Read Go packages using `go list`
What does this MR do?
The `packages.Load` function would not discover packages when they were only used in tests. This meant that the go.sum parser would be used if a project only used Go for tests and did not produce other build artifacts. The `go list` command does not have this issue and produces a list of the packages used by the main module regardless of whether they were used in a test or in the final artifact.
Additional info
In Go 1.19 and newer the `go list` command allows the `-json` flag to specify the list of fields it should return. Since we've upgraded the analyzer images to use Go 1.19 or newer in !571 (merged), we leverage the `-json` flag, and this reduces the noise in the debug logs.
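As an added example (not code from this MR or from the analyzer), the snippet below shows how the output of `go list` with a restricted `-json` field list can be consumed. It assumes an invocation such as `go list -deps -test -json=ImportPath,Module ./...` (the `-deps` and `-test` flags are my assumption about how to include test-only packages, not something this MR states), and it parses a constructed sample of that output rather than shelling out, so it runs offline. The sample includes a module that is only imported from a test file, which is exactly the case the `packages.Load` approach missed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Package holds only the fields we ask go list for. With Go 1.19+,
// `go list -json=ImportPath,Module` emits just these two, which keeps
// the output (and any debug log of it) small.
type Package struct {
	ImportPath string  `json:"ImportPath"`
	Module     *Module `json:"Module,omitempty"` // nil for standard-library packages
}

// Module mirrors the Module sub-object of go list's JSON output.
type Module struct {
	Path    string  `json:"Path"`
	Version string  `json:"Version,omitempty"`
	Main    bool    `json:"Main,omitempty"`
	Replace *Module `json:"Replace,omitempty"` // set when a replace directive applies
}

// sampleGoListOutput is CONSTRUCTED sample output, not captured from a real
// project. go list emits one JSON object per package, concatenated, not an array.
// example.com/testlib is a hypothetical module imported only from *_test.go files.
const sampleGoListOutput = `{
	"ImportPath": "example.com/app",
	"Module": {"Path": "example.com/app", "Main": true}
}
{
	"ImportPath": "fmt"
}
{
	"ImportPath": "example.com/testlib/assert",
	"Module": {"Path": "example.com/testlib", "Version": "v1.2.3"}
}
{
	"ImportPath": "example.com/testlib/require",
	"Module": {"Path": "example.com/testlib", "Version": "v1.2.3"}
}
`

// parseGoList decodes the stream of JSON objects produced by go list.
// json.Decoder handles the concatenated-object format directly.
func parseGoList(r io.Reader) ([]Package, error) {
	dec := json.NewDecoder(r)
	var pkgs []Package
	for {
		var p Package
		err := dec.Decode(&p)
		if err == io.EOF {
			return pkgs, nil
		}
		if err != nil {
			return nil, err
		}
		pkgs = append(pkgs, p)
	}
}

// dependencyModules returns the distinct third-party modules as "path@version",
// skipping the main module and standard-library packages (which carry no Module).
// A replaced module is reported by its replacement, since that is what gets built.
func dependencyModules(pkgs []Package) []string {
	seen := map[string]bool{}
	var out []string
	for _, p := range pkgs {
		m := p.Module
		if m == nil || m.Main {
			continue
		}
		if m.Replace != nil {
			m = m.Replace
		}
		key := m.Path + "@" + m.Version
		if !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}
	return out
}

func main() {
	pkgs, err := parseGoList(strings.NewReader(sampleGoListOutput))
	if err != nil {
		panic(err)
	}
	for _, dep := range dependencyModules(pkgs) {
		fmt.Println(dep) // prints example.com/testlib@v1.2.3
	}
}
```

Because the two `example.com/testlib/...` packages belong to one module, the result collapses to a single `example.com/testlib@v1.2.3` entry; a scanner keyed on modules rather than packages avoids duplicate findings.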
What are the relevant issue numbers?
Closes Dependency scanning uses go.sum parser for Go p... (gitlab-org/gitlab#396918 - closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Fabien Catteau