Overview

Go introduced a new tools directive in version 1.24. Tools directive documentation

Tool dependencies let you manage developer tools that are written in Go and used when working on your module.

The explicit purpose is to allow users to download developer dependencies that are not shipped with the tool. We currently do not support differentiating between developer dependencies so I believe the correct behavior here is to ignore any dependencies in this directive.

This PR also ignores the godebug directive that we previously did not support. This specifies the default GODEBUG environment variable settings for the project. Unsure when this was introduced, but this causes a failure.

Acceptance criteria

GO projects with tool and godebug directives with single lines declarations properly scan.

Note: In the process of writing this PR I realized that multi-line syntax for toolchain and by extension, now tool and godebug directives is not supported by the CLI. I am going to work on this as a follow up item.

Testing plan

• I downloaded a project that has this tools directive
• I scanned it with the older version of the CLI and saw it fail
• I scanned it with this new branch and saw it succeed with the correct list of dependencies

Risks

• Tool support
• The way I'm ignoring tool support accidentally starts ignoring other things. I don't believe this is possible as the parser should encompass only what comes after the tool section and nothing else.
• After further testing I've found that toolchain, tool, and godebug support as implemented do not support multi line ignores. I'm investigating this but may put up a PR without this for the time being.

References

• PS-655: Implement tool support

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
• If this PR introduced a user-visible change, I added documentation into docs/.
• If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
• If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
• If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.