What would you like to be added:
A cataloger, invoked on a directory scan for the Go ecosystem, that discovers all `**/go.mod` files. The cataloger will use the `main` module at the top of the modfile and then load all the root packages via the Go tools utilities found at golang.org/x/tools/go/packages.
These root packages will be created as syft packages for the SBOM. The cataloger will also visit all of the packages in the import graph whose roots are in the initial root package list, which allows it to surface all direct and transitive dependencies for a given `main` module. Vendored dependencies have the additional benefit of allowing license discovery with this method, since the module's `dirPath` is surfaced by the x/tools/go/packages utility during discovery.
Why is this needed:
More accurate Go source cataloging. Currently we only parse the flat list from `go.mod`, or the dependency information from discovered Go binaries. This new feature will give a more complete overview of all the modules imported by a Go project. Some projects have more than one `go.mod` file, which could lead to "duplicate" dependencies being discovered during this process. It's important to include the root parent in the discovered main package so that it is obvious to consumers of the SBOM that these "duplicates" belong to different `main` modules.
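An added example (not code from the syft project or from the issue author) of the import-graph walk described above. `Pkg` and `Mod` are assumed minimal stand-ins for the `packages.Package` and `packages.Module` values that `packages.Load` would return; each emitted record keeps the main module it was found under, so the same dependency reached from two `go.mod` files stays distinguishable in the SBOM.

```go
package main

import "sort"

// Mod and Pkg mirror the fields the cataloger reads from packages.Module and
// packages.Package after packages.Load(NeedModule|NeedImports|NeedDeps); this
// is an assumed minimal shape, not the x/tools types themselves. Module is nil
// for standard-library packages; Dir is set when the module exists on disk
// (vendored or in the module cache), which is what makes license lookup viable.
type Mod struct{ Path, Version, Dir string }
type Pkg struct {
	PkgPath string
	Module  *Mod
	Imports map[string]*Pkg
}

// Record is one SBOM entry. Parent names the main module it was found under,
// so the same dependency reached from two go.mod files stays distinguishable.
type Record struct{ Parent, Module, Version, Dir string }

// Catalog visits each package reachable from roots exactly once (depth first,
// cycle safe) and emits one Record per module, tagged with the main module.
// Results are sorted by module path because map iteration order is random.
func Catalog(main string, roots []*Pkg) []Record {
	seenPkg, seenMod := map[string]bool{}, map[string]bool{}
	out := []Record{}
	var visit func(*Pkg)
	visit = func(p *Pkg) {
		if p == nil || seenPkg[p.PkgPath] {
			return
		}
		seenPkg[p.PkgPath] = true
		if m := p.Module; m != nil && !seenMod[m.Path] {
			seenMod[m.Path] = true
			out = append(out, Record{main, m.Path, m.Version, m.Dir})
		}
		for _, imp := range p.Imports {
			visit(imp)
		}
	}
	for _, r := range roots {
		visit(r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}
```

Running `Catalog` once per discovered main module, with that module's root packages, yields records whose `Parent` field tells an SBOM consumer which `go.mod` each "duplicate" dependency belongs to.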