Overview

We initially didn't expose a static only analysis method in the CLI for Go modules despite there being a pretty low-effort path to providing one. This PR makes a truly static Go analysis method and exposes it for use with the --static-only-analysis flag.

Acceptance criteria

It is possible to analyze go projects statically.

Testing plan

Compare running fossa analyze --static-only-analysis on this branch and in a release version. Static Go analysis fails using the current release version:

But succeeds in the one on this branch:

Risks

The main risk is that projects which didn't produce a result in the past may start to. This is the correct thing to do, but may result in more questions.

Metrics

References

slack thread

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
• If this PR introduced a user-visible change, I added documentation into docs/.
• If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
• If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
• If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.