Feat. Go mod file detector #1547
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a new Go mod file detector that provides buildless inspection of Go module dependencies by parsing go.mod files directly. The detector fetches transitive dependencies from the Go proxy (proxy.golang.org) and handles Go directives like toolchain, exclude, and replace.
- Creates a Go Mod File detector with high accuracy
- Implements recursive dependency resolution via Go proxy API calls
- Supports configuration override for Go forge URL through
--detect.go.forgeproperty
Reviewed Changes
Copilot reviewed 29 out of 30 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| DetectDetectableFactory.java | Adds factory method for creating GoModFileDetectable instances |
| DetectorRuleFactory.java | Configures Go Mod File detector as fallback after Go Mod CLI detector |
| DetectableOptionFactory.java | Creates options factory with Go proxy URL configuration |
| DetectProperties.java | Adds new property for configuring Go forge URL |
| DetectableFactory.java | Integrates GoModFileDetectable creation into main factory |
| GoModFile*.java | Core implementation files for parsing, dependency resolution, and proxy communication |
| Test files | Comprehensive test coverage for all components |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
src/main/java/com/blackduck/integration/detect/configuration/DetectProperties.java
Outdated
Show resolved
Hide resolved
...blackduck/integration/detectable/detectables/go/gomodfile/parse/GoModDependencyResolver.java
Outdated
Show resolved
Hide resolved
...in/java/com/blackduck/integration/detectable/detectables/go/gomodfile/parse/GoModParser.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 28 out of 30 changed files in this pull request and generated no new comments.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
sig-abyreddy
changed the title
sig-abyreddy
requested review from
cpottsbd,
dterrybd,
andrian-sevastyanov,
shantyk and
bd-samratmuk
| ## Go Mod CLI (GO_MOD) detector | ||
|
|
||
| * Discovers dependencies of go language (GoLang) projects. | ||
| * Discovers dependencies of Go projects that uses Go Mod package manager. |
There was a problem hiding this comment.
Perhaps a small change to reflect the go mod command versus the Go Module package manager?
- Discovers dependencies of Go projects that use Go Module package manager.
|
|
||
| ## Overview | ||
|
|
||
| [detect_product_short] has four detectors for GoLang: |
There was a problem hiding this comment.
Are we up to six detectors now I think?
| [detect_product_short] has four detectors for GoLang: | ||
|
|
||
| * Go Mod CLI (GO_MOD) detector (recommended) | ||
| * Go Mod File (GO_MOD) detector |
There was a problem hiding this comment.
Should this be using something other than (GO_MOD) to differentiate from Go Mod CLI?
|
|
||
| ## Go Mod File (GO_MOD) detector | ||
|
|
||
| * Discovers dependencies of Go projects that uses Go Mod package manager. |
There was a problem hiding this comment.
Suggestion:
- Discovers dependencies of Go projects that use Go Module package manager.
|
There are a couple of tests that seem to perform real HTTP requests. |
| import com.blackduck.integration.detectable.detectables.go.gomodfile.parse.model.GoModuleInfo; | ||
| import com.blackduck.integration.detectable.detectables.go.gomodfile.parse.model.GoReplaceDirective; | ||
|
|
||
| import java.util.*; |
There was a problem hiding this comment.
nit: We generally try to make imports explicit and avoid wildcards. Same applies to other classes in this PR.
| Set<GoModuleInfo> retractedVersions) { | ||
|
|
||
| // Check for block starts | ||
| if (line.startsWith("require (")) { |
There was a problem hiding this comment.
Do we need to be a bit more flexible regarding the number of spaces between the word and parentheses?
Same question applies to other similar checks.
| return fileParser.parseGoModFile(goModContents); | ||
| } | ||
|
|
||
| private void printDependencyGraphOfIndirectDependency(Dependency dependency, List<GoDependencyNode> path) { |
There was a problem hiding this comment.
While this doesn't print anything to the logs in debug mode, there's still quite a bit of processing going on when not in debug mode. You can avoid the unnecessary processing by introducing a check like if (logger.isDebugEnabled()) { ... }.
| return graph; | ||
| } | ||
|
|
||
| public List<GoDependencyNode> GetDependencyPathFromGraph(GoDependencyNode targetNode, GoDependencyNode graph, List<GoDependencyNode> visited) { |
There was a problem hiding this comment.
nit: method names should start with a lowercase letter
| this.externalIdFactory = externalIdFactory; | ||
| } | ||
|
|
||
| public Dependency CreateDependency(GoModuleInfo moduleInfo) { |
There was a problem hiding this comment.
nit:c at the start of the method name should be lower cased
| if (childPath.isEmpty()) { | ||
| visited.remove(visited.size() - 1); | ||
| } | ||
| if (!childPath.isEmpty()) { |
There was a problem hiding this comment.
nit: duplicate check to the one a few lines above. This could be an if/else instead.
| HttpClient client = HttpClient.newBuilder().followRedirects(Redirect.ALWAYS).build(); | ||
| try { | ||
| // configure http client to follow redirects | ||
| HttpRequest request = HttpRequest.newBuilder() |
There was a problem hiding this comment.
We should set some timeout settings. Otherwise the request may hang too long or even indefinitely.
Same applies to the requests that fetch dependency information.
| * Discovers dependencies of Go projects that uses Go Mod package manager. | ||
| * Attempts to run on your project if a go.mod file is found in your source directory. | ||
| * Parses go.mod file to gather dependency information. | ||
| * It computes dependency graph of transitives by fetching go.mod files of direct dependencies from proxy.golang.org or custom Go proxy supplied via [detect.go.forge](../properties/detectors/go.md#go-forge) property. If the proxy is not reachable, then the transitive dependencies are listed as additional components under the root module. |
There was a problem hiding this comment.
Minor wording change suggestion:
- Computes transitive dependency graph by fetching go.mod files of direct dependencies from proxy.golang.org or custom Go proxy supplied via detect.go.forge property. If the proxy is not reachable, the transitive dependencies are listed as additional components under the root module.
Description
Support for buildless inspection of Go Mod package manager through parsing of go.mod file.
Changes/Additions/Notes
--detect.go.forgepropertytoolchain,exclude, andreplacego directivesGo Mod (1)>Go Mod File (2)