Display errors from go command

[victorc-cylus]

First of all, thank you for this amazing project

Consider the following command:
cyclonedx-gomod mod -verbose=true -json=true -assert-licenses -licenses=true -output "/tmp/sbom/core.json" core

You can see thanks to -verbose=true the go commands that cyclonedx-gomod runs behind the scenes:

5:30PM DBG executing command cmd="/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go" dir=core
5:30PM DBG loading vendored modules includeTest=false moduleDir=core
5:30PM DBG executing command cmd="/usr/local/go/bin/go mod vendor -v -e" dir=core
5:30PM DBG filtering modules includeTest=false moduleCount=207 moduleDir=core
...

I have a process that runs non-interactively to produce the SBOMs. When it failed, I accessed the machine it ran on, but the same behavior could not be reproduced. This is because when the shell is running interactively, it changes its behavior in several ways: https://www.gnu.org/software/bash/manual/html_node/Interactive-Shell-Behavior.html

My method to troubleshoot this issue was to run the cyclonedx-gomod command in the interactive session (which succeeds) with the -verbose option, to see which go commands it is running, and to add these go commands to my non-interactive workflow. By running go without cyclonedx, I could see the actual error I ran into, which was very simple and caused by the difference in environment variables present in the interactive vs. non-interactive session: go: github.com/google/[email protected]: neither GOPATH nor GOMODCACHE are set

Currently cyclonedx-gomod doesn't show the errors from the go commands it runs:

ERR error="failed to download modules: command `/usr/local/go/bin/go mod why -m -vendor github.com/CycloneDX/cyclonedx-go` failed: exit status 1"

I think it would be a great help to people who use this project if they could see what went wrong behind the scenes rather than just seeing "go exited with error code 1".

I looked at the -help files for cyclonedx and I didn't find anything like this, let me know if I missed it, and if it doesn't yet exist please consider adding it. Thanks

[mcombuechen]

hey @victorc-cylus did you mean to open this issue in https://github.com/CycloneDX/cyclonedx-gomod ?

[nscuro]

Not sure what could be missing here. We already forward stderr output to our logger for go mod why invocations:

cyclonedx-gomod/internal/gocmd/gocmd.go

Lines 118 to 127 in 5e81aff

	// ModWhy executes `go mod why -m -vendor` and writes the output to a given writer.
	// See https://golang.org/ref/mod#go-mod-why.
	func ModWhy(logger zerolog.Logger, moduleDir string, modules []string, writer io.Writer) error {
	return executeGoCommand(logger,
	append([]string{"mod", "why", "-m", "-vendor"}, modules...),
	withDir(moduleDir),
	withStdout(writer),
	withStderr(newLoggerWriter(logger)), // reports download status
	)
	}

Go should not be writing errors to stdout - if it does it is inconsistent with how it behaves in other commands.