Expose a static only Go modules tactic. #1486

Merged
merged 6 commits into from
Dec 3, 2024

csasarak
Contributor

@csasarak csasarak commented Dec 3, 2024

Overview

We initially didn't expose a static-only analysis method in the CLI for Go modules despite there being a pretty low-effort path to providing one. This PR makes a truly static Go analysis method and exposes it for use with the --static-only-analysis flag.

Acceptance criteria

It is possible to analyze Go projects statically.

Testing plan

Compare running fossa analyze --static-only-analysis on this branch and in a release version. Static Go analysis fails using the current release version:

[Screenshot 2024-12-02 at 6 16 30 PM]

But succeeds in the one on this branch:

[Screenshot 2024-12-02 at 6 34 52 PM]

Risks

The main risk is that projects which didn't produce a result in the past may start to. This is the correct thing to do, but may result in more questions.

Metrics

References

slack thread

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

@csasarak csasarak requested review from a team and jssblck and removed request for a team December 3, 2024 00:50
@csasarak csasarak marked this pull request as ready for review December 3, 2024 00:51
@csasarak csasarak requested a review from a team as a code owner December 3, 2024 00:51
Comment on lines +400 to +401
-- | This variant of analyze will not attempt to fill in transitive dependencies.
analyzeStatic :: (Has ReadFS sig m, Has Diagnostics sig m) => Path Abs File -> m (Graphing Dependency, GraphBreadth)
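Review bot: the Haddock on analyzeStatic states what the function skips but not what the returned GraphBreadth will be. Since transitive dependencies are not filled in, say in the comment which GraphBreadth value callers should expect, so a reader can tell from the docs alone that the resulting graph is not complete. It would also help to name which file the Path Abs File argument is expected to point at.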
Member

If this isn't in the user facing docs already please add it!

Contributor Author

Good idea, I've added it.

@csasarak csasarak enabled auto-merge (squash) December 3, 2024 15:26
@csasarak csasarak merged commit 513a3a5 into master Dec 3, 2024
17 of 18 checks passed
@csasarak csasarak deleted the go-static-analysis branch December 3, 2024 15:43