Add validation for all go.sum files in workspace

Signed-off-by: ejegrova <[email protected]>

cachi2/core/package_managers/gomod.py

@@ -734,7 +734,6 @@ def _resolve_gomod(
     :raises PackageManagerError: if fetching dependencies fails
     """
     _protect_against_symlinks(app_dir)
-    modules_in_go_sum = _parse_go_sum(app_dir)
 
     config = get_config()
 
@@ -813,6 +812,8 @@ def _resolve_gomod(
 
     go_list_modules = go([*go_list, "-m", "-json"], run_params).rstrip()
     module_list = list(load_json_stream(go_list_modules))
+    module_list_paths = [RootedPath(module["Dir"]) for module in module_list]
+    modules_in_go_sum = _parse_go_sum_files(app_dir, module_list_paths)
     raw_main_module = module_list.pop(0)
     main_module_name = raw_main_module["Path"]
 
@@ -873,20 +874,33 @@ def go_list_deps(pattern: Literal["./...", "all"]) -> Iterator[ParsedPackage]:
     return ResolvedGoModule(main_module, all_modules, all_packages, modules_in_go_sum)
 
 
-def _parse_go_sum(module_dir: RootedPath) -> frozenset[ModuleID]:
+def _parse_go_sum_files(
+    app_dir: RootedPath, module_dir_list: list[RootedPath]
+) -> frozenset[ModuleID]:
+
+    go_sum_files_list = [RootedPath(app_dir.root).join_within_root("go.work.sum")]
+    go_sum_files_list.extend(
+        [module_dir.join_within_root("go.sum") for module_dir in module_dir_list]
+    )
+
+    modules: list[ModuleID] = []
+    for go_sum_file in go_sum_files_list:
+        if not go_sum_file.path.exists():
+            continue
+        modules.extend(_parse_go_sum(go_sum_file))
+
+    return frozenset(modules)
+
+
+def _parse_go_sum(go_sum_file: RootedPath) -> list[tuple[str, str]]:
     """Return the set of modules present in the go.sum file in the specified directory.
 
     A module is considered present if the checksum for its .zip file is present. The go.mod file
     checksums are not relevant for our purposes.
     """
-    go_sum = module_dir.join_within_root("go.sum")
-    if not go_sum.path.exists():
-        return frozenset()
-
     modules: list[ModuleID] = []
-
     # https://github.com/golang/go/blob/d5c5808534f0ad97333b1fd5fff81998f44986fe/src/cmd/go/internal/modfetch/fetch.go#L507-L534
-    lines = go_sum.path.read_text().splitlines()
+    lines = go_sum_file.path.read_text().splitlines()
     for i, go_sum_line in enumerate(lines):
         parts = go_sum_line.split()
         if not parts:
@@ -897,7 +911,7 @@ def _parse_go_sum(module_dir: RootedPath) -> frozenset[ModuleID]:
             #   of go.sum for checksum verification
             log.warning(
                 "%s:%d: malformed line, skipping the rest of the file: %r",
-                go_sum.subpath_from_root,
+                go_sum_file.subpath_from_root,
                 i + 1,
                 go_sum_line,
             )
@@ -909,7 +923,7 @@ def _parse_go_sum(module_dir: RootedPath) -> frozenset[ModuleID]:
 
         modules.append((name, version))
 
-    return frozenset(modules)
+    return modules
 
 
 def _deduplicate_resolved_modules(