cataloger: golang source cataloger
What would you like to be added:
A cataloger that is invoked on a directory scan for the Golang ecosystem and discovers all **/go.mod files. The cataloger will use the main module at the top of the modfile and then load all the root packages via the Go tools utilities found at golang.org/x/tools/go/packages. These root packages will be created as syft packages for the SBOM. The cataloger will also visit all of the packages in the import graph whose roots are in the initial root package list, which allows the cataloger to surface all direct and transitive dependencies for a given main module. Vendored dependencies also have the additional bonus of allowing license discovery during this method, since the module's dirPath is surfaced during its discovery by the x/tools/go/packages utility.
Why is this needed:
More accurate Golang source cataloging. Currently we only parse the flat list from go.mod or dependency information from discovered go binaries. This new feature will give a more complete overview of all the modules imported by a go project. Some projects can have more than one go.mod file, which could lead to "duplicate" dependencies being discovered during this process. It's important to include the root parent in the main package discovered so that it's obvious to consumers of the SBOM that these "duplicates" belong to different main modules.
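As an added illustration (not code from syft or from this issue), the shape of the two steps described above in Go: read the main module from a go.mod, then walk the import graph from the root packages, tagging every record with the main module so that a dependency shared by two go.mod files is recorded once per main module rather than collapsed into one ambiguous entry. The `imports` map is a constructed stand-in for what packages.Load from golang.org/x/tools/go/packages would return; the function names are hypothetical.

```go
package main

import "strings"

// Pkg is one SBOM record. Carrying MainModule on every record is what lets a
// consumer tell apart a "duplicate" dependency reached from two go.mod files.
type Pkg struct {
	MainModule string // module directive of the go.mod whose roots reached it
	Path       string // import path of the discovered package
}

// mainModule returns the "module" directive from go.mod contents ("" if absent).
func mainModule(modfile string) string {
	for _, line := range strings.Split(modfile, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "module" {
			return f[1]
		}
	}
	return ""
}

// collectDeps walks the import graph from the root packages depth-first (the
// walk packages.Visit performs over packages.Load results; `imports` here is
// a constructed stand-in for Package.Imports) and attributes every direct and
// transitive package to the main module that owns the roots.
func collectDeps(mainMod string, roots []string, imports map[string][]string) []Pkg {
	seen := map[string]bool{}
	var out []Pkg
	var visit func(p string)
	visit = func(p string) {
		if seen[p] {
			return // already recorded under this main module; also breaks cycles
		}
		seen[p] = true
		out = append(out, Pkg{MainModule: mainMod, Path: p})
		for _, imp := range imports[p] {
			visit(imp)
		}
	}
	for _, r := range roots {
		visit(r)
	}
	return out
}
```

Run collectDeps once per discovered go.mod: the dedup set is per call, so a shared dependency shows up under each main module that reaches it.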