From 667f6be716504a53ccc2824daae08af085566546 Mon Sep 17 00:00:00 2001
From: Mark Severson
Date: Thu, 2 Jul 2020 14:49:22 -0600
Subject: [PATCH] Fix Go modules to key off of go.mod

The go.mod file contains all of the dependency information necessary to reproduce a build. There is a misconception that the go.sum file has similar utility to a lock file in other dependency management systems. However, this is incorrect. The go.sum file contributes nothing to dependency resolution. Instead, the go.sum file provides cryptographic hashes to ensure new files downloaded match files downloaded previously. So, while it is useful, it isn't at all necessary for Go modules. To summarize: a Go modules project may or may not have a go.sum file, but will always have a go.mod file.
---
 README.md | 2 +-
 lib/license_finder/package_managers/go_modules.rb | 10 +++++-----
 spec/fixtures/all_pms/{go.sum => go.mod} | 0
 spec/fixtures/config/go.mod | 6 ++++++
 spec/fixtures/config/go.sum | 4 ----
 .../license_finder/package_managers/go_modules_spec.rb | 10 +++++-----
 6 files changed, 17 insertions(+), 15 deletions(-)
 rename spec/fixtures/all_pms/{go.sum => go.mod} (100%)
 create mode 100644 spec/fixtures/config/go.mod
 delete mode 100644 spec/fixtures/config/go.sum
diff --git a/README.md b/README.md
index d06e7201c..8209bad6c 100644
--- a/README.md
+++ b/README.md
@@ -183,7 +183,7 @@ languages, as long as that language has a package definition in the project dire
 * `glide.lock` file (for `glide`)
 * `vendor/vendor.json` file (for `govendor`)
 * `Gopkg.lock` file (for `dep`)
-* `go.sum` file (for `go mod`)
+* `go.mod` file (for `go mod`)
 * `vendor.conf` file (for `trash`)
 * `yarn.lock` file (for `yarn`)
 * `conanfile.txt` file (for `conan`)
diff --git a/lib/license_finder/package_managers/go_modules.rb b/lib/license_finder/package_managers/go_modules.rb
index 5cbdf5189..4798911d3 100644
--- a/lib/license_finder/package_managers/go_modules.rb
+++ b/lib/license_finder/package_managers/go_modules.rb
@@ -4,7 +4,7 @@ module LicenseFinder
 class GoModules < PackageManager
- PACKAGES_FILE = 'go.sum'
+ PACKAGES_FILE = 'go.mod'
 class << self
 def takes_priority_over
@@ -17,7 +17,7 @@ def prepare_command
 end
 def active?
- sum_files?
+ mod_files?
 end
 def current_packages
@@ -41,11 +41,11 @@ def packages_info
 info_output.split("\n")
 end
- def sum_files?
- sum_file_paths.any?
+ def mod_files?
+ mod_file_paths.any?
 end
- def sum_file_paths
+ def mod_file_paths
 Dir[project_path.join(PACKAGES_FILE)]
 end
diff --git a/spec/fixtures/all_pms/go.sum b/spec/fixtures/all_pms/go.mod
similarity index 100%
rename from spec/fixtures/all_pms/go.sum
rename to spec/fixtures/all_pms/go.mod
diff --git a/spec/fixtures/config/go.mod b/spec/fixtures/config/go.mod
new file mode 100644
index 000000000..fd88a8373
--- /dev/null
+++ b/spec/fixtures/config/go.mod
@@ -0,0 +1,6 @@
+module foo
+
+require (
+ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
+ gopkg.in/yaml.v2 v2.2.1
+)
diff --git a/spec/fixtures/config/go.sum b/spec/fixtures/config/go.sum
deleted file mode 100644
index 774a9a13b..000000000
--- a/spec/fixtures/config/go.sum
+++ /dev/null
@@ -1,4 +0,0 @@
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/spec/lib/license_finder/package_managers/go_modules_spec.rb b/spec/lib/license_finder/package_managers/go_modules_spec.rb
index 6a564542e..0885a8184 100644
--- a/spec/lib/license_finder/package_managers/go_modules_spec.rb
+++ b/spec/lib/license_finder/package_managers/go_modules_spec.rb
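Review bot: Switching `PACKAGES_FILE` to 'go.mod' means `active?` (second hunk) now accepts projects that have no go.sum, and nothing in the visible lines records what that implies for integrity. The spec stubs a `go list -m ... all` call, so the scanner presumably shells out to the go tool; without a go.sum there are no previously recorded hashes to compare fetched modules against, and depending on the Go version and the GOSUMDB/GOFLAGS settings the command will either fail on the missing entries or fetch and verify against the checksum database only. I would document that on the constant, e.g. `# go.mod marks a module project; go.sum may be absent, so module content is not checked against recorded hashes`, and consider logging when go.sum is missing. The class body continues outside these hunks.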
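Review bot: `mod_file_paths` (third hunk) still hands the joined path to `Dir[]`, which interprets it as a glob pattern, so a project directory whose name contains `[`, `{`, `*` or `?` can make `mod_files?` return false although go.mod exists. Only existence is tested in the lines visible here, so `project_path.join(PACKAGES_FILE).exist?` in `mod_files?` would avoid the pattern matching, assuming `project_path` is a Pathname as the `.join` call suggests. This predates the commit (the removed `sum_file_paths` did the same), and `mod_file_paths` may have callers outside the hunk.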
@@ -8,7 +8,7 @@ module LicenseFinder
 it_behaves_like 'a PackageManager'
 let(:src_path) { '/workspace/code' }
- let(:sum_path) { "#{src_path}/go.sum" }
+ let(:mod_path) { "#{src_path}/go.mod" }
 let(:vendor_path) { "#{src_path}/vendor" }
 let(:go_list_string) do
 "foo,,/workspace/code/\ngopkg.in/check.v1,v0.0.0-20161208181325-20d25e280405,"\
@@ -22,7 +22,7 @@ module LicenseFinder
 FakeFS.activate!
 FileUtils.mkdir_p(vendor_path)
- File.write(sum_path, content)
+ File.write(mod_path, content)
 allow(SharedHelpers::Cmd).to receive(:run).with("GO111MODULE=on go list -m -f '{{.Path}},{{.Version}},{{.Dir}}' all").and_return(go_list_string)
 end
@@ -33,11 +33,11 @@ module LicenseFinder
 let(:content) do
 FakeFS.without do
- fixture_from('go.sum')
+ fixture_from('go.mod')
 end
 end
- it 'finds all the packages all go.sum files' do
+ it 'finds all the packages all go.mod files' do
 packages = subject.current_packages
 expect(packages.length).to eq 2
@@ -65,7 +65,7 @@ module LicenseFinder
 .and_return(go_list_string)
 end
- it 'finds all the packages all go.sum files' do
+ it 'finds all the packages all go.mod files' do
 packages = subject.current_packages
 expect(packages.length).to eq 2
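Review bot: Neither example touched here asserts the behaviour the commit changes: as far as the hunks show, both check `current_packages` against the stubbed `go list` output, so they appear to pass regardless of which file the fixture content is written to. An explicit detection example would pin it, for instance `it 'is active with only a go.mod' do`, `expect(subject.active?).to be true`, `end`, plus the inverse for a directory holding only go.sum. The two `it` blocks (hunks at -33 and -65) also share the description 'finds all the packages all go.mod files', which is missing a word and does not describe what is asserted; something like `'returns the packages reported by go list'` reads better. The enclosing `describe`/`context` blocks start outside the hunks.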