fossas · zlav · Jun 3, 2025 · Jun 2, 2025 · Jun 2, 2025 · Jun 2, 2025
@@ -1,5 +1,9 @@
 # FOSSA CLI Changelog
 
+## 3.10.10
+
+- go: support the `tool` directive introduced in go Feb 2025 ([#1553](https://github.com/fossas/fossa-cli/pull/1553))
+
 ## 3.10.9
 
 - CLI Args: Add a `--tee-output` argument to allow uploading results and also printing them to stdout.([#1546](https://github.com/fossas/fossa-cli/pull/1546))

@@ -110,6 +110,15 @@ If it fails or `fossa analyze` is invoked with `--static-analysis-only`, the str
 
 ## FAQ
 
+### What happens to the other directives in the `go.mod` file?
+
+The `go.mod` [file has a number of directives](https://go.dev/doc/modules/gomod-ref) other than require and replace which we parse but discard:
+
+- go - The version of GO that the project is built upon. The CLI does not support scanning build tools.
+- toolchain - Specifies the toolchain to use during compilation. 
+- tool - Developer tools that should be imported with the project. Developer tools are excluded by default.
+- godebug - Specifies default GODEBUG settings.
+
 ### Why do I see a dependency in `go.mod`, but it is not reflected in FOSSA?
 
 To explain how this can be the case, it's important to note that just because a package is in `go.mod` doesn't mean that it's actually used in the project;

@@ -87,6 +87,13 @@ data Statement
     -- the toolchain block as they are of no use to us today.
     -- Refer to: https://go.dev/doc/modules/gomod-ref#toolchain
     ToolchainStatement Text
+  | -- | dependencies in the tool block are development tools
+    -- which we do not currently support scanning, so we skip this.
+    -- Refer to: https://tip.golang.org/doc/modules/managing-dependencies#tools
+    ToolStatement Text
+  | -- | Specifies the default GODEBUG settings.
+    -- Refer to: https://go.dev/doc/modules/gomod-ref#godebug
+    GoDebugStatements Text
   deriving (Eq, Ord, Show)
 
 type PackageName = Text
@@ -222,8 +229,10 @@ gomodParser = do
   pure (toGomod name statements')
   where
     statement =
-      (singleton <$> goVersionStatement) -- singleton wraps the Parser Statement into a Parser [Statement]
+      (singleton <$> goDebugStatements) -- singleton wraps the Parser Statement into a Parser [Statement]
         <|> (singleton <$> toolChainStatements)
+        <|> (singleton <$> toolStatements)
+        <|> (singleton <$> goVersionStatement)
         <|> requireStatements
         <|> replaceStatements
         <|> excludeStatements
@@ -234,11 +243,21 @@ gomodParser = do
     goVersionStatement :: Parser Statement
     goVersionStatement = GoVersionStatement <$ lexeme (chunk "go") <*> goVersion
 
-    -- top-level go version statement
+    -- top-level toolchain statement
     -- e.g., toolchain go1.21.1
     toolChainStatements :: Parser Statement
     toolChainStatements = ToolchainStatement <$ lexeme (chunk "toolchain") <*> anyToken
 
+    -- top-level tool statement
+    -- e.g., tool golang.org/x/tools/cmd/stringer
+    toolStatements :: Parser Statement
+    toolStatements = ToolStatement <$ lexeme (chunk "tool") <*> anyToken
+
+    -- top-level godebug statement
+    -- e.g., godebug asynctimerchan=0
+    goDebugStatements :: Parser Statement
+    goDebugStatements = GoDebugStatements <$ lexeme (chunk "godebug") <*> anyToken
+
     -- top-level require statements
     -- e.g.:
     --   require golang.org/x/text v1.0.0

@@ -7,6 +7,10 @@ go 1.12
 
 toolchain go1.21.1
 
+tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint
+
+godebug asynctimerchan=0
+
 require repo/name/A v1.0.0 // indirect
 
 require (