Suppose Snyk reports a vulnerability in github.com/hashicorp/golang-lru/v2, but none of your modules import it. One likely reason is that an external module you import depends on it. To find out which one, display the module graph.

package main

import (
	"database/sql"

	// Blank import: registers the "sqlite" driver with database/sql.
	_ "modernc.org/sqlite"
)

func main() {
	db, err := sql.Open("sqlite", "::")
	if err != nil {
		panic(err)
	}
	_ = db.Close()
}

The output below shows that modernc.org/libc depends on the vulnerable package.
go mod graph | rg golang-lru
modernc.org/libc@v1.67.6 github.com/hashicorp/golang-lru/v2@v2.0.7