diff --git a/Changelog.md b/Changelog.md
index 579a8def59..656c19c17d 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,9 @@
 # FOSSA CLI Changelog
 
+## 3.10.10
+
+- go: support the `tool` directive introduced in go Feb 2025 ([#1553](https://github.com/fossas/fossa-cli/pull/1553))
+
 ## 3.10.9
 
 - CLI Args: Add a `--tee-output` argument to allow uploading results and also printing them to stdout.([#1546](https://github.com/fossas/fossa-cli/pull/1546))
diff --git a/docs/references/strategies/languages/golang/gomodules.md b/docs/references/strategies/languages/golang/gomodules.md
index 808c4a9521..7e2d2e107d 100644
--- a/docs/references/strategies/languages/golang/gomodules.md
+++ b/docs/references/strategies/languages/golang/gomodules.md
@@ -110,6 +110,15 @@ If it fails or `fossa analyze` is invoked with `--static-analysis-only`, the str
 
 ## FAQ
 
+### What happens to the other directives in the `go.mod` file?
+
+The `go.mod` [file has a number of directives](https://go.dev/doc/modules/gomod-ref) other than require and replace which we parse but discard:
+
+- go - The version of GO that the project is built upon. The CLI does not support scanning build tools.
+- toolchain - Specifies the toolchain to use during compilation.
+- tool - Developer tools that should be imported with the project. Developer tools are excluded by default.
+- godebug - Specifies default GODEBUG settings.
+
 ### Why do I see a dependency in `go.mod`, but it is not reflected in FOSSA?
 
 To explain how this can be the case, it's important to note that just because a package is in `go.mod` doesn't mean that it's actually used in the project;
diff --git a/src/Strategy/Go/Gomod.hs b/src/Strategy/Go/Gomod.hs
index e5920f77f5..7f8d4842dc 100644
--- a/src/Strategy/Go/Gomod.hs
+++ b/src/Strategy/Go/Gomod.hs
@@ -87,6 +87,13 @@ data Statement
 -- the toolchain block as they are of no use to us today.
 -- Refer to: https://go.dev/doc/modules/gomod-ref#toolchain
 ToolchainStatement Text
+ | -- | dependencies in the tool block are development tools
+ -- which we do not currently support scanning, so we skip this.
+ -- Refer to: https://tip.golang.org/doc/modules/managing-dependencies#tools
+ ToolStatement Text
+ | -- | Specifies the default GODEBUG settings.
+ -- Refer to: https://go.dev/doc/modules/gomod-ref#godebug
+ GoDebugStatements Text
 deriving (Eq, Ord, Show)
 
 type PackageName = Text
@@ -222,8 +229,10 @@ gomodParser = do
 pure (toGomod name statements')
 where
 statement =
- (singleton <$> goVersionStatement) -- singleton wraps the Parser Statement into a Parser [Statement]
+ (singleton <$> goDebugStatements) -- singleton wraps the Parser Statement into a Parser [Statement]
 <|> (singleton <$> toolChainStatements)
+ <|> (singleton <$> toolStatements)
+ <|> (singleton <$> goVersionStatement)
 <|> requireStatements
 <|> replaceStatements
 <|> excludeStatements
@@ -234,11 +243,21 @@ gomodParser = do
 goVersionStatement :: Parser Statement
 goVersionStatement = GoVersionStatement <$ lexeme (chunk "go") <*> goVersion
 
- -- top-level go version statement
+ -- top-level toolchain statement
 -- e.g., toolchain go1.21.1
 toolChainStatements :: Parser Statement
 toolChainStatements = ToolchainStatement <$ lexeme (chunk "toolchain") <*> anyToken
 
+ -- top-level tool statement
+ -- e.g., tool golang.org/x/tools/cmd/stringer
+ toolStatements :: Parser Statement
+ toolStatements = ToolStatement <$ lexeme (chunk "tool") <*> anyToken
+
+ -- top-level godebug statement
+ -- e.g., godebug asynctimerchan=0
+ goDebugStatements :: Parser Statement
+ goDebugStatements = GoDebugStatements <$ lexeme (chunk "godebug") <*> anyToken
+
 -- top-level require statements
 -- e.g.:
 -- require golang.org/x/text v1.0.0
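Review bot: The Haddock on `ToolStatement` says the directive is skipped but not what that means for scan results, which is the part a maintainer of a dependency scanner needs. Packages named by `tool` are built and run on developer and CI machines, so they are supply-chain inputs even when they are not linked into the product; as far as I understand the Go toolchain, the module providing each tool is also listed under `require` and would still be reported from there, only without any marker that it is a development tool, which is worth confirming and stating. I would extend the comment along the lines of `-- The package path is parsed and discarded; the providing module is expected to appear in a require statement and is handled there.` The constructor is also named `GoDebugStatements` while its siblings are singular (`ToolStatement`, `ToolchainStatement`) and it holds a single `Text`, so `GoDebugStatement` would match. The `data Statement` declaration starts above this hunk.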
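Review bot: The order of the alternatives in `statement` is now load-bearing and nothing in the code says so: `chunk "go"` also matches the start of `godebug`, and `chunk "tool"` the start of `toolchain`, which appears to be why `goDebugStatements` was moved ahead of `goVersionStatement` and why `toolChainStatements` has to stay ahead of `toolStatements`. The comment that survives on the first alternative only explains `singleton`. I would add `-- order matters: try "godebug" before "go" and "toolchain" before "tool"; the shorter keyword is a prefix of the longer one` above the first alternative, so that a later reordering or a new directive does not silently break parsing of go.mod. `gomodParser` begins above this hunk, so how a failed alternative backtracks is not visible here.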
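Review bot: `toolStatements` and `goDebugStatements` read exactly one token after the keyword, so the code shown here accepts only the single-line form of each directive; the go.mod reference also allows the parenthesised block form (`tool ( ... )`, `godebug ( ... )`), and the fixture added to go.mod.edgecases exercises only the single-line form. If a block form makes the parser reject the file (likely, but `anyToken` and the surrounding loop are defined outside this hunk), the static strategy presumably cannot use that go.mod at all, which for a scanner means dependencies going unreported rather than a visible error in the results. `requireStatements` is already used without `singleton`, so it yields a list; the two new parsers could take the same shape, returning `Parser [Statement]` and accepting either one entry or a parenthesised group. A block-form case for each directive in the test data would pin the behaviour either way.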
diff --git a/test/Go/testdata/go.mod.edgecases b/test/Go/testdata/go.mod.edgecases
index af19ead67d..244625e826 100644
--- a/test/Go/testdata/go.mod.edgecases
+++ b/test/Go/testdata/go.mod.edgecases
@@ -7,6 +7,10 @@ go 1.12
 
 toolchain go1.21.1
 
+tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint
+
+godebug asynctimerchan=0
+
 require repo/name/A v1.0.0 // indirect
 
 require (