What you expected to see, versus what you actually saw
Two known vulnerabilities in dependencies are not detected if an entire package is imported in go.mod. Specific examples are specified in this issue. gcla/termshark#157
Currently, all of `golang.org/x/` is imported, and the sub-packages are used.
By specifying the specific sub-packages in go.mod such as `golang.org/x/net`, Dependabot is able to instantly pick up on them. I don't know if this is a problem with a regex pattern and wildcard imports or if it's due to how Go handles packages through go.mod and go.sum.
In the reference repo, Dependabot has not detected them. But if you create a fork, set up Dependabot, and explicitly specify `golang.org/x/net` and `golang.org/x/text` in go.mod, it will pick up on them instantly.
Maybe this is because Dependabot is looking for "*" for wildcard imports, which seems to not be needed in Go?
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
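The report above turns on what go.mod actually lists: Go resolves `golang.org/x/net` and `golang.org/x/text` as separate modules, so a manifest either names each one in a `require` directive (directly, or with a `// indirect` marker) or not at all. The script below is an added example, not code from the Dependabot project or the termshark repository. It parses the `require` directives of a go.mod (both the block form and the one-line form) and classifies modules of interest as `direct`, `indirect` or `missing`, which is the first thing to check when a vulnerability alert you expected does not appear. The sample go.mod, module names other than the two from the report, and the version strings are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample go.mod (not any real project's file): one module of
# interest required directly, one only as an indirect dependency, and one
# absent entirely. Version strings are placeholders.
SAMPLE_GO_MOD = """\
module example.com/demo

go 1.19

require (
\tgithub.com/example/widgets v1.2.3
\tgolang.org/x/net v0.9.9 // indirect
)

require golang.org/x/text v0.8.8
"""

# module path, version, optional "// indirect" comment
REQUIRE_LINE = re.compile(r"^\s*(\S+)\s+(v\S+)\s*(//\s*indirect)?\s*$")


def parse_requires(go_mod: str) -> Dict[str, dict]:
    """Return {module path: {"version": str, "indirect": bool}} for every
    require directive, handling both `require (...)` blocks and single
    `require path version` lines. Other directives are ignored."""
    requires: Dict[str, dict] = {}
    in_block = False
    for raw in go_mod.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = REQUIRE_LINE.match(line)
        elif line.startswith("require ("):
            in_block = True
            continue
        elif line.startswith("require "):
            m = REQUIRE_LINE.match(line[len("require "):])
        else:
            continue
        if m:
            requires[m.group(1)] = {
                "version": m.group(2),
                "indirect": m.group(3) is not None,
            }
    return requires


def audit_modules(go_mod: str, wanted: List[str]) -> Dict[str, str]:
    """Classify each module path in `wanted` as 'direct', 'indirect' or
    'missing' according to the go.mod text."""
    reqs = parse_requires(go_mod)
    result: Dict[str, str] = {}
    for mod in wanted:
        if mod not in reqs:
            result[mod] = "missing"
        elif reqs[mod]["indirect"]:
            result[mod] = "indirect"
        else:
            result[mod] = "direct"
    return result


if __name__ == "__main__":
    watched = ["golang.org/x/net", "golang.org/x/text", "golang.org/x/sys"]
    for mod, status in audit_modules(SAMPLE_GO_MOD, watched).items():
        print(f"{mod}: {status}")
```

Run it against a real go.mod by reading the file into `audit_modules`; a module that comes back `missing` is not declared in the manifest at all, and one that is `indirect` is present only because something else pulled it in, so a scanner that keys on the manifest has much less to go on than for a `direct` entry.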
Is there an existing issue for this?
Package ecosystem
gomod
Package manager version
No response
Language version
Golang 1.19
Manifest location and content before the Dependabot update
No response
dependabot.yml content
https://gist.github.com/magnetikonline/6f215db058e327905bce66c37f92426c#file-dependabot-yml
Updated dependency
No response