authormo khan <mo.khan@gmail.com>2020-06-04 08:53:19 +0000
committerCan Eldem <celdem@gitlab.com>2020-06-04 08:53:19 +0000
commitcd9cd852dac41980169f0521eb795e460994367b (patch)
treeb58db2991d16737d4942cad4b63949bc1330ba28 /lib
parenta49e935ee3e2e07d90da7c78b543a5592a3b1a4a (diff)
List all dependencies that appear in go.mod
* Update CHANGELOG and fix typo * Render severity based on exit code * Explicitly specify the default GOPROXY * Default to -mod=readonly and allow override * Do not modify `vendor` directory if it exists. * Skip `go mod tidy` to prevent modifying projects files. * Include dependencies that appear in go.mod but are not present in the vendor directory. * Remove severity from log output * Wipe golang module cache before each spec ```plaintext The -mod build flag provides additional control over updating and use of go.mod. If invoked with -mod=readonly, the go command is disallowed from the implicit automatic updating of go.mod described above. Instead, it fails when any changes to go.mod are needed. This setting is most useful to check that go.mod does not need updates, such as in a continuous integration and testing system. The "go get" command remains permitted to update go.mod even with -mod=readonly, and the "go mod" commands do not take the -mod flag (or any other build flags). If invoked with -mod=vendor, the go command loads packages from the main module's vendor directory instead of downloading modules to and loading packages from the module cache. The go command assumes the vendor directory holds correct copies of dependencies, and it does not compute the set of required module versions from go.mod files. However, the go command does check that vendor/modules.txt (generated by 'go mod vendor') contains metadata consistent with go.mod. If invoked with -mod=mod, the go command loads modules from the module cache even if there is a vendor directory present. If the go command is not invoked with a -mod flag and the vendor directory is present and the "go" version in go.mod is 1.14 or higher, the go command will act as if it were invoked with -mod=vendor. ``` - https://golang.org/cmd/go/#hdr-Maintaining_module_requirements
Diffstat (limited to 'lib')
-rw-r--r--lib/license/finder/ext/go_modules.rb87
-rw-r--r--lib/license/management.rb4
-rw-r--r--lib/license/management/shell.rb12
-rw-r--r--lib/license/management/version.rb2
4 files changed, 80 insertions, 25 deletions
diff --git a/lib/license/finder/ext/go_modules.rb b/lib/license/finder/ext/go_modules.rb
index e2f025f..d22c59c 100644
--- a/lib/license/finder/ext/go_modules.rb
+++ b/lib/license/finder/ext/go_modules.rb
@@ -2,42 +2,91 @@
module LicenseFinder
class GoModules
+ FORMAT = "'{{.Main}},{{.Path}},{{.Version}},{{.Dir}}'"
+ HEADER = [:main_module, :name, :version, :dir].freeze
+
def prepare
- shell.execute([:go, :env])
- shell.execute([:go, :mod, :tidy, '-v', '&&', :go, :mod, :vendor, '-v'])
- end
+ return if vendored?
- def active?
- sum_files.any?
+ shell.execute([:go, :mod, :download, '-json'])
end
def current_packages
- stdout, _stderr, status = shell.execute(go_list_command)
+ modules = vendored? ? parse_go_sum : go_list_all
+ modules.map { |hash| map_from(hash) }.compact
+ end
+
+ private
+
+ def go_list_all
+ env = { 'GOFLAGS' => ENV.fetch('GOFLAGS', '-mod=readonly') }
+ command = [:go, :list, '-m', '-f', FORMAT, :all]
+ stdout, _stderr, status = shell.execute(command, env: env)
return [] unless status.success?
- stdout.each_line.map { |line| map_from(line) }.compact
+ stdout.each_line.map { |line| Hash[HEADER.zip(line.chomp.split(','))] }
end
- private
+ def parse_go_sum
+ go_sum_path
+ .each_line.map { |x| x.split(' ') }
+ .each_with_object({}) do |(name, version), memo|
+ next unless module_path?(name)
- def sum_files
- Pathname.glob(project_path.join('go.sum'))
+ memo["#{name}:#{version}"] = {
+ name: name,
+ version: version.split('/')[0],
+ dir: vendored_path_to(name)
+ }
+ end.values
end
- def go_list_command
- [:go, :list, '-m', '-f', "'{{.Path}},{{.Version}},{{.Dir}}'", :all]
+ def map_from(hash)
+ return if hash[:main_module] == "true"
+
+ Dependency.new(
+ 'Go',
+ hash[:name],
+ hash[:version],
+ install_path: install_dir_for(hash),
+ detection_path: go_sum_path
+ )
end
- def absolute_project_path
- @absolute_project_path ||= Pathname(project_path).cleanpath
+ def go_sum_path
+ @go_sum_path ||= Pathname.glob(project_path.join('go.sum')).find(&:exist?)
end
- def map_from(line)
- name, version, dir = line.chomp.split(',')
- return if dir.nil?
- return if Pathname(dir).cleanpath == absolute_project_path
+ def vendor_path
+ @vendor_path ||= go_sum_path.parent.join('vendor')
+ end
+
+ def vendored?
+ vendor_path.exist? && vendor_path.directory?
+ end
+
+ def vendored_path_to(module_name)
+ vendor_path.join(module_name)
+ end
+
+ def install_dir_for(hash)
+ dir = hash[:dir]
+ pathname = dir && !dir.empty? ? Pathname.new(dir) : vendored_path_to(hash[:name])
+ pathname.exist? ? pathname : nil
+ end
+
+ # https://golang.org/ref/mod#tmp_9
+ def module_path?(module_path)
+ !module_path.start_with?('/') &&
+ !module_path.end_with?('/') &&
+ module_path.split('/').all? { |x| element?(x) }
+ end
- Dependency.new('Go', name, version, install_path: dir, detection_path: sum_files.find(&:exist?))
+ def element?(element)
+ !element.empty? &&
+ !element.start_with?('.') &&
+ !element.end_with?('.') &&
+ element.match?(/\A[A-Za-z0-9+-._~]+\Z/)
end
end
end
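Review bot: In `element?` the character class `[A-Za-z0-9+-._~]` contains `+-.`, which Ruby reads as a range from `+` to `.`, so `,` is accepted along with `-`, and `\Z` also lets a trailing newline through. Since `module_path?` is the only check applied to names read from go.sum before they reach `vendor_path.join(module_name)`, I would make the pattern exact: `element.match?(/\A[A-Za-z0-9+._~-]+\z/)`. In `parse_go_sum`, a blank or one-field line yields a nil `name` or `version`, so `module_path?(name)` or `version.split('/')` would raise NoMethodError; `next unless name && version && module_path?(name)` keeps a malformed go.sum from aborting the scan.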
diff --git a/lib/license/management.rb b/lib/license/management.rb
index 6306faf..3b8cb69 100644
--- a/lib/license/management.rb
+++ b/lib/license/management.rb
@@ -24,8 +24,8 @@ module License
def self.logger
@logger ||= Logger.new(STDOUT, level: ENV.fetch('LOG_LEVEL', Logger::WARN)).tap do |x|
- x.formatter = proc do |severity, _datetime, _progname, message|
- "#{severity} -- : #{message}\n"
+ x.formatter = proc do |_severity, _datetime, _progname, message|
+ "#{message}\n"
end
end
end
diff --git a/lib/license/management/shell.rb b/lib/license/management/shell.rb
index 9ea66ca..9868f1e 100644
--- a/lib/license/management/shell.rb
+++ b/lib/license/management/shell.rb
@@ -18,7 +18,7 @@ module License
stdout, stderr, status = Open3.capture3(env, expanded_command)
- record(stdout, stderr)
+ record(stdout, stderr, status)
[stdout, stderr, status]
end
@@ -76,9 +76,15 @@ module License
!item.nil? && !item.empty?
end
- def record(stdout, stderr)
+ def record(stdout, stderr, status)
logger.debug(stdout) if present?(stdout)
- logger.error(stderr) if present?(stderr)
+ return unless present?(stderr)
+
+ if status.success?
+ logger.debug(stderr)
+ else
+ logger.error(stderr)
+ end
end
end
end
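Review bot: `record` has no comment explaining why stderr is logged at debug level when the command exits 0, and with the WARN default set by the logger in lib/license/management.rb that output is not shown at all unless LOG_LEVEL is lowered. A one-line comment above the `if` would make the rule explicit, e.g. `# stderr from a command that exited 0 is diagnostic output, not a failure`. The enclosing class begins outside this hunk.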
diff --git a/lib/license/management/version.rb b/lib/license/management/version.rb
index e53a751..bf992e9 100644
--- a/lib/license/management/version.rb
+++ b/lib/license/management/version.rb
@@ -2,6 +2,6 @@
module License
module Management
- VERSION = '3.11.0'
+ VERSION = '3.11.1'
end
end