Indirect dependencies in go.mod are processed when transitory flag is not set

[BartBucknill]

Context: If Go dependencies do not list all of their dependencies in their own go.mod files, these transitive dependencies are included in the top level project go.mod file. They can be identified by the comment // indirect. See go modules reference.

Expected Behaviour: When running vet scan without passing the --transitive flag, I expect to scan only direct dependencies that I have explicitly imported. I should not see any dependencies from my go.mod which are commented with // indirect.

Actual Behaviour: The indirect dependencies are included in the scan.

[abhisek]

Thanks for the clear and concise bug report @BartBucknill Adding to backlog for investigation

[abhisek]

@OmkarPh Can you please do an analysis of this issue and share your findings? Since we use osv-scanner lockfile package for parsing go.mod files, I think we have to explore there if it differentiates between direct and transitive dependencies

[abhisek]

We are adding support for dependency usage analysis for Go. Once #370 is merged, we should have a possible workaround for this issue.