pivotal / LicenseFinder

Find licenses for your project's dependencies.
MIT License

go module doesn't find any dependencies. #772

Open cobbr2 opened 4 years ago

cobbr2 commented 4 years ago

I'm scanning a go repository with a top-level go.mod file that looks like:

module github.com/MyCompany/my-module

go 1.13.14

// 0.3.9 has issues merging public fields in embedded structs
replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.7

require (
	github.com/aws/aws-sdk-go v1.33.17
	github.com/banzaicloud/k8s-objectmatcher v1.4.0
	github.com/go-logr/logr v0.1.0
	github.com/golang/mock v1.4.4
	github.com/imdario/mergo v0.3.9
	github.com/onsi/ginkgo v1.14.0
	github.com/onsi/gomega v1.10.1
	github.com/prometheus/common v0.7.0 // indirect
	github.com/sirupsen/logrus v1.6.0
	github.com/stretchr/testify v1.6.1
	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
	istio.io/api v0.0.0-20200227124350-5ce1c9cc553f
	istio.io/client-go v0.0.0-20200227190314-99bd63aa63ba
	k8s.io/api v0.18.6
	k8s.io/apimachinery v0.18.6
	k8s.io/client-go v0.18.6
	k8s.io/kubectl v0.18.6
	sigs.k8s.io/controller-runtime v0.6.1
)

I do:

$ dlf "license_finder -p"
LicenseFinder::GoModules: is active

No dependencies recognized!

This is with version 6.6.2, with a locally customized Dockerfile to handle our system libraries. I have successfully built the module on the docker host, but the LF docker image does not build it, perhaps because it's running go 1.14, not 1.13:

root@dc73b0b88684:/scan# go build
go: errors parsing go.mod:
/scan/go.mod:3: usage: go 1.23
root@dc73b0b88684:/scan# go version
go version go1.14.3 linux/amd64

If this is indeed the case, is there a way we can get a more sensible error message than just "No dependencies recognized!"? And what would you recommend as a workaround? This is only one of many go repos we need to scan; AFAIK, any repo could have chosen to use any version of go (we're fans of asdf here).

cf-gitbot commented 4 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

cobbr2 commented 4 years ago

It's definitely about the go.mod version statement; changing it to 1.23 makes it work. OTOH: a better error message would be very nice. And so would some strategy for dealing with multiple go versions.

ohlookadollar commented 4 years ago

Could you give us a sample repo to reproduce the bug?

Thanks

cobbr2 commented 4 years ago

Sure thing! https://github.com/ConsultingMD/license_finder_repro_repo . Thanks! I've stripped enough stuff out that it now tries to run both detectors, but they both fail the same way:

rcobb@rcobb-t480: (master) ~/license_finder_repro_repo$ go version
go version go1.13.9 linux/amd64
rcobb@rcobb-t480: (master) ~/license_finder_repro_repo$ dlf "go version"
go version go1.14.3 linux/amd64

rcobb@rcobb-t480: (master) ~/license_finder_repro_repo$ license_finder -p | head -5
LicenseFinder::GoModules: is active
LicenseFinder::Go15VendorExperiment: is active

Dependencies that need approval:
cloud.google.com/go, v0.38.0, "Apache 2.0"
rcobb@rcobb-t480: (master) ~/license_finder_repro_repo$ dlf "license_finder -p | head -5"
LicenseFinder::GoModules: is active
LicenseFinder::Go15VendorExperiment: is active

No dependencies recognized!

And maybe this is a clue:

rcobb@rcobb-t480: (master) ~/license_finder_repro_repo$ go list | head -2
github.com/ConsultingMD/protean-operator
rcobb@rcobb-t480: (master) ~/license_finder_repro_repo$ dlf "go list | head -2"
go: errors parsing go.mod:
/scan/go.mod:3: usage: go 1.23

mr-karan commented 4 years ago

+1 I am facing the same.

Pivotal-Jeff-Jun commented 4 years ago

@cobbr2 We made a quick change to have more sensible error in go_module_error branch. Let us know if it looks alright to you.

As for compatibility with multiple go version, we will bring it up to our team. We will let you know with further updates.
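The two requests in this thread, a sensible error instead of "No dependencies recognized!" (end of the opening comment) and some way to cope with repositories pinned to different Go versions (which the maintainers say they will take to the team), can both be covered by a small pre-check run from the repository root before the scanner. The program below is an added example written for this page; it is not LicenseFinder's code and not the go_module_error branch. It assumes a `go` binary on PATH, reads `go.mod` from the directory given as its first argument (default `.`), validates the `go` directive against the installed toolchain, and then runs `go list -m -json all`, forwarding Go's own stderr when that fails rather than returning an empty list. The rule it encodes is the one the page shows: toolchains before go1.21 accept only MAJOR.MINOR in the `go` directive (hence `usage: go 1.23` from go1.14.3), while go1.21 and later also accept a patch component. The sample `go.mod` and `go list` output in the comments are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// GoDirective is the parsed "go" line of a go.mod file.
type GoDirective struct {
	Major, Minor int
	Patch        string // "" when the directive is plain MAJOR.MINOR
	Line         int    // 1-based line number in go.mod
}

var (
	goDirectiveRe = regexp.MustCompile(`^go (\d+)\.(\d+)(?:\.(\d+))?$`)
	goVersionRe   = regexp.MustCompile(`\bgo(\d+)\.(\d+)`)
)

// ParseGoDirective returns the go directive of go.mod text, (nil, nil) when
// there is none, and an error when the directive is malformed (e.g. "go 1").
func ParseGoDirective(gomod string) (*GoDirective, error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop a trailing comment
		}
		f := strings.Fields(line)
		if len(f) == 0 || f[0] != "go" {
			continue // "module", "require", "replace", block bodies, blanks
		}
		m := goDirectiveRe.FindStringSubmatch(strings.Join(f, " "))
		if m == nil {
			return nil, fmt.Errorf("go.mod:%d: malformed go directive %q", n, strings.TrimSpace(line))
		}
		major, _ := strconv.Atoi(m[1]) // the regexp guarantees digits
		minor, _ := strconv.Atoi(m[2])
		return &GoDirective{Major: major, Minor: minor, Patch: m[3], Line: n}, nil
	}
	return nil, nil
}

// ParseToolchain extracts MAJOR.MINOR from `go version` output such as
// "go version go1.14.3 linux/amd64".
func ParseToolchain(out string) (major, minor int, err error) {
	m := goVersionRe.FindStringSubmatch(out)
	if m == nil {
		return 0, 0, fmt.Errorf("unrecognised `go version` output %q", out)
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	return major, minor, nil
}

// CheckDirective says, before any scanner runs, why the installed toolchain
// will not parse this go.mod. Toolchains before go1.21 reject a patch
// component in the go directive; a directive newer than the toolchain is
// reported too, since that is the multi-version situation the issue raises.
func CheckDirective(d *GoDirective, tcMajor, tcMinor int) error {
	if d == nil {
		return nil
	}
	if d.Patch != "" && (tcMajor < 1 || (tcMajor == 1 && tcMinor < 21)) {
		return fmt.Errorf("go.mod:%d: go directive %d.%d.%s carries a patch version; go%d.%d accepts only MAJOR.MINOR (write \"go %d.%d\")",
			d.Line, d.Major, d.Minor, d.Patch, tcMajor, tcMinor, d.Major, d.Minor)
	}
	if tcMajor < d.Major || (tcMajor == d.Major && tcMinor < d.Minor) {
		return fmt.Errorf("go.mod:%d: declares go %d.%d, newer than toolchain go%d.%d", d.Line, d.Major, d.Minor, tcMajor, tcMinor)
	}
	return nil
}

// Module is the subset of `go list -m -json` output a license scanner needs.
type Module struct {
	Path, Version  string
	Main, Indirect bool
}

// DecodeModuleList parses the stream of JSON objects `go list -m -json all`
// prints (no separators between objects) and drops the main module itself.
func DecodeModuleList(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		if !m.Main {
			mods = append(mods, m)
		}
	}
}

// ListModules runs `go list -m -json all` in dir and, on failure, returns
// Go's stderr (e.g. "errors parsing go.mod") instead of an empty list.
func ListModules(dir string) ([]Module, error) {
	cmd := exec.Command("go", "list", "-m", "-json", "all")
	cmd.Dir = dir
	var stdout, stderr bytes.Buffer
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	if err := cmd.Run(); err != nil {
		return nil, fmt.Errorf("go list failed in %s: %v\n%s", dir, err, strings.TrimSpace(stderr.String()))
	}
	return DecodeModuleList(&stdout)
}

func main() {
	dir := "."
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	gomod, err := os.ReadFile(filepath.Join(dir, "go.mod"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	d, err := ParseGoDirective(string(gomod))
	if err == nil {
		var out []byte
		if out, err = exec.Command("go", "version").Output(); err == nil {
			var major, minor int
			if major, minor, err = ParseToolchain(string(out)); err == nil {
				err = CheckDirective(d, major, minor)
			}
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "pre-check:", err)
		os.Exit(1)
	}
	mods, err := ListModules(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, m := range mods {
		fmt.Printf("%s %s\n", m.Path, m.Version)
	}
}
```

Run against the go.mod from the opening comment under go1.14.3, the pre-check stops with `go.mod:3: go directive 1.13.14 carries a patch version; go1.14 accepts only MAJOR.MINOR (write "go 1.13")`, which is the message the `No dependencies recognized!` output was hiding. For the multi-version case, the directive check is what a wrapper such as the `dlf` alias could use to pick a matching toolchain image before invoking `license_finder`, so that each repository is scanned with the Go version its go.mod expects.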