Treat go.mod as a lockfile for commands that need resolved dependencies

andrew · andrew · commit d238a0a3fa97 · 2026-02-06T09:21:32.000Z
Go has no traditional lockfile checked into repos. go.mod contains pinned
versions and is the closest equivalent. SQL queries filtering on
kind='lockfile' now also accept Go manifests so that stale, vulns sync,
and vuln stats work for Go projects.

Also fixes isResolvedDependency comparing against 'Go' when the stored
ecosystem value is 'golang'.
diff --git a/cmd/analysis_test.go b/cmd/analysis_test.go
@@ -3,6 +3,7 @@ package cmd_test
 import (
 	"bytes"
 	"encoding/json"
+	"os"
 	"strings"
 	"testing"
 
@@ -863,4 +864,53 @@ func TestStaleCommand(t *testing.T) {
 			t.Error("expected 'name' field in stale JSON")
 		}
 	})
+
+	t.Run("includes go.mod dependencies", func(t *testing.T) {
+		repoDir := createTestRepo(t)
+
+		goMod, err := os.ReadFile("testdata/ades-go.mod")
+		if err != nil {
+			t.Fatalf("failed to read fixture: %v", err)
+		}
+		addFileAndCommit(t, repoDir, "go.mod", string(goMod), "Add go.mod")
+
+		cleanup := chdir(t, repoDir)
+		defer cleanup()
+
+		rootCmd := cmd.NewRootCmd()
+		rootCmd.SetArgs([]string{"init"})
+		if err := rootCmd.Execute(); err != nil {
+			t.Fatalf("init failed: %v", err)
+		}
+
+		var stdout bytes.Buffer
+		rootCmd = cmd.NewRootCmd()
+		rootCmd.SetArgs([]string{"stale", "--days", "0", "--format", "json"})
+		rootCmd.SetOut(&stdout)
+
+		if err := rootCmd.Execute(); err != nil {
+			t.Fatalf("stale failed: %v", err)
+		}
+
+		var result []map[string]interface{}
+		if err := json.Unmarshal(stdout.Bytes(), &result); err != nil {
+			t.Fatalf("failed to parse JSON: %v", err)
+		}
+
+		if len(result) == 0 {
+			t.Fatal("expected Go dependencies in stale output, got none")
+		}
+
+		// Verify a known go.mod dependency appears
+		found := false
+		for _, entry := range result {
+			if name, ok := entry["name"].(string); ok && name == "golang.org/x/mod" {
+				found = true
+				break
+			}
+		}
+		if !found {
+			t.Error("expected golang.org/x/mod in stale output")
+		}
+	})
 }
diff --git a/cmd/helpers.go b/cmd/helpers.go
@@ -50,7 +50,7 @@ func shortSHA(sha string) string {
 }
 
 func isResolvedDependency(d database.Dependency) bool {
-	return d.Requirement != "" && (d.ManifestKind == "lockfile" || d.Ecosystem == "Go")
+	return d.Requirement != "" && (d.ManifestKind == "lockfile" || d.Ecosystem == "golang")
 }
 
 func filterByEcosystem(deps []database.Dependency, ecosystem string) []database.Dependency {
diff --git a/internal/database/queries.go b/internal/database/queries.go
@@ -683,7 +683,7 @@ func (db *DB) GetStaleDependencies(branchID int64, ecosystem string, days int) (
 			JOIN branch_commits bc ON bc.commit_id = ds.commit_id
 			WHERE bc.branch_id = ?
 			AND bc.position = (SELECT MAX(position) FROM branch_commits WHERE branch_id = ?)
-			AND m.kind = 'lockfile'
+			AND (m.kind = 'lockfile' OR (m.kind = 'manifest' AND m.ecosystem = 'golang'))
 		),
 		last_changed AS (
 			SELECT dc.name, m.path, MAX(c.committed_at) as last_changed
@@ -1581,7 +1581,7 @@ func (db *DB) GetVulnSyncStatus(branchID int64) ([]VulnSyncStatus, error) {
 		JOIN branch_commits bc ON bc.commit_id = ds.commit_id
 		JOIN manifests m ON m.id = ds.manifest_id
 		WHERE bc.branch_id = ?
-		AND m.kind = 'lockfile'
+		AND (m.kind = 'lockfile' OR (m.kind = 'manifest' AND m.ecosystem = 'golang'))
 		AND ds.ecosystem IS NOT NULL AND ds.ecosystem != ''
 		ORDER BY ds.ecosystem, ds.name
 	`, branchID)
@@ -1705,7 +1705,7 @@ func (db *DB) GetVulnerabilityStats(branchID int64) (map[string]int, error) {
 		JOIN manifests m ON m.id = ds.manifest_id
 		WHERE bc.branch_id = ?
 		AND bc.position = (SELECT MAX(position) FROM branch_commits WHERE branch_id = ?)
-		AND m.kind = 'lockfile'
+		AND (m.kind = 'lockfile' OR (m.kind = 'manifest' AND m.ecosystem = 'golang'))
 		GROUP BY v.severity
 	`, branchID, branchID)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ func shortSHA(sha string) string {`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`func isResolvedDependency(d database.Dependency) bool {`
`53`		`- return d.Requirement != "" && (d.ManifestKind == "lockfile" \|\| d.Ecosystem == "Go")`
	`53`	`+ return d.Requirement != "" && (d.ManifestKind == "lockfile" \|\| d.Ecosystem == "golang")`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`func filterByEcosystem(deps []database.Dependency, ecosystem string) []database.Dependency {`