Update expectations to use more accurate gomod dependency generation
In Add golang builder to gemnasium and sbomgen-gol... (gitlab-org/security-products/analyzers/gemnasium!392 - merged) the logic for scanning Go projects was changed to the following:

1. The analyzer first invokes a builder and attempts to generate a build list (more accurate dependency reporting).
2. If the build list fails, we fall back to parsing the `go.sum` file (less accurate dependency reporting, with possible false positives).

If this test project only had a `go.sum` file, we would automatically use option 2 above, and the expectations would remain the same. However, since this test project has a `main.go` and a `go.mod` file, we're able to use the more accurate scan in option 1, which removes false positives, and therefore we currently have broken tests due to a mismatch in the expectations, as shown here.
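As an added illustration (not code from the gemnasium project), the following Go program compares a constructed `go.sum` against a constructed build list and reports the module versions that only `go.sum` mentions, which is the kind of entry a `go.sum`-only fallback scan can report as a false positive. Module paths and hashes are constructed samples; `go list -m all` is named only as the output shape the build list sample mimics.

```go
package main

import (
	"fmt"
	"strings"
)

type ModVersion struct{ Path, Version string }

// Constructed sample go.sum (hashes are placeholders). go.sum carries "/go.mod"
// hash lines and retains versions the final build list no longer selects.
const sampleGoSum = `github.com/pkg/errors v0.8.1 h1:PLACEHOLDER=
github.com/pkg/errors v0.9.1 h1:PLACEHOLDER=
github.com/pkg/errors v0.9.1/go.mod h1:PLACEHOLDER=
golang.org/x/text v0.3.0/go.mod h1:PLACEHOLDER=
golang.org/x/text v0.3.2 h1:PLACEHOLDER=
`

// Constructed stand-in for a builder's build list (shape of `go list -m all`):
// the main module first, then one selected version per dependency.
const sampleBuildList = `example.com/app
github.com/pkg/errors v0.9.1
golang.org/x/text v0.3.2
`

// SumOnly returns the distinct go.sum module versions the build list does not
// select, i.e. the candidates a go.sum-only scan may report as false positives.
func SumOnly(goSum, buildList string) []ModVersion {
	selected := map[ModVersion]bool{}
	for _, line := range strings.Split(buildList, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			selected[ModVersion{f[0], f[1]}] = true
		}
	}
	seen := map[ModVersion]bool{}
	var extra []ModVersion
	for _, line := range strings.Split(goSum, "\n") {
		if f := strings.Fields(line); len(f) >= 3 {
			mv := ModVersion{f[0], strings.TrimSuffix(f[1], "/go.mod")} // fold hash kinds
			if !selected[mv] && !seen[mv] {
				seen[mv] = true
				extra = append(extra, mv)
			}
		}
	}
	return extra
}

func main() {
	fmt.Println("in go.sum but not in build list:", SumOnly(sampleGoSum, sampleBuildList))
}
```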
In order to fix this, we have two options:

1. Remove the `main.go` and `go.mod` files. This will force the analyzer to parse the `go.sum` file, and the expectations will no longer need to be updated. This is difficult because if we remove the `main.go` file, the qa-gosec-sast job will fail, since it requires a `*.go` file to exist.
2. Update the expectations so they refer to the more accurate dependency scanning results obtained when we can generate a build list based on the `main.go` and `go.mod` files. This has the disadvantage of changing the test, since we're now checking the behaviour of the analyzer when generating a build list, whereas before we were checking the behaviour of the analyzer when parsing the `go.sum` file. I believe this is an acceptable tradeoff, since the purpose of this test is a sanity check for the Dependency-Scanning.gitlab-ci.yml template, and the more thorough tests for `go-modules` live in the gemnasium integration tests.

This MR implements option 2 above - it updates the expectations.