Convert extracted go module versions to KB compatible versions (#1578)

* use kb compatible versions with go mod file

* Updated docs for go mod file detector

Author: sig-abyreddy

detectable/src/main/java/com/blackduck/integration/detectable/detectables/go/gomodfile/parse/GoModFileParser.java

@@ -7,6 +7,7 @@
 import com.blackduck.integration.detectable.detectables.go.gomodfile.parse.model.GoModFileContent;
 import com.blackduck.integration.detectable.detectables.go.gomodfile.parse.model.GoModuleInfo;
 import com.blackduck.integration.detectable.detectables.go.gomodfile.parse.model.GoReplaceDirective;
+import com.blackduck.integration.detectable.util.KBComponentHelpers;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -28,6 +29,7 @@
  */
 public class GoModFileParser {
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
+    private final KBComponentHelpers kbComponentHelpers = new KBComponentHelpers();
 
     // Regular expressions for parsing different sections
     private static final Pattern MODULE_PATTERN = Pattern.compile("^module\\s+(.+)$");
@@ -252,6 +254,7 @@ private GoModuleInfo parseDependencyLine(String line) {
 
             // Clean up version (remove +incompatible, %2Bincompatible suffixes)
             version = cleanVersion(version);
+            version = kbComponentHelpers.getKbCompatibleVersion(version);
 
             // Check if it's an indirect dependency
             boolean isIndirect = comment != null && comment.contains("indirect");
@@ -264,6 +267,7 @@ private GoModuleInfo parseDependencyLine(String line) {
         if (parts.length >= 1) {
             String moduleName = parts[0];
             String version = parts.length > 1 ? cleanVersion(parts[1]) : "";
+            version = kbComponentHelpers.getKbCompatibleVersion(version);
             boolean isIndirect = line.contains("// indirect");
             return new GoModuleInfo(moduleName, version, isIndirect);
         }

detectable/src/main/java/com/blackduck/integration/detectable/util/KBComponentHelpers.java

@@ -0,0 +1,51 @@
+package com.blackduck.integration.detectable.util;
+
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang3.StringUtils;
+
+public class KBComponentHelpers {
+
+    private static final String INCOMPATIBLE_SUFFIX = "+incompatible";
+    private static final String SHA1_REGEX = "[a-fA-F0-9]{40}";
+    private static final String SHORT_SHA1_REGEX = "[a-fA-F0-9]{12}";
+    private static final String GIT_VERSION_FORMAT = ".*(%s).*";
+    private static final Pattern SHA1_VERSION_PATTERN = Pattern.compile(String.format(GIT_VERSION_FORMAT, SHA1_REGEX));
+    private static final Pattern SHORT_SHA1_VERSION_PATTERN = Pattern.compile(String.format(GIT_VERSION_FORMAT, SHORT_SHA1_REGEX));
+
+    public String getKbCompatibleVersion(String version) {
+        String kbCompatibleVersion;
+        kbCompatibleVersion = handleGitHash(version);
+        kbCompatibleVersion = removeIncompatibleSuffix(kbCompatibleVersion);
+        return kbCompatibleVersion;
+    }
+
+    // When a version contains a commit hash, the KB only accepts the git hash, so we must strip out the rest.
+    private String handleGitHash(String version) {
+        return getVersionFromPattern(version, SHA1_VERSION_PATTERN)
+            .orElseGet(() ->
+                getVersionFromPattern(version, SHORT_SHA1_VERSION_PATTERN)
+                    .orElse(version)
+            );
+    }
+
+    private Optional<String> getVersionFromPattern(String version, Pattern versionPattern) {
+        Matcher matcher = versionPattern.matcher(version);
+        if (matcher.matches()) {
+            return Optional.ofNullable(StringUtils.trim(matcher.group(1)));
+        }
+        return Optional.empty();
+    }
+
+    // https://golang.org/ref/mod#incompatible-versions
+    private String removeIncompatibleSuffix(String version) {
+        if (version.endsWith(INCOMPATIBLE_SUFFIX)) {
+            // Trim incompatible suffix so that KB can match component
+            version = version.substring(0, version.length() - INCOMPATIBLE_SUFFIX.length());
+        }
+        return version;
+    }
+    
+}

documentation/src/main/markdown/currentreleasenotes.md

@@ -29,6 +29,7 @@
 	* Added a new property [detect.go.forge](properties/detectors/go.md#go-forge-url) to customize the Go registry URL used for fetching dependency information. Defaults to `https://proxy.golang.org`.
 	* Added a new property [detect.go.forge.connection.timeout](properties/detectors/go.md#go-forge-connection-timeout) to customize the connection timeout limit while connecting to the Go registry. Defaults to 30 seconds.
 	* Added a new property [detect.go.forge.read.timeout](properties/detectors/go.md#go-forge-read-timeout) to customize the read timeout limit while fetching go.mod file of a dependency from Go registry. Defaults to 60 seconds.
+  * Dependency exclusions (via [detect.go.mod.dependency.types.excluded](properties/detectors/go.md#go-mod-dependency-types-excluded) property) are not supported by this detector.
 
 ### Changed features
 

documentation/src/main/markdown/packagemgrs/golang.md

@@ -44,7 +44,7 @@ the [go mod why documentation](https://go.dev/ref/mod#go-mod-why) for additional
 * Attempts to run on your project if a go.mod file is found in your source directory.
 * Parses go.mod file to gather dependency information.
 * Computes transitive dependency graph by fetching go.mod files of direct dependencies from proxy.golang.org or custom Go proxy supplied via [detect.go.forge](../properties/detectors/go.md#go-forge) property. If the proxy is not reachable, the transitive dependencies are listed as additional components under the root module.
-* Dependency exclusions (unused, vendored) are supported in this detector.
+* Dependency exclusions (via [detect.go.mod.dependency.types.excluded](../properties/detectors/go.md#go-mod-dependency-types-excluded) property) are not supported by this detector.
 
 ## Go Lock (GO_DEP) detector