Closed mcoops closed 2 years ago
Did also think about doing this for all languages, but I think it might require more thought if we want to silently fail on stuff like go - not sure. Def want to continue on nodejs tho.
Hmm, this is an improvement in that I now get the Go deps for the openshift/console repo, but it's still failing on the frontend yarn.lock, so no js deps are returned:
$ deplist -debug . | grep -v '^pkg:go'
DEBU[0000] GetNodeJSDeps frontend/dynamic-demo-plugin/yarn.lock
DEBU[0000] failed to scan for nodejs: frontend/dynamic-demo-plugin/yarn.lock
DEBU[0000] GetNodeJSDeps frontend/yarn.lock
DEBU[0001] failed to scan for nodejs: frontend/yarn.lock
DEBU[0001] GetGolangDeps go.mod
DEBU[0001] verifying github.com/mikefarah/yaml/v2@v2.4.0/go.mod: checksum mismatch
downloaded: h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
go.sum: h1:ahVqZF4n1W4NqwvVnZzC4es67xsW9uR/RRf2RRxieJU=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
This was actually due to some problem with my environment. Fixed now, this LGTM.
Since moving to recursively scanning for all package.lock files it may be that we find lockfiles that fail to process. Current state will get an error and return, instead just log and continue.
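The log-and-continue behaviour described above, sketched as an added example (not deplist's own code): a recursive walk that logs a lockfile it cannot process, keeps going, and records the failed path so a caller can tell the dependency list is incomplete. `ScanResult`, `parseLock`, `ScanTree`, `demoFS` and the one-entry-per-line lockfile format are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"log"
	"strings"
	"testing/fstest"
)

type ScanResult struct{ Deps, Failed []string } // hypothetical result type

// parseLock is a stand-in parser: one "name@version" entry per line.
func parseLock(data []byte) ([]string, error) {
	lines := strings.Split(strings.TrimSpace(string(data)), "\n")
	for _, l := range lines {
		if !strings.Contains(l, "@") {
			return nil, fmt.Errorf("unparseable entry %q", l)
		}
	}
	return lines, nil
}

// ScanTree logs a lockfile that fails to read or parse, then continues the walk.
func ScanTree(fsys fs.FS) (ScanResult, error) {
	var res ScanResult
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "yarn.lock" {
			return err
		}
		data, err := fs.ReadFile(fsys, p)
		var deps []string
		if err == nil {
			deps, err = parseLock(data)
		}
		if err != nil {
			log.Printf("failed to scan for nodejs: %s: %v", p, err)
			res.Failed = append(res.Failed, p) // keep the gap visible to the caller
		}
		res.Deps = append(res.Deps, deps...)
		return nil
	})
	return res, err
}

var demoFS = fstest.MapFS{ // constructed sample input: one valid, one corrupt lockfile
	"yarn.lock":          {Data: []byte("left-pad@1.3.0\n")},
	"frontend/yarn.lock": {Data: []byte("<<<<<<< HEAD\n")},
}

func main() { fmt.Println(ScanTree(demoFS)) }
```

Returning the failed paths alongside the dependencies lets a consumer of the list distinguish "no JS dependencies" from "JS lockfiles were skipped".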