fix:Make the parse of the replace part in ``go.mod`` more compliant and traceable (#3812)

* We only need to replace the name of a GoLang package when the name is a web link Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * make the detection of a localfile path pattern more easy Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * consider the m.New.Version so the granularity is narrowed Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * to pass the static-analysis Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * to pass the static-analysis Signed-off-by: Yuntao Hu <victorhu493@gmail.com> * add test Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Yuntao Hu <victorhu493@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-17 16:33:21 +01:00 · 2025-04-22 01:58:54 +08:00 · 2025-04-22 01:58:54 +08:00 · ea7e9e696b
commit ea7e9e696b
parent 1f15361ecf
3 changed files with 34 additions and 6 deletions
--- a/syft/pkg/cataloger/golang/parse_go_mod.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod.go
@ -77,18 +77,25 @@ func (c *goModCataloger) parseGoModFile(ctx context.Context, resolver file.Resol

 		// the old path and new path may be the same, in which case this is a noop,
 		// but if they're different we need to remove the old package.
+		// note that we may change the path but we should always reference the new version (since the old version
+		// cannot be trusted as a correct value).
+		var finalPath string
+		if !strings.HasPrefix(m.New.Path, ".") && !strings.HasPrefix(m.New.Path, "/") {
+			finalPath = m.New.Path
 			delete(packages, m.Old.Path)
-
-		packages[m.New.Path] = pkg.Package{
-			Name:      m.New.Path,
+		} else {
+			finalPath = m.Old.Path
+		}
+		packages[finalPath] = pkg.Package{
+			Name:      finalPath,
 			Version:   m.New.Version,
 			Licenses:  pkg.NewLicenseSet(lics...),
 			Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
-			PURL:      packageURL(m.New.Path, m.New.Version),
+			PURL:      packageURL(finalPath, m.New.Version),
 			Language:  pkg.Go,
 			Type:      pkg.GoModulePkg,
 			Metadata: pkg.GolangModuleEntry{
-				H1Digest: digests[fmt.Sprintf("%s %s", m.New.Path, m.New.Version)],
+				H1Digest: digests[fmt.Sprintf("%s %s", finalPath, m.New.Version)],
 			},
 		}
 	}
--- a/syft/pkg/cataloger/golang/parse_go_mod_test.go
+++ b/syft/pkg/cataloger/golang/parse_go_mod_test.go
@ -28,6 +28,20 @@ func TestParseGoMod(t *testing.T) {
 				},
 			},
 		},
+		{
+			fixture: "test-fixtures/relative-replace",
+			expected: []pkg.Package{
+				{
+					Name:      "github.com/aws/aws-sdk-go-v2",
+					Version:   "",
+					PURL:      "pkg:golang/github.com/aws/aws-sdk-go-v2",
+					Locations: file.NewLocationSet(file.NewLocation("test-fixtures/relative-replace")),
+					Language:  pkg.Go,
+					Type:      pkg.GoModulePkg,
+					Metadata:  pkg.GolangModuleEntry{},
+				},
+			},
+		},
 		{

 			fixture: "test-fixtures/many-packages",
--- a/syft/pkg/cataloger/golang/test-fixtures/relative-replace
+++ b/syft/pkg/cataloger/golang/test-fixtures/relative-replace
@ -0,0 +1,7 @@
+module github.com/aws/aws-sdk-go-v2/feature/ec2/imds
+
+go 1.22
+
+require github.com/aws/aws-sdk-go-v2 v1.36.3
+
+replace github.com/aws/aws-sdk-go-v2 => ../../../