Checking if a go.mod file should be included in the Scan Results - Unified Agent
This article will provide instructions on how to determine whether a dependency listed in the go.mod or go.sum files should be included in the scan results.
How is the new Go Modules resolver different from the original resolver?
The new Go Modules resolver makes use of the 'go list' command. This command returns only effective dependencies: it reviews your source code and returns only the dependencies that the source code pulls in through import statements. The resolver also takes into account any replace directives you include in your go.mod file. When moving to the new Go Modules resolver, you may see fewer dependencies resolved, because the legacy version returned all dependencies listed in the go.mod and go.sum files regardless of whether they were used in the source code.
How to find the full list of Go dependencies that should be resolved using the new Go Modules resolver
The command that the Unified Agent uses to obtain the full list of dependencies resolved via Go Modules resolution is 'go list -deps -json all'.
When troubleshooting any missing dependencies, Mend Support will need the output of this command. These results are necessary during an investigation because, with the new resolution, the list of dependencies cannot be obtained without your source code.
If I think a dependency should be included in the results, how can I check on that specific dependency?
go mod why
'go mod why -m <module>': this command lets you find out where any of your dependencies are used. To demonstrate this I will use github.com/dsnet/compress, found in my go.mod file.
go mod why -m github.com/dsnet/compress
# github.com/dsnet/compress
wse5947
github.com/dsnet/compress/brotli
The output shows that github.com/dsnet/compress gets consumed by github.com/dsnet/compress/brotli.
In the event that the dependency is not used, the command returns 'main module does not need package'.
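The following script is an added example written for this article; it is not part of Mend's Unified Agent and is not the author's own code. It applies both checks described above ('go mod why -m <module>' and 'go list -deps -json all') to a single module path, and it also runs offline on constructed sample outputs so the parsing can be tried without a Go toolchain. The sample outputs, the module path github.com/example/notused and the version v1.2.3 are constructed placeholders. Note that with the -m flag the Go tool prints '(main module does not need module <path>)', while the package form of the command prints '(main module does not need package <path>)'; the parser below accepts either wording.

```shell
#!/bin/sh
# Added example for this article; it is not part of Mend's Unified Agent.
# It applies the two checks described above to one module path:
#   classify_why_output  - interprets captured output of `go mod why -m <module>`
#   module_in_deps_json  - looks for the module in captured `go list -deps -json all` output
#   check_module         - runs both real commands when `go` is on PATH
# The SAMPLE_* values are constructed to mirror the output shapes shown in the
# article (github.com/example/notused and v1.2.3 are placeholders).

SAMPLE_WHY_USED='# github.com/dsnet/compress
wse5947
github.com/dsnet/compress/brotli'

SAMPLE_WHY_UNUSED='# github.com/example/notused
(main module does not need module github.com/example/notused)'

SAMPLE_DEPS_JSON='{
	"ImportPath": "github.com/dsnet/compress/brotli",
	"Module": {
		"Path": "github.com/dsnet/compress",
		"Version": "v1.2.3"
	}
}
{
	"ImportPath": "wse5947",
	"Module": {
		"Path": "wse5947",
		"Main": true
	}
}'

# Prints "used" when the output lists an import chain (one line per hop after the
# "# <module>" header) and "unused" when go reports that the main module does not
# need the module/package, or when no chain is printed at all.
classify_why_output() {
  printf '%s\n' "$1" | awk '
    /^#/                           { next }
    /^\(main module does not need/ { unused = 1; next }
    NF > 0                         { chain++ }
    END { if (unused || chain == 0) print "unused"; else print "used" }'
}

# Exit status 0 when some package in the JSON stream belongs to the module.
# `go list -json` prints a bare "Path" key only inside the "Module" object, so an
# exact fixed-string match on "Path": "<module>" is enough without a JSON parser.
module_in_deps_json() {
  printf '%s\n' "$2" | grep -Fq "\"Path\": \"$1\""
}

# Runs the real commands from the module directory and prints a one-line verdict.
# Usage: check_module github.com/dsnet/compress
check_module() {
  command -v go >/dev/null 2>&1 || { echo "go is not on PATH" >&2; return 2; }
  why_out="$(go mod why -m "$1")" || return 1
  deps_out="$(go list -deps -json all 2>/dev/null)"
  if module_in_deps_json "$1" "$deps_out"; then listed=yes; else listed=no; fi
  printf '%s: go mod why says %s; present in go list -deps: %s\n' \
    "$1" "$(classify_why_output "$why_out")" "$listed"
}

# Offline demonstration on the constructed samples:
classify_why_output "$SAMPLE_WHY_USED"     # used
classify_why_output "$SAMPLE_WHY_UNUSED"   # unused
module_in_deps_json github.com/dsnet/compress "$SAMPLE_DEPS_JSON" && echo listed
```

When both checks disagree for a real module (for example, 'go mod why' shows a chain but the module is absent from the 'go list -deps -json all' output, or the reverse), that output is exactly what Mend Support asks for, so capture it from the same module directory the Unified Agent scans.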