User/aamaini/2281511 #1409

Merged
merged 5 commits into from
May 21, 2025

AMaini503
Contributor

Existing implementation of Go117 detector parses go.sum when go version in go.mod < 1.17. This leads to overreporting.

  • The change wires the detector to use go cli's go list command if available/enabled
  • If go list fails, detector falls back to parsing go.sum file.
  • Add UTs to test that the detector doesn't parse go.sum if cli scan succeeded.

This will reduce the divergence between reports from Go117 and Go detector since Go detector used Go CLI if available.

Tests:

  • All unit tests pass
  • Comparison of detectors on a couple test repos with over-reporting shows that the new behavior doesn't over-report:

| Repo (Found from Go117 experiment) | Go | Go117 (at main) | Go117 (at feature) |
|---|---|---|---|
| Repo-1 | 280 components | 863 components | 280 components |
| Repo-2 | 49 components | 60 components | 49 components |
| Repo-3 | 21 components | 47 components | 21 components |

So, Go, Go117 (in feature) branch are in parity w.r.t #components reported.

@AMaini503 AMaini503 requested a review from a team as a code owner May 21, 2025 21:44
@AMaini503 AMaini503 requested a review from FernandoRojo May 21, 2025 21:44
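
The fallback order from the PR description above, as an added Go example (not the project's C# detector code). The sample go.sum and the `go list -m -json all`-shaped output are constructed, and `detect`, `fromGoSum`, `fromGoList` and `runGoList` are hypothetical names; it shows go.sum naming stale and go.mod-only module versions that never reach the build list, which is where the over-reporting comes from.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed samples: a go.sum, and output shaped like `go list -m -json all`.
const sampleGoSum = "example.com/a v1.0.0/go.mod h1:AAAA=\nexample.com/a v1.2.0 h1:BBBB=\nexample.com/b v0.3.0/go.mod h1:CCCC=\n"
const sampleGoList = `{"Path":"example.com/app","Main":true} {"Path":"example.com/a","Version":"v1.2.0"}`

// fromGoSum returns every module@version that go.sum names (the fallback path).
func fromGoSum(sum string) map[string]bool {
	out := map[string]bool{}
	for _, line := range strings.Split(sum, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			out[f[0]+"@"+strings.TrimSuffix(f[1], "/go.mod")] = true
		}
	}
	return out
}

// fromGoList returns only the build list; the main module carries no version.
func fromGoList(js string) (map[string]bool, error) {
	out := map[string]bool{}
	for dec := json.NewDecoder(strings.NewReader(js)); dec.More(); {
		var m struct{ Path, Version string }
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Version != "" {
			out[m.Path+"@"+m.Version] = true
		}
	}
	return out, nil
}

// detect prefers the CLI result and parses go.sum only when the CLI step fails.
func detect(runGoList func() (string, error), sum string) (map[string]bool, string) {
	js, err := runGoList()
	if mods, perr := fromGoList(js); err == nil && perr == nil {
		return mods, "go list"
	}
	return fromGoSum(sum), "go.sum"
}

func main() {
	fmt.Println(detect(func() (string, error) { return sampleGoList, nil }, sampleGoSum))
}
```
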

codecov bot commented May 21, 2025

Codecov Report

Attention: Patch coverage is 92.30769% with 3 lines in your changes missing coverage. Please review.

Project coverage is 89.7%. Comparing base (f7af5db) to head (4690c4f).
Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...ion.Detectors.Tests/Go117ComponentDetectorTests.cs | 88.2% | 0 Missing and 2 partials ⚠️ |
| ...ntDetection.Detectors/go/Go117ComponentDetector.cs | 95.2% | 1 Missing ⚠️ |

Additional details and impacted files
@@          Coverage Diff          @@
##            main   #1409   +/-   ##
=====================================
  Coverage   89.7%   89.7%           
=====================================
  Files        407     407           
  Lines      32269   32294   +25     
  Branches    1986    1990    +4     
=====================================
+ Hits       28966   28990   +24     
  Misses      2879    2879           
- Partials     424     425    +1     

@AMaini503
Contributor Author

@AMaini503 please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Microsoft"


github-actions bot commented May 21, 2025

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

@AMaini503
Contributor Author

> You may need to bump the detector versions if any of the following scenarios apply:

Bumped to 2.

@AMaini503 AMaini503 closed this May 21, 2025
@AMaini503 AMaini503 reopened this May 21, 2025
@AMaini503 AMaini503 merged commit a1025df into main May 21, 2025
46 of 48 checks passed
@AMaini503 AMaini503 deleted the user/aamaini/2281511 branch May 21, 2025 23:10