Merge pull request #47 from actions/juxtin/update-dep-sub-toolkit

Update dependency-submission-toolkit

.gitattributes

@@ -0,0 +1 @@
+dist/* linguist-generated=true

.github/workflows/go-dependency-submission.yml

@@ -1,5 +1,5 @@
 name: Go Dependency Submission
-on
+on:
   push:
     branches:
       - main
@@ -20,7 +20,7 @@ jobs:
           go-version: ">=1.18.0"
 
       - name: Run snapshot action
-        uses: actions/go-dependency-submission@main
+        uses: actions/go-dependency-submission@v1
         with:
           go-mod-path: go-example/go.mod
           go-build-target: go-example/cmd/octocat.go

.github/workflows/release-new-action-version.yml

@@ -0,0 +1,26 @@
+name: Release new action version
+on:
+  release:
+    types: [released]
+  workflow_dispatch:
+    inputs:
+      TAG_NAME:
+        description: 'Tag name that the major tag will point to'
+        required: true
+
+env:
+  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+permissions:
+  contents: write
+
+jobs:
+  update_tag:
+    name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
+    environment:
+      name: releaseNewActionVersion
+    runs-on: ubuntu-latest
+    steps:
+    - name: Update the ${{ env.TAG_NAME }} tag
+      uses: actions/publish-action@v0.2.1
+      with:
+        source-tag: ${{ env.TAG_NAME }}

.github/workflows/test.yml

@@ -20,12 +20,13 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 16
-          registry-url: 'https://npm.pkg.github.com'
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
 
-      - run: npm ci --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
+      - name: Install NPM dependencies
+        run: npm ci --ignore-scripts
 
-      - run: npm rebuild && npm run all
+      - name: Build and run tests 
+        run: npm rebuild && npm run all
+
+      - name: Verify no uncommitted files
+        run: '[ -z "$(git status --porcelain=v1 2>/dev/null)" ]'
+        shell: bash

README.md

@@ -3,6 +3,15 @@
 This GitHub Action calculates dependencies for a Go build-target (a Go file with a
 `main` function) and submits the list to the [Dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api). Dependencies then appear in your repository's dependency graph, and you'll receive Dependabot alerts and updates for vulnerable or out-of-date dependencies. 
 
+### Running locally
+
+Because we are checking in the Typescript output, you may see check failures if you don't generate the contents of `dist/` in a similar manner to our CI check. You can easily rectify this by regenerating in a codespace and using what we use in our workflow YAML:
+
+```
+npm ci --ignore-scripts
+npm rebuild && npm run all
+```
+
 ### Example
 ```yaml
 name: Go Dependency Submission
@@ -32,7 +41,7 @@ jobs:
           go-version: ">=1.18.0"
 
       - name: Run snapshot action
-        uses: actions/go-dependency-submission@main
+        uses: actions/go-dependency-submission@v1
         with:
             # Required: Define the repo path to the go.mod file used by the
             # build target

action.yml

@@ -1,6 +1,6 @@
-name: 'Go Action for Creating Dependency Snapshots'
-description: 'Detects go dependencies in projects using go mod graph utility'
-author: 'lorenanicole'
+name: 'Go Dependency Submission'
+description: 'Calculates dependencies for a Go build-target and submits the list to the Dependency Submission API'
+author: 'GitHub'
 inputs:
   token:
     description: "GitHub Personal Access Token (PAT). Defaults to PAT provided by Action runner"
@@ -11,7 +11,8 @@ inputs:
     description: 'User provided map of max key/value pairs of metadata to include with the snapshot e.g. {"lastModified": "12-31-2022"}'
   go-mod-path:
     required: true
-    description: 'Repo path to the go.mod file used to detect dependencies for the Go build target'
+    description: 'Repo path to the go.mod file used to detect dependencies for the Go build target. Defaults to go.mod in the root of the repository.'
+    default: 'go.mod'
   go-build-target:
     required: true
     description: 'Build target to detect build dependencies. If unspecified, will use "all", with will detect all dependencies used in all build targets (including tests and tools).'

dist/licenses.txt

@@ -614,6 +614,19 @@ Permission to use, copy, modify, and/or distribute this software for any purpose
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
+uuid
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2010-2020 Robert Kieffer and other contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
 webidl-conversions
 BSD-2-Clause
 # The BSD 2-Clause License

dist/parse.js

@@ -0,0 +1,58 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseGoModGraph = exports.parseGoList = exports.parseGoPackage = void 0;
+const path_1 = __importDefault(require("path"));
+const packageurl_js_1 = require("packageurl-js");
+function parseGoPackage(pkg) {
+    const [qualifiedPackage, version] = pkg.split('@');
+    let namespace = null;
+    let name;
+    if (qualifiedPackage.indexOf('/') !== -1) {
+        namespace = path_1.default.dirname(qualifiedPackage);
+        name = path_1.default.basename(qualifiedPackage);
+    }
+    else {
+        name = qualifiedPackage;
+    }
+    return new packageurl_js_1.PackageURL('golang', namespace, name, version !== null && version !== void 0 ? version : null, null, null);
+}
+exports.parseGoPackage = parseGoPackage;
+/**
+ * parseGoList parses a list of Go packages (one per line) matching the format
+ * "${GO_PACKAGE}@v{VERSION}" into Package URLs. This expects the output of 'go
+ * list -deps' as input.
+ *
+ * @param {string} contents
+ * @returns {Array<PackageURL>}
+ */
+function parseGoList(contents) {
+    // split the input by newlines, sort, and dedup
+    const packages = Array.from(new Set(contents.split('\n').map((p) => p.trim())));
+    const purls = [];
+    packages.forEach((pkg) => {
+        if (!pkg.trim())
+            return;
+        purls.push(parseGoPackage(pkg));
+    });
+    return purls;
+}
+exports.parseGoList = parseGoList;
+/**
+ * parseGoModGraph parses an *associative list* of Go packages into tuples into
+ * an associative list of PackageURLs. This expects the output of 'go mod
+ * graph' as input
+ */
+function parseGoModGraph(contents) {
+    const pkgAssocList = [];
+    contents.split('\n').forEach((line) => {
+        if (!line.trim())
+            return;
+        const [parentPkg, childPkg] = line.split(' ');
+        pkgAssocList.push([parseGoPackage(parentPkg), parseGoPackage(childPkg)]);
+    });
+    return pkgAssocList;
+}
+exports.parseGoModGraph = parseGoModGraph;

dist/process.js

@@ -0,0 +1,128 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.processGoIndirectDependencies = exports.processGoDirectDependencies = exports.processGoGraph = void 0;
+const exec = __importStar(require("@actions/exec"));
+const core = __importStar(require("@actions/core"));
+const dependency_submission_toolkit_1 = require("@github/dependency-submission-toolkit");
+const parse_1 = require("./parse");
+function processGoGraph(goModDir, directDependencies, indirectDependencies) {
+    return __awaiter(this, void 0, void 0, function* () {
+        console.log(`Running 'go mod graph' in ${goModDir}`);
+        const goModGraph = yield exec.getExecOutput('go', ['mod', 'graph'], {
+            cwd: goModDir
+        });
+        if (goModGraph.exitCode !== 0) {
+            core.error(goModGraph.stderr);
+            core.setFailed("'go mod graph' failed!");
+            throw new Error("Failed to execute 'go mod graph'");
+        }
+        /* add all direct and indirect packages to a new PackageCache */
+        const cache = new dependency_submission_toolkit_1.PackageCache();
+        directDependencies.forEach((pkg) => {
+            cache.package(pkg);
+        });
+        indirectDependencies.forEach((pkg) => {
+            cache.package(pkg);
+        });
+        const packageAssocList = (0, parse_1.parseGoModGraph)(goModGraph.stdout);
+        packageAssocList.forEach(([parentPkg, childPkg]) => {
+            /* Look up the parent package in the cache. go mod graph will return
+             * multiple versions of packages with the same namespace and name. We
+             * select only package versions used in the Go build target. */
+            const targetPackage = cache.lookupPackage(parentPkg);
+            if (!targetPackage)
+                return;
+            /* Build a matcher to select on the namespace+name of the child package in
+             * the cache. The child package version specified by go mod graph is not
+             * the one guaranteed to be selected when building Go build targets. */
+            const matcher = {
+                name: childPkg.name
+            };
+            if (childPkg.namespace)
+                matcher.namespace = childPkg.namespace;
+            /* There should only ever be a single package with a namespace+name in the
+             * build target list. Go does not support multiple versions of the same
+             * package */
+            const matches = cache.packagesMatching(matcher);
+            if (matches.length === 0)
+                return;
+            if (matches.length !== 1) {
+                throw new Error('assertion failed: expected no more than one package in cache with namespace+name. ' +
+                    'Found: ' +
+                    JSON.stringify(matches) +
+                    'for ' +
+                    JSON.stringify(matcher));
+            }
+            // create the dependency relationship
+            targetPackage.dependsOn(matches[0]);
+        });
+        return cache;
+    });
+}
+exports.processGoGraph = processGoGraph;
+// For a specific Go _build target_, these templates list dependencies used to
+// in the build target. It does not provide association between the
+// dependencies (i.e. which dependencies depend on which)
+// eslint-disable-next-line quotes
+// eslint-disable-next-line no-useless-escape
+const GO_DIRECT_DEPS_TEMPLATE = '{{define "M"}}{{if not .Indirect}}{{.Path}}@{{.Version}}{{end}}{{end}}{{with .Module}}{{if not .Main}}{{if .Replace}}{{template "M" .Replace}}{{else}}{{template "M" .}}{{end}}{{end}}{{end}}';
+// eslint-disable-next-line quotes
+// eslint-disable-next-line no-useless-escape
+const GO_INDIRECT_DEPS_TEMPLATE = '{{define "M"}}{{if .Indirect}}{{.Path}}@{{.Version}}{{end}}{{end}}{{with .Module}}{{if not .Main}}{{if .Replace}}{{template "M" .Replace}}{{else}}{{template "M" .}}{{end}}{{end}}{{end}}';
+function processGoDirectDependencies(goModDir, goBuildTarget) {
+    return __awaiter(this, void 0, void 0, function* () {
+        console.log(`go direct package detection in ${goModDir} on build target ${goBuildTarget}`);
+        return processGoList(goModDir, goBuildTarget, GO_DIRECT_DEPS_TEMPLATE);
+    });
+}
+exports.processGoDirectDependencies = processGoDirectDependencies;
+function processGoIndirectDependencies(goModDir, goBuildTarget) {
+    return __awaiter(this, void 0, void 0, function* () {
+        console.log(`go indirect package detection in ${goModDir} on build target ${goBuildTarget}`);
+        return processGoList(goModDir, goBuildTarget, GO_INDIRECT_DEPS_TEMPLATE);
+    });
+}
+exports.processGoIndirectDependencies = processGoIndirectDependencies;
+function processGoList(goModDir, goBuildTarget, goListTemplate) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const goList = yield exec.getExecOutput('go', ['list', '-deps', '-f', goListTemplate, goBuildTarget], { cwd: goModDir });
+        if (goList.exitCode !== 0) {
+            core.error(goList.stderr);
+            core.setFailed("'go list' failed!");
+            throw new Error("Failed to execute 'go list'");
+        }
+        return (0, parse_1.parseGoList)(goList.stdout);
+    });
+}

go-example/go.mod

@@ -7,5 +7,5 @@ require github.com/fatih/color v1.13.0
 require (
 	github.com/mattn/go-colorable v0.1.9 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
-	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect
+	golang.org/x/sys v0.1.0 // indirect
 )

go-example/go.sum

@@ -7,5 +7,6 @@ github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

package-lock.json

@@ -9,10 +9,10 @@
       "version": "1.0.0",
       "license": "ISC",
       "dependencies": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.9.1",
         "@actions/exec": "^1.1.1",
         "@actions/github": "^5.0.3",
-        "@github/dependency-submission-toolkit": "^1.1.2",
+        "@github/dependency-submission-toolkit": "^1.2.10",
         "packageurl-js": "^0.0.6"
       },
       "devDependencies": {
@@ -32,11 +32,12 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.8.2",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.8.2.tgz",
-      "integrity": "sha512-FXcBL7nyik8K5ODeCKlxi+vts7torOkoDAKfeh61EAkAy1HAvwn9uVzZBY0f15YcQTcZZ2/iSGBFHEuioZWfDA==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
       "dependencies": {
-        "@actions/http-client": "^2.0.1"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "node_modules/@actions/exec": {
@@ -136,9 +137,9 @@
       }
     },
     "node_modules/@babel/core/node_modules/json5": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.1.tgz",
-      "integrity": "sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
       "dev": true,
       "bin": {
         "json5": "lib/cli.js"
@@ -673,15 +674,15 @@
       }
     },
     "node_modules/@github/dependency-submission-toolkit": {
-      "version": "1.1.2",
-      "resolved": "https://npm.pkg.github.com/download/@github/dependency-submission-toolkit/1.1.2/742faf4570a1f30532adc02edde4b27b7bd6b9439ce9bb39c2322eaca07239e1",
-      "integrity": "sha512-uJyVJN9fUJf2djNLT9mNwBSbkQ+AdYuOBmUffHnHFhF+3kCN6zqy3m+3Iw//Ixln7kpe8qN7W0ZVGFOesXYZXA==",
-      "license": "MIT",
+      "version": "1.2.10",
+      "resolved": "https://registry.npmjs.org/@github/dependency-submission-toolkit/-/dependency-submission-toolkit-1.2.10.tgz",
+      "integrity": "sha512-J8vpbTpaM+SAQaDHJ5t0lgkIFlFKZhjVLz/ZmED7rg6rwuV6GCZ6gagF7VOM83jiomoIzmA9wj3izFEfIvtXcg==",
       "dependencies": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.10.0",
         "@actions/exec": "^1.1.1",
         "@actions/github": "^5.0.0",
         "@octokit/rest": "^18.12.0",
+        "@octokit/webhooks-types": "^6.10.0",
         "openapi-typescript": "^5.2.0",
         "packageurl-js": "0.0.6"
       }
@@ -1313,6 +1314,11 @@
         "@octokit/openapi-types": "^11.2.0"
       }
     },
+    "node_modules/@octokit/webhooks-types": {
+      "version": "6.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-6.10.0.tgz",
+      "integrity": "sha512-lDNv83BeEyxxukdQ0UttiUXawk9+6DkdjjFtm2GFED+24IQhTVaoSbwV9vWWKONyGLzRmCQqZmoEWkDhkEmPlw=="
+    },
     "node_modules/@sinclair/typebox": {
       "version": "0.23.5",
       "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.23.5.tgz",
@@ -2080,6 +2086,17 @@
         "semver": "^7.0.0"
       }
     },
+    "node_modules/busboy": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz",
+      "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==",
+      "dependencies": {
+        "streamsearch": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=10.16.0"
+      }
+    },
     "node_modules/call-bind": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.2.tgz",
@@ -4376,9 +4393,9 @@
       "dev": true
     },
     "node_modules/json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
       "dev": true,
       "dependencies": {
         "minimist": "^1.2.0"
@@ -5325,6 +5342,14 @@
         "node": ">=8"
       }
     },
+    "node_modules/streamsearch": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz",
+      "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==",
+      "engines": {
+        "node": ">=10.0.0"
+      }
+    },
     "node_modules/string-length": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/string-length/-/string-length-4.0.2.tgz",
@@ -5582,9 +5607,9 @@
       }
     },
     "node_modules/ts-jest/node_modules/json5": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.1.tgz",
-      "integrity": "sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
       "dev": true,
       "bin": {
         "json5": "lib/cli.js"
@@ -5705,9 +5730,12 @@
       }
     },
     "node_modules/undici": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-5.2.0.tgz",
-      "integrity": "sha512-XY6+NS3WH9b3TKOHeNz2CjR+qrVz/k4fO9g3etPpLozRvULoQmZ1+dk9JbIz40ehn27xzFk4jYVU2MU3Nle62A==",
+      "version": "5.19.1",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.19.1.tgz",
+      "integrity": "sha512-YiZ61LPIgY73E7syxCDxxa3LV2yl3sN8spnIuTct60boiiRaE1J8mNWHO8Im2Zi/sFrPusjLlmRPrsyraSqX6A==",
+      "dependencies": {
+        "busboy": "^1.6.0"
+      },
       "engines": {
         "node": ">=12.18"
       }
@@ -5726,6 +5754,14 @@
         "punycode": "^2.1.0"
       }
     },
+    "node_modules/uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
     "node_modules/v8-compile-cache": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz",
@@ -5888,11 +5924,12 @@
   },
   "dependencies": {
     "@actions/core": {
-      "version": "1.8.2",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.8.2.tgz",
-      "integrity": "sha512-FXcBL7nyik8K5ODeCKlxi+vts7torOkoDAKfeh61EAkAy1HAvwn9uVzZBY0f15YcQTcZZ2/iSGBFHEuioZWfDA==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
+      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
       "requires": {
-        "@actions/http-client": "^2.0.1"
+        "@actions/http-client": "^2.0.1",
+        "uuid": "^8.3.2"
       }
     },
     "@actions/exec": {
@@ -5976,9 +6013,9 @@
       },
       "dependencies": {
         "json5": {
-          "version": "2.2.1",
-          "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.1.tgz",
-          "integrity": "sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==",
+          "version": "2.2.3",
+          "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+          "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
           "dev": true
         },
         "semver": {
@@ -6383,14 +6420,15 @@
       }
     },
     "@github/dependency-submission-toolkit": {
-      "version": "1.1.2",
-      "resolved": "https://npm.pkg.github.com/download/@github/dependency-submission-toolkit/1.1.2/742faf4570a1f30532adc02edde4b27b7bd6b9439ce9bb39c2322eaca07239e1",
-      "integrity": "sha512-uJyVJN9fUJf2djNLT9mNwBSbkQ+AdYuOBmUffHnHFhF+3kCN6zqy3m+3Iw//Ixln7kpe8qN7W0ZVGFOesXYZXA==",
+      "version": "1.2.10",
+      "resolved": "https://registry.npmjs.org/@github/dependency-submission-toolkit/-/dependency-submission-toolkit-1.2.10.tgz",
+      "integrity": "sha512-J8vpbTpaM+SAQaDHJ5t0lgkIFlFKZhjVLz/ZmED7rg6rwuV6GCZ6gagF7VOM83jiomoIzmA9wj3izFEfIvtXcg==",
       "requires": {
-        "@actions/core": "^1.6.0",
+        "@actions/core": "^1.10.0",
         "@actions/exec": "^1.1.1",
         "@actions/github": "^5.0.0",
         "@octokit/rest": "^18.12.0",
+        "@octokit/webhooks-types": "^6.10.0",
         "openapi-typescript": "^5.2.0",
         "packageurl-js": "0.0.6"
       }
@@ -6904,6 +6942,11 @@
         "@octokit/openapi-types": "^11.2.0"
       }
     },
+    "@octokit/webhooks-types": {
+      "version": "6.10.0",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-6.10.0.tgz",
+      "integrity": "sha512-lDNv83BeEyxxukdQ0UttiUXawk9+6DkdjjFtm2GFED+24IQhTVaoSbwV9vWWKONyGLzRmCQqZmoEWkDhkEmPlw=="
+    },
     "@sinclair/typebox": {
       "version": "0.23.5",
       "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.23.5.tgz",
@@ -7468,6 +7511,14 @@
         "semver": "^7.0.0"
       }
     },
+    "busboy": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz",
+      "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==",
+      "requires": {
+        "streamsearch": "^1.1.0"
+      }
+    },
     "call-bind": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.2.tgz",
@@ -9165,9 +9216,9 @@
       "dev": true
     },
     "json5": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.1.tgz",
-      "integrity": "sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-1.0.2.tgz",
+      "integrity": "sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==",
       "dev": true,
       "requires": {
         "minimist": "^1.2.0"
@@ -9840,6 +9891,11 @@
         }
       }
     },
+    "streamsearch": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz",
+      "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg=="
+    },
     "string-length": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/string-length/-/string-length-4.0.2.tgz",
@@ -10020,9 +10076,9 @@
       },
       "dependencies": {
         "json5": {
-          "version": "2.2.1",
-          "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.1.tgz",
-          "integrity": "sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==",
+          "version": "2.2.3",
+          "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+          "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
           "dev": true
         },
         "yargs-parser": {
@@ -10105,9 +10161,12 @@
       }
     },
     "undici": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-5.2.0.tgz",
-      "integrity": "sha512-XY6+NS3WH9b3TKOHeNz2CjR+qrVz/k4fO9g3etPpLozRvULoQmZ1+dk9JbIz40ehn27xzFk4jYVU2MU3Nle62A=="
+      "version": "5.19.1",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.19.1.tgz",
+      "integrity": "sha512-YiZ61LPIgY73E7syxCDxxa3LV2yl3sN8spnIuTct60boiiRaE1J8mNWHO8Im2Zi/sFrPusjLlmRPrsyraSqX6A==",
+      "requires": {
+        "busboy": "^1.6.0"
+      }
     },
     "universal-user-agent": {
       "version": "6.0.0",
@@ -10123,6 +10182,11 @@
         "punycode": "^2.1.0"
       }
     },
+    "uuid": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
+      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
+    },
     "v8-compile-cache": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz",

package.json

@@ -40,10 +40,10 @@
     "typescript": "^4.6.4"
   },
   "dependencies": {
-    "@actions/core": "^1.6.0",
+    "@actions/core": "^1.9.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^5.0.3",
-    "@github/dependency-submission-toolkit": "^1.1.2",
+    "@github/dependency-submission-toolkit": "^1.2.10",
     "packageurl-js": "^0.0.6"
   }
 }

src/index.ts

@@ -1,16 +1,25 @@
 import path from 'path'
 import fs from 'fs'
-
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import { Snapshot, submitSnapshot } from '@github/dependency-submission-toolkit'
+import {
+  Snapshot,
+  Manifest,
+  submitSnapshot
+} from '@github/dependency-submission-toolkit'
 
-import { processGoGraph, processGoBuildTarget } from './process'
+import {
+  processGoGraph,
+  processGoDirectDependencies,
+  processGoIndirectDependencies
+} from './process'
 
 async function main () {
-  const goModPath = path.normalize(core.getInput('go-mod-path'))
+  const goModPath = path.normalize(
+    core.getInput('go-mod-path', { required: true })
+  )
 
-  if (path.basename(goModPath) !== 'go.mod' && fs.existsSync(goModPath)) {
+  if (path.basename(goModPath) !== 'go.mod' || !fs.existsSync(goModPath)) {
     throw new Error(`${goModPath} is not a go.mod file or does not exist!`)
   }
   const goModDir = path.dirname(goModPath)
@@ -35,16 +44,43 @@ async function main () {
     }
   }
 
-  const packageCache = await processGoGraph(goModDir)
-  const manifest = await processGoBuildTarget(
+  const directDeps = await processGoDirectDependencies(goModDir, goBuildTarget)
+  const indirectDeps = await processGoIndirectDependencies(
     goModDir,
-    goBuildTarget,
-    packageCache
+    goBuildTarget
   )
+  const packageCache = await processGoGraph(goModDir, directDeps, indirectDeps)
+  // if using the pseudotargets "all" or "./...", use the path to go.mod as filepath
+  const filepath =
+    goBuildTarget === 'all' || goBuildTarget === './...'
+      ? goModPath
+      : path.join(goModDir, goBuildTarget)
+  const manifest = new Manifest(goBuildTarget, filepath)
+
+  directDeps.forEach((pkgUrl) => {
+    const dep = packageCache.lookupPackage(pkgUrl)
+    if (!dep) {
+      throw new Error(
+        'assertion failed: expected all direct dependencies to have entries in PackageCache'
+      )
+    }
+    manifest.addDirectDependency(dep)
+  })
+
+  indirectDeps.forEach((pkgUrl) => {
+    const dep = packageCache.lookupPackage(pkgUrl)
+    if (!dep) {
+      throw new Error(
+        'assertion failed: expected all indirect dependencies to have entries in PackageCache'
+      )
+    }
+    manifest.addIndirectDependency(dep)
+  })
+
   const snapshot = new Snapshot(
     {
-      name: 'github-go-dependency-detector',
-      url: 'https://github.com/github/github-go-dependency-detector',
+      name: 'actions/go-dependency-submission',
+      url: 'https://github.com/actions/go-dependency-submission',
       version: '0.0.1'
     },
     github.context,

src/parse.test.ts

@@ -1,4 +1,4 @@
-import { parseGoList, parseGoModGraph } from './parse'
+import { parseGoPackage, parseGoList, parseGoModGraph } from './parse'
 
 const GO_DEPENDENCIES = `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.7.0
 golang.org/x/sys@v0.0.0-20220317061510-51cd9980dadf
@@ -6,7 +6,25 @@ golang.org/x/text@v0.3.7
 golang.org/x/text@v0.3.7
 golang.org/x/text@v0.3.7`
 
-describe('test dependenciesProcessorFunc', () => {
+describe('parseGoPackage', () => {
+  it('parses a package with a namespace', () => {
+    expect(parseGoPackage('foo/bar@0.1.2').toString()).toEqual(
+      'pkg:golang/foo/bar@0.1.2'
+    )
+  })
+  it('parses a package with a namespace with slashes', () => {
+    expect(parseGoPackage('github.com/foo/bar@0.1.2').toString()).toEqual(
+      'pkg:golang/github.com/foo/bar@0.1.2'
+    )
+  })
+  it('parses a package without a namespace', () => {
+    expect(parseGoPackage('foo.io@0.1.2').toString()).toEqual(
+      'pkg:golang/foo.io@0.1.2'
+    )
+  })
+})
+
+describe('parseGoList', () => {
   test('parses output of go list command into dependencies', () => {
     const dependencies = parseGoList(GO_DEPENDENCIES)
 
@@ -15,7 +33,7 @@ describe('test dependenciesProcessorFunc', () => {
       {
         type: 'golang',
         name: 'otlptracehttp',
-        namespace: 'go.opentelemetry.io%2Fotel%2Fexporters%2Fotlp%2Fotlptrace',
+        namespace: 'go.opentelemetry.io/otel/exporters/otlp/otlptrace',
         version: 'v1.7.0',
         qualifiers: null,
         subpath: null
@@ -23,7 +41,7 @@ describe('test dependenciesProcessorFunc', () => {
       {
         type: 'golang',
         name: 'sys',
-        namespace: 'golang.org%2Fx',
+        namespace: 'golang.org/x',
         version: 'v0.0.0-20220317061510-51cd9980dadf',
         qualifiers: null,
         subpath: null
@@ -31,7 +49,7 @@ describe('test dependenciesProcessorFunc', () => {
       {
         type: 'golang',
         name: 'text',
-        namespace: 'golang.org%2Fx',
+        namespace: 'golang.org/x',
         version: 'v0.3.7',
         qualifiers: null,
         subpath: null
@@ -49,7 +67,7 @@ describe('parseGoModGraph', () => {
     expect(assocList[0][0]).toEqual({
       type: 'golang',
       name: 'go-example',
-      namespace: '.', // we expect the namespace for the root package to process to dot
+      namespace: null,
       version: null,
       qualifiers: null,
       subpath: null
@@ -67,7 +85,7 @@ github.com/mattn/go-colorable@v1.1.9 github.com/mattn/go-isatty@v0.0.12`)
         {
           type: 'golang',
           name: 'color',
-          namespace: 'github.com%2Ffatih',
+          namespace: 'github.com/fatih',
           version: 'v1.13.0',
           qualifiers: null,
           subpath: null
@@ -75,7 +93,7 @@ github.com/mattn/go-colorable@v1.1.9 github.com/mattn/go-isatty@v0.0.12`)
         {
           type: 'golang',
           name: 'go-isatty',
-          namespace: 'github.com%2Fmattn',
+          namespace: 'github.com/mattn',
           version: 'v0.0.14',
           qualifiers: null,
           subpath: null
@@ -85,7 +103,7 @@ github.com/mattn/go-colorable@v1.1.9 github.com/mattn/go-isatty@v0.0.12`)
         {
           type: 'golang',
           name: 'go-colorable',
-          namespace: 'github.com%2Fmattn',
+          namespace: 'github.com/mattn',
           version: 'v1.1.9',
           qualifiers: null,
           subpath: null
@@ -93,7 +111,7 @@ github.com/mattn/go-colorable@v1.1.9 github.com/mattn/go-isatty@v0.0.12`)
         {
           type: 'golang',
           name: 'go-isatty',
-          namespace: 'github.com%2Fmattn',
+          namespace: 'github.com/mattn',
           version: 'v0.0.12',
           qualifiers: null,
           subpath: null

src/parse.ts

@@ -1,10 +1,16 @@
 import path from 'path'
 import { PackageURL } from 'packageurl-js'
 
-function parseGoPackage (pkg: string): PackageURL {
+export function parseGoPackage (pkg: string): PackageURL {
   const [qualifiedPackage, version] = pkg.split('@')
-  const namespace = encodeURIComponent(path.dirname(qualifiedPackage))
-  const name = path.basename(qualifiedPackage)
+  let namespace: string | null = null
+  let name: string
+  if (qualifiedPackage.indexOf('/') !== -1) {
+    namespace = path.dirname(qualifiedPackage)
+    name = path.basename(qualifiedPackage)
+  } else {
+    name = qualifiedPackage
+  }
   return new PackageURL('golang', namespace, name, version ?? null, null, null)
 }
 

src/process.test.ts

@@ -1,17 +1,86 @@
-import { processGoGraph, processGoBuildTarget } from './process'
+import {
+  processGoGraph,
+  processGoDirectDependencies,
+  processGoIndirectDependencies
+} from './process'
 
 // NOTE: these tests all require "go" to be installed and available on the PATH!
 //
-describe('processGoGraph', () => {
+describe('processGoDirectDependencies', () => {
   test('run in go-example', async () => {
-    const cache = await processGoGraph('go-example')
-    expect(cache.countPackages()).toEqual(8)
-    const manifest = await processGoBuildTarget(
+    const purls = await processGoDirectDependencies(
       'go-example',
-      'cmd/octocat.go',
-      cache
+      'cmd/octocat.go'
     )
-    expect(manifest.directDependencies()).toHaveLength(4)
-    expect(manifest.indirectDependencies()).toHaveLength(2)
+    expect(purls).toHaveLength(1)
+    expect(purls).toEqual([
+      {
+        type: 'golang',
+        name: 'color',
+        namespace: 'github.com/fatih',
+        version: 'v1.13.0',
+        qualifiers: null,
+        subpath: null
+      }
+    ])
+  })
+})
+
+describe('processGoIndirectDependencies', () => {
+  test('run in go-example', async () => {
+    const purls = await processGoIndirectDependencies(
+      'go-example',
+      'cmd/octocat.go'
+    )
+    expect(purls).toHaveLength(3)
+    expect(purls).toEqual([
+      {
+        type: 'golang',
+        name: 'sys',
+        namespace: 'golang.org/x',
+        version: 'v0.0.0-20210630005230-0f9fa26af87c',
+        qualifiers: null,
+        subpath: null
+      },
+      {
+        type: 'golang',
+        name: 'go-isatty',
+        namespace: 'github.com/mattn',
+        version: 'v0.0.14',
+        qualifiers: null,
+        subpath: null
+      },
+      {
+        type: 'golang',
+        name: 'go-colorable',
+        namespace: 'github.com/mattn',
+        version: 'v0.1.9',
+        qualifiers: null,
+        subpath: null
+      }
+    ])
+  })
+})
+
+describe('processGoGraph', () => {
+  test.only('run in go-example', async () => {
+    const directDeps = await processGoDirectDependencies(
+      'go-example',
+      'cmd/octocat.go'
+    )
+    const indirectDeps = await processGoIndirectDependencies(
+      'go-example',
+      'cmd/octocat.go'
+    )
+    const cache = await processGoGraph('go-example', directDeps, indirectDeps)
+
+    // we expect the number of direct dependencies + indirect
+    expect(cache.countPackages()).toEqual(4)
+
+    const colorDep = cache.lookupPackage(
+      'pkg:golang/github.com/fatih/color@v1.13.0'
+    )
+    expect(colorDep).not.toBeUndefined()
+    if (colorDep) expect(colorDep.dependencies).toHaveLength(2)
   })
 })

src/process.ts

@@ -1,16 +1,16 @@
-import path from 'path'
+import { PackageURL } from 'packageurl-js'
 
 import * as exec from '@actions/exec'
 import * as core from '@actions/core'
-import {
-  Manifest,
-  BuildTarget,
-  PackageCache
-} from '@github/dependency-submission-toolkit'
+import { PackageCache } from '@github/dependency-submission-toolkit'
 
 import { parseGoModGraph, parseGoList } from './parse'
 
-export async function processGoGraph (goModDir: string): Promise<PackageCache> {
+export async function processGoGraph (
+  goModDir: string,
+  directDependencies: Array<PackageURL>,
+  indirectDependencies: Array<PackageURL>
+): Promise<PackageCache> {
   console.log(`Running 'go mod graph' in ${goModDir}`)
   const goModGraph = await exec.getExecOutput('go', ['mod', 'graph'], {
     cwd: goModDir
@@ -21,35 +21,94 @@ export async function processGoGraph (goModDir: string): Promise<PackageCache> {
     throw new Error("Failed to execute 'go mod graph'")
   }
 
+  /* add all direct and indirect packages to a new PackageCache */
   const cache = new PackageCache()
+  directDependencies.forEach((pkg) => {
+    cache.package(pkg)
+  })
+  indirectDependencies.forEach((pkg) => {
+    cache.package(pkg)
+  })
+
   const packageAssocList = parseGoModGraph(goModGraph.stdout)
   packageAssocList.forEach(([parentPkg, childPkg]) => {
-    cache.package(parentPkg).dependsOn(cache.package(childPkg))
+    /* Look up the parent package in the cache. go mod graph will return
+     * multiple versions of packages with the same namespace and name. We
+     * select only package versions used in the Go build target. */
+    const targetPackage = cache.lookupPackage(parentPkg)
+    if (!targetPackage) return
+
+    /* Build a matcher to select on the namespace+name of the child package in
+     * the cache. The child package version specified by go mod graph is not
+     * the one guaranteed to be selected when building Go build targets. */
+    const matcher: { name: string; namespace?: string } = {
+      name: childPkg.name
+    }
+    if (childPkg.namespace) matcher.namespace = childPkg.namespace
+
+    /* There should only ever be a single package with a namespace+name in the
+     * build target list. Go does not support multiple versions of the same
+     * package */
+    const matches = cache.packagesMatching(matcher)
+
+    if (matches.length === 0) return
+
+    if (matches.length !== 1) {
+      throw new Error(
+        'assertion failed: expected no more than one package in cache with namespace+name. ' +
+          'Found: ' +
+          JSON.stringify(matches) +
+          'for ' +
+          JSON.stringify(matcher)
+      )
+    }
+    // create the dependency relationship
+    targetPackage.dependsOn(matches[0])
   })
 
   return cache
 }
 
-// For a specific Go _build target_, this template lists all dependencies used
-// to build the build target It does not provide association between the
+// For a specific Go _build target_, these templates list dependencies used to
+// in the build target. It does not provide association between the
 // dependencies (i.e. which dependencies depend on which)
 // eslint-disable-next-line quotes
 // eslint-disable-next-line no-useless-escape
-const GO_LIST_DEP_TEMPLATE =
-  '{{define "M"}}{{.Path}}@{{.Version}}{{end}}{{with .Module}}{{if not .Main}}{{if .Replace}}{{template "M" .Replace}}{{else}}{{template "M" .}}{{end}}{{end}}{{end}}'
+const GO_DIRECT_DEPS_TEMPLATE =
+  '{{define "M"}}{{if not .Indirect}}{{.Path}}@{{.Version}}{{end}}{{end}}{{with .Module}}{{if not .Main}}{{if .Replace}}{{template "M" .Replace}}{{else}}{{template "M" .}}{{end}}{{end}}{{end}}'
+// eslint-disable-next-line quotes
+// eslint-disable-next-line no-useless-escape
+const GO_INDIRECT_DEPS_TEMPLATE =
+  '{{define "M"}}{{if .Indirect}}{{.Path}}@{{.Version}}{{end}}{{end}}{{with .Module}}{{if not .Main}}{{if .Replace}}{{template "M" .Replace}}{{else}}{{template "M" .}}{{end}}{{end}}{{end}}'
 
-export async function processGoBuildTarget (
+export async function processGoDirectDependencies (
+  goModDir: string,
+  goBuildTarget: string
+): Promise<Array<PackageURL>> {
+  console.log(
+    `go direct package detection in ${goModDir} on build target ${goBuildTarget}`
+  )
+  return processGoList(goModDir, goBuildTarget, GO_DIRECT_DEPS_TEMPLATE)
+}
+
+export async function processGoIndirectDependencies (
+  goModDir: string,
+  goBuildTarget: string
+): Promise<Array<PackageURL>> {
+  console.log(
+    `go indirect package detection in ${goModDir} on build target ${goBuildTarget}`
+  )
+  return processGoList(goModDir, goBuildTarget, GO_INDIRECT_DEPS_TEMPLATE)
+}
+
+async function processGoList (
   goModDir: string,
   goBuildTarget: string,
-  cache: PackageCache
-): Promise<Manifest> {
-  console.log(
-    `Running go package detection in ${goModDir} on build target ${goBuildTarget}`
-  )
-
+  goListTemplate: string
+): Promise<Array<PackageURL>> {
   const goList = await exec.getExecOutput(
     'go',
-    ['list', '-deps', '-f', GO_LIST_DEP_TEMPLATE, goBuildTarget],
+    ['list', '-deps', '-f', goListTemplate, goBuildTarget],
     { cwd: goModDir }
   )
   if (goList.exitCode !== 0) {
@@ -58,14 +117,5 @@ export async function processGoBuildTarget (
     throw new Error("Failed to execute 'go list'")
   }
 
-  const dependencies = parseGoList(goList.stdout)
-  const manifest = new BuildTarget(
-    goBuildTarget,
-    path.join(goModDir, goBuildTarget)
-  )
-  dependencies.forEach((dep) => {
-    manifest.addBuildDependency(cache.package(dep))
-  })
-
-  return manifest
+  return parseGoList(goList.stdout)
 }