hitting error (invalid package name: "") on repo have multiple go.mod #501

Closed
WLun001 opened this issue Jul 4, 2020 · 5 comments

WLun001 commented Jul 4, 2020

Summary

Hitting error invalid package name: "" on repo with multiple go.mod

Steps to reproduce the behavior

Repo structure

.root
  |- cli 
  |   | - cli-name 
  |       |- go.mod
  | - go.mod

Run gosec on root

gosec ./...

After a while

Golang errors in file: [some-path/cmd/generate.go]:

  > [line 21 : column 2] - could not import github.com/spf13/cobra (invalid package name: "")

gosec version

Not sure what is the version, it prints nothing

gosec -version

Version:
Git tag:
Build date:

Go version (output of 'go version')

go version go1.14.3 darwin/amd64

Operating system / Environment

MacOS 10.15.4

Expected behavior

Should be able to resolve packages

Actual behavior

Unable to resolve packages on repo with multiple go.mod

Member

ccojocar commented Jul 4, 2020

Hi @WLun001, This is not an idiomatic go project layout. You need to have one module per repository. See these docs for more details: https://github.com/golang-standards/project-layout.

Also note that gosec relies on go standard library packages to load the modules. So if it fails, it means that your project doesn't follow the standards.

I am going to close this because gosec is not going to support this project structure. Thanks!

ccojocar closed this as completed Jul 4, 2020

Author

WLun001 commented Jul 4, 2020

@ccojocar thanks for the suggestion, I have refactored my project layout and it worked


nitinvalake commented Nov 4, 2020

@ccojocar Facing issues with private repos.

In my project we have used private repositories, and while running the gosec command it gives an "unknown revision" error for those private repos.

And when I use GO111MODULE=off, it gives the same error as mentioned by @WLun001.


lootek commented Sep 28, 2021

> Hi @WLun001, This is not an idiomatic go project layout. You need to have one module per repository. See these docs for more details: https://github.com/golang-standards/project-layout.
>
> Also note that gosec relies on go standard library packages to load the modules. So if it fails, it means that your project doesn't follow the standards.
>
> I am going to close this because gosec is not going to support this project structure. Thanks!

The repo you're referring to is NOT an official Go project structure - see golang-standards/project-layout#117

Also, it's perfectly valid to have one git repo with many Go modules - see the OFFICIAL docs https://golang.org/doc/modules/managing-source#tools

lootek added a commit to solarwinds/snap-plugin-lib that referenced this issue Sep 28, 2021
lootek added a commit to solarwinds/snap-plugin-lib that referenced this issue Sep 29, 2021
Co-authored-by: dominik.maslyk <d.@d.com>
* Change email to technicalsupport@solarwinds.com (AO-19577)

Troubleshooting CI:
* added tools.go
* go get @latest
* updating circleCI, travis and scripts/
* make fmt sanity check fail only on go1.16
* add goversioninfo to tools
* gosec in a loop over directories (see securego/gosec#501)
* don't run staticcheck twice
* bump go versions for tests
* skip goimports on go 1.17 as well
* freeze google/licenseclassifier (fails on older go versions on //go:embed)

JIRA: AO-19577
BinaryFissionGames added a commit to observIQ/bindplane-otel-collector that referenced this issue Jun 28, 2022
* add new binary to everything but windows

* add to windows msi

* add version flag to updater

* build using combined target

* fix manual build

* add license header

* break updater into separate module

* add new module to dependabot

* copy version pkg to new updater internal pkg

To not have a dependency on the root module

* Workaround for securego/gosec#501
cpheps pushed a commit to observIQ/bindplane-otel-collector that referenced this issue Jul 27, 2022
cpheps pushed a commit to observIQ/bindplane-otel-collector that referenced this issue Jul 29, 2022
cpheps pushed a commit to observIQ/bindplane-otel-collector that referenced this issue Aug 1, 2022
StefanKurek pushed a commit to observIQ/bindplane-otel-collector that referenced this issue Aug 4, 2022
BinaryFissionGames added a commit to observIQ/bindplane-otel-collector that referenced this issue Aug 4, 2022
cpheps pushed a commit to observIQ/bindplane-otel-collector that referenced this issue Aug 5, 2022
* feat: Add windows service definition to archive (#515)

* feat: Create Updater artifact (#529)

* add new binary to everything but windows

* add to windows msi

* add version flag to updater

* build using combined target

* fix manual build

* add license header

* break updater into separate module

* add new module to dependabot

* copy version pkg to new updater internal pkg

To not have a dependency on the root module

* Workaround for securego/gosec#501

* feat: Add tarball download + unarchiving to updater (#538)

* Add download and content-hash verification to updater

* add a couple more tests for some edge cases

* lint

* gosec errors

* fix defer f.close properly

* fix tests on windows

* more windows specific testing

* fix final test failure on windows

* more line-ending test fixes

* feat: Added OpAMP PackageStatuses functionality & basic response to PackagesAvailable (#550)

* Added OpAMP PackageStatuses functionality & basic response to PackagesAvailable

* Add new data model for marshal/unmarshaling OpAMP package statuses.

* feat: Add ability to install unpacked artifacts in updater (#562)

* start artifact install logic

* fix uninstall service step

* add tests for windows service manager

* remove kardiano/service dependency

* check filepath with spaces

* more tests, hook up to main

* naming

* add licenses

* gosec fixes

* linux gosec + some lint issues

* linter

* fix formatting of windows service test

* actually fix formatting

* guard linux/win service tests behind tag

* run tests as sudo on linux

* fix inverted conditional

* split updater integration tests into separate target

* refactor package for better encapsulation

* update darwin service to load/unload for start/stop

* fix installDir for windows after rename

* test replaceInstallDir

* add license to service_test.go

* fix make target phony

* add some comments

* add start of readme

* add a (very basic) readme

* use switch instead of multiple ifs

* Add comments to moveFiles

* fix failing darwin test

* Moved code to download, verify, and extract OpAMP package file from updater to collector (#565)

* OpAmp Package Update Glue (#567)

Switched PackageStatuses yaml to a JSON file to prevent partial reads by Updater.
Removed excess fields for package status. We should be able to communicate with available status and error message.
If just started an install, will prevent another PackagesAvailable message from starting another install.
If OpAMP client errors out at any point, sets the status to failed with an error message (if possible) in the JSON file.
This will allow the updater to quickly shut down the collector and start up the rollback one (which will then send the message to BindPlane).
On BindPlane connect, will check if the status is installing. If so, will check if Server version matches current version. Based on this will either set status to success or fail and write to JSON file for BindPlane to notice. It should only try to send a message immediately to BindPlane if it was a success.

* Moved package install function to goroutine

* Add mutex for updatingClient flag in client (#570)

* Created packagestate module (#579)

* Broke package status objects into their own file

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Updated main module to reference packagestate module

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Fixed license check for new module

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Created interface and mocks for package state manager

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Changed PackageStateProvider to use interface of StateManager

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Fixed up linux test for package state manager

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* feat: Updater rollback (#584)

* start rollback

* more wip

* more tests

* add licenses, more testing

* split out action stuff to separate package, more testing

Needed to do this due to circular deps in mocks

* move service test data

* fix up darwin tests

* Fix linux service to fit new service interface

* fix windows service (todo: tests)

* add windows backup test

* fix service action pointing to wrong file

* Logic for Updater to monitor Collector Status (#581)

* Added default file name into package state to be accessed by updater

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Added logic to monitor status of collector from updater

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Added tests and fixed up some ci-checks issues

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Ran make add-license

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Added mocks for updater state monitor

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Pre-PR fixups

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Modified monitor state logic to be more flexible on errors

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* fix revive linting errors

* fix windows gosec error

* update gosec to ignore test program

* refactor CopyFile to allow failure on overwrite

* refactor file action to take relative dir

* add interface enforcement to actions

* add nosec to open func

* split windows service backup function into a few functions

Co-authored-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* feat: Updater logging (#589)

* add zap logging

* add log level flag

* add license headers

* lint fixes

* remove unimplemented comment

* skip NewLogger test on windows

* remove ability to specify level

* remove rotation

* remove copyFiles receiver

* remove stringer implementation

* remove previous log file on logger creation

* tidy go mod

* re-add stringer for copy file action

* feat: Collector starts up Updater (#590)

* Adds ability to start Updater and monitor it for failure

* Fixes new collector erroring on execution after it is copied

* Added KillMode=process to the linux service file in order to orphan the updater

* Added disconnection flag to avoid failure messages in graceful shutdown

* Added linux service file to tarball

Co-authored-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* Fixed go.sum

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* feat: Remove tmpdir from updater (#591)

* starting on changing installDir

* fix and add tests

* fix gosec issues

* add license

* fix formatting

* remove command line option from collector

* remove redundant parameters, rename copyFiles functions

* Fixed name of package updater looks at (#592)

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* feat: Copy updater executable to CWD of collector before executing (#594)

* move updater to CWD before running

* fix darwin, add test

* fix windows + windows tests

* make tests parallel for updater manager

* gosec

* fix: Windows updater log fix (#595)

* Added os specific log path

Signed-off-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* make tests run on windows

* make fmt, fix function redefinitions

* reduce diff

* add license

Co-authored-by: Corbin Phelps <corbin.phelps@bluemedora.com>

* feat: Updater cleans up temporary directory (#596)

* remove tmpdir on rollback or update success

* remove temp directory in failure scenarios

* comment why we use a noop logger for failure

* move installer creation to where it's actually used

* fix redundant calls to removeTmpDir

* fix: Pass install dir into service (#598)

* pass install dir into service

* pass install dir to service update action service

* Updater properly installs and rollbacks JMX Jar. (#600)

Also making sure that we use the backed up file permissions when
rolling back a file that no longer exists in the install directory

* feat: Harden collector shutdown while updating (#597)

* change service timeouts

* update non-windows with new timeout

* fix windows test

* stop the service before rollback

* fix install tests

* fix: If the collector detects an error updating, clean temporary directory (#601)

* Have the collector clean artifacts if update fails early

* fix client tests

* Updated Makefile & GitHub Action workflow so Updater binary has license scans (#604)

* Fixes tmp dir for update to have 0700 permissions (#609)

* fix(updater): Do Update in place for windows service (#605)

* do Update in place for windows service

* add a few comments

* feat: Refactor updater main (#608)

* refactor main; tests WIP

* add tests for Updater

* fix lint

* add license

* rename installer and rollbacker to avoid confusion w/ interface

* final debug log to info log

* empty commit for testing

* fix(updater): Enable debug logs (#613)

* feat: Refactor Updater's file package (#611)

* break CopyFile into separate functions

* break overwrite flag into two functions

* fix comment for CopyFileOverwrite

* small tweaks

* tests for file package

* fix linux build

* remove todo

* explain why we continue even on error.

* empty commit for testing

* Added better logging/messaging around collector package updating (#614)

Co-authored-by: Brandon Johnson <brandon.johnson@bluemedora.com>
Co-authored-by: Brandon Johnson <binaryfissiongames@gmail.com>
Co-authored-by: Corbin Phelps <corbin.phelps@bluemedora.com>
mozillazg added a commit to AliyunContainerService/ack-ram-tool that referenced this issue Feb 20, 2023
@Emptyless

For anyone facing this issue, #1100 fixes the aforementioned issue. The PR is closed, but I'll keep the branch open and will try to keep it in sync.
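
The workaround recorded in the snap-plugin-lib commit above ("gosec in a loop over directories") can be sketched as follows for the multi-module layout from the original report. This is an added example, not code from gosec or from any of the referencing projects; the `GOSEC_BIN` override, the function names and the pruning of `vendor/` and `.git/` are assumptions of the example.

```shell
#!/bin/sh
# Added example: run gosec once per Go module in a multi-module repository.
# GOSEC_BIN is an assumed override hook; it defaults to the gosec binary.
GOSEC_BIN="${GOSEC_BIN:-gosec}"

# Print every directory under $1 that contains a go.mod, one per line.
# vendor/ and .git/ are pruned (an assumption of this example).
find_module_roots() {
    find "$1" \( -name vendor -o -name .git \) -prune -o \
        -type f -name go.mod -print | sed 's|/go\.mod$||' | LC_ALL=C sort
}

# Scan each module from inside its own root with the ./... pattern.
# Nested modules are passed to the parent's scan as -exclude-dir, so every
# directory is analysed only under the go.mod that owns it.
# Returns 1 if any module's scan fails; a plain loop would report only the
# last module's exit status and let earlier findings pass CI.
scan_modules() {
    roots=$(find_module_roots "$1")
    status=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        set --
        while IFS= read -r other; do
            case "$other" in
                "$dir"/*) rel=${other#"$dir"/}
                          set -- "$@" "-exclude-dir=$rel" ;;
            esac
        done <<EOF
$roots
EOF
        echo "==> scanning module in $dir" >&2
        (cd "$dir" && "$GOSEC_BIN" "$@" ./...) </dev/null || status=1
    done <<EOF
$roots
EOF
    return "$status"
}

# When invoked with a path argument, scan that tree (for example: ".").
if [ "$#" -gt 0 ]; then
    scan_modules "$1"
    exit $?
fi
```
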
