Comments (2)
Hi @albert0815, great question!
The tl;dr is that everything is working as expected, and here's why:
Go is a lot smarter than other ecosystems when it comes to detecting which dependencies are actually needed. There are lots of situations where a module may be included in the output of cat go.mod, cat go.sum, go list -m all, or go mod graph, despite there not being an actual dependency. When building, Go analyzes all imports transitively. If no package in a module is ever imported in the "active" code, that module is not included in the build.
Go provides the go mod why command, which
[...] shows a shortest path in the import graph from the main module to each of the listed packages
It also has the -m flag, which allows querying for modules rather than for packages:
The -m flag causes go mod why to treat its arguments as a list of modules. go mod why will print a path to any package in each of the modules
If we query k8s.io/apimachinery for k8s.io/kube-openapi, we get:
$ go mod why -m k8s.io/kube-openapi
# k8s.io/kube-openapi
k8s.io/apimachinery/pkg/util/managedfields
k8s.io/kube-openapi/pkg/schemaconv
So k8s.io/kube-openapi is required because the k8s.io/apimachinery/pkg/util/managedfields package depends on k8s.io/kube-openapi/pkg/schemaconv. If we repeat this for github.com/ghodss/yaml, we get:
$ go mod why -m github.com/ghodss/yaml
# github.com/ghodss/yaml
(main module does not need module github.com/ghodss/yaml)
OK, github.com/ghodss/yaml is not required at all by k8s.io/apimachinery. As a sanity check, we can repeat this for gopkg.in/yaml.v2:
$ go mod why -m gopkg.in/yaml.v2
# gopkg.in/yaml.v2
k8s.io/apimachinery/pkg/runtime
sigs.k8s.io/structured-merge-diff/v4/value
gopkg.in/yaml.v2
We now see that transitive relationships are indeed discovered, but for some reason github.com/ghodss/yaml is not recognized. Why?
Well, switching to k8s.io/kube-openapi now, we repeat the procedure above:
$ go mod why -m github.com/ghodss/yaml
# github.com/ghodss/yaml
k8s.io/kube-openapi/test/integration/builder3
github.com/getkin/kin-openapi/openapi3
github.com/ghodss/yaml
This tells us that github.com/ghodss/yaml is required by github.com/getkin/kin-openapi/openapi3, which in turn is imported by k8s.io/kube-openapi/test/integration/builder3. builder3 is an application (package main) and is apparently used to generate test data for kube-openapi's integration tests. The main package cannot be imported by other packages, so there is no path in the "import graph" that could lead to k8s.io/apimachinery depending on k8s.io/kube-openapi/test/integration/builder3.
Output of cyclonedx-gomod mod thus does not include github.com/ghodss/yaml, because it uses go mod why -m to prune the dependency graph of cases like this. You can see this process happening if you use the -verbose flag:
10:52AM DBG loading modules includeTest=false moduleDir=.
10:52AM DBG executing command cmd="/opt/homebrew/bin/go list -mod readonly -json -m all" dir=.
10:52AM DBG filtering modules includeTest=false moduleCount=87 moduleDir=.
10:52AM DBG executing command cmd="/opt/homebrew/bin/go mod why -m -vendor [...] github.com/ghodss/yaml" dir=.
10:52AM DBG filtering module module=github.com/ghodss/yaml reason="not needed"
Most other tools will just read the go.mod or go.sum file. Maybe they also run go list -m, but all these strategies lead to unbearable noise. You shouldn't have to worry about github.com/ghodss/yaml if there's no way for your module to ever use it.
Hope this helps, please let me know if you need further clarification.
from cyclonedx-gomod.
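The comment above describes pruning a module list with go mod why -m: a stanza that lists an import path means the module is reachable, a stanza with a parenthesised explanation such as "(main module does not need module X)" means it is dead weight. The following added example, which is not code from cyclonedx-gomod or from the commenter, parses that stanza format and applies the pruning rule. The sample output is constructed from the three stanzas shown in the thread; the function and type names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleWhyOutput is a constructed sample of `go mod why -m` output, pasted
// together from the three stanzas shown in the comment above. Real output
// separates stanzas with blank lines exactly like this.
const SampleWhyOutput = `# k8s.io/kube-openapi
k8s.io/apimachinery/pkg/util/managedfields
k8s.io/kube-openapi/pkg/schemaconv

# github.com/ghodss/yaml
(main module does not need module github.com/ghodss/yaml)

# gopkg.in/yaml.v2
k8s.io/apimachinery/pkg/runtime
sigs.k8s.io/structured-merge-diff/v4/value
gopkg.in/yaml.v2
`

// WhyResult records, for one module, whether the main module needs it and
// the shortest import path that go mod why reported (empty when not needed).
type WhyResult struct {
	Module string
	Needed bool
	Path   []string
}

// ParseModWhy parses the stanza output of `go mod why -m <modules...>`.
// Each stanza starts with "# <module>", followed either by one import path
// per line or by a parenthesised explanation line. An import path never
// starts with "(", so the two cases are easy to tell apart.
func ParseModWhy(output string) map[string]WhyResult {
	results := make(map[string]WhyResult)
	var cur *WhyResult
	for _, raw := range strings.Split(output, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "# "):
			// A new stanza begins: store the previous one, if any.
			if cur != nil {
				results[cur.Module] = *cur
			}
			cur = &WhyResult{Module: strings.TrimPrefix(line, "# ")}
		case strings.HasPrefix(line, "(") && strings.HasSuffix(line, ")"):
			// Explanatory line: the main module does not need this module.
			if cur != nil {
				cur.Needed = false
				cur.Path = nil
			}
		default:
			// One hop of the import path from the main module.
			if cur != nil {
				cur.Needed = true
				cur.Path = append(cur.Path, line)
			}
		}
	}
	if cur != nil {
		results[cur.Module] = *cur
	}
	return results
}

// PruneModules applies the filtering the comment describes: modules that
// go mod why reports as not needed are dropped, modules with an import path
// are kept. A module with no stanza at all is also kept, so that a missing
// answer never silently removes a component from the SBOM.
func PruneModules(candidates []string, why map[string]WhyResult) (kept, dropped []string) {
	for _, m := range candidates {
		if r, ok := why[m]; ok && !r.Needed {
			dropped = append(dropped, m)
			continue
		}
		kept = append(kept, m)
	}
	return kept, dropped
}

func main() {
	results := ParseModWhy(SampleWhyOutput)
	candidates := []string{"k8s.io/kube-openapi", "github.com/ghodss/yaml", "gopkg.in/yaml.v2"}
	kept, dropped := PruneModules(candidates, results)
	for _, m := range kept {
		fmt.Printf("keep  %s  (via %s)\n", m, strings.Join(results[m].Path, " -> "))
	}
	for _, m := range dropped {
		fmt.Printf("drop  %s  (not needed by the main module)\n", m)
	}
}
```

In a real pipeline the candidate list would come from go list -m all and the stanzas from a single go mod why -m invocation over all of them, as the -verbose log above shows; the parser is the same either way.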
Thank you very much for the detailed explanation! I got it, closing the ticket.
from cyclonedx-gomod.