Support replaced Go modules in Gemnasium
Go modules can be replaced with the `replace` directive in go.mod files. This feature serves different purposes, one being to point a build at a fork of an upstream project that carries local patches. This is the case, for example, in gitlab-shell, where golang.org/x/crypto is replaced by gitlab-org/golang-crypto: https://gitlab.com/gitlab-org/gitlab-shell/-/blob/68d860f64eb02b46d9d8f861770b4edee77e1aa5/go.mod#L98
Yet this replacement isn't reflected in the dependency list: the report still names the original module path and version, while the code that is actually compiled in comes from the fork. The SBOM generated for such a project therefore does not describe the code that ships, and anything derived from it (vulnerability matching included) is working from the wrong module.
Proposal
Short term solution: Include the replacement module as a new dependency, so the code that is actually built appears in the list.
Long term solution: Support replacements in the dependency scanning report schema, so a dependency can carry the link between the original module and its replacement.
Implementation
- Update the module struct so that it includes the module replacement field (`go list -m -json` emits it as `Replace`, itself a module with `Path` and `Version`).
- Add a test to verify that it generates the correct command and parses the output correctly.
- Update the Go builder so that it checks if the replacement module field is set.
- Update specs to verify that the module replacement detection is working as intended.
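The following is an added example illustrating the proposal and the implementation steps above; it is not Gemnasium's own code. It decodes the JSON stream that `go list -m -json all` prints (one object per module, no surrounding array), using the `Replace` field documented in `go help list`, and emits the dependencies that are actually compiled in: a replaced module is reported under the replacement's path and version, with the original path kept alongside it so the link can be carried once the report schema supports it. The sample input, its module names other than the gitlab-shell case cited above, and all version strings are constructed for the example. It also covers a directory replacement (`replace foo => ../foo`), where the replacement has no version and the path is not a module path at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module mirrors the subset of `go list -m -json all` output used here.
// Field names follow `go help list`; Replace is set when a go.mod replace
// directive applies to this module.
type Module struct {
	Path     string
	Version  string
	Main     bool    `json:",omitempty"`
	Indirect bool    `json:",omitempty"`
	Replace  *Module `json:",omitempty"`
}

// Dependency is the record a scanner would emit per compiled-in module.
type Dependency struct {
	Name     string
	Version  string
	Replaces string // original module path when this entry stands in for it
	Local    bool   // replacement is a local directory, not a module path
}

// parseGoList decodes the concatenated JSON objects produced by
// `go list -m -json all`. There is no enclosing array, so a Decoder
// is read in a loop until EOF.
func parseGoList(r io.Reader) ([]Module, error) {
	dec := json.NewDecoder(r)
	var mods []Module
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
	return mods, nil
}

// effectiveDependencies skips the main module and, for a replaced module,
// reports the replacement's path and version (the short-term proposal)
// while keeping the original path in Replaces for the long-term schema.
func effectiveDependencies(mods []Module) []Dependency {
	var deps []Dependency
	for _, m := range mods {
		if m.Main {
			continue
		}
		d := Dependency{Name: m.Path, Version: m.Version}
		if m.Replace != nil {
			d.Name = m.Replace.Path
			d.Version = m.Replace.Version
			d.Replaces = m.Path
			// go.mod treats targets starting with ./ or ../ as directories;
			// they carry no version, and Path is the directory as written.
			d.Local = strings.HasPrefix(d.Name, "./") || strings.HasPrefix(d.Name, "../")
		}
		deps = append(deps, d)
	}
	return deps
}

// sampleGoList is constructed input in the shape of `go list -m -json all`.
// Versions and the example.com modules are hypothetical.
const sampleGoList = `{"Path": "gitlab.com/gitlab-org/gitlab-shell", "Main": true}
{"Path": "golang.org/x/crypto", "Version": "v0.1.0",
 "Replace": {"Path": "gitlab.com/gitlab-org/golang-crypto", "Version": "v0.2.0"}}
{"Path": "golang.org/x/sys", "Version": "v0.1.0", "Indirect": true}
{"Path": "example.com/legacy", "Version": "v1.0.0",
 "Replace": {"Path": "../legacy-patched"}}`

func main() {
	mods, err := parseGoList(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	for _, d := range effectiveDependencies(mods) {
		switch {
		case d.Local:
			fmt.Printf("%s (local directory, replaces %s)\n", d.Name, d.Replaces)
		case d.Replaces != "":
			fmt.Printf("%s %s (replaces %s)\n", d.Name, d.Version, d.Replaces)
		default:
			fmt.Printf("%s %s\n", d.Name, d.Version)
		}
	}
}
```

Reading the stream with a `json.Decoder` rather than `json.Unmarshal` matters because `go list -m -json` never emits a JSON array; a scanner that unmarshals the whole output into a slice fails on the first module. The `Local` flag is the case a report schema has to decide on: a directory replacement has no version to match advisories against, so the entry should be marked rather than silently reported as a versioned module.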