Skip to content

Refactor fs.DirFS file resolution

Oscar Tovarrequested to merge
otovar/oknnvulpxpom into main

What does this MR do and why?

We noticed that some tests started to fail in the CI/CD component when we released v0.39.1. Upon investigating further, we discovered that the fs.DirFS initialization was pointing to the wrong directory. This MR does a couple of things to address this:

  1. We remove the project file resolution logic, and replace this with a fs.DirFS that's rooted at the project directory. The parser is then able to resolve files by doing simple opens like fsys.Open("go.graph").
  2. We replace the string literals with constants to ensure that we're referring to the right file names at all times.
  3. We've added a nested directory test for Go projects. This will catch regressions before they're pushed to main.

Related to Incomplete Dependency Graph Generation in `depe... (gitlab-org/gitlab#548363 - closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

before:

go run ./cmd/dependency-scanning/ run --target-dir tmp/asdf/
[INFO] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/cmd/dependency-scanning/main.go:46] ▶ Starting GitLab dependency-scanning version not-configured (00000000)
[DEBU] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:56] ▶ Inspect directory: .
[DEBU] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:56] ▶ Inspect directory: asdf
[DEBU] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:56] ▶ Inspect directory: asdf/gomod
[DEBU] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "asdf/gomod/go.graph" to "go_a1ff6937" subscriber on interest "go.graph"
[DEBU] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "asdf/gomod/go.mod" to "go_a1ff6937" subscriber on interest "go.mod"
[WARN] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:70] ▶ Subdirectories of asdf/gomod are not searched due to the environment variable DS_MAX_DEPTH value o
f 2
[FATA] [dependency-scanning] [2025-09-16T11:54:36-04:00] [/Users/hacks4oats/code/dependency-scanning/cmd/dependency-scanning/main.go:58] ▶ opening go.mod at asdf/gomod/go.mod: open asdf/gomod/go.mod: no such file or direct
ory
exit status 1

after:

go run ./cmd/dependency-scanning/ run --target-dir tmp/asdf/
[INFO] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/cmd/dependency-scanning/main.go:46] ▶ Starting GitLab dependency-scanning version not-configured (00000000)
[DEBU] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:56] ▶ Inspect directory: .
[DEBU] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:56] ▶ Inspect directory: asdf
[DEBU] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:56] ▶ Inspect directory: asdf/gomod
[DEBU] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "asdf/gomod/go.graph" to "go_a1ff6937" subscriber on interest "go.graph"
[DEBU] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/fevent/fevent.go:86] ▶ Sending "asdf/gomod/go.mod" to "go_a1ff6937" subscriber on interest "go.mod"
[WARN] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/finder/finder.go:70] ▶ Subdirectories of asdf/gomod are not searched due to the environment variable DS_MAX_DEPTH value o
f 2
[INFO] [dependency-scanning] [2025-09-16T11:56:54-04:00] [/Users/hacks4oats/code/dependency-scanning/cyclonedx/convert.go:88] ▶ generated SBOM /Users/hacks4oats/code/dependency-scanning/tmp/asdf/asdf/gomod/gl-sbom-go-go-1.
cdx.json for lock file asdf/gomod/go.mod

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Nest a Go project with a go.mod
  2. Run the analyzer with the target directory set to its parent directory.
  3. Verify that the scan completes successfully.
Edited by Oscar Tovar

Merge request reports