From 2356787053ba298a3a3c386c223a3e1f9960b641 Mon Sep 17 00:00:00 2001 From: Russell Haering Date: Wed, 22 May 2024 11:26:40 -0700 Subject: [PATCH] Go Mod Cataloger: Remove Replaced Packages (#2891) When the goModCataloger processes a Replace directive it currently adds the new package to the resulting package list, but does not remove the old one unless the path is unchanged. Based on an existing comment in the code, removing the old one seems to be the intended behavior, and results in a more expected end-result, so this does so. Signed-off-by: Russell Haering --- syft/pkg/cataloger/golang/parse_go_mod.go | 4 ++++ syft/pkg/cataloger/golang/parse_go_mod_test.go | 9 +++++++++ syft/pkg/cataloger/golang/test-fixtures/many-packages | 3 +++ 3 files changed, 16 insertions(+)
diff --git a/syft/pkg/cataloger/golang/parse_go_mod.go b/syft/pkg/cataloger/golang/parse_go_mod.go
index e29b9f65c..1c06e8739 100644
--- a/syft/pkg/cataloger/golang/parse_go_mod.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod.go
@@ -70,6 +70,10 @@ func (c *goModCataloger) parseGoModFile(_ context.Context, resolver file.Resolve
 log.Tracef("error getting licenses for package: %s %v", m.New.Path, err)
 }
 
+ // the old path and new path may be the same, in which case this is a noop,
+ // but if they're different we need to remove the old package.
+ delete(packages, m.Old.Path)
+
 packages[m.New.Path] = pkg.Package{
 Name: m.New.Path,
 Version: m.New.Version,
diff --git a/syft/pkg/cataloger/golang/parse_go_mod_test.go b/syft/pkg/cataloger/golang/parse_go_mod_test.go
index c656b0c51..59a7164f1 100644
--- a/syft/pkg/cataloger/golang/parse_go_mod_test.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod_test.go
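Review bot: `delete(packages, m.Old.Path)` removes the required module whenever a replace names its path, but a Go `replace` with a version on its left side (like the fixture's `replace github.com/mholt/archiver/v3 v3.5.1 => …`) only applies to that exact version, so if `m.Old` carries that qualifier and the required version differs, the cataloger will drop the module that is actually built and report the replacement instead — an SBOM gap that directly affects vulnerability matching. Guarding the delete on the version, e.g. `if old, ok := packages[m.Old.Path]; ok && (m.Old.Version == "" || old.Version == m.Old.Version) { delete(packages, m.Old.Path) }`, keeps the behaviour for unversioned replaces; the unconditional `packages[m.New.Path] = …` assignment on the following line presumably deserves the same guard, though that part is pre-existing. The many-packages fixture hunks only cover the matching-version case (v3.5.1 both required and replaced), so the new test would not catch this. `parseGoModFile` begins and ends outside the hunk.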
@@ -31,6 +31,15 @@ func TestParseGoMod(t *testing.T) {
 fixture: "test-fixtures/many-packages",
 expected: []pkg.Package{
+ {
+ Name: "github.com/anchore/archiver/v3",
+ Version: "v3.5.2",
+ PURL: "pkg:golang/github.com/anchore/archiver@v3.5.2#v3",
+ Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
+ Language: pkg.Go,
+ Type: pkg.GoModulePkg,
+ Metadata: pkg.GolangModuleEntry{},
+ },
 {
 Name: "github.com/anchore/go-testutils",
 Version: "v0.0.0-20200624184116-66aa578126db",
diff --git a/syft/pkg/cataloger/golang/test-fixtures/many-packages b/syft/pkg/cataloger/golang/test-fixtures/many-packages
index f748cb574..664445abb 100644
--- a/syft/pkg/cataloger/golang/test-fixtures/many-packages
+++ b/syft/pkg/cataloger/golang/test-fixtures/many-packages
@@ -11,6 +11,7 @@ require (
 github.com/anchore/go-testutils v0.0.0-20200624184116-66aa578126db // github.com/bogus/package v10.10.10
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 github.com/anchore/stereoscope v0.0.0-20200706164556-7cf39d7f4639
+ github.com/mholt/archiver/v3 v3.5.1
 //github.com/ignore/this v9.9.9 // indirect
 github.com/bmatcuk/doublestar v1.3.1 // indirect
 github.com/go-test/deep v1.0.6 // a comment
@@ -18,4 +19,6 @@ require (
 
 replace github.com/bmatcuk/doublestar => github.com/bmatcuk/doublestar v8.8.8
 
+replace github.com/mholt/archiver/v3 v3.5.1 => github.com/anchore/archiver/v3 v3.5.2
+
 exclude github.com/adrg/xdg v0.2.1