gomods / athens

A Go module datastore and proxy
https://docs.gomods.io
MIT License

Unable to go get gosec with athens #1624

Closed bradleyjames closed 2 years ago

bradleyjames commented 4 years ago

Describe the bug

go get github.com/securego/gosec/cmd/gosec succeeds when not using athens. When using athens, the same command fails with a 404.

Error Message

Used myproxy below to represent the URL.

go get github.com/securego/gosec/cmd/gosec: module github.com/securego/gosec/cmd/gosec: reading http://myproxy/github.com/securego/gosec/cmd/gosec/@v/list: 404 Not Found

To Reproduce

$ go env | grep GOPROXY
GOPROXY="https://proxy.golang.org,direct"
$ go get github.com/securego/gosec/cmd/gosec
go: found github.com/securego/gosec/cmd/gosec in github.com/securego/gosec v0.0.0-20200401082031-e946c8c39989
$ export GOPROXY=http://myproxy
$ go env | grep GOPROXY
GOPROXY="http://myproxy"
$ go get github.com/securego/gosec/cmd/gosec
go get github.com/securego/gosec/cmd/gosec: module github.com/securego/gosec/cmd/gosec: reading http://myproxy/github.com/securego/gosec/cmd/gosec/@v/list: 404 Not Found

Expected behavior

Successfully get gosec.

Environment (please complete the following information):

Additional context

I can go get golang.org/x/lint/golint successfully when using athens with the result of go: found golang.org/x/lint/golint in golang.org/x/lint v0.0.0-20200302205851-738671d3881b.

To debug, I deleted the github.com "folder" in the S3 bucket. I saw the same results. When performing other actions like go build the proxy was able to write to the bucket so it's not an S3 permissions issue.

marwan-at-work commented 4 years ago

@bradleyjames this is because github.com/securego/gosec is stored in proxy.golang.org but it is not working correctly with GOPROXY=direct

Note that Go by default sets its GOPROXY as proxy.golang.org,direct while Athens sets it as direct. This is a good use case for having Athens behave similarly to Go so I can def be convinced that Athens should change its default GOPROXY to be proxy.golang.org,direct.

For example, if you try GOPROXY=direct github.com/securego/gosec/cmd/gosec, you will notice the same error:

GOPATH=/Users/marwansulaiman/rme GOPROXY=direct go get github.com/securego/gosec/cmd/gosec
go get github.com/securego/gosec/cmd/gosec: no matching versions for query "upgrade"

And if you run Athens with GOPROXY pointed to proxy.golang.org,direct, then you will notice that Athens will work correctly:

ATHENS_GO_BINARY_ENV_VARS='GOPROXY=proxy.golang.org,direct' go run cmd/proxy/main.go

GOPATH=/Users/marwansulaiman/rme GOPROXY=http://localhost:3000 go get github.com/securego/gosec/cmd/gosec
go: downloading github.com/securego/gosec v0.0.0-20200401082031-e946c8c39989
go: found github.com/securego/gosec/cmd/gosec in github.com/securego/gosec v0.0.0-20200401082031-e946c8c39989
go: downloading golang.org/x/tools v0.0.0-20200331202046-9d5940d49312
go: downloading github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d
go: downloading gopkg.in/yaml.v2 v2.2.8

All of that said, I'm not sure why gosec fails when using go list -m without a proxy... I'll keep the issue open as I look more into it... It could possibly be a bug on the Go command side or it could be that the gosec repo is somehow misconfigured.
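
Added illustration, not part of the thread and not Athens or go command code: a simplified Go model of the lookup behind the 404 above. Each prefix of the package path is tried as a module via <module>/@v/list, and a comma-separated GOPROXY list moves on to the next entry only on 404/410. The names candidatePaths, stubProxy and resolve and the version v0.1.0 are constructed for the example; it assumes lowercase module paths and does not model the direct VCS fetch.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
)

// candidatePaths lists each prefix of a package path, longest first: any may be the module.
func candidatePaths(pkg string) (out []string) {
	for p := pkg; p != "."; p = path.Dir(p) {
		out = append(out, p)
	}
	return out
}

// stubProxy is a constructed stand-in proxy: 200 on <module>/@v/list for known modules, else 404.
func stubProxy(known ...string) *httptest.Server {
	mux := http.NewServeMux()
	for _, m := range known {
		mux.HandleFunc("/"+m+"/@v/list", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "v0.1.0") })
	}
	return httptest.NewServer(mux)
}

// resolve models a comma-separated GOPROXY list: only 404/410 lets the search move on.
func resolve(proxies []string, pkg string) (string, string, error) {
	for _, px := range proxies {
		for _, cand := range candidatePaths(pkg) {
			resp, err := http.Get(px + "/" + cand + "/@v/list")
			if err != nil {
				return "", "", err
			}
			resp.Body.Close()
			if resp.StatusCode == http.StatusOK {
				return px, cand, nil // longest prefix that this proxy can serve
			}
			if resp.StatusCode != http.StatusNotFound && resp.StatusCode != http.StatusGone {
				return "", "", fmt.Errorf("%s: %s", cand, resp.Status)
			}
		}
	}
	return "", "", fmt.Errorf("%s: 404 Not Found on every proxy", pkg)
}

func main() {
	athens, upstream := stubProxy(), stubProxy("github.com/securego/gosec") // constructed stand-ins
	fmt.Println(resolve([]string{athens.URL, upstream.URL}, "github.com/securego/gosec/cmd/gosec"))
}
```

With only the first stub in the list, resolve returns the 404 error; with the second stub appended, the same package resolves to the module github.com/securego/gosec.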

nitesh-epifi commented 2 years ago

I was facing the same issue with github.com/google/tink/go

GOPROXY=http://localhost:3000 go get github.com/google/tink/go@v1.5.0                                                    
go: github.com/google/tink/go@v1.5.0: reading http://localhost:3000/github.com/google/tink/go/@v/v1.5.0.mod: 404 Not Found

This later got fixed by the solution suggested by @marwan-at-work. Thanks.

arschles commented 2 years ago

Since running Athens with GOPROXY=proxy.golang.org,direct (using the ATHENS_BINARY_ENV_VARS env var), as @marwan-at-work suggested above, works, closing this issue. @nitesh-epifi I'm glad it worked for you!

If anybody thinks that athens should run with GOPROXY=proxy.golang.org,direct by default, please feel free to open another issue 👍