test(go): refactor mod_test.go to use txtar format (#9775)

go.mod

@@ -111,6 +111,7 @@ require (
 	github.com/twitchtv/twirp v8.1.3+incompatible
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/xlab/treeprint v1.2.0
+	github.com/zalando/go-keyring v0.2.6
 	github.com/zclconf/go-cty v1.17.0
 	github.com/zclconf/go-cty-yaml v1.1.0
 	go.etcd.io/bbolt v1.4.3
@@ -120,6 +121,7 @@ require (
 	golang.org/x/sync v0.17.0
 	golang.org/x/term v0.35.0
 	golang.org/x/text v0.28.0
+	golang.org/x/tools v0.35.1-0.20250728180453-01a3475a31bc
 	golang.org/x/vuln v1.1.4
 	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
 	google.golang.org/protobuf v1.36.10
@@ -130,8 +132,6 @@ require (
 	modernc.org/sqlite v1.39.0
 )
 
-require github.com/zalando/go-keyring v0.2.6
-
 require (
 	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	buf.build/gen/go/bufbuild/bufplugin/protocolbuffers/go v1.36.6-20250718181942-e35f9b667443.1 // indirect
@@ -471,7 +471,6 @@ require (
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/telemetry v0.0.0-20250807160809-1a19826ec488 // indirect
 	golang.org/x/time v0.13.0 // indirect
-	golang.org/x/tools v0.35.1-0.20250728180453-01a3475a31bc // indirect
 	golang.org/x/tools/gopls v0.20.0 // indirect
 	google.golang.org/api v0.248.0 // indirect
 	google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect

internal/testutil/txtar.go

@@ -0,0 +1,19 @@
+package testutil
+
+import (
+	"io/fs"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/tools/txtar"
+)
+
+// TxtarToFS reads a txtar file and returns it as an fs.FS.
+func TxtarToFS(t *testing.T, path string) fs.FS {
+	t.Helper()
+	archive, err := txtar.ParseFile(path)
+	require.NoError(t, err)
+	fsys, err := txtar.FS(archive)
+	require.NoError(t, err)
+	return fsys
+}

pkg/fanal/analyzer/language/golang/mod/mod.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"io/fs"
 	"os"
+	"path"
 	"path/filepath"
 	"regexp"
 	"slices"
@@ -53,6 +54,10 @@ type gomodAnalyzer struct {
 
 	licenseClassifierConfidenceLevel float64
 
+	// gopathFS represents the $GOPATH directory as an fs.FS.
+	// It should contain the "pkg/mod" subdirectory structure.
+	gopathFS fs.FS
+
 	logger *log.Logger
 }
 
@@ -62,6 +67,7 @@ func newGoModAnalyzer(opt analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, erro
 		sumParser:                        sum.NewParser(),
 		leafModParser:                    mod.NewParser(false, false), // Don't detect stdlib for non-root go.mod files
 		licenseClassifierConfidenceLevel: opt.LicenseScannerOption.ClassifierConfidenceLevel,
+		gopathFS:                         os.DirFS(cmp.Or(os.Getenv("GOPATH"), build.Default.GOPATH)),
 		logger:                           log.WithPrefix("golang"),
 	}, nil
 }
@@ -142,7 +148,7 @@ func (a *gomodAnalyzer) fillAdditionalData(ctx context.Context, fsys fs.FS, apps
 	var modSearchDirs []searchDir
 
 	// $GOPATH/pkg/mod
-	if gopath, err := newGOPATH(); err != nil {
+	if gopath, err := newGOPATH(a.gopathFS); err != nil {
 		a.logger.Debug("GOPATH not found. Run 'go mod download' or 'go mod tidy' for identifying dependency graph and licenses", log.Err(err))
 	} else {
 		modSearchDirs = append(modSearchDirs, gopath)
@@ -413,18 +419,26 @@ type searchDir interface {
 }
 
 type gopathDir struct {
-	root string
+	root fs.FS // $GOPATH/pkg/mod as fs.FS (can be os.DirFS or test fixture)
 }
 
-func newGOPATH() (searchDir, error) {
-	gopath := cmp.Or(os.Getenv("GOPATH"), build.Default.GOPATH)
-
+func newGOPATH(gopathFS fs.FS) (searchDir, error) {
 	// $GOPATH/pkg/mod
-	modPath := filepath.Join(gopath, "pkg", "mod")
-	if !fsutils.DirExists(modPath) {
-		return nil, xerrors.Errorf("GOPATH not found: %s", modPath)
+	// Use path.Join instead of filepath.Join because fs.FS always uses forward slashes,
+	// regardless of the operating system.
+	modFS, err := fs.Sub(gopathFS, path.Join("pkg", "mod"))
+	if err != nil {
+		return nil, xerrors.Errorf("failed to access $GOPATH/pkg/mod: %w", err)
 	}
-	return &gopathDir{root: modPath}, nil
+
+	// Check if the directory exists.
+	// fs.Sub doesn't return an error for non-existent directories,
+	// so we need to explicitly verify the directory exists.
+	if _, err := fs.Stat(modFS, "."); err != nil {
+		return nil, xerrors.Errorf("$GOPATH/pkg/mod does not exist: %w", err)
+	}
+
+	return &gopathDir{root: modFS}, nil
 }
 
 // Resolve resolves the module directory for a given package.
@@ -437,9 +451,7 @@ func (d *gopathDir) Resolve(pkg types.Package) (fs.FS, error) {
 	// e.g. github.com/aquasecurity/go-dep-parser@v1.0.0
 	modDirName := fmt.Sprintf("%s@%s", name, pkg.Version)
 
-	// e.g. $GOPATH/pkg/mod/github.com/aquasecurity/go-dep-parser@v1.0.0
-	modDir := filepath.Join(d.root, modDirName)
-	return os.DirFS(modDir), nil
+	return fs.Sub(d.root, modDirName)
 }
 
 type vendorDir struct {
@@ -451,8 +463,16 @@ func newVendorDir(fsys fs.FS, modPath string) (vendorDir, error) {
 	vendor := filepath.Join(filepath.Dir(modPath), "vendor")
 	sub, err := fs.Sub(fsys, vendor)
 	if err != nil {
-		return vendorDir{}, xerrors.Errorf("vendor directory not found: %w", err)
+		return vendorDir{}, xerrors.Errorf("failed to access vendor directory: %w", err)
 	}
+
+	// Check if the directory exists.
+	// fs.Sub doesn't return an error for non-existent directories,
+	// so we need to explicitly verify the directory exists.
+	if _, err := fs.Stat(sub, "."); err != nil {
+		return vendorDir{}, xerrors.Errorf("vendor directory does not exist: %w", err)
+	}
+
 	return vendorDir{root: sub}, nil
 }
 

pkg/fanal/analyzer/language/golang/mod/mod_test.go

@@ -1,30 +1,30 @@
 package mod
 
 import (
-	"path/filepath"
 	"sort"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/aquasecurity/trivy/internal/testutil"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
-	"github.com/aquasecurity/trivy/pkg/mapfs"
 )
 
+const gopathFixture = "testdata/gopath.txtar"
+
 func Test_gomodAnalyzer_Analyze(t *testing.T) {
 	tests := []struct {
-		name  string
-		files []string
-		want  *analyzer.AnalysisResult
+		name   string
+		txtar  string
+		gopath bool
+		want   *analyzer.AnalysisResult
 	}{
 		{
-			name: "happy",
-			files: []string{
-				"testdata/happy/mod",
-				"testdata/happy/sum",
-			},
+			name:   "happy",
+			txtar:  "testdata/happy.txtar",
+			gopath: true,
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
@@ -74,10 +74,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name: "wrong go.mod from `pkg`",
-			files: []string{
-				"testdata/wrong-gomod-in-pkg/mod",
-			},
+			name:   "wrong go.mod from `pkg`",
+			txtar:  "testdata/wrong-gomod-in-pkg.txtar",
+			gopath: true,
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
@@ -116,10 +115,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name: "no pkg dir found",
-			files: []string{
-				"testdata/no-pkg-found/mod",
-			},
+			name:   "no pkg dir found",
+			txtar:  "testdata/no-pkg-found.txtar",
+			gopath: false,
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
@@ -179,11 +177,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name: "less than 1.17",
-			files: []string{
-				"testdata/merge/mod",
-				"testdata/merge/sum",
-			},
+			name:   "less than 1.17",
+			txtar:  "testdata/merge.txtar",
+			gopath: true,
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
@@ -235,10 +231,9 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name: "no go.sum",
-			files: []string{
-				"testdata/merge/mod",
-			},
+			name:   "no go.sum",
+			txtar:  "testdata/no-go-sum.txtar",
+			gopath: true,
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
@@ -278,18 +273,15 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name: "sad go.mod",
-			files: []string{
-				"testdata/sad/mod",
-			},
-			want: &analyzer.AnalysisResult{},
+			name:   "sad go.mod",
+			txtar:  "testdata/sad.txtar",
+			gopath: false,
+			want:   &analyzer.AnalysisResult{},
 		},
 		{
-			name: "deps from GOPATH and license from vendor dir",
-			files: []string{
-				"testdata/vendor-dir-exists/mod",
-				"testdata/vendor-dir-exists/vendor",
-			},
+			name:   "deps from GOPATH and license from vendor dir",
+			txtar:  "testdata/vendor-dir-exists.txtar",
+			gopath: true,
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
@@ -339,28 +331,27 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 	}
+
+	// Load GOPATH fixture once as fs.FS (represents $GOPATH/pkg/mod)
+	gopathFS := testutil.TxtarToFS(t, gopathFixture)
+
 	for _, tt := range tests {
-		t.Setenv("GOPATH", "testdata")
 		t.Run(tt.name, func(t *testing.T) {
+			// Load test case txtar as fs.FS
+			fsys := testutil.TxtarToFS(t, tt.txtar)
+
 			a, err := newGoModAnalyzer(analyzer.AnalyzerOptions{})
 			require.NoError(t, err)
 
-			mfs := mapfs.New()
-			for _, file := range tt.files {
-				// Since broken go.mod files bothers IDE, we should use other file names than "go.mod" and "go.sum".
-				switch filepath.Base(file) {
-				case "mod":
-					require.NoError(t, mfs.WriteFile("go.mod", file))
-				case "sum":
-					require.NoError(t, mfs.WriteFile("go.sum", file))
-				case "vendor":
-					require.NoError(t, mfs.CopyDir(file, "."))
-				}
+			// Set GOPATH fs.FS for testing
+			ma := a.(*gomodAnalyzer)
+			if tt.gopath {
+				ma.gopathFS = gopathFS
 			}
 
 			ctx := t.Context()
-			got, err := a.PostAnalyze(ctx, analyzer.PostAnalysisInput{
-				FS: mfs,
+			got, err := ma.PostAnalyze(ctx, analyzer.PostAnalysisInput{
+				FS: fsys,
 			})
 			require.NoError(t, err)
 
@@ -368,7 +359,6 @@ func Test_gomodAnalyzer_Analyze(t *testing.T) {
 				sort.Sort(got.Applications[0].Packages)
 				sort.Sort(tt.want.Applications[0].Packages)
 			}
-			require.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})
 	}

pkg/fanal/analyzer/language/golang/mod/testdata/gopath.txtar

@@ -0,0 +1,122 @@
+GOPATH directory structure containing pkg/mod with cached Go module dependencies.
+This is used as a shared test fixture across multiple test cases.
+All file paths must include the "pkg/mod/" prefix to properly represent the GOPATH structure.
+
+-- pkg/mod/github.com/!burnt!sushi/toml@v0.3.1/COPYING --
+The MIT License (MIT)
+
+Copyright (c) 2013 TOML authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/LICENSE --
+MIT License
+
+Copyright (c) 2019 Teppei Fukuda
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod --
+module github.com/aquasecurity/go-dep-parser
+
+go 1.18
+
+require (
+	github.com/BurntSushi/toml v1.2.1
+	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
+	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hashicorp/go-retryablehttp v0.7.2
+	github.com/liamg/jfather v0.0.7
+	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
+	github.com/samber/lo v1.37.0
+	github.com/stretchr/testify v1.8.1
+	go.uber.org/zap v1.24.0
+	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
+	golang.org/x/mod v0.8.0
+	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/text v0.3.8 // indirect
+)
+-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod --
+module github.com/aquasecurity/go-dep-parser
+
+go 1.18
+
+require (
+	github.com/BurntSushi/toml v1.2.1
+	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
+	github.com/hashicorp/go-multierror v1.1.1
+	github.com/hashicorp/go-retryablehttp v0.7.2
+	github.com/liamg/jfather v0.0.7
+	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
+	github.com/samber/lo v1.37.0
+	github.com/stretchr/testify v1.8.1
+	go.uber.org/zap v1.24.0
+	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
+	golang.org/x/mod v0.8.0
+	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/text v0.3.8 // indirect
+)
+-- pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.1/go.mod --
+module github.com/aquasecurity/go-dep-parser
+
+go 1.18
+
+require (
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
+)
+-- pkg/mod/github.com/sad/sad@v0.0.1/go.mod --
+wrong

pkg/fanal/analyzer/language/golang/mod/testdata/happy.txtar

@@ -1,3 +1,17 @@
+Test case with go.mod, go.sum, and GOPATH pkg/mod dependencies.
+This tests the happy path where all dependencies can be resolved from GOPATH.
+
+-- go.mod --
+module github.com/org/repo
+
+go 1.17
+
+require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
+
+require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+
+replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20220406074731-71021a481237
+-- go.sum --
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
@@ -21,4 +35,4 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/fanal/analyzer/language/golang/mod/testdata/happy/mod

@@ -1,9 +0,0 @@
-module github.com/org/repo
-
-go 1.17
-
-require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
-
-require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-
-replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20220406074731-71021a481237

pkg/fanal/analyzer/language/golang/mod/testdata/merge.txtar

@@ -0,0 +1,16 @@
+Test case for Go version < 1.17 with go.sum.
+This tests merging dependency information from both go.mod and go.sum.
+
+-- go.mod --
+module github.com/org/repo
+
+go 1.15
+
+require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
+
+replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd
+-- go.sum --
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd h1:H9IR14rR3+Z13ZH7ay9bs2hHBL7WAqdEJLLr8nhx/Rs=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd/go.mod h1:4dZHU2Ntsh9EopNVdTKf8UjSGDNTMVoyB5B34RjD75g=

pkg/fanal/analyzer/language/golang/mod/testdata/merge/sum

@@ -1,4 +0,0 @@
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd h1:H9IR14rR3+Z13ZH7ay9bs2hHBL7WAqdEJLLr8nhx/Rs=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd/go.mod h1:4dZHU2Ntsh9EopNVdTKf8UjSGDNTMVoyB5B34RjD75g=

pkg/fanal/analyzer/language/golang/mod/testdata/no-go-sum.txtar

@@ -1,7 +1,11 @@
+Test case without go.sum file.
+This tests that the analyzer works when only go.mod is present.
+
+-- go.mod --
 module github.com/org/repo
 
 go 1.15
 
 require github.com/aquasecurity/go-dep-parser v0.0.0-20211110174639-8257534ffed3
 
-replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd
+replace github.com/aquasecurity/go-dep-parser => github.com/aquasecurity/go-dep-parser v0.0.0-20230219131432-590b1dfb6edd

pkg/fanal/analyzer/language/golang/mod/testdata/no-pkg-found.txtar

@@ -1,3 +1,7 @@
+Test case where no GOPATH pkg/mod directory is found.
+This tests the fallback behavior when dependencies cannot be found in GOPATH.
+
+-- go.mod --
 module github.com/org/repo
 
 go 1.23
@@ -7,4 +11,4 @@ require (
     github.com/aquasecurity/go-version v1.0.1
 )
 
-require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect

pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/toml@v0.3.1/COPYING

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2013 TOML authors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2019 Teppei Fukuda
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod

@@ -1,31 +0,0 @@
-module github.com/aquasecurity/go-dep-parser
-
-go 1.18
-
-require (
-	github.com/BurntSushi/toml v1.2.1
-	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
-	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.7.2
-	github.com/liamg/jfather v0.0.7
-	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
-	github.com/samber/lo v1.37.0
-	github.com/stretchr/testify v1.8.1
-	go.uber.org/zap v1.24.0
-	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
-	golang.org/x/mod v0.8.0
-	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	gopkg.in/yaml.v3 v3.0.1
-)
-
-require (
-	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/text v0.3.8 // indirect
-)

pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod

@@ -1,31 +0,0 @@
-module github.com/aquasecurity/go-dep-parser
-
-go 1.18
-
-require (
-	github.com/BurntSushi/toml v1.2.1
-	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
-	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.7.2
-	github.com/liamg/jfather v0.0.7
-	github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
-	github.com/samber/lo v1.37.0
-	github.com/stretchr/testify v1.8.1
-	go.uber.org/zap v1.24.0
-	golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4
-	golang.org/x/mod v0.8.0
-	golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	gopkg.in/yaml.v3 v3.0.1
-)
-
-require (
-	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/hashicorp/errwrap v1.0.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/text v0.3.8 // indirect
-)

pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.1/go.mod

@@ -1,7 +0,0 @@
-module github.com/aquasecurity/go-dep-parser
-
-go 1.18
-
-require (
-	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-)

pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/sad/sad@v0.0.1/go.mod

@@ -1 +0,0 @@
-wrong

pkg/fanal/analyzer/language/golang/mod/testdata/sad.txtar

@@ -0,0 +1,5 @@
+Test case with invalid go.mod file.
+This tests error handling for malformed go.mod files.
+
+-- go.mod --
+invalid

pkg/fanal/analyzer/language/golang/mod/testdata/sad/mod

@@ -1 +0,0 @@
-invalid

pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists.txtar

@@ -1,3 +1,15 @@
+Test case with vendor directory.
+This tests getting dependency licenses from the vendor directory instead of GOPATH.
+
+-- go.mod --
+module github.com/org/repo
+
+go 1.17
+
+require github.com/aquasecurity/go-dep-parser v0.0.1
+
+require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+-- vendor/github.com/aquasecurity/go-dep-parser/LICENSE --
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -198,4 +210,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/mod

@@ -1,7 +0,0 @@
-module github.com/org/repo
-
-go 1.17
-
-require github.com/aquasecurity/go-dep-parser v0.0.1
-
-require golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect

pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg.txtar

@@ -0,0 +1,9 @@
+Test case with invalid go.mod in GOPATH pkg/mod directory.
+This tests handling of broken dependency go.mod files.
+
+-- go.mod --
+module github.com/org/repo
+
+go 1.17
+
+require github.com/sad/sad v0.0.1

pkg/fanal/analyzer/language/golang/mod/testdata/wrong-gomod-in-pkg/mod

@@ -1,5 +0,0 @@
-module github.com/org/repo
-
-go 1.17
-
-require github.com/sad/sad v0.0.1