Hey folks!
Is there a particular reason why go mod edit -json is used instead of go list -json -m all?
I wrote down my idea to explain the question in a lot more detail:
What is the actual behaviour?
The dependency-check just analyzes direct modules. That's because go mod edit -json is used, which returns the list of required modules declared in the go.mod file.
What is expected?
The dependency-check should analyze indirect modules, too. That can be achieved by using the go list -json -m all command instead. It returns all modules and dependencies that are needed for that project, so indirect modules, too.
Why is this important?
Modules can simply require other modules, so they are nested. The dependency-check may miss vulnerabilities in indirect modules while analyzing only the direct modules.
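To make the difference concrete, here is an added example (not code from the original post or from the dependency-check project) that parses constructed sample output of both commands and lists the modules a checker reading only go mod edit -json would never see. The module paths and versions in the samples are made up; the JSON field names (Require, Path, Version, Indirect, Main) are the ones the two commands actually print.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Module holds the fields common to both JSON shapes that this example compares.
type Module struct {
	Path     string
	Version  string
	Indirect bool
	Main     bool
}

// goModEdit mirrors the single top-level object printed by `go mod edit -json`;
// only the Require field is needed here.
type goModEdit struct {
	Require []Module
}

// ParseGoModEdit decodes the one object that `go mod edit -json` prints and
// returns the require directives of go.mod, i.e. what the checker sees today.
func ParseGoModEdit(r io.Reader) ([]Module, error) {
	var gm goModEdit
	if err := json.NewDecoder(r).Decode(&gm); err != nil {
		return nil, fmt.Errorf("go mod edit -json: %w", err)
	}
	return gm.Require, nil
}

// ParseGoListModAll decodes the output of `go list -json -m all`, which is a
// stream of concatenated JSON objects (not a JSON array), one per module in
// the build list. The main module (Main: true) is skipped: it is the project
// itself, not a dependency.
func ParseGoListModAll(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("go list -json -m all: %w", err)
		}
		if m.Main {
			continue
		}
		mods = append(mods, m)
	}
	return mods, nil
}

// MissingFrom returns, sorted, the module paths present in full but absent
// from subset. Fed the two outputs it yields the indirect modules that a
// go.mod-only check never analyzes.
func MissingFrom(full, subset []Module) []string {
	seen := make(map[string]bool, len(subset))
	for _, m := range subset {
		seen[m.Path] = true
	}
	var out []string
	for _, m := range full {
		if !seen[m.Path] {
			out = append(out, m.Path)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample outputs, trimmed to the fields used above.
// The module paths and versions are invented for illustration.
const sampleGoModEdit = `{
	"Module": {"Path": "example.com/app"},
	"Go": "1.21",
	"Require": [
		{"Path": "example.com/lib-a", "Version": "v1.2.0"}
	]
}`

const sampleGoListModAll = `{"Path": "example.com/app", "Main": true}
{"Path": "example.com/lib-a", "Version": "v1.2.0"}
{"Path": "example.com/lib-b", "Version": "v0.9.1", "Indirect": true}
{"Path": "example.com/lib-c", "Version": "v2.0.3", "Indirect": true}`

func main() {
	direct, err := ParseGoModEdit(strings.NewReader(sampleGoModEdit))
	if err != nil {
		panic(err)
	}
	all, err := ParseGoListModAll(strings.NewReader(sampleGoListModAll))
	if err != nil {
		panic(err)
	}
	fmt.Printf("go.mod requires %d module(s); the build list has %d\n", len(direct), len(all))
	for _, p := range MissingFrom(all, direct) {
		fmt.Println("not visible via go mod edit -json:", p)
	}
}
```

Two details matter if the checker is switched over: go list -json -m all prints one JSON object per module back to back, so it has to be read with a streaming decoder rather than unmarshalled as an array, and the list includes the main module itself, which should be filtered out before matching against vulnerability data.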