-
-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use go list
instead of go mod graph
to build dependency graph
#64
Comments
Oh man, of course! The Indirect bool // is this module only an indirect dependency of main module? So we can just prune edges from the main module to its indirect dependencies that way! |
Alright, so there's still a distinction to be made between direct dependencies and indirect dependencies that have been explicitly declared in |
* prune edges to indirect dependencies of main module Signed-off-by: nscuro <nscuro@protonmail.com> * regenerate example sboms Signed-off-by: nscuro <nscuro@protonmail.com> (partly) addresses #64
see #64 (comment) and #64 (comment) Signed-off-by: nscuro <nscuro@protonmail.com>
Maybe a flag to toggle removal of indirect dependencies? I think it makes more sense to include all dependencies so the SBOM can cover tests and tools.go. |
@cleaton Transitive dependencies are always included. This issue is more about the dependency graph and the edges within it. As of now, it may be possible that indirect dependencies are considered to be direct. The component inventory is complete in any case. Regarding test dependencies: This is supported in the |
go mod graph
apparently isn't really intended for generating an accurate dependency graph (that is, differentiating between direct and transitive dependencies). This becomes painfully obvious when running that command on modules that havego 1.17
in theirgo.mod
file (golang/go#47648).The output of
go list -deps -json
has a.Deps
field which we could use to build a dependency graph instead. Butgo list
as of today is still subject to build constraints. That will work for the newapp
command, but not formod
.There is however an effort of supporting "unconstrained" use of
go list
: golang/go#42504The text was updated successfully, but these errors were encountered: