fix:Make the parse of the replace part in ``go.mod`` more compliant and traceable (#3812)

* We only need to replace the name of a GoLang package when the name is a web link Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * make the detection of a localfile path pattern more easy Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * consider the m.New.Version so the granularity is narrowed Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * to pass the static-analysis Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * to pass the static-analysis Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * add test Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Yuntao Hu <victorhu493@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-18 00:43:20 +01:00 · 2025-04-22 01:58:54 +08:00 · 2025-04-22 01:58:54 +08:00 · ea7e9e696b
commit ea7e9e696b
parent 1f15361ecf
3 changed files with 34 additions and 6 deletions
--- a/syft/pkg/cataloger/golang/parse_go_mod.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod.go
@ -77,18 +77,25 @@ func (c *goModCataloger) parseGoModFile(ctx context.Context, resolver file.Resol
 		// the old path and new path may be the same, in which case this is a noop,
 		// but if they're different we need to remove the old package.
 		// note that we may change the path but we should always reference the new version (since the old version
 		// cannot be trusted as a correct value).
 		var finalPath string
 		if !strings.HasPrefix(m.New.Path, ".") && !strings.HasPrefix(m.New.Path, "/") {
 			finalPath = m.New.Path
 			delete(packages, m.Old.Path)
-
+		} else {
-		packages[m.New.Path] = pkg.Package{
+			finalPath = m.Old.Path
-			Name:      m.New.Path,
+		}
 		packages[finalPath] = pkg.Package{
 			Name:      finalPath,
 			Version:   m.New.Version,
 			Licenses:  pkg.NewLicenseSet(lics...),
 			Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
-			PURL:      packageURL(m.New.Path, m.New.Version),
+			PURL:      packageURL(finalPath, m.New.Version),
 			Language:  pkg.Go,
 			Type:      pkg.GoModulePkg,
 			Metadata: pkg.GolangModuleEntry{
-				H1Digest: digests[fmt.Sprintf("%s %s", m.New.Path, m.New.Version)],
+				H1Digest: digests[fmt.Sprintf("%s %s", finalPath, m.New.Version)],
 			},
 		}
 	}
--- a/syft/pkg/cataloger/golang/parse_go_mod_test.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod_test.go
@ -28,6 +28,20 @@ func TestParseGoMod(t *testing.T) {
 				},
 			},
 		},
 		{
 			fixture: "test-fixtures/relative-replace",
 			expected: []pkg.Package{
 				{
 					Name:      "github.com/aws/aws-sdk-go-v2",
 					Version:   "",
 					PURL:      "pkg:golang/github.com/aws/aws-sdk-go-v2",
 					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/relative-replace")),
 					Language:  pkg.Go,
 					Type:      pkg.GoModulePkg,
 					Metadata:  pkg.GolangModuleEntry{},
 				},
 			},
 		},
 		{
 			fixture: "test-fixtures/many-packages",
--- a/syft/pkg/cataloger/golang/test-fixtures/relative-replace
+++ b/syft/pkg/cataloger/golang/test-fixtures/relative-replace
@ -0,0 +1,7 @@
 module github.com/aws/aws-sdk-go-v2/feature/ec2/imds
 go 1.22
 require github.com/aws/aws-sdk-go-v2 v1.36.3
 replace github.com/aws/aws-sdk-go-v2 => ../../../