Open dfarrell07 opened 1 year ago
For security analysis, `go mod graph` can be misleading, notably because it includes all test dependencies. For accurate analysis, it's better to list the modules present in our binaries (`go version -m path/to/binary`, on binaries built without `upx`).
To quickly and reliably determine if we're impacted by a CVE, we need to be able to check all repos, at all release tags and at the tip of all release branches.
I think the best way to determine this is with `go mod graph`. That shows all direct and indirect dependencies, and why they are needed.
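The comments above boil down to one check per built artifact: read the module list that the Go toolchain embeds in the binary and compare each module version against the advisory's affected range. The following Go program is an added example, not code from this issue or from the project; it parses the text format that `go version -m <binary>` prints (a header line naming the binary, then tab-indented `mod`, `dep` and `=>` replacement lines), then reports modules inside a hypothetical range `[introduced, fixed)`. The sample output, the module paths `github.com/example/...`, the checksums and the advisory range are all constructed for the example; the version ordering follows the semantic-versioning rules the go command uses, where a pseudo-version or other pre-release sorts before the bare release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module is one entry from the build info embedded in a Go binary.
type Module struct {
	Path, Version string
}

// ParseGoVersionM extracts the resolved module list from the text printed by
// `go version -m <binary>`. The first line names the binary and its Go version;
// the remaining lines are tab-indented "mod\t<path>\t<version>" (main module),
// "dep\t<path>\t<version>\t<sum>" and, directly after a replaced dependency,
// "=>\t<path>\t<version>\t<sum>" naming the module that was actually compiled
// in. A replacement overrides the preceding dep, since that is the code that
// ended up in the binary. "path" and "build" lines are skipped.
func ParseGoVersionM(out string) []Module {
	var mods []Module
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(fields) < 3 {
			continue
		}
		switch fields[0] {
		case "dep", "mod":
			mods = append(mods, Module{Path: fields[1], Version: fields[2]})
		case "=>":
			if len(mods) > 0 {
				mods[len(mods)-1] = Module{Path: fields[1], Version: fields[2]}
			}
		}
	}
	return mods
}

// splitVersion returns the numeric major.minor.patch and the pre-release
// suffix of a "vX.Y.Z[-pre][+meta]" module version; build metadata is dropped.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var n [3]int
	for i, part := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(part)
	}
	return n, pre
}

// comparePrerelease orders dot-separated pre-release identifiers: numeric
// identifiers compare numerically and sort before alphanumeric ones, and a
// shorter identifier list sorts first.
func comparePrerelease(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		ai, aerr := strconv.Atoi(as[i])
		bi, berr := strconv.Atoi(bs[i])
		switch {
		case aerr == nil && berr == nil:
			if ai != bi {
				if ai < bi {
					return -1
				}
				return 1
			}
		case aerr == nil:
			return -1
		case berr == nil:
			return 1
		default:
			if c := strings.Compare(as[i], bs[i]); c != 0 {
				return c
			}
		}
	}
	return len(as) - len(bs)
}

// Less reports whether module version a sorts before b. A release sorts after
// every pre-release of the same number, so pseudo-versions such as
// v0.0.0-20230101000000-abcdef012345 come before v0.0.0.
func Less(a, b string) bool {
	am, ap := splitVersion(a)
	bm, bp := splitVersion(b)
	for i := 0; i < 3; i++ {
		if am[i] != bm[i] {
			return am[i] < bm[i]
		}
	}
	switch {
	case ap == bp:
		return false
	case ap == "":
		return false
	case bp == "":
		return true
	}
	return comparePrerelease(ap, bp) < 0
}

// Affected returns the modules in the binary whose version lies in the
// advisory range [introduced, fixed). An empty fixed means no fix exists yet.
// The main module reported as "(devel)" carries no version and is skipped.
func Affected(mods []Module, path, introduced, fixed string) []Module {
	var hits []Module
	for _, m := range mods {
		if m.Path != path || m.Version == "(devel)" || Less(m.Version, introduced) {
			continue
		}
		if fixed != "" && !Less(m.Version, fixed) {
			continue
		}
		hits = append(hits, m)
	}
	return hits
}

// sampleGoVersionM is a constructed `go version -m` listing; the module paths
// and the h1: checksums are placeholders, not real modules.
const sampleGoVersionM = "bin/server: go1.21.5\n" +
	"\tpath\texample.com/server\n" +
	"\tmod\texample.com/server\t(devel)\n" +
	"\tdep\tgithub.com/example/vulnlib\tv1.4.2\th1:placeholdersum=\n" +
	"\tdep\tgithub.com/example/parser\tv0.9.0\th1:placeholdersum=\n" +
	"\t=>\tgithub.com/example/parser-fork\tv0.9.1\th1:placeholdersum=\n" +
	"\tdep\tgolang.org/x/pseudo\tv0.0.0-20230101000000-abcdef012345\th1:placeholdersum=\n" +
	"\tbuild\t-buildmode=exe\n"

func main() {
	mods := ParseGoVersionM(sampleGoVersionM)
	for _, m := range mods {
		fmt.Printf("%s %s\n", m.Path, m.Version)
	}
	// Hypothetical advisory: vulnlib affected from v1.3.0, fixed in v1.4.3.
	for _, m := range Affected(mods, "github.com/example/vulnlib", "v1.3.0", "v1.4.3") {
		fmt.Printf("AFFECTED: %s %s\n", m.Path, m.Version)
	}
}
```

To cover every release tag and branch tip as the issue asks, build the binary at each ref and feed that binary's `go version -m` output to this parser; the replacement handling matters because a `replace` directive can swap a vulnerable module for a patched fork (or the reverse) without the `dep` line changing. The Go team's `govulncheck -mode=binary` performs the same embedded-module lookup against the Go vulnerability database and is the supported tool for this job; the parser above shows what that lookup has to read.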