Misinterpretation of Multiple replace Directives in Golang #2721
Labels: bug, ecosystem:go, good-first-issue
What happened:
It does not apply the replace directive to the module version that's also in the replace directly. For example,

If I run syft with the working dir, `syft .`, the result will show `golang.org/x/net@v0.18.0` is being used, which originates from grpc@v1.61.0's go.mod, while both modules should be overridden to the specified version.

What you expected to happen:
If I build and run syft against the binary file instead, `syft <bin_file>`, or `go version -m <bin_file>`, both will show `golang.org/x/net@v0.22.0` is actually being used.

Steps to reproduce the issue:
1. `replace` directive with M to any specific version
2. `replace` directive with another module required by M (pick one from M's go.mod), let's name it module N
3. `cd` to the project root directory, set `$GOPATH` with `export GOPATH="$(pwd)/dep"`
4. `go mod download`, to download all dependencies into `./dep`.
5. `syft` with the project directory, inspect the N's version, it will be the version specified in M's go.mod, while it should actually be the `replace` directive version.

Environment:
- `syft version`:
- `cat /etc/os-release` or similar):
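
The behaviour the report expects, as an added example that is not syft's code and not the reporter's project: the main module's `replace` directives are applied to every version selected from the requirement graph, including a version that only a dependency's go.mod asks for. The go.mod text is constructed from the versions named in the issue, and `Mod`, `parseReplaces` and `effective` are hypothetical names in a simplified standard-library parser.

```go
package main

import "strings"

// Mod is a module path plus version; an empty Version means "any version".
type Mod struct{ Path, Version string }

// Constructed go.mod for illustration (M = grpc, N = golang.org/x/net).
const sampleGoMod = `module example.com/app
require google.golang.org/grpc v1.61.0
replace (
	google.golang.org/grpc => google.golang.org/grpc v1.61.0
	golang.org/x/net => golang.org/x/net v0.22.0 // N, required by M
)`

// parseReplaces collects single-line and block replace directives,
// keyed by the module (and optional version) being replaced.
func parseReplaces(gomod string) map[Mod]Mod {
	out, inBlock := map[Mod]Mod{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		if len(f) > 0 && f[0] == "replace" {
			f, inBlock = f[1:], len(f) == 2 && f[1] == "("
		} else if inBlock = inBlock && (len(f) != 1 || f[0] != ")"); !inBlock {
			continue
		}
		i := 1 // index of "=>": 1 for "old => new", 2 for "old v1 => new"
		if len(f) > 2 && f[2] == "=>" {
			i = 2
		}
		if len(f) < i+2 || f[i] != "=>" {
			continue
		}
		// Join over an empty slice yields "", i.e. no version on that side.
		out[Mod{f[0], strings.Join(f[1:i], "")}] = Mod{f[i+1], strings.Join(f[i+2:], "")}
	}
	return out
}

// effective maps a version selected from the requirement graph to what is built.
func effective(m Mod, r map[Mod]Mod) Mod {
	for _, k := range []Mod{m, {Path: m.Path}} { // exact version first, then wildcard
		if n, ok := r[k]; ok {
			return n
		}
	}
	return m
}

func main() { println(effective(Mod{"golang.org/x/net", "v0.18.0"}, parseReplaces(sampleGoMod)).Version) }
```

A source-directory scan that skips this step reports the version requested by the dependency rather than the one linked into the binary, which is the mismatch with `go version -m` described above.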