
Can't use syft with go mod vendor because of invalid case of microsoft module #2026

Closed
barnuri opened this issue Aug 14, 2023 · 6 comments
Labels
bug Something isn't working

Comments

@barnuri

barnuri commented Aug 14, 2023

What happened:
In the code you used github.com/microsoft/go-rustaudit instead of github.com/Microsoft/go-rustaudit.

What you expected to happen:
To use github.com/Microsoft/go-rustaudit.

Steps to reproduce the issue:
Install syft as a dependency of another Go project, then run:
go mod tidy
go mod vendor
go build -mod vendor

Anything else we need to know?:

Environment:

  • Output of syft version:
  • OS (e.g: cat /etc/os-release or similar):
@spiffcs
Contributor

spiffcs commented Aug 17, 2023

👋 Barnuri where do you see github.com/Microsoft/go-rustaudit as the correct case?

I just checked the libraries go.mod file and found:
https://github.com/microsoft/go-rustaudit/blob/204dfee52032963d1c64725a41f7fd88feaf1503/go.mod#L1C3-L10

Is there another place this could be pulled from that's causing the uppercase to matter?

@wagoodman
Contributor

I don't think I understand the nature of the failure. That is, when I run the given steps:

❯ go mod tidy
❯ go mod vendor
❯ go build -mod vendor -o /tmp/grype ./cmd/grype

I have a grype build that works:

❯ /tmp/grype alpine:latest
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    alpine:latest
 ✔ Parsed image                    sha256:7e01a0d0a1dcd9e539f8e9bbd80106d59efbdf97293b3d38f5d7a34501526cdb
 ✔ Cataloged packages              [16 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed
No vulnerabilities found

@barnuri what's the failure you expected here?

@barnuri
Author

barnuri commented Aug 27, 2023

It's happening when trying to do go mod vendor inside Docker:

 => ERROR [builder 4/7] RUN go build -mod vendor -o syft                                  8.3s
------
 > [builder 4/7] RUN go build -mod vendor -o syft:
6.096 go: finding module for package github.com/microsoft/go-rustaudit
7.070 vendor/github.com/anchore/syft/syft/pkg/cataloger/rust/package.go:4:2: cannot query module due to -mod=vendor

@wagoodman
Contributor

wagoodman commented Sep 7, 2023

Even in Docker we were still not able to reproduce the issue.

FROM golang:1.20

WORKDIR /app

COPY . .

RUN go mod tidy
RUN go mod vendor
RUN go build -mod vendor -o /tmp/grype ./cmd/grype

$ docker build -t localhost/grype:latest -f Dockerfile .
[+] Building 185.7s (11/11) FINISHED
 => [internal] load build definition from Dockerfile.test                              0.0s
 => => transferring dockerfile: 226B                                                   0.0s
 => [internal] load .dockerignore                                                      0.0s
 => => transferring context: 83B                                                       0.0s
 => [internal] load metadata for docker.io/library/golang:1.20                         0.0s
 => CACHED [1/6] FROM docker.io/library/golang:1.20                                    0.0s
 => [internal] load build context                                                      0.4s
 => => transferring context: 446.73kB                                                  0.4s
 => [2/6] WORKDIR /app                                                                 0.0s
 => [3/6] COPY . .                                                                     1.8s
 => [4/6] RUN go mod tidy                                                             59.8s
 => [5/6] RUN go mod vendor                                                           11.3s
 => [6/6] RUN go build -mod vendor -o /tmp/grype ./cmd/grype                          84.3s
 => exporting to image                                                                27.9s
 => => exporting layers                                                               27.9s
 => => writing image sha256:a78fe18e8a1972e6e8703418a7f09f31d054ddec7e8ba751c0ebbb8d0  0.0s
 => => naming to localhost/grype:latest                                                0.0s

I tried this in grype, but take note of the go mod why output:

$ go mod why github.com/microsoft/go-rustaudit
# github.com/microsoft/go-rustaudit
github.com/anchore/grype/grype
github.com/anchore/syft/syft/pkg/cataloger
github.com/anchore/syft/syft/pkg/cataloger/rust
github.com/microsoft/go-rustaudit

$ go mod why github.com/Microsoft/go-rustaudit
# github.com/Microsoft/go-rustaudit
(main module does not need package github.com/Microsoft/go-rustaudit)

Note that the only consumer of this go-rustaudit module is syft, which we know references this module via the lowercase variant. Do you have multiple dependencies that use this module in your application? If so I would check the import statements for these dependent libs as they might be using the uppercase variant.

Also, are you blocked by this PR not making it in? If so you can put the replace line in your application's go.mod to unblock your work.

We don't want to merge this fix since we don't have a good understanding as to why Microsoft is more correct over microsoft given that the upstream go.mod in the go-rustaudit repo references the lowercase variant.
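The check suggested above (comparing the import statements of the dependent libraries against what actually landed in the vendor tree), written out as an added example. This is not syft's or grype's own code: the Go source snippet stands in for a file like the `package.go` named in the error, the `vendor/modules.txt` fragment is constructed with placeholder versions, and both are embedded inline so the program runs offline. With `-mod=vendor` the go tool resolves an import by its exact string, so an import that matches a vendored package only after case folding is precisely the one that fails with "cannot query module due to -mod=vendor".

```go
package main

// Added example (not syft's or grype's code): find imports whose path differs
// only by letter case from the package path recorded in vendor/modules.txt,
// which is the failure mode discussed in this issue.

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// sampleSource is a constructed stand-in for a file such as
// syft/pkg/cataloger/rust/package.go; it is not the real file.
const sampleSource = `package rust

import (
	"fmt"

	"github.com/microsoft/go-rustaudit"
)
`

// sampleModulesTxt is a constructed vendor/modules.txt fragment (versions are
// placeholders) in which the module was vendored under the capitalised path.
const sampleModulesTxt = `# github.com/Microsoft/go-rustaudit v0.0.0-placeholder
## explicit; go 1.20
github.com/Microsoft/go-rustaudit
# github.com/anchore/syft v0.0.0-placeholder
## explicit; go 1.20
github.com/anchore/syft/syft/pkg/cataloger/rust
`

// Mismatch pairs an import path with the vendored package it matches only
// case-insensitively.
type Mismatch struct {
	Import   string
	Vendored string
}

// importPaths returns the import paths declared by a Go source file, using the
// standard parser so comments and build tags cannot confuse the scan.
func importPaths(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "package.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value) // Path.Value keeps the quotes
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// vendoredPackages lists the package paths in vendor/modules.txt: "# " lines
// name modules, "## " lines are annotations, every other non-empty line is a
// vendored package path.
func vendoredPackages(modulesTxt string) []string {
	var pkgs []string
	for _, line := range strings.Split(modulesTxt, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		pkgs = append(pkgs, line)
	}
	return pkgs
}

// vendorMismatches reports imports with no exact match in the vendor tree that
// do match a vendored package once case is folded; `go build -mod=vendor`
// refuses to resolve exactly these imports.
func vendorMismatches(imports, vendored []string) []Mismatch {
	exact := make(map[string]bool, len(vendored))
	folded := make(map[string]string, len(vendored))
	for _, v := range vendored {
		exact[v] = true
		folded[strings.ToLower(v)] = v
	}
	var out []Mismatch
	for _, imp := range imports {
		if exact[imp] {
			continue
		}
		if v, ok := folded[strings.ToLower(imp)]; ok {
			out = append(out, Mismatch{Import: imp, Vendored: v})
		}
	}
	return out
}

func main() {
	imports, err := importPaths(sampleSource)
	if err != nil {
		panic(err)
	}
	for _, m := range vendorMismatches(imports, vendoredPackages(sampleModulesTxt)) {
		fmt.Printf("case mismatch: source imports %q but vendor has %q\n", m.Import, m.Vendored)
	}
}
```

On a real checkout the same two functions would be fed every `.go` file under `vendor/` plus the contents of `vendor/modules.txt`; a non-empty result pinpoints which dependency imports the other spelling, which is the information needed before deciding whether a `replace` directive or an upstream fix is the right remedy.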

@spiffcs
Contributor

spiffcs commented Sep 11, 2023

Closing this as will-not-fix for now. If there is more to add after the above, please let us know and we can reconsider opening with any additional comments. Thanks!

@nycnewman

nycnewman commented Dec 8, 2024

Seeing the same issue for buildkit-syft-scanner, which depends on several Microsoft libraries. Go appears to treat modules as case-insensitive, and syft causes issues due to its use of lowercase "microsoft".

docker/buildkit-syft-scanner#111
