feat!: set golang mvs true as default (#255)

* feat!: set golang mvs true as default

Signed-off-by: Ruben Romero Montes <[email protected]>

* feat: update tests

Signed-off-by: Ruben Romero Montes <[email protected]>

* feat: update provider to trustify

Signed-off-by: Ruben Romero Montes <[email protected]>

* fix: ci build

Signed-off-by: Ruben Romero Montes <[email protected]>

* fix: update new perl-base sbom

Signed-off-by: Ruben Romero Montes <[email protected]>

* fix: align providers

Signed-off-by: Ruben Romero Montes <[email protected]>

---------

Signed-off-by: Ruben Romero Montes <[email protected]>

Author: ruromero

.mocharc.json

@@ -10,5 +10,6 @@
   "check-leaks": false,
   "color": true,
   "fail-zero": true,
-  "recursive": true
+  "recursive": true,
+  "reporter-options": ["maxDiffSize=0"]
 } 

README.md

@@ -444,26 +444,25 @@ Two possible values for this setting:
 2. MATCH_MANIFEST_VERSIONS="true" - means that before starting the analysis,
    the api will compare all the versions of packages in manifest against installed/resolved versions on client' environment, in case there is a difference, it will throw an error to the client/user with message containing the first encountered versions mismatch, including package name, and the versions difference, and will suggest to set setting `MATCH_MANIFEST_VERSIONS`="false" to ignore all differences
 
-
 #### Golang Support
 
-By default, all go.mod' packages' transitive modules will be taken to analysis with their original package version, that is,
-if go.mod has 2 modules, `a` and `b`, and each one of them has the same package c with same major version v1, but different minor versions:
-- namespace/c/[email protected]
-- namespace/c/[email protected]
-
+By default, Golang dependency resolution follows the [Minimal Version Selection (MVS) Algorithm](https://go.dev/ref/mod#minimal-version-selection).  
+This means that when analyzing a project, only the module versions that would actually be included in the final executable are considered.
 
-Then both of these packages will be entered to the generated sbom and will be included in analysis returned to client.
-In golang, in an actual build of an application into an actual application executable binary, only one of the minor versions will be included in the executable, as only packages with same name but different major versions considered different packages ,
-hence can co-exist together in the application executable.
+For example, if your `go.mod` file declares two modules, `a` and `b`, and both depend on the same package `c` (same major version `v1`) but with different minor versions:
 
-Go ecosystem knows how to select one minor version among all the minor versions of the same major version of a given package, using the [MVS Algorithm](https://go.dev/ref/mod#minimal-version-selection).
-
-In order to enable this behavior, that only shows in analysis modules versions that are actually built into the application executable, please set
-system property/environment variable - `EXHORT_GO_MVS_LOGIC_ENABLED=true`(Default is false)
+- `namespace/c/[email protected]`
+- `namespace/c/[email protected]`
 
+Only one of these versions — the minimal version selected by MVS — will be included in the generated SBOM and analysis results.  
+This mirrors the behavior of a real Go build, where only one minor version of a given major version can be present in the executable (since Go treats packages with the same name and major version as identical).
 
+The MVS-based resolution is **enabled by default**.  
+If you want to disable this behavior and instead include **all transitive module versions** (as listed in `go.mod` dependencies), set the system property or environment variable:
 
+```bash
+EXHORT_GO_MVS_LOGIC_ENABLED=false
+```
 
 #### Python Support
 

docker-image/Dockerfiles/Dockerfile

@@ -56,7 +56,7 @@ ENV EXHORT_PIP_FREEZE=''
 # contains pip show data for all packages, base64 encoded
 ENV EXHORT_PIP_SHOW=''
 # indicate whether to use the Minimal version selection (MVS) algorithm to select a set of module versions to use when building Go packages.
-ENV EXHORT_GO_MVS_LOGIC_ENABLED='false'
+ENV EXHORT_GO_MVS_LOGIC_ENABLED='true'
 
 # Copy java executable from the builder stage
 COPY --from=builder /usr/jdk-21.0.1/ /usr/jdk-21.0.1/

src/providers/golang_gomodules.js

@@ -24,6 +24,7 @@ export default { isSupported, validateLockFile, provideComponent, provideStack }
  */
 const ecosystem = 'golang'
 const defaultMainModuleVersion = "v0.0.0";
+
 /**
  * @param {string} manifestName - the subject manifest name-type
  * @returns {boolean} - return true if `pom.xml` is the manifest name-type
@@ -281,7 +282,7 @@ function getSBOM(manifest, opts = {}, includeTransitive) {
 
 	const mainModule = toPurl(root, "@")
 	sbom.addRoot(mainModule)
-	const exhortGoMvsLogicEnabled = getCustom("EXHORT_GO_MVS_LOGIC_ENABLED", "false", opts)
+	const exhortGoMvsLogicEnabled = getCustom("EXHORT_GO_MVS_LOGIC_ENABLED", "true", opts)
 	if(includeTransitive && exhortGoMvsLogicEnabled === "true") {
 		rows = getFinalPackagesVersionsForModule(rows, manifest, goBin)
 	}
@@ -377,15 +378,25 @@ function getFinalPackagesVersionsForModule(rows,manifestPath,goBin) {
 		let childName = getPackageName(child)
 		let parentFinalVersion = finalVersionModules[parentName]
 		let childFinalVersion =  finalVersionModules[childName]
-		// if this condition will be uncommented, there will be several differences between sbom and go list -m all listing...
-		// let parentOriginalVersion = getVersionOfPackage(parent)
-		// if( parentOriginalVersion !== undefined && parentOriginalVersion === parentFinalVersion) {
-		if (parentName !== parent) {
-			finalVersionModulesArray.push(`${parentName}@${parentFinalVersion} ${childName}@${childFinalVersion}`)
+
+		// Handle special cases for go and toolchain modules that aren't in go list -m all
+		if (isSpecialGoModule(parentName) || isSpecialGoModule(childName)) {
+			// For go and toolchain modules, use the original versions from the graph
+			let parentVersion = getVersionOfPackage(parent)
+			let childVersion = getVersionOfPackage(child)
+			if (parentName !== parent) {
+				finalVersionModulesArray.push(`${parentName}@${parentVersion} ${childName}@${childVersion}`)
+			} else {
+				finalVersionModulesArray.push(`${parentName} ${childName}@${childVersion}`)
+			}
 		} else {
-			finalVersionModulesArray.push(`${parentName} ${childName}@${childFinalVersion}`)
+			// For regular modules, use MVS logic
+			if (parentName !== parent) {
+				finalVersionModulesArray.push(`${parentName}@${parentFinalVersion} ${childName}@${childFinalVersion}`)
+			} else {
+				finalVersionModulesArray.push(`${parentName} ${childName}@${childFinalVersion}`)
+			}
 		}
-		// }
 	})
 
 	return finalVersionModulesArray
@@ -401,6 +412,27 @@ function getPackageName(fullPackage) {
 	return fullPackage.split("@")[0]
 }
 
+/**
+ * Check if a module name is a special Go module (go or toolchain)
+ * @param {string} moduleName - the module name to check
+ * @return {boolean} true if it's a special Go module
+ * @private
+ */
+function isSpecialGoModule(moduleName) {
+	return moduleName === 'go' || moduleName === 'toolchain';
+}
+
+/**
+ *
+ * @param {string} fullPackage - full package with its name and version
+ * @return -{string} package version only
+ * @private
+ */
+function getVersionOfPackage(fullPackage) {
+	let parts = fullPackage.split("@")
+	return parts.length > 1 ? parts[1] : undefined
+}
+
 function getLineSeparatorGolang() {
 	let reg = /\n|\r\n/
 	return reg

test/it/end-to-end.js

@@ -22,8 +22,10 @@ function getParsedKeyFromHtml(html, key,keyLength) {
 }
 
 function extractTotalsGeneralOrFromProvider(providedDataForStack, provider) {
-	if(providedDataForStack.providers[provider].sources.length > 0) {
-		return providedDataForStack.providers[provider].sources[provider].summary.total;
+	if(providedDataForStack.providers[provider].sources && Object.keys(providedDataForStack.providers[provider].sources).length > 0) {
+		// Get the first source (e.g., "osv") and return its summary total
+		const firstSource = Object.keys(providedDataForStack.providers[provider].sources)[0];
+		return providedDataForStack.providers[provider].sources[firstSource].summary.total;
 	} else {
 		return providedDataForStack.scanned.total;
 	}
@@ -53,7 +55,7 @@ suite('Integration Tests', () => {
 			let pomPath = `test/it/test_manifests/${packageManager}/${manifestName}`
 			let providedDataForStack = await index.stackAnalysis(pomPath)
 			console.log(JSON.stringify(providedDataForStack,null , 4))
-			let providers = ["tpa"]
+			let providers = ["rhtpa"]
 			providers.forEach(provider => expect(extractTotalsGeneralOrFromProvider(providedDataForStack, provider)).greaterThan(0))
 			// TODO: if sources doesn't exist, add "scanned" instead
 			// python transitive count for stack analysis is awaiting fix in exhort backend
@@ -74,7 +76,7 @@ suite('Integration Tests', () => {
 			}
 			let reportParsedFromHtml
 			let parsedSummaryFromHtml
-			let parsedStatusFromHtmlOsvNvd
+			let parsedStatusFromProvider
 			let parsedScannedFromHtml
 			try {
 				reportParsedFromHtml = JSON.parse(html.substring(html.indexOf("\"report\" :") + 10, html.search(/([}](\s*)){5}/) + html.substring(html.search(/([}](\s*)){5}/)).indexOf(",")))
@@ -85,8 +87,8 @@ suite('Integration Tests', () => {
 				reportParsedFromHtml = JSON.parse("{" + startOfJson.substring(0,startOfJson.indexOf("};") + 1))
 				reportParsedFromHtml = reportParsedFromHtml.report
 			} finally {
-				parsedStatusFromHtmlOsvNvd = reportParsedFromHtml.providers["tpa"].status
-				expect(parsedStatusFromHtmlOsvNvd.code).equals(200)
+				parsedStatusFromProvider = reportParsedFromHtml.providers["rhtpa"].status
+				expect(parsedStatusFromProvider.code).equals(200)
 				parsedScannedFromHtml = reportParsedFromHtml.scanned
 				expect( typeof html).equals("string")
 				expect(html).include("html").include("svg")
@@ -102,7 +104,7 @@ suite('Integration Tests', () => {
 
 			expect(analysisReport.scanned.total).greaterThan(0)
 			expect(analysisReport.scanned.transitive).equal(0)
-			let providers = ["tpa"]
+			let providers = ["rhtpa"]
 			providers.forEach(provider => expect(extractTotalsGeneralOrFromProvider(analysisReport, provider)).greaterThan(0))
 			providers.forEach(provider => expect(analysisReport.providers[provider].status.code).equals(200))
 		}).timeout(20000);