Open t-nero opened 6 months ago
kzantow
commented
6 months ago I believe this is a duplicate of https://github.com/anchore/syft/issues/2038, but it does describe a slightly different replace directive. This particular variant would be a lot easier to handle, ignoring the local filesystem references.
bhavyastar
commented
3 months ago Hey @kzantow I would like to work on this issue.
kzantow
commented
3 months ago @bhavyastar that would be great! I've assigned you (I think that's one thing you were asking for?), let me know if there's anything you need!
What happened: It does not apply replace directive to the module version that's also in the replace directly. For example,
If I run syft with the working dir
syft ., the result will showgolang.org/x/net@v0.18.0is being used, which is originated from grpc@v1.61.0's go.mod while both module should be overridden to the specified version.What you expected to happen: If I build and run syft against the binary file instead,
syft <bin_file>, orgo version -m <bin_file>, both will showgolang.org/x/net@v0.22.0is actually being used.Steps to reproduce the issue:
replacedirective with M to any specific versionreplacedirective with another module required by M (pick one from M's go.mod), let's name it module Ncdto the project root directory, set$GOPATHwithexport GOPATH="$(pwd)/depgo mod download, to download all dependencies into./dep.syftwith the project directory, inspect the N's version, it will be the version specified in M's go.mod, while it should actually be thereplacedirective version.Environment:
syft version:cat /etc/os-releaseor similar):