Merge pull request #12837 from dependabot/phillmv/attach-dependencies-to-dep-file-in-go

brrygrdn · web-flow · commit 5fc328eca9ca · 2025-08-15T12:04:27.000+01:00
Attach `dependencies` to the `DependencyFile` in `go_modules`'s `FileParser`
diff --git a/go_modules/lib/dependabot/go_modules/file_parser.rb b/go_modules/lib/dependabot/go_modules/file_parser.rb
@@ -24,8 +24,14 @@ class FileParser < Dependabot::FileParsers::Base
       def parse
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-        required_packages.each do |dep|
-          dependency_set << dependency_from_details(dep) unless skip_dependency?(dep)
+        required_packages.each do |hsh|
+          unless skip_dependency?(hsh) # rubocop:disable Style/Next
+
+            dep = dependency_from_details(hsh)
+
+            T.must(go_mod).dependencies << dep
+            dependency_set << dep
+          end
         end
 
         dependency_set.dependencies
@@ -96,11 +102,14 @@ def dependency_from_details(details)
           groups: []
         }]
 
+        is_indirect = details["Indirect"]
+
         Dependency.new(
           name: details["Path"],
           version: version,
-          requirements: details["Indirect"] ? [] : reqs,
-          package_manager: "go_modules"
+          requirements: is_indirect ? [] : reqs,
+          package_manager: "go_modules",
+          direct_relationship: !is_indirect
         )
       end
 
diff --git a/go_modules/spec/dependabot/go_modules/file_parser_spec.rb b/go_modules/spec/dependabot/go_modules/file_parser_spec.rb
@@ -305,6 +305,31 @@
       its(:length) { is_expected.to eq(0) }
     end
 
+    context "with features needed to support DependencySubmission" do
+      it "attaches the list of dependencies to the go_mod DependencyFile" do
+        expect(parser.dependency_files.count).to eq(1)
+        dep_file = parser.dependency_files.first
+        expect(dep_file).to equal(go_mod)
+
+        # assert that the dependencies got correctly attached to the dep file
+        dep_set = dependencies.to_set
+        expect(dep_file.dependencies).to eq(dep_set)
+      end
+
+      it "marks indirect dependencies accordingly" do
+        # there are only 2 top-level dependencies
+        expect(dependencies.count(&:direct?)).to eq(2)
+
+        # and 2 indirect dependencies
+        indirect_deps = dependencies.reject(&:direct?)
+        expect(indirect_deps.count).to eq(2)
+
+        indirect_deps_names = indirect_deps.map(&:name)
+        expect(indirect_deps_names).to include("github.com/mattn/go-isatty")
+        expect(indirect_deps_names).to include("github.com/mattn/go-colorable")
+      end
+    end
+
     context "when using a monorepo" do
       let(:project_name) { "monorepo" }
       let(:repo_contents_path) { build_tmp_repo(project_name) }
