projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

libcaligo-go: retracted module golang.zx2c4.com/wireguard #5724

Open bzbikowski opened 2 years ago

bzbikowski commented 2 years ago

Hello, we are using a third-party tool that is running go list -mod=readonly -m -u -json all to parse the dependencies of the projects. But the command returns an error that module golang.zx2c4.com/wireguard@v0.0.20200121 is retracted by module author when github.com/projectcalico/libcalico-go is used. That module is used by golang.zx2c4.com/wireguard/wgctrl@v0.0.0-20200324154536-ceff61240acf, which is included in your go.mod file.

Expected Behavior

Command go list -mod=readonly -m -u -json all should pass without issues and should return a list of modules in JSON.

Current Behavior

Command go list -mod=readonly -m -u -json all fails with error code 1 with the following output:

go list -m: golang.zx2c4.com/wireguard@v0.0.20200121: retracted by module author

Possible Solution

Bump up version of golang.zx2c4.com/wireguard/wgctrl to the latest available.

Context

Blackduck scans (for GO_MOD detector) are failing due to this problem when libcalico-go is used as a dependency. At some point during the scan the command above is called, which fails the whole process.

Your Environment

lwr20 commented 2 years ago

Maybe @fasaxc or @caseydavenport might know?

mgleung commented 2 years ago

I think since the issue appears to be that the retracted version is found as the dependency for our wgctrl version, the easiest solution is to go with the proposed solution and just update the wgctrl version. I tested it on the most recent commit and it fixes the go list command. @mikestephen any idea if updating the wgctrl version might cause any issues?

mikestephen commented 2 years ago

I was able to upgrade locally to commit fde48d68ee68e3f7af735747d6b97ecb713d924a and it seemed to work, though it would need further testing.

caseydavenport commented 2 years ago

We should definitely stop using a retracted version (and should probably have some CI on our end to catch when we are using a retracted version).

@mikestephen would you be able to submit a PR with that pin update? We should bump to whatever the latest compatible released module version is.
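The CI check caseydavenport suggests, as an added example that is not Calico's own code: a Go program that reads the JSON stream from `go list -m -u -json all` and fails the build when any dependency reports a retracted version. It assumes a Go toolchain whose `go list -u` fills in the Retracted field instead of exiting with the error shown in this report; the sample output and retraction text embedded below are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// goModule holds the `go list -m -u -json` fields used here (Retracted needs -u).
type goModule struct {
	Path      string
	Version   string
	Retracted []string
}

// retractedModules decodes the JSON stream printed by `go list -m -u -json all`
// and returns "path@version: reason" for every module whose version is retracted.
func retractedModules(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r) // a Decoder accepts concatenated JSON objects
	var hits []string
	for {
		var m goModule
		if err := dec.Decode(&m); err == io.EOF {
			return hits, nil
		} else if err != nil {
			return nil, err
		}
		if len(m.Retracted) > 0 {
			hits = append(hits, fmt.Sprintf("%s@%s: %s", m.Path, m.Version, m.Retracted[0]))
		}
	}
}

// sampleListOutput is a constructed stand-in for the real command output.
const sampleListOutput = `{"Path":"golang.zx2c4.com/wireguard/wgctrl","Version":"v0.0.0-20200324154536-ceff61240acf"}
{"Path":"golang.zx2c4.com/wireguard","Version":"v0.0.20200121","Retracted":["constructed retraction rationale"]}`

// CI usage: go list -mod=readonly -m -u -json all | go run check.go
func main() {
	hits, err := retractedModules(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot parse go list output:", err)
		os.Exit(2)
	}
	if len(hits) > 0 {
		fmt.Println("retracted dependencies:", hits)
		os.Exit(1) // fail the pipeline
	}
}
```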