From ea7e9e696beb1e2683aca5e26badaf4943e1f858 Mon Sep 17 00:00:00 2001
From: VictorHuu <2151409@tongji.edu.cn>
Date: Tue, 22 Apr 2025 01:58:54 +0800
Subject: [PATCH] fix:Make the parse of the replace part in ```go.mod``` more compliant and traceable (#3812)
* We only need to replace the name of a GoLang package when the name is a web link
Signed-off-by: Yuntao Hu
* make the detection of a localfile path pattern more easy
Signed-off-by: Yuntao Hu
* consider the m.New.Version so the granularity is narrowed
Signed-off-by: Yuntao Hu
* to pass the static-analysis
Signed-off-by: Yuntao Hu
* to pass the static-analysis
Signed-off-by: Yuntao Hu
* add test
Signed-off-by: Alex Goodman
---------
Signed-off-by: Yuntao Hu
Signed-off-by: Alex Goodman
Co-authored-by: Alex Goodman
---
 syft/pkg/cataloger/golang/parse_go_mod.go | 19 +++++++++++++------
 .../pkg/cataloger/golang/parse_go_mod_test.go | 14 ++++++++++++++
 .../golang/test-fixtures/relative-replace | 7 +++++++
 3 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100644 syft/pkg/cataloger/golang/test-fixtures/relative-replace
diff --git a/syft/pkg/cataloger/golang/parse_go_mod.go b/syft/pkg/cataloger/golang/parse_go_mod.go
index d44679a69..b145bce74 100644
--- a/syft/pkg/cataloger/golang/parse_go_mod.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod.go
@@ -77,18 +77,25 @@ func (c *goModCataloger) parseGoModFile(ctx context.Context, resolver file.Resol
 
 // the old path and new path may be the same, in which case this is a noop,
 // but if they're different we need to remove the old package.
- delete(packages, m.Old.Path)
-
- packages[m.New.Path] = pkg.Package{
- Name: m.New.Path,
+ // note that we may change the path but we should always reference the new version (since the old version
+ // cannot be trusted as a correct value).
+ var finalPath string
+ if !strings.HasPrefix(m.New.Path, ".") && !strings.HasPrefix(m.New.Path, "/") {
+ finalPath = m.New.Path
+ delete(packages, m.Old.Path)
+ } else {
+ finalPath = m.Old.Path
+ }
+ packages[finalPath] = pkg.Package{
+ Name: finalPath,
 Version: m.New.Version,
 Licenses: pkg.NewLicenseSet(lics...),
 Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
- PURL: packageURL(m.New.Path, m.New.Version),
+ PURL: packageURL(finalPath, m.New.Version),
 Language: pkg.Go,
 Type: pkg.GoModulePkg,
 Metadata: pkg.GolangModuleEntry{
- H1Digest: digests[fmt.Sprintf("%s %s", m.New.Path, m.New.Version)],
+ H1Digest: digests[fmt.Sprintf("%s %s", finalPath, m.New.Version)],
 },
 }
 }
diff --git a/syft/pkg/cataloger/golang/parse_go_mod_test.go b/syft/pkg/cataloger/golang/parse_go_mod_test.go
index 20538e4c7..9158773b0 100644
--- a/syft/pkg/cataloger/golang/parse_go_mod_test.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod_test.go
@@ -28,6 +28,20 @@ func TestParseGoMod(t *testing.T) {
 },
 },
 },
+ {
+ fixture: "test-fixtures/relative-replace",
+ expected: []pkg.Package{
+ {
+ Name: "github.com/aws/aws-sdk-go-v2",
+ Version: "",
+ PURL: "pkg:golang/github.com/aws/aws-sdk-go-v2",
+ Locations: file.NewLocationSet(file.NewLocation("test-fixtures/relative-replace")),
+ Language: pkg.Go,
+ Type: pkg.GoModulePkg,
+ Metadata: pkg.GolangModuleEntry{},
+ },
+ },
+ },
 {
 fixture: "test-fixtures/many-packages",
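Review bot: The directory-replacement test in the new `if` — `!strings.HasPrefix(m.New.Path, ".") && !strings.HasPrefix(m.New.Path, "/")` — under-approximates what the go command treats as a filesystem path: a rooted Windows path (drive-letter or UNC form) starts with neither `.` nor `/`, so it would take the module-path branch, delete `m.Old.Path` and catalog the local directory string as a package name. If the file already imports golang.org/x/mod/modfile (which presumably produces `f.Replace` given the `m.Old`/`m.New` shape), `if !modfile.IsDirectoryPath(m.New.Path) {` expresses exactly the rule the go command applies and covers those cases. The else branch also deserves a comment saying why the require'd version is dropped, since `Version`, `PURL` and the `H1Digest` lookup all use `m.New.Version`, which is empty for a directory replacement: e.g. `// directory replacement: keep the required module path, but the version is unknown (the local tree is what gets built), so the PURL and go.sum digest lookup stay unversioned`. The enclosing parseGoModFile starts and ends outside this hunk.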
diff --git a/syft/pkg/cataloger/golang/test-fixtures/relative-replace b/syft/pkg/cataloger/golang/test-fixtures/relative-replace
new file mode 100644
index 000000000..6680ca68a
--- /dev/null
+++ b/syft/pkg/cataloger/golang/test-fixtures/relative-replace
@@ -0,0 +1,7 @@
+module github.com/aws/aws-sdk-go-v2/feature/ec2/imds
+
+go 1.22
+
+require github.com/aws/aws-sdk-go-v2 v1.36.3
+
+replace github.com/aws/aws-sdk-go-v2 => ../../../