You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/detectors/go.md
+18-16Lines changed: 18 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,13 +6,13 @@ Go detection runs when one of the following files is found in the project:
6
6
7
7
-`go.mod` or `go.sum`
8
8
9
-
## Default Detection strategy
9
+
## Detection strategy
10
10
11
-
### go.mod
11
+
### go.mod parsing
12
12
- All go.mod are parsed to detect dependencies. This parsing doesn't depend on presence of `go cli`.
13
13
14
-
### go cli (go list) or go.sum Parsing
15
-
- If a `go.sum` file is found, detector first checks if go version in the adjacent `go.mod`>= `1.17`. If it is `>= 1.17`, the file is skipped. If it is `< 1.17`, the detector proceeds as follows. Read [Go Module Changes in Go 1.17](#go-module-changes-in-go-117) to understand why `1.17` is relevant.
14
+
### go cli (go list) or go.sum parsing
15
+
- If a `go.sum` file is found, detector first checks if go version in the adjacent `go.mod`≥`1.17`. If it is `≥1.17`, the file is skipped. If it is `< 1.17`, the detector proceeds as follows. Read [Go Module Changes in Go 1.17](#go-module-changes-in-go-117) to understand why `1.17` is relevant.
16
16
- If `go cli` is found and not [disabled](#environment-variables), `go list` command is preferred over parsing `go.sum` file since `go.sum` files contains history of dependencies and including these dependencies can lead to [over-reporting](#known-limitations).
17
17
- If `go list` was not used or did not run successfully, detector falls back to parsing `go.sum` manually.
18
18
@@ -22,22 +22,24 @@ on the build agent. To generate the graph, the command
22
22
[go mod graph][2] is executed. This only adds edges between the components
23
23
that were already registered.
24
24
25
-
## Fallback Detection strategy
25
+
## Default Detection Strategy
26
26
27
-
The fallback strategy refers to detector parsing `go.sum` manually.
28
-
TThis strategy is known to overreport (see the
29
-
[known limitations](#known-limitations)). Read through the
for tips on how to ensure that the newer, more accurate default
32
-
detection strategy runs successfully.
27
+
The Go detector’s default behavior is optimized to reduce over-reporting by leveraging improvements introduced in Go 1.17.
33
28
34
-
To force the fallback detection strategy, set the environment
35
-
variable: `DisableGoCliScan=true`
29
+
- When a go.mod file declares a Go version ≥ 1.17, the detector analyzes only the go.mod file to determine dependencies.
30
+
- If the go.mod file specifies a Go version < 1.17, the detector uses a fallback strategy to ensure coverage.
31
+
Read more about this in the [Fallback Detection Strategy](#fallback-detection-strategy)
32
+
33
+
## Fallback Detection Strategy
34
+
35
+
The fallback detection strategy is used when the default strategy (based on `go.mod` files with `Go 1.17` or later) cannot be applied.
36
+
In this mode, the detector uses `Go CLI` or manually parses `go.sum` to resolve dependencies. This strategy is known to overreport (see the [known limitations](#known-limitations)). Read through the [troubleshooting-section](#troubleshooting-failures-to-run-the-default-go-detection-strategy) for tips on how to ensure that the newer, more accurate default detection strategy runs successfully.
37
+
38
+
To force the fallback detection strategy, set the environment variable: `DisableGoCliScan=true`
36
39
37
40
### `go.mod` before go 1.17
38
41
39
-
Go detection is performed by parsing any `go.mod` or `go.sum` found
40
-
under the scan directory.
42
+
Go detection is performed by parsing any `go.mod` files, and either invoking the `Go CLI` or manually parsing `go.sum` files found under the scan directory.
41
43
42
44
Only root dependency information is generated in the fallback detection
43
45
strategy. The full graph is not detected.
@@ -263,7 +265,7 @@ file now includes information about both direct and transitive
263
265
dependencies. This improvement enhances the clarity and completeness
264
266
of dependency information within the `go.mod` file.
265
267
266
-
The completeness of `go.mod` file in `>= 1.17` allows the detector to skip `go.sum` files entirely.
268
+
The completeness of `go.mod` file in `≥1.17` allows the detector to skip `go.sum` files entirely.
0 commit comments