pkg.Package{
+			Name:      m.Path,
+			Version:   m.Version,
+			Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
+			Licenses:  moduleLicenses,
+			Language:  pkg.Go,
+			Type:      pkg.GoModulePkg,
+			PURL:      packageURL(m.Path, m.Version),
+			Metadata:  createSourceMetadata(digests[fmt.Sprintf("%s %s", m.Path, m.Version)]),
+		}
+		goModulePkg.SetID()
+
+		moduleToPackage[m.Path] = goModulePkg
+		syftPackages = append(syftPackages, goModulePkg)
+	}
+
+	return syftPackages, moduleToPackage
+}
+
+// buildModuleRelationships creates artifact relationships between Go modules.
+func buildModuleRelationships(
+	syftPkgs []pkg.Package,
+	dependencies map[string][]string,
+	moduleToPkg map[string]artifact.Identifiable,
+) []artifact.Relationship {
+	var rels []artifact.Relationship
+	seen := make(map[string]struct{})
+
+	for _, fromPkg := range syftPkgs {
+		for _, dep := range dependencies[fromPkg.Name] {
+			if dep == fromPkg.Name {
+				continue
+			}
+			toPkg, ok := moduleToPkg[dep]
+			if !ok {
+				continue
+			}
+
+			key := string(fromPkg.ID()) + string(toPkg.ID())
+			if _, exists := seen[key]; exists {
+				continue
+			}
+
+			rels = append(rels, artifact.Relationship{
+				From: toPkg,   // dep
+				To:   fromPkg, // parent
+				Type: artifact.DependencyOfRelationship,
+			})
+			seen[key] = struct{}{}
+		}
+	}
+
+	return rels
+}
+
+func (c *goModCataloger) parseModFileContents(reader file.LocationReadCloser) (*modfile.File, error) {
+	contents, err := io.ReadAll(reader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read go module: %w", err)
+	}
+
+	f, err := modfile.Parse(reader.RealPath, contents, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse go module: %w", err)
+	}
+
+	return f, nil
+}
+
+// note this handles the deduplication from source by checking if the mod path exists in the sourceModules map
+func (c *goModCataloger) createGoModPackages(ctx context.Context, resolver file.Resolver, modFile *modfile.File, sourceModules map[string]*packages.Module, reader file.LocationReadCloser, digests map[string]string) map[string]pkg.Package {
+	goModPackages := make(map[string]pkg.Package)
+
+	for _, m := range modFile.Require {
+		if _, exists := sourceModules[m.Mod.Path]; !exists {
+			lics := c.licenseResolver.getLicenses(ctx, resolver, m.Mod.Path, m.Mod.Version)
+			goModPkg := pkg.Package{
+				Name:      m.Mod.Path,
+				Version:   m.Mod.Version,
+				Licenses:  pkg.NewLicenseSet(lics...),
+				Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
+				PURL:      packageURL(m.Mod.Path, m.Mod.Version),
+				Language:  pkg.Go,
+				Type:      pkg.GoModulePkg,
+				Metadata: pkg.GolangModuleEntry{
+					H1Digest: digests[fmt.Sprintf("%s %s", m.Mod.Path, m.Mod.Version)],
+				},
+			}
+			goModPkg.SetID()
+			goModPackages[m.Mod.Path] = goModPkg
+		}
+	}
+
+	return goModPackages
+}
+
+// applyReplaceDirectives processes replace directives from go.mod
+func (c *goModCataloger) applyReplaceDirectives(ctx context.Context, resolver file.Resolver, modFile *modfile.File, goModPackages map[string]pkg.Package, reader file.LocationReadCloser, digests map[string]string) {
+	for _, m := range modFile.Replace {
+		lics := c.licenseResolver.getLicenses(ctx, resolver, m.New.Path, m.New.Version)
 		var finalPath string
 		if !strings.HasPrefix(m.New.Path, ".") && !strings.HasPrefix(m.New.Path, "/") {
 			finalPath = m.New.Path
-			delete(packages, m.Old.Path)
+			delete(goModPackages, m.Old.Path)
 		} else {
 			finalPath = m.Old.Path
 		}
-		packages[finalPath] = pkg.Package{
+		goModPkg := pkg.Package{
 			Name:      finalPath,
 			Version:   m.New.Version,
 			Licenses:  pkg.NewLicenseSet(lics...),
@@ -92,26 +365,31 @@ func (c *goModCataloger) parseGoModFile(ctx context.Context, resolver file.Resol
 				H1Digest: digests[fmt.Sprintf("%s %s", finalPath, m.New.Version)],
 			},
 		}
+		goModPkg.SetID()
+		goModPackages[finalPath] = goModPkg
 	}
+}
 
-	// remove any packages from the exclude fields
+func (c *goModCataloger) applyExcludeDirectives(modFile *modfile.File, goModPackages map[string]pkg.Package) {
-	for _, m := range f.Exclude {
+	for _, m := range modFile.Exclude {
-		delete(packages, m.Mod.Path)
+		delete(goModPackages, m.Mod.Path)
 	}
+}
 
-	pkgsSlice := make([]pkg.Package, len(packages))
+func (c *goModCataloger) assembleResults(catalogedPkgs []pkg.Package, goModPackages map[string]pkg.Package) []pkg.Package {
-	idx := 0
+	pkgsSlice := make([]pkg.Package, 0)
-	for _, p := range packages {
+
-		p.SetID()
+	pkgsSlice = append(pkgsSlice, catalogedPkgs...)
-		pkgsSlice[idx] = p
+
-		idx++
+	for _, p := range goModPackages {
+		pkgsSlice = append(pkgsSlice, p)
 	}
 
 	sort.SliceStable(pkgsSlice, func(i, j int) bool {
 		return pkgsSlice[i].Name < pkgsSlice[j].Name
 	})
 
-	return pkgsSlice, nil, nil
+	return pkgsSlice
 }
 
 func parseGoSumFile(resolver file.Resolver, reader file.LocationReadCloser) (map[string]string, error) {
@@ -151,3 +429,94 @@ func parseGoSumFile(resolver file.Resolver, reader file.LocationReadCloser) (map
 
 	return out, nil
 }
+
+// createSourceMetadata creates metadata for packages found through source analysis using build.Default
+func createSourceMetadata(h1Digest string) pkg.GolangSourceEntry {
+	return pkg.GolangSourceEntry{
+		H1Digest:        h1Digest,
+		OperatingSystem: build.Default.GOOS,
+		Architecture:    build.Default.GOARCH,
+		BuildTags:       strings.Join(build.Default.BuildTags, ","),
+		CgoEnabled:      build.Default.CgoEnabled,
+	}
+}
+
+func resolvePkgDir(p *packages.Package) string {
+	switch {
+	case len(p.GoFiles) > 0:
+		return filepath.Dir(p.GoFiles[0])
+	case len(p.CompiledGoFiles) > 0:
+		return filepath.Dir(p.CompiledGoFiles[0])
+	case len(p.OtherFiles) > 0:
+		return filepath.Dir(p.OtherFiles[0])
+	default:
+		return ""
+	}
+}
+
+func shouldSkipVisit(p *packages.Package) bool {
+	// skip packages that don't have module info
+	if p.Module == nil {
+		return true
+	}
+
+	// skip stdlib
+	if isStdLib(p) {
+		return true
+	}
+
+	return false
+}
+
+// isStdLib returns true if this package is part of the Go standard library.
+func isStdLib(pkg *packages.Package) bool {
+	if pkg.Name == "unsafe" {
+		// Special case unsafe stdlib, because it does not contain go files.
+		return true
+	}
+	if len(pkg.GoFiles) == 0 {
+		return false
+	}
+	prefix := build.Default.GOROOT
+	sep := string(filepath.Separator)
+	if !strings.HasSuffix(prefix, sep) {
+		prefix += sep
+	}
+	return strings.HasPrefix(pkg.GoFiles[0], prefix)
+}
+
+// handle replace directives
+func newModule(mod *packages.Module) *packages.Module {
+	// Example of a module with replace directive: 	k8s.io/kubernetes => k8s.io/kubernetes v1.11.1
+	// {
+	//         "Path": "k8s.io/kubernetes",
+	//         "Version": "v0.17.9",
+	//         "Replace": {
+	//                 "Path": "k8s.io/kubernetes",
+	//                 "Version": "v1.11.1",
+	//                 "Time": "2018-07-17T04:20:29Z",
+	//                 "Dir": "/home/gongyuan_kubeflow_org/go/pkg/mod/k8s.io/kubernetes@v1.11.1",
+	//                 "GoMod": "/home/gongyuan_kubeflow_org/go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.11.1.mod"
+	//         },
+	//         "Dir": "/home/gongyuan_kubeflow_org/go/pkg/mod/k8s.io/kubernetes@v1.11.1",
+	//         "GoMod": "/home/gongyuan_kubeflow_org/go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.11.1.mod"
+	// }
+	// handle replace directives
+	// Note, we specifically want to replace version field.
+	// Haven't confirmed, but we may also need to override the
+	// entire struct when using replace directive with local folders.
+	tmp := *mod
+	if tmp.Replace != nil {
+		tmp = *tmp.Replace
+	}
+
+	return &tmp
+}
+
+func isRelativeImportOrMain(p string) bool {
+	if p == "main" {
+		return true
+	}
+	// true for ".", "..", "./...", "../..."
+	return build.IsLocalImport(p)
+}

syft/pkg/cataloger/golang/parse_go_mod_test.go

@@ -1,8 +1,13 @@
 package golang
 
 import (
+	"path/filepath"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/require"
+
+	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/internal/fileresolver"
 	"github.com/anchore/syft/syft/pkg"
@@ -15,13 +20,13 @@ func TestParseGoMod(t *testing.T) {
 		expected []pkg.Package
 	}{
 		{
-			fixture: "test-fixtures/one-package",
+			fixture: "test-fixtures/go-mod-fixtures/one-package/go.mod",
 			expected: []pkg.Package{
 				{
 					Name:      "github.com/bmatcuk/doublestar",
 					Version:   "v1.3.1",
 					PURL:      "pkg:golang/github.com/bmatcuk/doublestar@v1.3.1",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/one-package")),
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/one-package/go.mod")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
@@ -29,28 +34,28 @@ func TestParseGoMod(t *testing.T) {
 			},
 		},
 		{
-			fixture: "test-fixtures/relative-replace",
+			fixture: "test-fixtures/go-mod-fixtures/relative-replace/go.mod",
 			expected: []pkg.Package{
 				{
 					Name:      "github.com/aws/aws-sdk-go-v2",
 					Version:   "",
 					PURL:      "pkg:golang/github.com/aws/aws-sdk-go-v2",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/relative-replace")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/relative-replace/go.mod")),
 					Metadata:  pkg.GolangModuleEntry{},
 				},
 			},
 		},
 		{
 
-			fixture: "test-fixtures/many-packages",
+			fixture: "test-fixtures/go-mod-fixtures/many-packages/go.mod",
 			expected: []pkg.Package{
 				{
 					Name:      "github.com/anchore/archiver/v3",
 					Version:   "v3.5.2",
 					PURL:      "pkg:golang/github.com/anchore/archiver@v3.5.2#v3",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
@@ -59,7 +64,7 @@ func TestParseGoMod(t *testing.T) {
 					Name:      "github.com/anchore/go-testutils",
 					Version:   "v0.0.0-20200624184116-66aa578126db",
 					PURL:      "pkg:golang/github.com/anchore/go-testutils@v0.0.0-20200624184116-66aa578126db",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
@@ -68,7 +73,7 @@ func TestParseGoMod(t *testing.T) {
 					Name:      "github.com/anchore/go-version",
 					Version:   "v1.2.2-0.20200701162849-18adb9c92b9b",
 					PURL:      "pkg:golang/github.com/anchore/go-version@v1.2.2-0.20200701162849-18adb9c92b9b",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
@@ -77,7 +82,7 @@ func TestParseGoMod(t *testing.T) {
 					Name:      "github.com/anchore/stereoscope",
 					Version:   "v0.0.0-20200706164556-7cf39d7f4639",
 					PURL:      "pkg:golang/github.com/anchore/stereoscope@v0.0.0-20200706164556-7cf39d7f4639",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
@@ -86,7 +91,7 @@ func TestParseGoMod(t *testing.T) {
 					Name:      "github.com/bmatcuk/doublestar",
 					Version:   "v8.8.8",
 					PURL:      "pkg:golang/github.com/bmatcuk/doublestar@v8.8.8",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
@@ -95,7 +100,7 @@ func TestParseGoMod(t *testing.T) {
 					Name:      "github.com/go-test/deep",
 					Version:   "v1.0.6",
 					PURL:      "pkg:golang/github.com/go-test/deep@v1.0.6",
-					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
@@ -179,3 +184,156 @@ func Test_corruptGoMod(t *testing.T) {
 		WithError().
 		TestCataloger(t, c)
 }
+
+func Test_parseGoSource_packageResolution(t *testing.T) {
+	tests := []struct {
+		name             string
+		fixturePath      string
+		config           CatalogerConfig
+		expectedPkgs     []string
+		expectedRels     []string
+		expectedLicenses map[string][]string
+	}{
+		{
+			name:        "go-source with direct, transitive, and deps of transitive",
+			fixturePath: filepath.Join("test-fixtures", "go-source"),
+			expectedPkgs: []string{
+				"anchore.io/not/real @  (go.mod)",
+				"github.com/davecgh/go-spew @ v1.1.1 (go.mod)",
+				"github.com/go-viper/mapstructure/v2 @ v2.2.1 (go.mod)",
+				"github.com/google/uuid @ v1.6.0 (go.mod)",
+				"github.com/pmezard/go-difflib @ v1.0.0 (go.mod)",
+				"github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
+				"github.com/sirupsen/logrus @ v1.9.3 (go.mod)",
+				"github.com/sourcegraph/conc @ v0.3.0 (go.mod)",
+				"github.com/spf13/afero @ v1.12.0 (go.mod)",
+				"github.com/spf13/cast @ v1.7.1 (go.mod)",
+				"github.com/spf13/pflag @ v1.0.6 (go.mod)",
+				"github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod)",
+				"github.com/subosito/gotenv @ v1.6.0 (go.mod)",
+				"go.uber.org/multierr @ v1.10.0 (go.mod)",
+				"go.uber.org/zap @ v1.27.0 (go.mod)",
+				"golang.org/x/sys @ v0.33.0 (go.mod)",
+				"golang.org/x/text @ v0.21.0 (go.mod)",
+				"gopkg.in/yaml.v3 @ v3.0.1 (go.mod)",
+				"github.com/fsnotify/fsnotify @ v1.8.0 (go.mod)",
+				"github.com/pelletier/go-toml/v2 @ v2.2.3 (go.mod)",
+				"github.com/frankban/quicktest @ v1.14.6 (go.mod)",
+				"github.com/google/go-cmp @ v0.6.0 (go.mod)",
+				"github.com/kr/pretty @ v0.3.1 (go.mod)",
+				"github.com/kr/text @ v0.2.0 (go.mod)",
+				"github.com/rogpeppe/go-internal @ v1.9.0 (go.mod)",
+				"go.uber.org/goleak @ v1.3.0 (go.mod)",
+				"gopkg.in/check.v1 @ v1.0.0-20190902080502-41f04d3bba15 (go.mod)",
+			},
+			expectedRels: []string{
+				"github.com/davecgh/go-spew @ v1.1.1 (go.mod) [dependency-of] github.com/stretchr/testify @ v1.10.0 (go.mod)",
+				"github.com/frankban/quicktest @ v1.14.6 (go.mod) [dependency-of] github.com/spf13/cast @ v1.7.1 (go.mod)",
+				"github.com/fsnotify/fsnotify @ v1.8.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/go-viper/mapstructure/v2 @ v2.2.1 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/google/go-cmp @ v0.6.0 (go.mod) [dependency-of] github.com/frankban/quicktest @ v1.14.6 (go.mod)",
+				"github.com/google/uuid @ v1.6.0 (go.mod) [dependency-of] anchore.io/not/real @  (go.mod)",
+				"github.com/kr/pretty @ v0.3.1 (go.mod) [dependency-of] github.com/frankban/quicktest @ v1.14.6 (go.mod)",
+				"github.com/kr/pretty @ v0.3.1 (go.mod) [dependency-of] gopkg.in/check.v1 @ v1.0.0-20190902080502-41f04d3bba15 (go.mod)",
+				"github.com/kr/text @ v0.2.0 (go.mod) [dependency-of] github.com/kr/pretty @ v0.3.1 (go.mod)",
+				"github.com/pelletier/go-toml/v2 @ v2.2.3 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/pmezard/go-difflib @ v1.0.0 (go.mod) [dependency-of] github.com/stretchr/testify @ v1.10.0 (go.mod)",
+				"github.com/rogpeppe/go-internal @ v1.9.0 (go.mod) [dependency-of] github.com/kr/pretty @ v0.3.1 (go.mod)",
+				"github.com/sagikazarmark/locafero @ v0.7.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/sirupsen/logrus @ v1.9.3 (go.mod) [dependency-of] anchore.io/not/real @  (go.mod)",
+				"github.com/sourcegraph/conc @ v0.3.0 (go.mod) [dependency-of] github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
+				"github.com/spf13/afero @ v1.12.0 (go.mod) [dependency-of] github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
+				"github.com/spf13/afero @ v1.12.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/spf13/cast @ v1.7.1 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/spf13/pflag @ v1.0.6 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/spf13/viper @ v1.20.1 (go.mod) [dependency-of] anchore.io/not/real @  (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] anchore.io/not/real @  (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/pelletier/go-toml/v2 @ v2.2.3 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/sirupsen/logrus @ v1.9.3 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/sourcegraph/conc @ v0.3.0 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/subosito/gotenv @ v1.6.0 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] go.uber.org/multierr @ v1.10.0 (go.mod)",
+				"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
+				"github.com/subosito/gotenv @ v1.6.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"go.uber.org/goleak @ v1.3.0 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
+				"go.uber.org/multierr @ v1.10.0 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
+				"go.uber.org/zap @ v1.27.0 (go.mod) [dependency-of] anchore.io/not/real @  (go.mod)",
+				"golang.org/x/sys @ v0.33.0 (go.mod) [dependency-of] github.com/fsnotify/fsnotify @ v1.8.0 (go.mod)",
+				"golang.org/x/sys @ v0.33.0 (go.mod) [dependency-of] github.com/sirupsen/logrus @ v1.9.3 (go.mod)",
+				"golang.org/x/text @ v0.21.0 (go.mod) [dependency-of] github.com/spf13/afero @ v1.12.0 (go.mod)",
+				"golang.org/x/text @ v0.21.0 (go.mod) [dependency-of] github.com/subosito/gotenv @ v1.6.0 (go.mod)",
+				"gopkg.in/check.v1 @ v1.0.0-20190902080502-41f04d3bba15 (go.mod) [dependency-of] gopkg.in/yaml.v3 @ v3.0.1 (go.mod)",
+				"gopkg.in/yaml.v3 @ v3.0.1 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
+				"gopkg.in/yaml.v3 @ v3.0.1 (go.mod) [dependency-of] github.com/stretchr/testify @ v1.10.0 (go.mod)",
+				"gopkg.in/yaml.v3 @ v3.0.1 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
+			},
+			expectedLicenses: map[string][]string{
+				"github.com/fsnotify/fsnotify":        {"BSD-3-Clause"},
+				"github.com/go-viper/mapstructure/v2": {"MIT"},
+				"github.com/google/uuid":              {"BSD-3-Clause"},
+				"github.com/pelletier/go-toml/v2":     {"MIT"},
+				"github.com/sagikazarmark/locafero":   {"MIT"},
+				"github.com/sirupsen/logrus":          {"MIT"},
+				"github.com/sourcegraph/conc":         {"MIT"},
+				"github.com/spf13/afero":              {"Apache-2.0"},
+				"github.com/spf13/cast":               {"MIT"},
+				"github.com/spf13/pflag":              {"BSD-3-Clause"},
+				"github.com/spf13/viper":              {"MIT"},
+				"github.com/subosito/gotenv":          {"MIT"},
+				"go.uber.org/multierr":                {"MIT"},
+				"go.uber.org/zap":                     {"MIT"},
+				"golang.org/x/sys":                    {"BSD-3-Clause"},
+				"golang.org/x/text":                   {"BSD-3-Clause"},
+				"gopkg.in/yaml.v3":                    {"Apache-2.0", "MIT"},
+				"github.com/davecgh/go-spew":          {"ISC"},
+				"github.com/pmezard/go-difflib":       {"BSD-3-Clause"},
+				"github.com/stretchr/testify":         {"MIT"},
+				"github.com/frankban/quicktest":       {"MIT"},
+				"github.com/google/go-cmp":            {"BSD-3-Clause"},
+				"github.com/kr/text":                  {"MIT"},
+				"github.com/kr/pretty":                {"MIT"},
+				"github.com/rogpeppe/go-internal":     {"BSD-3-Clause"},
+				"go.uber.org/goleak":                  {"MIT"},
+				"gopkg.in/check.v1":                   {"BSD-2-Clause"},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pkgtest.NewCatalogTester().
+				FromDirectory(t, tt.fixturePath).
+				ExpectsPackageStrings(tt.expectedPkgs).
+				ExpectsRelationshipStrings(tt.expectedRels).
+				ExpectsAssertion(func(t *testing.T, pkgs []pkg.Package, relationships []artifact.Relationship) {
+					for _, p := range pkgs {
+						if metadata, ok := p.Metadata.(pkg.GolangSourceEntry); ok {
+							// Validate that GolangSourceEntry metadata is present but don't assert on specific field values
+							// since these might vary across development machines
+							require.IsType(t, pkg.GolangSourceEntry{}, metadata, "expected GolangSourceEntry metadata for package %s", p.Name)
+							// Verify that the metadata struct is populated (non-zero values indicate go source method was used)
+							require.NotEmpty(t, metadata, "GolangSourceEntry metadata should not be empty for package %s", p.Name)
+						}
+					}
+				}).
+				ExpectsAssertion(func(t *testing.T, pkgs []pkg.Package, relationships []artifact.Relationship) {
+					actualLicenses := make(map[string][]string)
+					for _, p := range pkgs {
+						for _, l := range p.Licenses.ToSlice() {
+							if actualLicenses[p.Name] == nil {
+								actualLicenses[p.Name] = make([]string, 0)
+							}
+							actualLicenses[p.Name] = append(actualLicenses[p.Name], l.Value)
+						}
+					}
+					if diff := cmp.Diff(tt.expectedLicenses, actualLicenses); diff != "" {
+						t.Errorf("mismatch in licenses (-want +got):\n%s", diff)
+					}
+				}).
+				TestCataloger(t, NewGoModuleFileCataloger(CatalogerConfig{}))
+		})
+	}
+}

syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/one-package/go.sum

@@ -0,0 +1 @@
+github.com/bmatcuk/doublestar v1.3.1/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=

syft/pkg/cataloger/golang/test-fixtures/go-source/cmd/bin1/main.go

@@ -0,0 +1,11 @@
+package main
+
+import (
+	"anchore.io/not/real/pk1"
+	"anchore.io/not/real/pk2"
+)
+
+func main() {
+	pk1.Test()
+	pk2.Test()
+}

syft/pkg/cataloger/golang/test-fixtures/go-source/cmd/bin2/main.go

@@ -0,0 +1,11 @@
+package main
+
+import (
+	"anchore.io/not/real/pk1"
+	"anchore.io/not/real/pk3"
+)
+
+func main() {
+	pk1.Test()
+	pk3.Zap()
+}

syft/pkg/cataloger/golang/test-fixtures/go-source/go.mod

@@ -0,0 +1,29 @@
+module anchore.io/not/real
+
+go 1.24.3
+
+require (
+	github.com/google/uuid v1.6.0
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/viper v1.20.1
+	github.com/stretchr/testify v1.10.0
+	go.uber.org/zap v1.27.0
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

syft/pkg/cataloger/golang/test-fixtures/go-source/go.sum

@@ -0,0 +1,60 @@
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
+github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
+github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
+github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
+github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
+github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
+github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

syft/pkg/cataloger/golang/test-fixtures/go-source/pk1/pk1.go

@@ -0,0 +1,17 @@
+package pk1
+
+import (
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+)
+
+func Test() {
+	return
+}
+
+func NewID() string {
+	log.WithFields(log.Fields{
+		"animal": "walrus",
+	}).Info("A walrus appears")
+	return uuid.New().String()
+}

syft/pkg/cataloger/golang/test-fixtures/go-source/pk1/pk1_test.go

@@ -0,0 +1,12 @@
+package pk1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewID(t *testing.T) {
+	id := NewID()
+	assert.NotEmpty(t, id)
+}

syft/pkg/cataloger/golang/test-fixtures/go-source/pk2/pk2.go

@@ -0,0 +1,5 @@
+package pk2
+
+func Test() {
+	return
+}

syft/pkg/cataloger/golang/test-fixtures/go-source/pk3/pk3.go

@@ -0,0 +1,20 @@
+package pk3
+
+import (
+	"time"
+
+	"github.com/spf13/viper"
+	"go.uber.org/zap"
+)
+
+func Zap() {
+	sugar := zap.NewExample().Sugar()
+	defer sugar.Sync()
+	sugar.Infow("failed to fetch URL",
+		"url", "http://example.com",
+		"attempt", 3,
+		"backoff", time.Second,
+	)
+	sugar.Infof("failed to fetch URL: %s", "http://example.com")
+	viper.SetDefault("ContentDir", "content")
+}

syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"sort"
 	"strings"
 	"sync"
@@ -16,6 +17,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	stereofile "github.com/anchore/stereoscope/pkg/file"
 	"github.com/anchore/stereoscope/pkg/imagetest"
 	"github.com/anchore/syft/internal/cmptest"
 	"github.com/anchore/syft/internal/licenses"
@@ -130,11 +132,14 @@ func (p *CatalogTester) FromFile(t *testing.T, path string) *CatalogTester {
 		return p
 	}
 
+	absPath, err := filepath.Abs(path)
+	require.NoError(t, err)
+
 	fixture, err := os.Open(path)
 	require.NoError(t, err)
 
 	p.reader = file.LocationReadCloser{
-		Location:   file.NewLocation(fixture.Name()),
+		Location:   file.NewVirtualLocationFromDirectory(fixture.Name(), fixture.Name(), *stereofile.NewFileReference(stereofile.Path(absPath))),
 		ReadCloser: fixture,
 	}
 	return p

syft/pkg/golang.go

@@ -15,3 +15,12 @@ type GolangBinaryBuildinfoEntry struct {
 type GolangModuleEntry struct {
 	H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
 }
+
+// GolangSourceEntry represents all captured data for a Golang package found through source analysis
+type GolangSourceEntry struct {
+	H1Digest        string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
+	OperatingSystem string `json:"os,omitempty" cyclonedx:"os"`
+	Architecture    string `json:"architecture,omitempty" cyclonedx:"architecture"`
+	BuildTags       string `json:"buildTags,omitempty" cyclonedx:"buildTags"`
+	CgoEnabled      bool   `json:"cgoEnabled" cyclonedx:"cgoEnabled"`
+}