aquasecurity · knqyf263 · Nov 22, 2024 · Nov 21, 2024 · Nov 21, 2024 · Nov 21, 2024
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"regexp"
+	"sort"
 	"strconv"
 	"strings"
 
@@ -101,17 +102,6 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		}
 	}
 
-	// Main module
-	if m := modFileParsed.Module; m != nil {
-		pkgs[m.Mod.Path] = ftypes.Package{
-			ID:                 packageID(m.Mod.Path, m.Mod.Version),
-			Name:               m.Mod.Path,
-			Version:            m.Mod.Version,
-			ExternalReferences: p.GetExternalRefs(m.Mod.Path),
-			Relationship:       ftypes.RelationshipRoot,
-		}
-	}
-
 	// Required modules
 	for _, require := range modFileParsed.Require {
 		// Skip indirect dependencies less than Go 1.17
@@ -163,7 +153,38 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		}
 	}
 
-	return lo.Values(pkgs), nil, nil
+	var deps ftypes.Dependencies
+	// Main module
+	if m := modFileParsed.Module; m != nil {
+		root := ftypes.Package{
+			ID:                 packageID(m.Mod.Path, m.Mod.Version),
+			Name:               m.Mod.Path,
+			Version:            m.Mod.Version,
+			ExternalReferences: p.GetExternalRefs(m.Mod.Path),
+			Relationship:       ftypes.RelationshipRoot,
+		}
+
+		// Store child dependencies for the root package (main module).
+		// We will build a dependency graph for Direct/Indirect in `fanal` using additional files.
+		dependsOn := lo.FilterMap(lo.Values(pkgs), func(pkg ftypes.Package, _ int) (string, bool) {
+			return pkg.ID, pkg.Relationship == ftypes.RelationshipDirect
+		})
+
+		if len(dependsOn) > 0 {
 pkgs[i].DependsOn = deps[pkg.ID] 
 for _, dep := range pkg.DependsOn { 
 	dependsOn, ok := dependencies[dep] 
 	if !ok { 
 		continue 
 	} 
 	e.bom.AddRelationship(c, dependsOn, core.RelationshipDependsOn) 
 } 
 // Components that do not have their own dependencies MUST be declared as empty elements within the graph. 
 // TODO: Should check if the component has actually no dependencies or the dependency graph is not supported. 
 if len(pkg.DependsOn) == 0 { 
 	e.bom.AddRelationship(c, nil, "") 
 } 
 pkgs[i].DependsOn = deps[pkg.ID] 
 for _, dep := range pkg.DependsOn { 
 	dependsOn, ok := dependencies[dep] 
 	if !ok { 
 		continue 
 	} 
 	e.bom.AddRelationship(c, dependsOn, core.RelationshipDependsOn) 
 } 
  
 // Components that do not have their own dependencies MUST be declared as empty elements within the graph. 
 // TODO: Should check if the component has actually no dependencies or the dependency graph is not supported. 
 if len(pkg.DependsOn) == 0 { 
 	e.bom.AddRelationship(c, nil, "") 
 } 
+			sort.Strings(dependsOn)
+			deps = append(deps, ftypes.Dependency{
+				ID:        root.ID,
+				DependsOn: dependsOn,
+			})
+		}
+
+		pkgs[root.Name] = root
+	}
+
+	pkgSlice := lo.Values(pkgs)
+	sort.Sort(ftypes.Packages(pkgSlice))
+
+	return pkgSlice, deps, nil
 }
 
 // lessThan checks if the Go version is less than `<majorVer>.<minorVer>`

@@ -2,7 +2,6 @@ package mod
 
 import (
 	"os"
-	"sort"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -18,74 +17,86 @@ func TestParse(t *testing.T) {
 		file          string
 		replace       bool
 		useMinVersion bool
-		want          []ftypes.Package
+		wantPkgs      []ftypes.Package
+		wantDeps      []ftypes.Dependency
 	}{
 		{
 			name:          "normal with stdlib",
 			file:          "testdata/normal/go.mod",
 			replace:       true,
 			useMinVersion: true,
-			want:          GoModNormal,
+			wantPkgs:      GoModNormal,
+			wantDeps:      GoModNormalDeps,
 		},
 		{
-			name:    "normal",
-			file:    "testdata/normal/go.mod",
-			replace: true,
-			want:    GoModNormalWithoutStdlib,
+			name:     "normal",
+			file:     "testdata/normal/go.mod",
+			replace:  true,
+			wantPkgs: GoModNormalWithoutStdlib,
+			wantDeps: GoModNormalWithoutStdlibDeps,
 		},
 		{
-			name:    "without go version",
-			file:    "testdata/no-go-version/gomod",
-			replace: true,
-			want:    GoModNoGoVersion,
+			name:     "without go version",
+			file:     "testdata/no-go-version/gomod",
+			replace:  true,
+			wantPkgs: GoModNoGoVersion,
+			wantDeps: defaultGoDepParserDeps,
 		},
 		{
-			name:    "replace",
-			file:    "testdata/replaced/go.mod",
-			replace: true,
-			want:    GoModReplaced,
+			name:     "replace",
+			file:     "testdata/replaced/go.mod",
+			replace:  true,
+			wantPkgs: GoModReplaced,
+			wantDeps: GoModReplacedDeps,
 		},
 		{
-			name:    "no replace",
-			file:    "testdata/replaced/go.mod",
-			replace: false,
-			want:    GoModUnreplaced,
+			name:     "no replace",
+			file:     "testdata/replaced/go.mod",
+			replace:  false,
+			wantPkgs: GoModUnreplaced,
+			wantDeps: GoModUnreplacedDeps,
 		},
 		{
-			name:    "replace with version",
-			file:    "testdata/replaced-with-version/go.mod",
-			replace: true,
-			want:    GoModReplacedWithVersion,
+			name:     "replace with version",
+			file:     "testdata/replaced-with-version/go.mod",
+			replace:  true,
+			wantPkgs: GoModReplacedWithVersion,
+			wantDeps: GoModReplacedWithVersionDeps,
 		},
 		{
-			name:    "replaced with version mismatch",
-			file:    "testdata/replaced-with-version-mismatch/go.mod",
-			replace: true,
-			want:    GoModReplacedWithVersionMismatch,
+			name:     "replaced with version mismatch",
+			file:     "testdata/replaced-with-version-mismatch/go.mod",
+			replace:  true,
+			wantPkgs: GoModReplacedWithVersionMismatch,
+			wantDeps: defaultGoDepParserDeps,
 		},
 		{
-			name:    "replaced with local path",
-			file:    "testdata/replaced-with-local-path/go.mod",
-			replace: true,
-			want:    GoModReplacedWithLocalPath,
+			name:     "replaced with local path",
+			file:     "testdata/replaced-with-local-path/go.mod",
+			replace:  true,
+			wantPkgs: GoModReplacedWithLocalPath,
+			wantDeps: defaultGoDepParserDeps,
 		},
 		{
-			name:    "replaced with local path and version",
-			file:    "testdata/replaced-with-local-path-and-version/go.mod",
-			replace: true,
-			want:    GoModReplacedWithLocalPathAndVersion,
+			name:     "replaced with local path and version",
+			file:     "testdata/replaced-with-local-path-and-version/go.mod",
+			replace:  true,
+			wantPkgs: GoModReplacedWithLocalPathAndVersion,
+			wantDeps: defaultGoDepParserDeps,
 		},
 		{
-			name:    "replaced with local path and version, mismatch",
-			file:    "testdata/replaced-with-local-path-and-version-mismatch/go.mod",
-			replace: true,
-			want:    GoModReplacedWithLocalPathAndVersionMismatch,
+			name:     "replaced with local path and version, mismatch",
+			file:     "testdata/replaced-with-local-path-and-version-mismatch/go.mod",
+			replace:  true,
+			wantPkgs: GoModReplacedWithLocalPathAndVersionMismatch,
+			wantDeps: defaultGoDepParserDeps,
 		},
 		{
-			name:    "go 1.16",
-			file:    "testdata/go116/go.mod",
-			replace: true,
-			want:    GoMod116,
+			name:     "go 1.16",
+			file:     "testdata/go116/go.mod",
+			replace:  true,
+			wantPkgs: GoMod116,
+			wantDeps: defaultGoDepParserDeps,
 		},
 	}
 
@@ -94,13 +105,11 @@ func TestParse(t *testing.T) {
 			f, err := os.Open(tt.file)
 			require.NoError(t, err)
 
-			got, _, err := NewParser(tt.replace, tt.useMinVersion).Parse(f)
+			gotPkgs, gotDeps, err := NewParser(tt.replace, tt.useMinVersion).Parse(f)
 			require.NoError(t, err)
 
-			sort.Sort(ftypes.Packages(got))
-			sort.Sort(ftypes.Packages(tt.want))
-
-			assert.Equal(t, tt.want, got)
+			assert.Equal(t, tt.wantPkgs, gotPkgs)
+			assert.Equal(t, tt.wantDeps, gotDeps)
 		})
 	}
 }

@@ -20,12 +20,6 @@ var (
 				},
 			},
 		},
-		{
-			ID:           "[email protected]",
-			Name:         "stdlib",
-			Version:      "v1.22.5",
-			Relationship: ftypes.RelationshipDirect,
-		},
 		{
 			ID:           "github.com/aquasecurity/[email protected]",
 			Name:         "github.com/aquasecurity/go-version",
@@ -38,6 +32,12 @@ var (
 				},
 			},
 		},
+		{
+			ID:           "[email protected]",
+			Name:         "stdlib",
+			Version:      "v1.22.5",
+			Relationship: ftypes.RelationshipDirect,
+		},
 		{
 			ID:           "github.com/davecgh/[email protected]",
 			Name:         "github.com/davecgh/go-spew",
@@ -82,10 +82,29 @@ var (
 		},
 	}
 
+	GoModNormalDeps = ftypes.Dependencies{
+		{
+			ID: "github.com/org/repo",
+			DependsOn: []string{
+				"github.com/aquasecurity/[email protected]",
+				"[email protected]",
+			},
+		},
+	}
+
 	GoModNormalWithoutStdlib = slices.DeleteFunc(slices.Clone(GoModNormal), func(f ftypes.Package) bool {
 		return f.Name == "stdlib"
 	})
 
+	GoModNormalWithoutStdlibDeps = ftypes.Dependencies{
+		{
+			ID: "github.com/org/repo",
+			DependsOn: []string{
+				"github.com/aquasecurity/[email protected]",
+			},
+		},
+	}
+
 	// execute go mod tidy in replaced folder
 	GoModReplaced = []ftypes.Package{
 		{
@@ -118,6 +137,14 @@ var (
 			Relationship: ftypes.RelationshipIndirect,
 		},
 	}
+	GoModReplacedDeps = ftypes.Dependencies{
+		{
+			ID: "github.com/org/repo",
+			DependsOn: []string{
+				"github.com/aquasecurity/[email protected]",
+			},
+		},
+	}
 
 	// execute go mod tidy in replaced folder
 	GoModUnreplaced = []ftypes.Package{
@@ -152,6 +179,15 @@ var (
 		},
 	}
 
+	GoModUnreplacedDeps = ftypes.Dependencies{
+		{
+			ID: "github.com/org/repo",
+			DependsOn: []string{
+				"github.com/aquasecurity/[email protected]",
+			},
+		},
+	}
+
 	// execute go mod tidy in replaced-with-version folder
 	GoModReplacedWithVersion = []ftypes.Package{
 		{
@@ -185,6 +221,15 @@ var (
 		},
 	}
 
+	GoModReplacedWithVersionDeps = ftypes.Dependencies{
+		{
+			ID: "github.com/org/repo",
+			DependsOn: []string{
+				"github.com/aquasecurity/[email protected]",
+			},
+		},
+	}
+
 	// execute go mod tidy in replaced-with-version-mismatch folder
 	GoModReplacedWithVersionMismatch = []ftypes.Package{
 		{
@@ -230,6 +275,15 @@ var (
 		},
 	}
 
+	defaultGoDepParserDeps = ftypes.Dependencies{
+		{
+			ID: "github.com/org/repo",
+			DependsOn: []string{
+				"github.com/aquasecurity/[email protected]",
+			},
+		},
+	}
+
 	// execute go mod tidy in replaced-with-local-path folder
 	GoModReplacedWithLocalPath = []ftypes.Package{
 		{

@@ -36,6 +36,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 								ID:           "github.com/org/repo",
 								Name:         "github.com/org/repo",
 								Relationship: types.RelationshipRoot,
+								DependsOn: []string{
+									"github.com/aquasecurity/[email protected]",
+								},
 								ExternalReferences: []types.ExternalRef{
 									{
 										Type: types.RefVCS,
@@ -86,6 +89,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 								ID:           "github.com/org/repo",
 								Name:         "github.com/org/repo",
 								Relationship: types.RelationshipRoot,
+								DependsOn: []string{
+									"github.com/sad/[email protected]",
+								},
 								ExternalReferences: []types.ExternalRef{
 									{
 										Type: types.RefVCS,
@@ -126,6 +132,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 								ID:           "github.com/org/repo",
 								Name:         "github.com/org/repo",
 								Relationship: types.RelationshipRoot,
+								DependsOn: []string{
+									"github.com/aquasecurity/[email protected]",
+								},
 								ExternalReferences: []types.ExternalRef{
 									{
 										Type: types.RefVCS,
@@ -178,6 +187,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 								ID:           "github.com/org/repo",
 								Name:         "github.com/org/repo",
 								Relationship: types.RelationshipRoot,
+								DependsOn: []string{
+									"github.com/aquasecurity/[email protected]",
+								},
 								ExternalReferences: []types.ExternalRef{
 									{
 										Type: types.RefVCS,