
deps: remove gosnmp via contrib/snmp2cpe submodule isolation #2468

Open
kotakanbe wants to merge 1 commit into master from diet-gosnmp

Conversation

@kotakanbe (Member)

Why (motivation for removing this dependency)

  • gosnmp/gosnmp is an SNMP protocol library used exclusively in contrib/snmp2cpe/ — a standalone CLI tool for converting SNMP device info to CPE format
  • gosnmp is not needed by the main vuls binary at all, but was pulled in because snmp2cpe shared the root go.mod
  • gosnmp generates ~8 Dependabot PRs/year against the main vuls module
  • By isolating snmp2cpe as a separate Go module, gosnmp and its transitive dependencies are completely removed from the main vuls binary's dependency tree

What (replacement details)

  • Created contrib/snmp2cpe/go.mod as a separate Go module (github.com/future-architect/vuls/contrib/snmp2cpe)
  • Replaced config.Version/config.Revision import in version.go with local variables settable via -ldflags at build time (breaks the only import from snmp2cpe into the main module)
  • Root go mod tidy automatically removed gosnmp and its transitive deps

Changed files

| File | Change |
|---|---|
| contrib/snmp2cpe/go.mod | New: separate module declaration with gosnmp, cobra, go-cpe, go-version, pkg/errors deps |
| contrib/snmp2cpe/go.sum | New: checksums for submodule dependencies |
| contrib/snmp2cpe/pkg/cmd/version/version.go | Replaced config.Version/config.Revision import with local ldflags vars |
| go.mod | gosnmp and related transitive deps removed |
| go.sum | Corresponding checksum entries removed |

Safety (why this is safe)

  • Risk level: medium (build system change, no code logic change)
  • The snmp2cpe tool is a standalone CLI that was never imported by any main vuls package
  • All snmp2cpe internal imports already use the full module path (github.com/future-architect/vuls/contrib/snmp2cpe/...), which naturally becomes the new module path
  • The only cross-module import (config.Version/Revision) is replaced with equivalent local variables
  • snmp2cpe's existing test (pkg/cpe/cpe_test.go) passes in the new module

Test plan

  • cd contrib/snmp2cpe && go build ./... — submodule builds
  • cd contrib/snmp2cpe && go test ./... — cpe_test.go passes
  • go build ./cmd/... — root module builds (without gosnmp)
  • go test ./... — root module all tests pass
  • GOEXPERIMENT=jsonv2 golangci-lint run ./... — 0 issues
  • grep gosnmp go.mod — confirms gosnmp is not in root go.mod

Review hint (how to review efficiently)

  1. contrib/snmp2cpe/go.mod — verify the module path and dependencies look correct
  2. contrib/snmp2cpe/pkg/cmd/version/version.go — the only code change: local Version/Revision vars replacing the config import
  3. go.mod diff — confirm gosnmp and related deps are removed
  4. Note: CI currently runs go test ./... from root, which will skip snmp2cpe packages (they're in a separate module). A follow-up CI change may be needed to also test the submodule.

🤖 Generated with Claude Code

Create contrib/snmp2cpe/go.mod as a separate Go module so gosnmp
is no longer a dependency of the main vuls binary.

Replace config.Version/Revision import in version.go with local
ldflags-settable variables to break circular dependency.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
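A check of the kind the test plan's `grep gosnmp go.mod` step performs, as an added example that is not part of this PR or the vuls code base: it parses the require directives of a go.mod (the sample below is constructed, not the real root go.mod) and reports any module from a deny list that is still present, including `// indirect` entries that a casual grep for a direct dependency might overlook.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed sample standing in for the root go.mod after the change (not the real file).
const sampleGoMod = `module github.com/future-architect/vuls
go 1.24
require (
	github.com/spf13/cobra v1.8.0
	github.com/pkg/errors v0.9.1 // indirect deps are still in the build graph
)
require golang.org/x/text v0.14.0
`
// requiredModules collects every module path named by a require directive (single-line or block form).
func requiredModules(gomod string) map[string]bool {
	mods := map[string]bool{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
			continue // blank or comment line
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			mods[strings.Fields(line)[0]] = true // "<path> <version> [// indirect]"
		case strings.HasPrefix(line, "require "):
			mods[strings.Fields(line)[1]] = true // "require <path> <version>"
		}
	}
	return mods
}

// deniedModules returns the banned paths still required; non-empty means the isolation is incomplete.
func deniedModules(gomod string, banned []string) []string {
	have := requiredModules(gomod)
	var hits []string
	for _, b := range banned {
		if have[b] {
			hits = append(hits, b)
		}
	}
	return hits
}
```

go.mod lists only the modules the root module requires directly or has pruned into it, so the stronger confirmation that gosnmp left the binary's graph is `go list -m all` or `go list -deps ./cmd/...` run from the root module.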