fix: block indirect dependencies when directly imported

Previously, gomodguard would not block indirect dependencies if they were directly imported in the code without running `go mod tidy`. This fix ensures that all imports, including indirect dependencies, are checked against the allow and block lists.

Fixes: GH-59

Author: ryancurrah

_example/allOptions/blocked_example.go

@@ -1,4 +1,4 @@
-package gomodguard
+package example
 
 import (
 	"os"

_example/emptyAllowList/blocked_example_test.go

@@ -1,4 +1,4 @@
-package example2
+package example
 
 import (
 	"testing"

_example/emptyAllowList/go.mod

@@ -1,4 +1,4 @@
-module github.com/ryancurrah/example/example2
+module github.com/ryancurrah/example
 
 go 1.21
 

_example/indirectDep/.gomodguard.yaml

@@ -0,0 +1,22 @@
+allowed:
+  modules:                                                      # List of allowed modules
+    - gopkg.in/yaml.v3
+    - github.com/go-xmlfmt/xmlfmt
+    - github.com/Masterminds/semver
+    - github.com/ryancurrah/gomodguard
+  domains:                                                      # List of allowed module domains
+    - golang.org
+
+blocked:
+  modules:                                                      # List of blocked modules
+    - github.com/gofrs/uuid:
+        recommendations:
+          - github.com/ryancurrah/gomodguard
+        reason: "testing module is blocked when it is an indirect dependency."
+
+  versions:
+    - github.com/mitchellh/go-homedir:
+        version: "<= 1.1.0"
+        reason: "testing if blocked version constraint works."
+
+  local_replace_directives: true

_example/indirectDep/go.mod

@@ -0,0 +1,15 @@
+module github.com/ryancurrah/example
+
+go 1.15
+
+require (
+	github.com/mitchellh/go-homedir v1.1.0
+	github.com/ryancurrah/gomodguard v1.1.0
+)
+
+require (
+	github.com/gofrs/uuid v3.3.0+incompatible // indirect
+	github.com/uudashr/go-module v0.0.0-20200529023307-c90a4239ad70 // indirect
+)
+
+replace github.com/ryancurrah/gomodguard => ../

_example/indirectDep/go.sum

@@ -0,0 +1,30 @@
+github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
+github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4/FHQWkvVRmgijNXRfzkIDHh23ggEo=
+github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
+github.com/gofrs/uuid v3.3.0+incompatible h1:8K4tyRfvU1CYPgJsveYFQMhpFd/wXNM7iK6rR7UHz84=
+github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d h1:CdDQnGF8Nq9ocOS/xlSptM1N3BbrA6/kmaep5ggwaIA=
+github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw=
+github.com/uudashr/go-module v0.0.0-20200529023307-c90a4239ad70 h1:t/4GlAfaNAVbh8GqZmHl96pFwlaw7+DAwp2OjUMOxgw=
+github.com/uudashr/go-module v0.0.0-20200529023307-c90a4239ad70/go.mod h1:P6Nk1sQWL6jcdBIxnLVlqCsOl0arao7gg7sPoM6gx4A=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/mod v0.4.0 h1:8pl+sMODzuvGJkmj2W4kZihvVb5mKm8pB/X44PIQHv8=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

_example/indirectDep/indirect_example.go

@@ -0,0 +1,31 @@
+package gomodguard
+
+import (
+	"os"
+
+	"github.com/gofrs/uuid"
+	"github.com/mitchellh/go-homedir"
+	"github.com/ryancurrah/gomodguard"
+	module "github.com/uudashr/go-module"
+)
+
+func aBlockedImport() { //nolint: deadcode,unused
+	b, err := os.ReadFile("go.mod")
+	if err != nil {
+		panic(err)
+	}
+
+	mod, err := module.Parse(b)
+	if err != nil {
+		panic(err)
+	}
+
+	_ = mod
+
+	_ = uuid.Must(uuid.NewV4())
+
+	var blockedModule gomodguard.BlockedModule
+	blockedModule.Set("some.com/module/name")
+
+	_, _ = homedir.Expand("~/something")
+}

_example/invalidConstraint/blocked_example_test.go

@@ -1,4 +1,4 @@
-package example2
+package example
 
 import (
 	"errors"

_example/invalidConstraint/go.mod

@@ -1,4 +1,4 @@
-module github.com/ryancurrah/example/example3
+module github.com/ryancurrah/example
 
 go 1.21
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/ryancurrah/gomodguard
 
-go 1.22.0
+go 1.24
 
 require (
 	github.com/Masterminds/semver/v3 v3.3.1

processor.go

@@ -146,10 +146,6 @@ func (p *Processor) SetBlockedModules() { //nolint:funlen
 	replacedModules := p.Modfile.Replace
 
 	for i := range lintedModules {
-		if lintedModules[i].Indirect {
-			continue // Do not lint indirect modules.
-		}
-
 		lintedModuleName := strings.TrimSpace(lintedModules[i].Mod.Path)
 		lintedModuleVersion := strings.TrimSpace(lintedModules[i].Mod.Version)
 

processor_internal_test.go

@@ -385,3 +385,123 @@ func TestProcessorSetBlockedModulesWithInvalidVersionConstraint(t *testing.T) {
 		processor.blockedModulesFromModFile["github.com/gin-gonic/gin"],
 	)
 }
+
+func TestProcessorSetBlockedModulesWithIndirectDependency(t *testing.T) {
+	tests := []struct {
+		name               string
+		config             *Configuration
+		modfile            *modfile.File
+		wantBlockedModules map[string][]string
+	}{
+		{
+			name: "module is specifically blocked",
+			config: &Configuration{
+				Allowed: Allowed{
+					Modules: []string{
+						"gopkg.in/yaml.v3",
+						"github.com/go-xmlfmt/xmlfmt",
+						"github.com/Masterminds/semver/v3",
+						"github.com/ryancurrah/gomodguard",
+					},
+					Domains: []string{
+						"golang.org",
+					},
+				},
+				Blocked: Blocked{
+					Modules: BlockedModules{
+						{
+							"github.com/indirect/dependency": BlockedModule{
+								Recommendations: []string{"github.com/recommended/module"},
+								Reason:          "Indirect dependencies should not be directly imported.",
+							},
+						},
+					},
+				},
+			},
+			modfile: &modfile.File{
+				Module: &modfile.Module{
+					Mod: module.Version{
+						Path:    "github.com/ryancurrah/gomodguard",
+						Version: "v1.0.0",
+					},
+				},
+				Require: []*modfile.Require{
+					{
+						Indirect: true, // Mark this dependency as indirect
+						Mod: module.Version{
+							Path:    "github.com/indirect/dependency",
+							Version: "v1.0.0",
+						},
+					},
+				},
+			},
+			wantBlockedModules: map[string][]string{
+				"github.com/indirect/dependency": {
+					"import of package `%s` is blocked because the module is in the blocked modules list. " +
+						"`github.com/recommended/module` is a recommended module. Indirect dependencies should not be directly imported.",
+				},
+			},
+		},
+		{
+			name: "module is implicitly blocked (not in allowed list)",
+			config: &Configuration{
+				Allowed: Allowed{
+					Modules: []string{
+						"gopkg.in/yaml.v3",
+						"github.com/go-xmlfmt/xmlfmt",
+						"github.com/Masterminds/semver/v3",
+						"github.com/ryancurrah/gomodguard",
+					},
+					Domains: []string{
+						"golang.org",
+					},
+				},
+				Blocked: Blocked{
+					Modules: BlockedModules{},
+				},
+			},
+			modfile: &modfile.File{
+				Module: &modfile.Module{
+					Mod: module.Version{
+						Path:    "github.com/ryancurrah/gomodguard",
+						Version: "v1.0.0",
+					},
+				},
+				Require: []*modfile.Require{
+					{
+						Indirect: true, // Mark this dependency as indirect
+						Mod: module.Version{
+							Path:    "github.com/indirect/dependency",
+							Version: "v1.0.0",
+						},
+					},
+				},
+			},
+			wantBlockedModules: map[string][]string{
+				"github.com/indirect/dependency": {
+					"import of package `%s` is blocked because the module is not in the allowed modules list.",
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			processor := &Processor{
+				Config:  tt.config,
+				Modfile: tt.modfile,
+			}
+
+			processor.SetBlockedModules()
+
+			// Assert number of blocked modules
+			assert.Equal(t, len(tt.wantBlockedModules), len(processor.blockedModulesFromModFile))
+
+			// Assert blocked modules and reasons
+			for blockedModule, wantReasons := range tt.wantBlockedModules {
+				gotReasons := processor.blockedModulesFromModFile[blockedModule]
+				assert.Equal(t, wantReasons, gotReasons)
+			}
+		})
+	}
+}