Description
Our Black Duck scans for couchbase-fluent-bit are failing, and the reason after considerable investigation appears to be that Google screwed up:
- couchbase-fluent-bit depends on github.com/josephburnett/jd v1.5.1
- Google's proxy.golang.org serves up incorrect code for this module (the source code itself says it's "1.5.0" but it doesn't seem to correspond exactly to any version in Git history)
- Google's sumdb.golang.org serves up the checksum h1:QmLNUewdF2CAezYKe1f/UIP9M5D9GtC+N7/qIyj3Pi8= for that module, which corresponds to the bad source code
- Our Black Duck scan environment uses our internal Go proxy http://goproxy.build.couchbase.com/
- Our proxy downloads unknown modules directly from the source (GitHub in this case), but trusts sumdb.golang.org for the checksums, and for this module they don't match
- Hence, go module operations like "go mod why -m all" will fail for couchbase-fluent-bit if you have GOPROXY=http://goproxy.build.couchbase.com/ (or any proxy other than proxy.golang.org, likely)
- Black Duck scans attempt to run that command, and fail
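To make the failing comparison concrete, here is an added example (not code from the report, from couchbase-fluent-bit, or from the jd project) that reproduces the "h1:" checksum computation the go command applies to a downloaded module zip and checks it against a checksum-database line. It assumes the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash, a constructed checksum-database response containing only the value quoted above, and invented file contents standing in for whatever the internal proxy fetched from GitHub; the mismatch it reports is the same condition that breaks "go mod why -m all" behind a proxy that does not serve Google's copy of the module.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// ModuleFile is one entry of a module zip: its name as stored in the zip
// ("<module>@<version>/<relative path>") and its content.
type ModuleFile struct {
	Name    string
	Content []byte
}

// Hash1 reproduces the "h1:" hash that go.sum and sum.golang.org record for a
// module zip (the Hash1 algorithm of golang.org/x/mod/sumdb/dirhash): one
// summary line "<sha256 hex>  <name>\n" per file in sorted name order, then the
// SHA-256 of all summary lines, base64-encoded and prefixed with "h1:".
func Hash1(files []ModuleFile) string {
	sorted := append([]ModuleFile(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	h := sha256.New()
	for _, f := range sorted {
		fileSum := sha256.Sum256(f.Content)
		fmt.Fprintf(h, "%x  %s\n", fileSum[:], f.Name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// ExpectedSum picks the zip hash for path@version out of checksum-database
// output. sum.golang.org/lookup responses (and go.sum files) carry lines of the
// form "<path> <version> h1:..."; the "<version>/go.mod" line and any record
// number or tree-head lines are skipped because they do not have three fields
// with the requested version.
func ExpectedSum(sumdbOutput, path, version string) (string, bool) {
	for _, line := range strings.Split(sumdbOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 3 && fields[0] == path && fields[1] == version {
			return fields[2], true
		}
	}
	return "", false
}

// CheckAgainstSumdb does what the go command does after downloading a module
// from GOPROXY: hash the zip it received and compare with what the checksum
// database says. It returns the computed hash and whether it matched; false is
// the condition behind the failures described in the report.
func CheckAgainstSumdb(files []ModuleFile, sumdbOutput, path, version string) (string, bool) {
	computed := Hash1(files)
	expected, found := ExpectedSum(sumdbOutput, path, version)
	return computed, found && computed == expected
}

// Constructed sample: the checksum quoted in the report, in the line format
// the checksum database uses. Not a real lookup response.
const sampleSumdb = "github.com/josephburnett/jd v1.5.1 h1:QmLNUewdF2CAezYKe1f/UIP9M5D9GtC+N7/qIyj3Pi8=\n"

// Constructed stand-in for the zip a proxy that pulls straight from GitHub
// would build; the contents are invented, not the real jd v1.5.1 sources.
var sampleFiles = []ModuleFile{
	{Name: "github.com/josephburnett/jd@v1.5.1/go.mod", Content: []byte("module github.com/josephburnett/jd\n")},
	{Name: "github.com/josephburnett/jd@v1.5.1/main.go", Content: []byte("package main\n")},
}

func main() {
	computed, ok := CheckAgainstSumdb(sampleFiles, sampleSumdb, "github.com/josephburnett/jd", "v1.5.1")
	expected, _ := ExpectedSum(sampleSumdb, "github.com/josephburnett/jd", "v1.5.1")
	fmt.Printf("downloaded: %s\nsumdb:      %s\nmatch: %v\n", computed, expected, ok)
}
```

The same comparison against real data is `go mod download -json github.com/josephburnett/jd@v1.5.1` run once with GOPROXY=https://proxy.golang.org and once with the internal proxy, then diffing the `Sum` fields; a difference there isolates the problem to the two proxies serving different zips, independently of Black Duck.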