Open fviernau opened 2 years ago
@fviernau I would word the above slightly differently
A good place to implement such logic could be the PackageProvenanceResolver:
A possible risk if this is implemented outside the analyzer is that it needs to be verified that all code relying on the VCS path of the package is made aware that the scan result might use a different path.
Depending on the package manager it may be possible to better set the VCS path so that scan scope is narrowed down a bit. For example: go.mod file resides in. So, one could find that directory and set the VCS path without risk...TBC
This ticket is not yet an implementation ticket, but for now for figuring out whether and how we could solve that.