Use go list instead of go mod graph to build dependency graph #64

Open
nscuro opened this issue Sep 19, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

nscuro commented Sep 19, 2021

go mod graph apparently isn't really intended for generating an accurate dependency graph (that is, differentiating between direct and transitive dependencies). This becomes painfully obvious when running that command on modules that have go 1.17 in their go.mod file (golang/go#47648).

The output of go list -deps -json has a .Deps field which we could use to build a dependency graph instead. But go list as of today is still subject to build constraints. That will work for the new app command, but not for mod.

There is, however, an effort to support "unconstrained" use of go list: golang/go#42504

nscuro added the label enhancement (New feature or request) Sep 19, 2021
nscuro commented Sep 27, 2021

Oh man, of course! The Module struct has an Indirect field:

Indirect bool // is this module only an indirect dependency of main module?

So we can just prune edges from the main module to its indirect dependencies that way!
I'm not 100% sure that this completely solves the problem, but it certainly is a quick win.

nscuro commented Sep 27, 2021

Alright, so there's still a distinction to be made between direct dependencies and indirect dependencies that have been explicitly declared in go.mod (e.g. to force-update them to a newer version). go mod graph treats explicit, transitive dependencies as edges as well.
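The two ideas from the comments above, building module edges from go list output and pruning the main module's edges to modules flagged Indirect, as an added example. This is not code from the issue or from cyclonedx-gomod: the struct fields are the subset of the real `go list -json` output that the example needs, the module paths, versions and both samples are constructed, and `sampleModGraph` is a hand-written literal of the edges `go mod graph` would report for that module (versions dropped) rather than parsed tool output. Note that the package-level field `Imports` holds a package's direct imports while `Deps` is the transitive closure; the example derives edges from `Imports` so that a module edge A -> B appears only when some package in A actually imports a package in B.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Subset of the per-package JSON from `go list -deps -json`. Imports holds the direct
// imports; Deps (not used here) is the transitive closure. Module is nil for stdlib.
type listPkg struct {
	ImportPath string
	Imports    []string
	Module     *struct {
		Path           string
		Main, Indirect bool // Indirect mirrors a `// indirect` requirement in go.mod
	}
}

// Graph maps a module path to the set of module paths it has edges to.
type Graph map[string]map[string]bool
func (g Graph) add(from, to string) {
	if g[from] == nil {
		g[from] = map[string]bool{}
	}
	g[from][to] = true
}

// GraphFromGoList decodes the concatenated JSON objects go list prints and lifts
// package imports to module edges. Also returns the main module path and Indirect set.
func GraphFromGoList(r io.Reader) (Graph, string, map[string]bool, error) {
	var pkgs []listPkg
	for dec := json.NewDecoder(r); dec.More(); {
		var p listPkg
		if err := dec.Decode(&p); err != nil {
			return nil, "", nil, err
		}
		pkgs = append(pkgs, p)
	}
	modOf, indirect, mainMod := map[string]string{}, map[string]bool{}, ""
	for _, p := range pkgs {
		if m := p.Module; m != nil {
			modOf[p.ImportPath] = m.Path
			if m.Main {
				mainMod = m.Path
			}
			if m.Indirect {
				indirect[m.Path] = true
			}
		}
	}
	g := Graph{}
	for _, p := range pkgs {
		for _, imp := range p.Imports {
			from, to := modOf[p.ImportPath], modOf[imp]
			if from != "" && to != "" && from != to { // skip stdlib and intra-module imports
				g.add(from, to)
			}
		}
	}
	return g, mainMod, indirect, nil
}

// PruneIndirect drops edges from the main module to modules flagged Indirect, i.e.
// the explicit `// indirect` requirements that go mod graph still reports as edges.
func PruneIndirect(g Graph, mainMod string, indirect map[string]bool) Graph {
	for to := range g[mainMod] {
		if indirect[to] {
			delete(g[mainMod], to)
		}
	}
	return g
}

// Constructed sample of `go list -deps -json` output (not from a real build): x/text is
// imported only by foo/lib but listed `// indirect` in the main go.mod to force v0.3.7.
const sampleGoList = `
{"ImportPath":"fmt","Standard":true}
{"ImportPath":"golang.org/x/text/unicode/norm","Imports":["fmt"],"Module":{"Path":"golang.org/x/text","Version":"v0.3.7","Indirect":true}}
{"ImportPath":"github.com/foo/lib","Imports":["golang.org/x/text/unicode/norm"],"Module":{"Path":"github.com/foo/lib","Version":"v1.2.0"}}
{"ImportPath":"example.com/app","Imports":["fmt","github.com/foo/lib"],"Module":{"Path":"example.com/app","Main":true}}
`

// Constructed edges as `go mod graph` would report them for the same module (versions
// dropped): the forced requirement shows up as an edge example.com/app -> golang.org/x/text.
var sampleModGraph = Graph{
	"example.com/app":    {"github.com/foo/lib": true, "golang.org/x/text": true},
	"github.com/foo/lib": {"golang.org/x/text": true},
}

func main() {
	fromList, mainMod, indirect, err := GraphFromGoList(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	fmt.Println("go list imports:     ", fromList)
	fmt.Println("go mod graph, pruned:", PruneIndirect(sampleModGraph, mainMod, indirect))
}
```

On the constructed input both routes agree: the import-derived graph never contains the edge from example.com/app to golang.org/x/text, and pruning the Indirect-flagged target from the go mod graph edges removes it, leaving example.com/app -> github.com/foo/lib -> golang.org/x/text. In a real run, feed the output of `go list -deps -json ./...` to GraphFromGoList; the flag values then come from the module's own go.mod.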

nscuro added a commit that referenced this issue Sep 27, 2021
* prune edges to indirect dependencies of main module

Signed-off-by: nscuro <nscuro@protonmail.com>

* regenerate example sboms

Signed-off-by: nscuro <nscuro@protonmail.com>

(partly) addresses #64
nscuro added a commit that referenced this issue Sep 27, 2021
see #64 (comment) and #64 (comment)

Signed-off-by: nscuro <nscuro@protonmail.com>
cleaton commented Jan 27, 2022

Maybe a flag to toggle removal of indirect dependencies? I think it makes more sense to include all dependencies so the SBOM can cover tests and tools.go.

nscuro commented Jan 27, 2022

@cleaton Transitive dependencies are always included. This issue is more about the dependency graph and the edges within it. As of now, it may be possible that indirect dependencies are considered to be direct. The component inventory is complete in any case.

Regarding test dependencies: This is supported in the mod command.
