ci: add depguard

.golangci.yaml

@@ -1,4 +1,14 @@
 linters-settings:
+  depguard:
+    rules:
+      main:
+        list-mode: lax
+        deny:
+          # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
+          - pkg: "golang.org/x/exp/slices"
+            desc: "Use 'slices' instead"
+          - pkg: "golang.org/x/exp/maps"
+            desc: "Use 'maps' or 'github.com/samber/lo' instead"
   dupl:
     threshold: 100
   errcheck:
@@ -81,6 +91,7 @@ linters:
   disable-all: true
   enable:
     - bodyclose
+    - depguard
     - gci
     - goconst
     - gocritic

go.mod

@@ -119,7 +119,7 @@ require (
 	github.com/zclconf/go-cty-yaml v1.0.3
 	go.etcd.io/bbolt v1.3.10
 	golang.org/x/crypto v0.24.0
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
 	golang.org/x/mod v0.17.0
 	golang.org/x/net v0.26.0
 	golang.org/x/sync v0.7.0

pkg/cloud/aws/commands/run.go

@@ -3,11 +3,11 @@ package commands
 import (
 	"context"
 	"errors"
+	"slices"
 	"sort"
 	"strings"
 
 	"github.com/aws/aws-sdk-go-v2/service/sts"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy-aws/pkg/errs"

pkg/commands/artifact/run.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/samber/lo"
 	"github.com/spf13/viper"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/go-version/pkg/semver"

pkg/compliance/spec/compliance.go

@@ -5,7 +5,7 @@ import (
 	"os"
 	"strings"
 
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
 
@@ -39,7 +39,7 @@ func (cs *ComplianceSpec) Scanners() (types.Scanners, error) {
 			scannerTypes[scannerType] = struct{}{}
 		}
 	}
-	return maps.Keys(scannerTypes), nil
+	return lo.Keys(scannerTypes), nil
 }
 
 // CheckIDs return list of compliance check IDs

pkg/compliance/spec/mapper.go

@@ -1,7 +1,7 @@
 package spec
 
 import (
-	"golang.org/x/exp/slices"
+	"slices"
 
 	"github.com/aquasecurity/trivy/pkg/types"
 )

pkg/dependency/parser/c/conan/parse.go

@@ -2,11 +2,11 @@ package conan
 
 import (
 	"io"
+	"slices"
 	"strings"
 
 	"github.com/liamg/jfather"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/dependency"

pkg/dependency/parser/golang/mod/parse.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/mod/modfile"
 	"golang.org/x/xerrors"
 
@@ -148,7 +147,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		}
 	}
 
-	return maps.Values(pkgs), nil, nil
+	return lo.Values(pkgs), nil, nil
 }
 
 // Check if the Go version is less than 1.17

pkg/dependency/parser/java/pom/artifact.go

@@ -4,10 +4,10 @@ import (
 	"fmt"
 	"os"
 	"regexp"
+	"slices"
 	"strings"
 
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"

pkg/dependency/parser/java/pom/parse.go

@@ -9,12 +9,12 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strings"
 
 	multierror "github.com/hashicorp/go-multierror"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/xerrors"
 

pkg/dependency/parser/julia/manifest/parse.go

@@ -5,7 +5,7 @@ import (
 	"sort"
 
 	"github.com/BurntSushi/toml"
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
@@ -156,7 +156,7 @@ func decodeDependency(man *primitiveManifest, dep primitiveDependency, metadata
 	var possibleDepsMap map[string]string
 	err = metadata.PrimitiveDecode(dep.Dependencies, &possibleDepsMap)
 	if err == nil {
-		possibleUuids := maps.Values(possibleDepsMap)
+		possibleUuids := lo.Values(possibleDepsMap)
 		sort.Strings(possibleUuids)
 		dep.DependsOn = possibleUuids
 		return dep, nil

pkg/dependency/parser/nodejs/npm/parse.go

@@ -3,14 +3,14 @@ package npm
 import (
 	"fmt"
 	"io"
+	"maps"
 	"path"
 	"slices"
 	"sort"
 	"strings"
 
 	"github.com/liamg/jfather"
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/dependency"
@@ -186,7 +186,7 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype
 
 	}
 
-	return maps.Values(pkgs), deps
+	return lo.Values(pkgs), deps
 }
 
 // for local package npm uses links. e.g.:

pkg/dependency/parser/nodejs/pnpm/parse.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
 
@@ -216,7 +215,7 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen
 		}
 	}
 
-	return maps.Values(resolvedPkgs), maps.Values(resolvedDeps)
+	return lo.Values(resolvedPkgs), lo.Values(resolvedDeps)
 }
 
 // markRootPkgs sets `Dev` to false for non dev dependency.

pkg/dependency/parser/php/composer/parse.go

@@ -6,7 +6,7 @@ import (
 	"strings"
 
 	"github.com/liamg/jfather"
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/dependency"
@@ -98,7 +98,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		})
 	}
 
-	pkgSlice := maps.Values(pkgs)
+	pkgSlice := lo.Values(pkgs)
 	sort.Sort(ftypes.Packages(pkgSlice))
 	sort.Sort(deps)
 

pkg/dependency/parser/ruby/bundler/parse.go

@@ -5,7 +5,7 @@ import (
 	"sort"
 	"strings"
 
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/dependency"
@@ -103,7 +103,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		return nil, nil, xerrors.Errorf("scan error: %w", err)
 	}
 
-	pkgSlice := maps.Values(pkgs)
+	pkgSlice := lo.Values(pkgs)
 	sort.Sort(ftypes.Packages(pkgSlice))
 	return pkgSlice, deps, nil
 }

pkg/dependency/parser/swift/cocoapods/parse.go

@@ -4,7 +4,7 @@ import (
 	"sort"
 	"strings"
 
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
 
@@ -86,7 +86,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 	}
 
 	sort.Sort(deps)
-	return utils.UniquePackages(maps.Values(parsedDeps)), deps, nil
+	return utils.UniquePackages(lo.Values(parsedDeps)), deps, nil
 }
 
 func parseDep(dep string) (ftypes.Package, error) {

pkg/dependency/parser/utils/utils.go

@@ -2,9 +2,10 @@ package utils
 
 import (
 	"fmt"
+	"maps"
 	"sort"
 
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 )
@@ -48,7 +49,7 @@ func UniquePackages(pkgs []ftypes.Package) []ftypes.Package {
 			}
 		}
 	}
-	pkgSlice := maps.Values(unique)
+	pkgSlice := lo.Values(unique)
 	sort.Sort(ftypes.Packages(pkgSlice))
 
 	return pkgSlice

pkg/detector/ospkg/redhat/redhat.go

@@ -3,13 +3,13 @@ package redhat
 import (
 	"context"
 	"fmt"
+	"slices"
 	"sort"
 	"strings"
 	"time"
 
 	version "github.com/knqyf263/go-rpm-version"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
@@ -176,7 +176,7 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
 		}
 	}
 
-	vulns := maps.Values(uniqVulns)
+	vulns := lo.Values(uniqVulns)
 	sort.Slice(vulns, func(i, j int) bool {
 		return vulns[i].VulnerabilityID < vulns[j].VulnerabilityID
 	})

pkg/downloader/download.go

@@ -2,10 +2,10 @@ package downloader
 
 import (
 	"context"
+	"maps"
 	"os"
 
 	getter "github.com/hashicorp/go-getter"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 )
 

pkg/fanal/analyzer/analyzer.go

@@ -6,12 +6,12 @@ import (
 	"io/fs"
 	"os"
 	"regexp"
+	"slices"
 	"sort"
 	"strings"
 	"sync"
 
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/sync/semaphore"
 	"golang.org/x/xerrors"
 

pkg/fanal/analyzer/config_analyzer.go

@@ -2,9 +2,9 @@ package analyzer
 
 import (
 	"context"
+	"slices"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/types"

pkg/fanal/analyzer/imgconf/apk/apk.go

@@ -13,7 +13,7 @@ import (
 	"time"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -138,7 +138,7 @@ func (a alpineCmdAnalyzer) parseConfig(apkIndexArchive *apkIndex, config *v1.Con
 		}
 	}
 
-	return maps.Values(uniqPkgs)
+	return lo.Values(uniqPkgs)
 }
 
 func (a alpineCmdAnalyzer) parseCommand(command string, envs map[string]string) (pkgs []string) {

pkg/fanal/analyzer/language/dart/pub/pubspec.go

@@ -10,7 +10,6 @@ import (
 	"sort"
 
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"
 
@@ -166,7 +165,7 @@ func parsePubSpecYaml(r io.Reader) (string, []string, error) {
 
 	// pubspec.yaml uses version ranges
 	// save only dependencies names
-	dependsOn := maps.Keys(spec.Dependencies)
+	dependsOn := lo.Keys(spec.Dependencies)
 
 	return dependency.ID(types.Pub, spec.Name, spec.Version), dependsOn, nil
 }

pkg/fanal/analyzer/language/dotnet/nuget/nuget.go

@@ -7,9 +7,9 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"
 
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/nuget/config"