From 09ea608a3b21b42defae1401598c26dfbc698f9e Mon Sep 17 00:00:00 2001 
From: Teppei Fukuda Date: Tue, 11 Nov 2025 18:36:47 +0900 Subject: [PATCH] test(go): refactor mod_test.go to use txtar format (#9775) --- go.mod | 5 +- internal/testutil/txtar.go | 19 +++ pkg/fanal/analyzer/language/golang/mod/mod.go | 46 +++++-- .../analyzer/language/golang/mod/mod_test.go | 94 ++++++-------- .../language/golang/mod/testdata/gopath.txtar | 122 ++++++++++++++++++ .../mod/testdata/{happy/sum => happy.txtar} | 16 ++- .../language/golang/mod/testdata/happy/mod | 9 -- .../language/golang/mod/testdata/merge.txtar | 16 +++ .../language/golang/mod/testdata/merge/sum | 4 - .../testdata/{merge/mod => no-go-sum.txtar} | 6 +- .../{no-pkg-found/mod => no-pkg-found.txtar} | 6 +- .../!burnt!sushi/toml@v0.3.1/COPYING | 21 --- .../LICENSE | 21 --- .../go.mod | 31 ----- .../go.mod | 31 ----- .../aquasecurity/go-dep-parser@v0.0.1/go.mod | 7 - .../pkg/mod/github.com/sad/sad@v0.0.1/go.mod | 1 - .../language/golang/mod/testdata/sad.txtar | 5 + .../language/golang/mod/testdata/sad/mod | 1 - .../LICENSE => vendor-dir-exists.txtar} | 14 +- .../golang/mod/testdata/vendor-dir-exists/mod | 7 - .../mod/testdata/wrong-gomod-in-pkg.txtar | 9 ++ .../mod/testdata/wrong-gomod-in-pkg/mod | 5 - 23 files changed, 286 insertions(+), 210 deletions(-) create mode 100644 internal/testutil/txtar.go create mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/gopath.txtar rename pkg/fanal/analyzer/language/golang/mod/testdata/{happy/sum => happy.txtar} (80%) delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/happy/mod create mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/merge.txtar delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/merge/sum rename pkg/fanal/analyzer/language/golang/mod/testdata/{merge/mod => no-go-sum.txtar} (52%) rename pkg/fanal/analyzer/language/golang/mod/testdata/{no-pkg-found/mod => no-pkg-found.txtar} (56%) delete mode 100644 
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/toml@v0.3.1/COPYING delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/LICENSE delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.1/go.mod delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/sad/sad@v0.0.1/go.mod create mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/sad.txtar delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/sad/mod rename pkg/fanal/analyzer/language/golang/mod/testdata/{vendor-dir-exists/vendor/github.com/aquasecurity/go-dep-parser/LICENSE => vendor-dir-exists.txtar} (96%) delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/mod create mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg.txtar delete mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg/mod diff --git a/go.mod b/go.mod index d561107ba6..ee84743404 100644 --- a/go.mod +++ b/go.mod @@ -111,6 +111,7 @@ require ( github.com/twitchtv/twirp v8.1.3+incompatible github.com/xeipuuv/gojsonschema v1.2.0 github.com/xlab/treeprint v1.2.0 + github.com/zalando/go-keyring v0.2.6 github.com/zclconf/go-cty v1.17.0 github.com/zclconf/go-cty-yaml v1.1.0 go.etcd.io/bbolt v1.4.3 
@@ -120,6 +121,7 @@ require ( golang.org/x/sync v0.17.0 golang.org/x/term v0.35.0 golang.org/x/text v0.28.0 + golang.org/x/tools v0.35.1-0.20250728180453-01a3475a31bc golang.org/x/vuln v1.1.4 golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 google.golang.org/protobuf v1.36.10 @@ -130,8 +132,6 @@ require ( modernc.org/sqlite v1.39.0 ) -require github.com/zalando/go-keyring v0.2.6 - require ( al.essio.dev/pkg/shellescape v1.5.1 // indirect buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250718181942-e35f9b667443.1 // indirect @@ -471,7 +471,6 @@ require ( golang.org/x/sys v0.36.0 // indirect golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488 // indirect golang.org/x/time v0.13.0 // indirect - golang.org/x/tools v0.35.1-0.20250728180453-01a3475a31bc // indirect golang.org/x/tools/gopls v0.20.0 // indirect google.golang.org/api v0.248.0 // indirect google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect diff --git a/internal/testutil/txtar.go b/internal/testutil/txtar.go new file mode 100644 index 0000000000..f8ab3945f7 --- /dev/null +++ b/internal/testutil/txtar.go @@ -0,0 +1,19 @@ +package testutil + +import ( + "io/fs" + "testing" + + "github.com/stretchr/testify/require" + "golang.org/x/tools/txtar" +) + +// TxtarToFS reads a txtar file and returns it as an fs.FS. +func TxtarToFS(t *testing.T, path string) fs.FS { + t.Helper() + archive, err := txtar.ParseFile(path) + require.NoError(t, err) + fsys, err := txtar.FS(archive) + require.NoError(t, err) + return fsys +} diff --git a/pkg/fanal/analyzer/language/golang/mod/mod.go b/pkg/fanal/analyzer/language/golang/mod/mod.go index f82e998738..b035f8b452 100644 --- a/pkg/fanal/analyzer/language/golang/mod/mod.go +++ b/pkg/fanal/analyzer/language/golang/mod/mod.go @@ -9,6 +9,7 @@ import ( "io" "io/fs" "os" + "path" "path/filepath" "regexp" "slices" 
@@ -53,6 +54,10 @@ type gomodAnalyzer struct { licenseClassifierConfidenceLevel float64 + // gopathFS represents the $GOPATH directory as an fs.FS. + // It should contain the "pkg/mod" subdirectory structure. + gopathFS fs.FS + logger *log.Logger } @@ -62,6 +67,7 @@ func newGoModAnalyzer(opt analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, erro sumParser: sum.NewParser(), leafModParser: mod.NewParser(false, false), // Don't detect stdlib for non-root go.mod files licenseClassifierConfidenceLevel: opt.LicenseScannerOption.ClassifierConfidenceLevel, + gopathFS: os.DirFS(cmp.Or(os.Getenv("GOPATH"), build.Default.GOPATH)), logger: log.WithPrefix("golang"), }, nil } @@ -142,7 +148,7 @@ func (a *gomodAnalyzer) fillAdditionalData(ctx context.Context, fsys fs.FS, apps var modSearchDirs []searchDir // $GOPATH/pkg/mod - if gopath, err := newGOPATH(); err != nil { + if gopath, err := newGOPATH(a.gopathFS); err != nil { a.logger.Debug("GOPATH not found. Run 'go mod download' or 'go mod tidy' for identifying dependency graph and licenses", log.Err(err)) } else { modSearchDirs = append(modSearchDirs, gopath) 
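Review bot: In `newGoModAnalyzer`, the new `gopathFS: os.DirFS(cmp.Or(os.Getenv("GOPATH"), build.Default.GOPATH))` line roots the filesystem at the raw GOPATH string, so a GOPATH holding several list entries is treated as one nonexistent path and the module-cache lookup fails with only a debug log. The removed `newGOPATH` code read the same value, so this is carried over rather than introduced, but this refactor is a natural place to take the first element of `filepath.SplitList(...)` before calling `os.DirFS`. The `gopathFS` field comment could also state that `os.DirFS` follows symbolic links out of its root, so the field is a convenience view of the directory and not a containment boundary. The constructor's body begins outside the hunk.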
@@ -413,18 +419,26 @@ type searchDir interface { } type gopathDir struct { - root string + root fs.FS // $GOPATH/pkg/mod as fs.FS (can be os.DirFS or test fixture) } -func newGOPATH() (searchDir, error) { - gopath := cmp.Or(os.Getenv("GOPATH"), build.Default.GOPATH) - +func newGOPATH(gopathFS fs.FS) (searchDir, error) { // $GOPATH/pkg/mod - modPath := filepath.Join(gopath, "pkg", "mod") - if !fsutils.DirExists(modPath) { - return nil, xerrors.Errorf("GOPATH not found: %s", modPath) + // Use path.Join instead of filepath.Join because fs.FS always uses forward slashes, + // regardless of the operating system. + modFS, err := fs.Sub(gopathFS, path.Join("pkg", "mod")) + if err != nil { + return nil, xerrors.Errorf("failed to access $GOPATH/pkg/mod: %w", err) } - return &gopathDir{root: modPath}, nil + + // Check if the directory exists. + // fs.Sub doesn't return an error for non-existent directories, + // so we need to explicitly verify the directory exists. + if _, err := fs.Stat(modFS, "."); err != nil { + return nil, xerrors.Errorf("$GOPATH/pkg/mod does not exist: %w", err) + } + + return &gopathDir{root: modFS}, nil } // Resolve resolves the module directory for a given package. @@ -437,9 +451,7 @@ func (d *gopathDir) Resolve(pkg types.Package) (fs.FS, error) { // e.g. github.com/aquasecurity/go-dep-parser@v1.0.0 modDirName := fmt.Sprintf("%s@%s", name, pkg.Version) - // e.g. $GOPATH/pkg/mod/github.com/aquasecurity/go-dep-parser@v1.0.0 - modDir := filepath.Join(d.root, modDirName) - return os.DirFS(modDir), nil + return fs.Sub(d.root, modDirName) } type vendorDir struct { 
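Review bot: The existence check in `newGOPATH` accepts any file type, because `fs.Stat(modFS, ".")` also succeeds when `pkg/mod` is a regular file, whereas the removed `fsutils.DirExists` call presumably required a directory. Keep the stat result and reject non-directories, e.g. `if !info.IsDir() { return nil, xerrors.New("$GOPATH/pkg/mod is not a directory") }`. The same applies to the new `fs.Stat(sub, ".")` check in the `newVendorDir` hunk.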
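Review bot: `Resolve` now returns the `fs.Sub` error bare, and that is a new failure path, since the old `os.DirFS(modDir), nil` return never failed. `fs.Sub` rejects a directory name that is not a valid `fs.FS` path (for example one with `..` elements), which is useful here because `modDirName` is presumably derived from package names and versions found in the scanned project. I would wrap the error with `xerrors.Errorf` like the rest of the file and record the intent in a comment such as `// fs.Sub rejects non-local names, so lookups stay lexically inside $GOPATH/pkg/mod`. How callers treat a non-nil error from `Resolve` is not visible in this hunk, and the function body starts above it.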
@@ -451,8 +463,16 @@ func newVendorDir(fsys fs.FS, modPath string) (vendorDir, error) { vendor := filepath.Join(filepath.Dir(modPath), "vendor") sub, err := fs.Sub(fsys, vendor) if err != nil { - return vendorDir{}, xerrors.Errorf("vendor directory not found: %w", err) + return vendorDir{}, xerrors.Errorf("failed to access vendor directory: %w", err) } + + // Check if the directory exists. + // fs.Sub doesn't return an error for non-existent directories, + // so we need to explicitly verify the directory exists. + if _, err := fs.Stat(sub, "."); err != nil { + return vendorDir{}, xerrors.Errorf("vendor directory does not exist: %w", err) + } + return vendorDir{root: sub}, nil } diff --git a/pkg/fanal/analyzer/language/golang/mod/mod_test.go b/pkg/fanal/analyzer/language/golang/mod/mod_test.go index 4d4dcdccfe..7239642c47 100644 --- a/pkg/fanal/analyzer/language/golang/mod/mod_test.go +++ b/pkg/fanal/analyzer/language/golang/mod/mod_test.go @@ -1,30 +1,30 @@ package mod import ( - "path/filepath" "sort" "testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/aquasecurity/trivy/internal/testutil" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" "github.com/aquasecurity/trivy/pkg/fanal/types" - "github.com/aquasecurity/trivy/pkg/mapfs" ) +const gopathFixture = "testdata/gopath.txtar" + func Test_gomodAnalyzer_Analyze(t *testing.T) { tests := []struct { - name string - files []string - want *analyzer.AnalysisResult + name string + txtar string + gopath bool + want *analyzer.AnalysisResult }{ { - name: "happy", - files: []string{ - "testdata/happy/mod", - "testdata/happy/sum", - }, + name: "happy", + txtar: "testdata/happy.txtar", + gopath: true, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { 
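Review bot: `newVendorDir` still builds its `fs.Sub` argument with `filepath.Join(filepath.Dir(modPath), "vendor")` on the context line above the change, although this commit's own comment in `newGOPATH` notes that `fs.FS` paths always use forward slashes. On Windows a `go.mod` in a subdirectory would likely produce a backslash-separated name, and the new `fs.Stat(sub, ".")` check would then report the vendor directory as missing. Switching the line to `vendor := path.Join(path.Dir(modPath), "vendor")` keeps both helpers consistent; `path` is already imported by this commit.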
@@ -74,10 +74,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) { }, }, { - name: "wrong go.mod from `pkg`", - files: []string{ - "testdata/wrong-gomod-in-pkg/mod", - }, + name: "wrong go.mod from `pkg`", + txtar: "testdata/wrong-gomod-in-pkg.txtar", + gopath: true, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { @@ -116,10 +115,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) { }, }, { - name: "no pkg dir found", - files: []string{ - "testdata/no-pkg-found/mod", - }, + name: "no pkg dir found", + txtar: "testdata/no-pkg-found.txtar", + gopath: false, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { @@ -179,11 +177,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) { }, }, { - name: "less than 1.17", - files: []string{ - "testdata/merge/mod", - "testdata/merge/sum", - }, + name: "less than 1.17", + txtar: "testdata/merge.txtar", + gopath: true, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { @@ -235,10 +231,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) { }, }, { - name: "no go.sum", - files: []string{ - "testdata/merge/mod", - }, + name: "no go.sum", + txtar: "testdata/no-go-sum.txtar", + gopath: true, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { @@ -278,18 +273,15 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) { }, }, { - name: "sad go.mod", - files: []string{ - "testdata/sad/mod", - }, - want: &analyzer.AnalysisResult{}, + name: "sad go.mod", + txtar: "testdata/sad.txtar", + gopath: false, + want: &analyzer.AnalysisResult{}, }, { - name: "deps from GOPATH and license from vendor dir", - files: []string{ - "testdata/vendor-dir-exists/mod", - "testdata/vendor-dir-exists/vendor", - }, + name: "deps from GOPATH and license from vendor dir", + txtar: "testdata/vendor-dir-exists.txtar", + gopath: true, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { 
@@ -339,28 +331,27 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) { }, }, } + + // Load GOPATH fixture once as fs.FS (represents $GOPATH/pkg/mod) + gopathFS := testutil.TxtarToFS(t, gopathFixture) + for _, tt := range tests { - t.Setenv("GOPATH", "testdata") t.Run(tt.name, func(t *testing.T) { + // Load test case txtar as fs.FS + fsys := testutil.TxtarToFS(t, tt.txtar) + a, err := newGoModAnalyzer(analyzer.AnalyzerOptions{}) require.NoError(t, err) - mfs := mapfs.New() - for _, file := range tt.files { - // Since broken go.mod files bothers IDE, we should use other file names than "go.mod" and "go.sum". - switch filepath.Base(file) { - case "mod": - require.NoError(t, mfs.WriteFile("go.mod", file)) - case "sum": - require.NoError(t, mfs.WriteFile("go.sum", file)) - case "vendor": - require.NoError(t, mfs.CopyDir(file, ".")) - } + // Set GOPATH fs.FS for testing + ma := a.(*gomodAnalyzer) + if tt.gopath { + ma.gopathFS = gopathFS } ctx := t.Context() - got, err := a.PostAnalyze(ctx, analyzer.PostAnalysisInput{ - FS: mfs, + got, err := ma.PostAnalyze(ctx, analyzer.PostAnalysisInput{ + FS: fsys, }) require.NoError(t, err) @@ -368,7 +359,6 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) { sort.Sort(got.Applications[0].Packages) sort.Sort(tt.want.Applications[0].Packages) } - require.NoError(t, err) assert.Equal(t, tt.want, got) }) } diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/gopath.txtar b/pkg/fanal/analyzer/language/golang/mod/testdata/gopath.txtar new file mode 100644 index 0000000000..714be02f1b --- /dev/null +++ b/pkg/fanal/analyzer/language/golang/mod/testdata/gopath.txtar 
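Review bot: Cases with `gopath: false` are no longer isolated from the host. The loop only overrides `ma.gopathFS` when `tt.gopath` is true and the `t.Setenv("GOPATH", "testdata")` line is removed, so "no pkg dir found" and "sad go.mod" run against the `os.DirFS` of the developer's or CI runner's real GOPATH that `newGoModAnalyzer` sets. If that module cache happens to contain the modules named in the fixture, the result can differ from `tt.want`. Give those cases an explicit empty filesystem, e.g. `ma.gopathFS = fstest.MapFS{}` in an `else` branch (importing `testing/fstest`), so the outcome does not depend on the machine.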
@@ -0,0 +1,122 @@ +GOPATH directory structure containing pkg/mod with cached Go module dependencies. +This is used as a shared test fixture across multiple test cases. +All file paths must include the "pkg/mod/" prefix to properly represent the GOPATH structure. + +-- pkg/mod/github.com/!burnt!sushi/toml@v0.3.1/COPYING -- +The MIT License (MIT) + +Copyright (c) 2013 TOML authors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. 
+-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/LICENSE -- +MIT License + +Copyright (c) 2019 Teppei Fukuda + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. 
+-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod -- +module github.com/aquasecurity/go-dep-parser + +go 1.18 + +require ( + github.com/BurntSushi/toml v1.2.1 + github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 + github.com/hashicorp/go-multierror v1.1.1 + github.com/hashicorp/go-retryablehttp v0.7.2 + github.com/liamg/jfather v0.0.7 + github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 + github.com/samber/lo v1.37.0 + github.com/stretchr/testify v1.8.1 + go.uber.org/zap v1.24.0 + golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 + golang.org/x/mod v0.8.0 + golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f + golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 + gopkg.in/yaml.v3 v3.0.1 +) + +require ( + github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/hashicorp/errwrap v1.0.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + go.uber.org/atomic v1.7.0 // indirect + go.uber.org/multierr v1.6.0 // indirect + golang.org/x/text v0.3.8 // indirect +) +-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod -- +module github.com/aquasecurity/go-dep-parser + +go 1.18 + +require ( + github.com/BurntSushi/toml v1.2.1 + github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 + github.com/hashicorp/go-multierror v1.1.1 + github.com/hashicorp/go-retryablehttp v0.7.2 + github.com/liamg/jfather v0.0.7 + github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 + github.com/samber/lo v1.37.0 + github.com/stretchr/testify v1.8.1 + go.uber.org/zap v1.24.0 + golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 + golang.org/x/mod v0.8.0 + golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f + golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 + gopkg.in/yaml.v3 
v3.0.1 +) + +require ( + github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/hashicorp/errwrap v1.0.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + go.uber.org/atomic v1.7.0 // indirect + go.uber.org/multierr v1.6.0 // indirect + golang.org/x/text v0.3.8 // indirect +) +-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.1/go.mod -- +module github.com/aquasecurity/go-dep-parser + +go 1.18 + +require ( + golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 +) +-- pkg/mod/github.com/sad/sad@v0.0.1/go.mod -- +wrong diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/happy/sum b/pkg/fanal/analyzer/language/golang/mod/testdata/happy.txtar similarity index 80% rename from pkg/fanal/analyzer/language/golang/mod/testdata/happy/sum rename to pkg/fanal/analyzer/language/golang/mod/testdata/happy.txtar index 24e1c479b8..4fbae2701e 100644 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/happy/sum +++ b/pkg/fanal/analyzer/language/golang/mod/testdata/happy.txtar @@ -1,3 +1,17 @@ +Test case with go.mod, go.sum, and GOPATH pkg/mod dependencies. +This tests the happy path where all dependencies can be resolved from GOPATH. + +-- go.mod -- +module github.com/org/repo + +go 1.17 + +require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 + +require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect + +replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20220406074731-71021a481237 +-- go.sum -- github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY= 
@@ -21,4 +35,4 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= \ No newline at end of file +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/happy/mod b/pkg/fanal/analyzer/language/golang/mod/testdata/happy/mod deleted file mode 100644 index 0b4e07634b..0000000000 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/happy/mod +++ /dev/null @@ -1,9 +0,0 @@ -module github.com/org/repo - -go 1.17 - -require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 - -require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect - -replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20220406074731-71021a481237 \ No newline at end of file diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/merge.txtar b/pkg/fanal/analyzer/language/golang/mod/testdata/merge.txtar new file mode 100644 index 0000000000..8f8824baa0 --- /dev/null +++ b/pkg/fanal/analyzer/language/golang/mod/testdata/merge.txtar 
@@ -0,0 +1,16 @@ +Test case for Go version < 1.17 with go.sum. +This tests merging dependency information from both go.mod and go.sum. + +-- go.mod -- +module github.com/org/repo + +go 1.15 + +require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 + +replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd +-- go.sum -- +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd h1:H9IR14rR3+Z13ZH7ay9bs2hHBL7WAqdEJLLr8nhx/Rs= +github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd/go.mod h1:4dZHU2Ntsh9EopNVdTKf8UjSGDNTMVoyB5B34RjD75g= diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/merge/sum b/pkg/fanal/analyzer/language/golang/mod/testdata/merge/sum deleted file mode 100644 index d64fdb02cb..0000000000 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/merge/sum +++ /dev/null @@ -1,4 +0,0 @@ -github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd h1:H9IR14rR3+Z13ZH7ay9bs2hHBL7WAqdEJLLr8nhx/Rs= -github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd/go.mod h1:4dZHU2Ntsh9EopNVdTKf8UjSGDNTMVoyB5B34RjD75g= \ No newline at end of file diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/merge/mod b/pkg/fanal/analyzer/language/golang/mod/testdata/no-go-sum.txtar similarity index 52% rename from pkg/fanal/analyzer/language/golang/mod/testdata/merge/mod rename to pkg/fanal/analyzer/language/golang/mod/testdata/no-go-sum.txtar index 4257ff26da..8c5a230e83 100644 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/merge/mod 
+++ b/pkg/fanal/analyzer/language/golang/mod/testdata/no-go-sum.txtar @@ -1,7 +1,11 @@ +Test case without go.sum file. +This tests that the analyzer works when only go.mod is present. + +-- go.mod -- module github.com/org/repo go 1.15 require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3 -replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd \ No newline at end of file +replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found/mod b/pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found.txtar similarity index 56% rename from pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found/mod rename to pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found.txtar index 2f64bb82f7..54e916e1ab 100644 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found/mod +++ b/pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found.txtar @@ -1,3 +1,7 @@ +Test case where no GOPATH pkg/mod directory is found. +This tests the fallback behavior when dependencies cannot be found in GOPATH. + +-- go.mod -- module github.com/org/repo go 1.23 @@ -7,4 +11,4 @@ require ( github.com/aquasecurity/go-version v1.0.1 ) -require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect \ No newline at end of file +require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/toml@v0.3.1/COPYING b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/toml@v0.3.1/COPYING deleted file mode 100644 index 01b5743200..0000000000 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/toml@v0.3.1/COPYING +++ /dev/null 
@@ -1,21 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2013 TOML authors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/LICENSE b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/LICENSE deleted file mode 100644 index 7ce066ea33..0000000000 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/LICENSE +++ /dev/null 
@@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2019 Teppei Fukuda - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod deleted file mode 100644 index 9c840195c3..0000000000 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod +++ /dev/null 
@@ -1,31 +0,0 @@ -module github.com/aquasecurity/go-dep-parser - -go 1.18 - -require ( - github.com/BurntSushi/toml v1.2.1 - github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 - github.com/hashicorp/go-multierror v1.1.1 - github.com/hashicorp/go-retryablehttp v0.7.2 - github.com/liamg/jfather v0.0.7 - github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 - github.com/samber/lo v1.37.0 - github.com/stretchr/testify v1.8.1 - go.uber.org/zap v1.24.0 - golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4 - golang.org/x/mod v0.8.0 - golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f - golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 - gopkg.in/yaml.v3 v3.0.1 -) - -require ( - github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/hashicorp/errwrap v1.0.0 // indirect - github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect - go.uber.org/atomic v1.7.0 // indirect - go.uber.org/multierr v1.6.0 // indirect - golang.org/x/text v0.3.8 // indirect -) diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod deleted file mode 100644 index 9c840195c3..0000000000 --- a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod +++ /dev/null 
@@ -1,31 +0,0 @@
-module github.com/aquasecurity/go-dep-parser
-
-go 1.18
-
-require (
- github.com/BurntSushi/toml v1.2.1
- github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
- github.com/hashicorp/go-multierror v1.1.1
- github.com/hashicorp/go-retryablehttp v0.7.2
- github.com/liamg/jfather v0.0.7
- github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
- github.com/samber/lo v1.37.0
- github.com/stretchr/testify v1.8.1
- go.uber.org/zap v1.24.0
- golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
- golang.org/x/mod v0.8.0
- golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
- golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
- gopkg.in/yaml.v3 v3.0.1
-)
-
-require (
- github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
- github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/hashicorp/errwrap v1.0.0 // indirect
- github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
- go.uber.org/atomic v1.7.0 // indirect
- go.uber.org/multierr v1.6.0 // indirect
- golang.org/x/text v0.3.8 // indirect
-)
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.1/go.mod b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.1/go.mod
deleted file mode 100644
index 578bed1868..0000000000
--- a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.1/go.mod
+++ /dev/null
@@ -1,7 +0,0 @@
-module github.com/aquasecurity/go-dep-parser
-
-go 1.18
-
-require (
- golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-)
\ No newline at end of file
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/sad/sad@v0.0.1/go.mod b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/sad/sad@v0.0.1/go.mod
deleted file mode 100644
index 688dd9e29a..0000000000
--- a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/sad/sad@v0.0.1/go.mod
+++ /dev/null
@@ -1 +0,0 @@
-wrong
\ No newline at end of file
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/sad.txtar b/pkg/fanal/analyzer/language/golang/mod/testdata/sad.txtar
new file mode 100644
index 0000000000..b752639590
--- /dev/null
+++ b/pkg/fanal/analyzer/language/golang/mod/testdata/sad.txtar
@@ -0,0 +1,5 @@
+Test case with invalid go.mod file.
+This tests error handling for malformed go.mod files.
+
+-- go.mod --
+invalid
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/sad/mod b/pkg/fanal/analyzer/language/golang/mod/testdata/sad/mod
deleted file mode 100644
index e466dcbd8e..0000000000
--- a/pkg/fanal/analyzer/language/golang/mod/testdata/sad/mod
+++ /dev/null
@@ -1 +0,0 @@
-invalid
\ No newline at end of file
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/vendor/github.com/aquasecurity/go-dep-parser/LICENSE b/pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists.txtar
similarity index 96%
rename from pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/vendor/github.com/aquasecurity/go-dep-parser/LICENSE
rename to pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists.txtar
index f49a4e16e6..a8c8029935 100644
--- a/pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/vendor/github.com/aquasecurity/go-dep-parser/LICENSE
+++ b/pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists.txtar
@@ -1,3 +1,15 @@
+Test case with vendor directory.
+This tests getting dependency licenses from the vendor directory instead of GOPATH.
+
+-- go.mod --
+module github.com/org/repo
+
+go 1.17
+
+require github.com/aquasecurity/go-dep-parser v0.0.1
+
+require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+-- vendor/github.com/aquasecurity/go-dep-parser/LICENSE --
 Apache License
 Version 2.0, January 2004
 http://www.apache.org/licenses/
@@ -198,4 +210,4 @@
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
- limitations under the License.
\ No newline at end of file
+ limitations under the License.
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/mod b/pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/mod
deleted file mode 100644
index 55585492f7..0000000000
--- a/pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/mod
+++ /dev/null
@@ -1,7 +0,0 @@
-module github.com/org/repo
-
-go 1.17
-
-require github.com/aquasecurity/go-dep-parser v0.0.1
-
-require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
\ No newline at end of file
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg.txtar b/pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg.txtar
new file mode 100644
index 0000000000..9993f94040
--- /dev/null
+++ b/pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg.txtar
@@ -0,0 +1,9 @@
+Test case with invalid go.mod in GOPATH pkg/mod directory.
+This tests handling of broken dependency go.mod files.
+
+-- go.mod --
+module github.com/org/repo
+
+go 1.17
+
+require github.com/sad/sad v0.0.1
diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg/mod b/pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg/mod
deleted file mode 100644
index eb68112644..0000000000
--- a/pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg/mod
+++ /dev/null
@@ -1,5 +0,0 @@
-module github.com/org/repo
-
-go 1.17
-
-require github.com/sad/sad v0.0.1
\ No newline at end of file
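Review bot: The header of `wrong-gomod-in-pkg.txtar` says it covers an invalid go.mod under GOPATH `pkg/mod`, but the archive itself carries only the root `go.mod` requiring `github.com/sad/sad v0.0.1`; the malformed dependency file this commit deletes from `testdata/pkg/mod/github.com/sad/sad@v0.0.1/go.mod` is not part of it. Presumably that file now comes from the shared `gopath.txtar` listed in the diffstat, which is not visible in this part of the patch. If so, the error path for a broken dependency go.mod is exercised only as long as that other archive keeps the entry, and a later edit there could leave this case passing without testing anything. I would record the dependency in the archive comment, e.g. `The broken github.com/sad/sad@v0.0.1/go.mod is supplied by gopath.txtar.`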