Blocked modules appears to be ignored in some cases #39

Closed
oschwald opened this issue Sep 29, 2023 · 8 comments
@oschwald

I haven't figured out an exact pattern, but it appears that blocked modules are not flagged in some instances:

$ cat .gomodguard.yaml
blocked:
  modules:
    - gotest.tools/v3/assert:
        recommendations:
          - github.com/stretchr/testify/assert
        reason: "We have standardized on `github.com/stretchr/testify/assert`."

$ git grep gotest.tools/v3/assert
build_test.go:  "gotest.tools/v3/assert"

$ gomodguard build_test.go
info: allowed modules, []
info: allowed module domains, []
info: blocked modules, [gotest.tools/v3/assert]
info: blocked modules with version constraints, []

If I change gotest.tools/v3/assert to another module used in the same file, it seems to work.

@ryancurrah ryancurrah self-assigned this Sep 29, 2023
@ryancurrah ryancurrah added the bug Something isn't working label Sep 29, 2023
@Jeeyuen-Rick

Hi, I tried to block github.com/gin-gonic/gin version 1.9.16 (last 2 lines) and it seems to be ignored as well. Below is my config file. Could you take a look? Thanks.

linters-settings:
  gomodguard:
    allowed:
      # List of allowed modules.
      # Default: []
      modules:
        - github.com/pborman/uuid
      # List of allowed module domains.
      # Default: []
      domains:
        - golang.org
    blocked:
      # List of blocked modules.
      # Default: []
      modules:
        # Blocked module.
        - github.com/uudashr/go-module:
      # List of blocked module version constraints.
      # Default: []
      versions:
        - github.com/mitchellh/go-homedir:
            version: "<= 1.1.0" # Version constraint.
            reason: "testing if blocked version constraint works." # Reason why the version constraint exists.
        - cloud.google.com/go/compute:
            version: "!= 1.7.0"
        - sigs.k8s.io/kustomize/kyaml: # kustomize/kyaml
            version: "< 0.13.6"
        - sigs.k8s.io/kustomize/kyaml: # kustomize/kyaml
            version: "> 0.13.9"
        - sigs.k8s.io/structured-merge-diff/v4:
            version: "!= 4.2.1"
        - sigs.k8s.io/structured-merge-diff/v4:
            version: "!= 4.2.3"
        - sigs.k8s.io/yaml:
            version: "!= 1.3.0"
        - github.com/gin-gonic/gin:
            version: "== 1.9.16"
      domains:

@ryancurrah
Owner

Thanks for the report and example config. I will look at this soon.

@ryancurrah
Owner

ryancurrah commented Apr 3, 2024

OK, so for @oschwald's issue, they put the package name gotest.tools/v3/assert when they should be using the module name gotest.tools/v3, as per https://github.com/gotestyourself/gotest.tools/blob/main/go.mod#L1. When I use the module name it works.

╰─ gomodguard ./...
info: allowed modules, []
info: allowed module domains, []
info: blocked modules, [gotest.tools/v3]
info: blocked modules with version constraints, []
blocked_example_test.go:6:1 import of package `gotest.tools/v3/assert` is blocked because the module is in the blocked modules list. `github.com/stretchr/testify/assert` is a recommended module. We have standardized on `github.com/stretchr/testify/assert`.

@Jeeyuen-Rick I'll look at your issue next.

@ryancurrah
Owner

ryancurrah commented Apr 3, 2024

@Jeeyuen-Rick gomodguard ignores constraint errors, and you have a constraint error, so that's why the gin one is failing. I will have a fix to bubble up constraint errors.

In the meantime, you can fix your issue by changing the constraint to = 1.9.1, dropping the additional =. Also, note there is no release 1.9.16 of gin. The latest release is 1.9.1.

For all the valid constraints see: https://github.com/Masterminds/semver?tab=readme-ov-file#basic-comparisons

@Jeeyuen-Rick

Thank you Ryan.

@ryancurrah
Owner

ryancurrah commented Apr 3, 2024

I think what I am going to do is raise it as a lint error when the constraint is invalid.

╰─ gomodguard ./...
info: allowed modules, [github.com/pborman/uuid]
info: allowed module domains, [golang.org]
info: blocked modules, [github.com/uudashr/go-module]
info: blocked modules with version constraints, [github.com/mitchellh/go-homedir cloud.google.com/go/compute sigs.k8s.io/kustomize/kyaml sigs.k8s.io/kustomize/kyaml sigs.k8s.io/structured-merge-diff/v4 sigs.k8s.io/structured-merge-diff/v4 sigs.k8s.io/yaml github.com/gin-gonic/gin]
blocked_example_test.go:7:1 import of package `github.com/gin-gonic/gin` is blocked because the version constraint is invalid. improper constraint: == 1.9.1

@Jeeyuen-Rick

I believe this is reasonable. Since I didn’t read the document carefully and assumed ‘==’ instead of ‘=’. Thank you again for catching my mistake.

ryancurrah added a commit that referenced this issue Apr 3, 2024
As reported in #39, if a version constraint is invalid gomodguard ignores it. This change ensures errors with semver constraints are bubbled up as lint errors. Added test coverage for this.
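
Both failure modes in this thread (a package path where a module path is required, and an unparsable version constraint) leave a deny rule that silently never matches. The pre-flight check below is an added example, not gomodguard's code: it flags both before the linter runs. `Rule`, `CheckConstraint`, `OwningModule` and `Audit` are hypothetical names, the module list is constructed sample data, and the constraint grammar is a deliberately narrow approximation of the basic comparisons linked above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumption: only the "basic comparisons" form (=, !=, >, <, >=, <= plus a
// version) is accepted; ranges, ~ and ^ are out of scope for this sketch.
var basicConstraint = regexp.MustCompile(`^(=|!=|>|<|>=|<=)?\s*v?\d+(\.\d+){0,2}$`)
type Rule struct{ Module, Version string } // Version "" blocks every version

// CheckConstraint fails closed: an unrecognised constraint is an error.
func CheckConstraint(c string) error {
	if c != "" && !basicConstraint.MatchString(strings.TrimSpace(c)) {
		return fmt.Errorf("improper constraint: %s", c)
	}
	return nil
}

// OwningModule returns the longest module in mods owning entry ("" if none).
func OwningModule(entry string, mods []string) (best string) {
	for _, m := range mods {
		if (entry == m || strings.HasPrefix(entry, m+"/")) && len(m) > len(best) {
			best = m
		}
	}
	return best
}

// Audit reports rules that can never match: package paths and bad constraints.
func Audit(rules []Rule, mods []string) (findings []string) {
	for _, r := range rules {
		if owner := OwningModule(r.Module, mods); owner != "" && owner != r.Module {
			findings = append(findings, r.Module+": package path, use module "+owner)
		}
		if err := CheckConstraint(r.Version); err != nil {
			findings = append(findings, r.Module+": "+err.Error())
		}
	}
	return findings
}

func main() {
	// Constructed sample: a module list plus three rules from this thread.
	mods := []string{"gotest.tools/v3", "github.com/gin-gonic/gin", "sigs.k8s.io/yaml"}
	rules := []Rule{{"gotest.tools/v3/assert", ""}, {"github.com/gin-gonic/gin", "== 1.9.16"}, {"sigs.k8s.io/yaml", "!= 1.3.0"}}
	fmt.Println(strings.Join(Audit(rules, mods), "\n"))
}
```

In practice the module list would come from `go list -m all` in the repository being linted, and any non-empty result should fail the CI job.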