jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Errors parsing go.mod, invalid go version format #5907

Open sbszcz opened 1 year ago

sbszcz commented 1 year ago

Describe the bug

The process yields the error complaining about the go version format.

go: errors parsing go.mod:
/src/go.mod:3: invalid go version '1.21.0': must match format 1.23

Version of dependency-check used

The problem occurs using version 8.4.0 of the docker image

Log file

Excerpt:

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)
[INFO] Finished Python Distribution Analyzer (0 seconds)
[WARN] While analyzing `/src/go.mod` `go` generated the following warnings:
go: errors parsing go.mod:
/src/go.mod:3: invalid go version '1.21.0': must match format 1.23

[WARN] An error occurred while analyzing '/src/go.mod' (Golang Mod Analyzer).
[INFO] Finished Golang Mod Analyzer (0 seconds)
[INFO] Finished Dependency Merging Analyzer (0 seconds)
[INFO] Finished Hint Analyzer (0 seconds)
[INFO] Finished Version Filter Analyzer (0 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished NPM CPE Analyzer (1 seconds)
[INFO] Created CPE Index (0 seconds)
[INFO] Finished CPE Analyzer (0 seconds)
[INFO] Finished False Positive Analyzer (0 seconds)
[INFO] Finished NVD CVE Analyzer (0 seconds)
[WARN] Unable to determine Package-URL identifiers for 1 dependencies
[INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
[INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
[INFO] Finished Known Exploited Vulnerability Analyzer (0 seconds)
[INFO] Finished Dependency Bundling Analyzer (0 seconds)
[INFO] Finished Unused Suppression Rule Analyzer (0 seconds)
[INFO] Analysis Complete (1 seconds)
[INFO] Writing report to: /report/dependency-check-report.xml
[INFO] Writing report to: /report/dependency-check-report.html
[INFO] Writing report to: /report/dependency-check-report.json
[INFO] Writing report to: /report/dependency-check-report.csv
[INFO] Writing report to: /report/dependency-check-report.sarif
[INFO] Writing report to: /report/dependency-check-jenkins.html
[INFO] Writing report to: /report/dependency-check-junit.xml
[ERROR] Error analyzing '/src/go.mod'; Error parsing output from `go list -json -m all`

To Reproduce

Steps to reproduce the behavior:

  1. Install golang v1.21.0
  2. mkdir example && cd example
  3. go mod init foobar
  4. Run the script of the docker page adding the --enableExperimental flag

Expected behavior

Scanning process should proceed with no error

Additional context

The obvious workaround is to edit the go.mod file and adjust the format.

aikebah commented 1 year ago

The output that the Golang Mod Analyzer shows you in the error message is the output generated by go (go list -m -json -mod=readonly -all) and just handed to you in the output. You should ensure to start off with a properly formatted go.mod for the version of go in the image.

aikebah commented 1 year ago

The docker image embeds go from the golang 1.17.1-alpine image.

https://github.com/jeremylong/DependencyCheck/blob/main/Dockerfile

sbszcz commented 1 year ago

Ah okay ... Thank you. I didn't see that.

aikebah commented 1 year ago

Sounds strange to me by the way that your sequence of events leads to a quoted version, as the go documentation appears to suggest that it would be unquoted.

https://go.dev/doc/modules/gomod-ref#module-syntax

jeremylong commented 11 months ago

Try running go list -m -json -all without the readonly and see if that corrects the problem?

Tolrod22 commented 9 months ago

Hello,

I got the same issue, seems it's only broken if you use semantic versioning (X.Y.Z). If you use go 1.21 in your go.mod file, it'll work

Also reported here: https://github.com/jeremylong/DependencyCheck/issues/6052, but it's how go works, I guess

harsh-sri commented 8 months ago

Thanks @Tolrod22 , it worked for me :)

jeremylong commented 8 months ago

When you are using the semantic versioning - what happens when you run:

go list -json -m all

jjeejj commented 5 months ago

Hello,

I got the same issue, seems it's only broken if you use semantic versioning (X.Y.Z). If you use go 1.21 in your go.mod file, it'll work

Also reported here: #6052, but it's how go works, I guess

thanks, solved my problem

itsecforu commented 2 months ago

So how do I update the go version in the docker image with openjdk?

maroda commented 2 months ago

This is happening to me on a brand new 'go mod init'. It is writing my go version correctly at 1.22.4 but I have to manually remove the '.4' to avoid the error.
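A pre-scan check for the mismatch this thread describes, added here as an example (it is neither dependency-check's code nor any commenter's): it reads the `go` directive from a go.mod, flags a three-component version when the scanner's embedded toolchain (1.17.1 in the image aikebah points to) predates Go 1.21, and emits the trimmed `1.N` form that Tolrod22 and maroda use as the workaround. The toolchain version is an input you supply, and the sample go.mod is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// components parses a version such as "1.21.0" into []int{1, 21, 0}.
func components(v string) ([]int, error) {
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q", v)
		}
		out = append(out, n)
	}
	return out, nil
}

// CheckGoMod reports whether a toolchain of the given version (e.g. "1.17.1", which the
// thread says the dependency-check 8.4.0 image embeds) will parse gomod: toolchains older
// than 1.21 reject a three-component "go" directive. On a mismatch it returns an error plus
// a copy of the file with that directive trimmed to "1.N"; every other line is unchanged.
func CheckGoMod(gomod, toolchain string) (string, error) {
	t, err := components(toolchain)
	if err != nil || len(t) < 2 {
		return gomod, fmt.Errorf("bad toolchain version %q", toolchain)
	}
	lines := strings.Split(gomod, "\n")
	for i, line := range lines {
		f := strings.Fields(line)
		if len(f) != 2 || f[0] != "go" {
			continue // not the "go" directive (module, require, replace, ...)
		}
		if c, cerr := components(f[1]); cerr != nil {
			return gomod, cerr
		} else if len(c) == 3 && t[0] == 1 && t[1] < 21 {
			lines[i] = fmt.Sprintf("go %d.%d", c[0], c[1])
			err = fmt.Errorf("go.mod:%d: go %s needs a go >= 1.21 toolchain, scanner has go %s", i+1, f[1], toolchain)
		}
	}
	return strings.Join(lines, "\n"), err
}

func main() {
	fixed, err := CheckGoMod("module foobar\n\ngo 1.21.0\n", "1.17.1") // constructed sample go.mod
	fmt.Println(err, "\n"+fixed)
}
```

Run it against the real go.mod before invoking the scanner; a non-nil error means the container's go will fail exactly as in the log above, and the returned copy is what the workaround produces.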