internal/worker: run "go mod download" even in insecure mode

In sandbox mode, we ran "go mod download" on a downloaded module
before starting the sandbox, since the sandbox cannot use the network.
This CL does it in insecure mode too, to make the two paths more similar.
Although it isn't necessary, it can't hurt.

Change-Id: I8d513bcd0925af4d3d8d70dee9fe4762d052c48f
Reviewed-on: https://go-review.googlesource.com/c/pkgsite-metrics/+/476201
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/internal/worker/govulncheck_scan.go b/internal/worker/govulncheck_scan.go
index 027606a..b9b00d8 100644
--- a/internal/worker/govulncheck_scan.go
+++ b/internal/worker/govulncheck_scan.go
@@ -287,8 +287,6 @@
 
 // Inside the sandbox, the user is root and their $HOME directory is /root.
 const (
-	// The Go module cache resides in its default location, $HOME/go/pkg/mod.
-	sandboxGoModCache = "root/go/pkg/mod"
 	// The Go cache resides in its default location, $HOME/.cache/go-build.
 	sandboxGoCache = "root/.cache/go-build"
 	// Where the govulncheck binary lives.
diff --git a/internal/worker/scan.go b/internal/worker/scan.go
index e7ae2fe..d8087f0 100644
--- a/internal/worker/scan.go
+++ b/internal/worker/scan.go
@@ -31,6 +31,8 @@
 const (
 	// The root of the sandbox, relative to the docker container.
 	sandboxRoot = "/bundle/rootfs"
+	// The Go module cache resides in its default location, $HOME/go/pkg/mod.
+	sandboxGoModCache = "root/go/pkg/mod"
 
 	// The directories where binaries and modules live.
 	// The sandbox mounts this directory to the same path internally, so this
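Review bot: The comment moved with `sandboxGoModCache` refers to `$HOME`, but the sentence that explained it ("Inside the sandbox, the user is root and their $HOME directory is /root") stayed behind in govulncheck_scan.go. In this const block the reader cannot tell that the value is a path relative to `sandboxRoot` rather than the worker's own home directory. A comment such as `// The sandbox's Go module cache, relative to sandboxRoot: the default location for the sandbox user (root, $HOME=/root).` would keep that explicit.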
@@ -218,27 +220,27 @@
 // takes other actions that increase the chance that
 // packages.Load will succeed.
 func prepareModule(ctx context.Context, modulePath, version, dir string, proxyClient *proxy.Client, insecure bool) error {
-	log.Debugf(ctx, "%s@%s: downloading to %s", modulePath, version, dir)
+	log.Debugf(ctx, "downloading %s@%s to %s", modulePath, version, dir)
 	if err := modules.Download(ctx, modulePath, version, dir, proxyClient, true); err != nil {
 		log.Debugf(ctx, "download error: %v (%[1]T)", err)
 		return err
 	}
+
+	// Download all dependencies, using the given directory for the Go module cache
+	// if it is non-empty.
+	log.Debugf(ctx, "running go mod download on %s@%s", modulePath, version)
+	cmd := exec.Command("go", "mod", "download")
+	cmd.Dir = dir
+	cmd.Env = append(cmd.Environ(), "GOPROXY=https://proxy.golang.org")
 	if !insecure {
-		// Download all dependencies outside of the sandbox, but use the Go build
-		// cache ("/bundle/rootfs/" + sandboxGoCache) inside the bundle.
-		log.Debugf(ctx, "%s@%s: running go mod download", modulePath, version)
-		cmd := exec.Command("go", "mod", "download")
-		cmd.Dir = dir
-		cmd.Env = append(cmd.Environ(),
-			"GOPROXY=https://proxy.golang.org",
-			"GOMODCACHE=/bundle/rootfs/"+sandboxGoModCache)
-		_, err := cmd.Output()
-		if err != nil {
-			return fmt.Errorf("%w: 'go mod download' for %s@%s returned %s",
-				derrors.BadModule, modulePath, version, derrors.IncludeStderr(err))
-		}
-		log.Debugf(ctx, "go mod download succeeded")
+		// Use sandbox mod cache.
+		cmd.Env = append(cmd.Env, "GOMODCACHE="+filepath.Join(sandboxRoot, sandboxGoModCache))
 	}
+	if _, err := cmd.Output(); err != nil {
+		return fmt.Errorf("%w: 'go mod download' for %s@%s returned %s",
+			derrors.BadModule, modulePath, version, derrors.IncludeStderr(err))
+	}
+	log.Debugf(ctx, "go mod download succeeded")
 	return nil
 }
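Review bot: The `go mod download` subprocess is still created with `exec.Command`, so it is not bound to the `ctx` that prepareModule already receives. After this change it runs in both modes, and a stalled download would outlive the request's cancellation or deadline; `cmd := exec.CommandContext(ctx, "go", "mod", "download")` ties it to the caller. Separately, the new comment says the module cache uses "the given directory ... if it is non-empty", but no such parameter appears in the signature: the code sets `GOMODCACHE` to the sandbox cache only when `!insecure`. In insecure mode the dependencies of the scanned module therefore land in whatever module cache the worker process inherits or defaults to, and the comment should say so, e.g. `// Download all dependencies. In sandbox mode, populate the module cache under sandboxRoot; otherwise the worker's own GOMODCACHE is used.` The function's doc comment begins outside the hunk.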