From 44a6e00f7aa1030ca619ce59c182d4b454b0bb2f Mon Sep 17 00:00:00 2001
From: Frankie G-J <frankieg@vmware.com>
Date: Fri, 11 Mar 2022 12:57:33 -0500
Subject: [PATCH] Include vendored modules in Go Module package list (#883)

* include vendored modules in package slice

Signed-off-by: Frankie Gallina-Jones <frankieg@vmware.com>

* add explanatory comments

Signed-off-by: Frankie Gallina-Jones <frankieg@vmware.com>
---
 syft/pkg/cataloger/golang/parse_go_bin.go     | 22 +++++++---
 .../pkg/cataloger/golang/parse_go_bin_test.go | 44 ++++++++++++++++++-
 2 files changed, 57 insertions(+), 9 deletions(-)

diff --git a/syft/pkg/cataloger/golang/parse_go_bin.go b/syft/pkg/cataloger/golang/parse_go_bin.go
index bcb33abda..bf18c3ba4 100644
--- a/syft/pkg/cataloger/golang/parse_go_bin.go
+++ b/syft/pkg/cataloger/golang/parse_go_bin.go
@@ -70,18 +70,26 @@ func buildGoPkgInfo(location source.Location, mod, goVersion, arch string) []pkg
 	for scanner.Scan() {
 		fields := strings.Fields(scanner.Text())
 
-		// must have dep, name, version, sha
-		if len(fields) < 4 {
+		// must have dep, name, version
+		if len(fields) < 3 {
 			continue
 		}
 
-		if fields[0] == packageIdentifier || fields[0] == replaceIdentifier {
-			name := fields[1]
-			version := fields[2]
-			h1Digest := fields[3]
+		name := fields[1]
+		version := fields[2]
+		h1Digest := ""
+		// if dep is *not* vendored, it'll also have h1digest
+		if len(fields) >= 4 {
+			h1Digest = fields[3]
+		}
+
+		if fields[0] == packageIdentifier {
 			pkgsSlice = append(pkgsSlice, newGoBinaryPackage(name, version, h1Digest, goVersion, arch, location))
 		}
+		if fields[0] == replaceIdentifier {
+			// replace the previous entry in the package slice
+			pkgsSlice[len(pkgsSlice)-1] = newGoBinaryPackage(name, version, h1Digest, goVersion, arch, location)
+		}
 	}
-
 	return pkgsSlice
 }
diff --git a/syft/pkg/cataloger/golang/parse_go_bin_test.go b/syft/pkg/cataloger/golang/parse_go_bin_test.go
index 7bd53b35c..c74b869b1 100644
--- a/syft/pkg/cataloger/golang/parse_go_bin_test.go
+++ b/syft/pkg/cataloger/golang/parse_go_bin_test.go
@@ -28,7 +28,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 			name: "buildGoPkgInfo parses a populated mod string and returns packages but no source info",
 			mod: `path    github.com/anchore/syft mod     github.com/anchore/syft (devel)
 				  dep     github.com/adrg/xdg     v0.2.1  h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=
-				  dep     github.com/anchore/client-go    v0.0.0-20210222170800-9c70f9b80bcf      h1:DYssiUV1pBmKqzKsm4mqXx8artqC0Q8HgZsVI3lMsAg=`,
+				  dep     github.com/anchore/client-go    v0.0.0-20210222170800-9c70f9b80bcf      h1:DYssiUV1pBmKqzKsm4mqXx8artqC0Q8HgZsVI3lMsAg=
+				  dep     github.com/anchore/client-go    v1.2.3`,
 			expected: []pkg.Package{
 				{
 					Name:     "github.com/adrg/xdg",
@@ -70,6 +71,25 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						H1Digest:          "h1:DYssiUV1pBmKqzKsm4mqXx8artqC0Q8HgZsVI3lMsAg=",
 					},
 				},
+				{
+					Name:     "github.com/anchore/client-go",
+					Version:  "v1.2.3",
+					Language: pkg.Go,
+					Type:     pkg.GoModulePkg,
+					Locations: []source.Location{
+						{
+							Coordinates: source.Coordinates{
+								RealPath:     "/a-path",
+								FileSystemID: "layer-id",
+							},
+						},
+					},
+					MetadataType: pkg.GolangBinMetadataType,
+					Metadata: pkg.GolangBinMetadata{
+						GoCompiledVersion: goCompiledVersion,
+						Architecture:      archDetails,
+					},
+				},
 			},
 		},
 		{
@@ -79,7 +99,8 @@ func TestBuildGoPkgInfo(t *testing.T) {
 				  dep     golang.org/x/net        v0.0.0-20211006190231-62292e806868      h1:KlOXYy8wQWTUJYFgkUI40Lzr06ofg5IRXUK5C7qZt1k=
 				  dep     golang.org/x/sys        v0.0.0-20211006194710-c8a6f5223071      h1:PjhxBct4MZii8FFR8+oeS7QOvxKOTZXgk63EU2XpfJE=
 				  dep     golang.org/x/term       v0.0.0-20210927222741-03fcf44c2211
-				  =>      golang.org/x/term       v0.0.0-20210916214954-140adaaadfaf      h1:Ihq/mm/suC88gF8WFcVwk+OV6Tq+wyA1O0E5UEvDglI=`,
+				  =>      golang.org/x/term       v0.0.0-20210916214954-140adaaadfaf      h1:Ihq/mm/suC88gF8WFcVwk+OV6Tq+wyA1O0E5UEvDglI=
+				  dep     github.com/anchore/client-go    v1.2.3`,
 			expected: []pkg.Package{
 				{
 					Name:     "golang.org/x/net",
@@ -141,6 +162,25 @@ func TestBuildGoPkgInfo(t *testing.T) {
 						H1Digest:          "h1:Ihq/mm/suC88gF8WFcVwk+OV6Tq+wyA1O0E5UEvDglI=",
 					},
 				},
+				{
+					Name:     "github.com/anchore/client-go",
+					Version:  "v1.2.3",
+					Language: pkg.Go,
+					Type:     pkg.GoModulePkg,
+					Locations: []source.Location{
+						{
+							Coordinates: source.Coordinates{
+								RealPath:     "/a-path",
+								FileSystemID: "layer-id",
+							},
+						},
+					},
+					MetadataType: pkg.GolangBinMetadataType,
+					Metadata: pkg.GolangBinMetadata{
+						GoCompiledVersion: goCompiledVersion,
+						Architecture:      archDetails,
+					},
+				},
 			},
 		},
 	}