fix(go): merge children on MVS version key collision instead of overwriting (#421)

## Summary

- Fix `HashMap.put()` collision in `getFinalPackagesVersionsForModule()`
that dropped transitive dependencies when multiple parent module
versions remapped to the same MVS-selected version
- Replace `put()` with `merge()` using `LinkedHashSet` to combine
children lists while deduplicating
- Add reproducer test confirming 138 components (matching JS client), up
from 134

Implements [TC-4127](https://redhat.atlassian.net/browse/TC-4127)

## Test plan

- [x] Reproducer test
`Test_Golang_MvS_Enabled_Preserves_All_Transitive_Dependencies` passes
(138 components)
- [x] Existing `Test_Golang_MvS_Logic_Disabled` passes (5 opencensus
versions disabled, 1 enabled)
- [x] All 6 parameterized `test_the_provideStack` +
`test_the_provideComponent` tests pass
- [x] All Go module tests pass (12/12 in surefire)
- [x] Spotless formatting clean

🤖 Generated with [Claude Code](https://claude.com/claude-code)

[TC-4127]:
https://redhat.atlassian.net/browse/TC-4127?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

Author: ruromero

src/main/java/io/github/guacsec/trustifyda/providers/GoModulesProvider.java

@@ -354,7 +354,14 @@ private Map<String, List<String>> getFinalPackagesVersionsForModule(
           }
           List<String> packagesWithFinalVersions =
               getListOfPackagesWithFinalVersions(finalModulesVersions, value);
-          listWithModifiedVersions.put(packageWithSelectedVersion, packagesWithFinalVersions);
+          listWithModifiedVersions.merge(
+              packageWithSelectedVersion,
+              packagesWithFinalVersions,
+              (existing, incoming) -> {
+                var combined = new java.util.LinkedHashSet<>(existing);
+                combined.addAll(incoming);
+                return new ArrayList<>(combined);
+              });
         });
 
     return listWithModifiedVersions;

src/test/java/io/github/guacsec/trustifyda/providers/Golang_Modules_Provider_Test.java

@@ -198,6 +198,37 @@ void Test_Golang_MvS_Logic_Disabled() throws IOException {
             == 1);
   }
 
+  /**
+   * Verifies that MVS-enabled mode preserves all transitive dependencies (TC-3818).
+   *
+   * <p>When MVS is enabled (the default), {@code getFinalPackagesVersionsForModule()} uses {@code
+   * HashMap.put()} which overwrites children when two original parent versions remap to the same
+   * MVS-selected version. This causes the Java client to produce fewer components than the JS
+   * client.
+   */
+  @Test
+  void Test_Golang_MvS_Enabled_Preserves_All_Transitive_Dependencies() throws IOException {
+    // Given the MVS test fixture with MVS enabled (the default — no property override)
+    String goModPath = getFileFromResource("go.mod", "msc/golang/mvs_logic/go.mod");
+    Path manifest = Path.of(goModPath);
+    GoModulesProvider goModulesProvider = new GoModulesProvider(manifest);
+
+    // When generating the SBOM with stack analysis
+    String resultSbom =
+        dropIgnoredKeepFormat(
+            goModulesProvider.getDependenciesSbom(manifest, true).getAsJsonString());
+
+    // Then the SBOM should contain exactly 138 components (matching JS client output)
+    JsonNode sbomTree = JSON_MAPPER.readTree(resultSbom);
+    int componentCount = sbomTree.path("components").size();
+    assertEquals(
+        138,
+        componentCount,
+        "MVS-enabled SBOM should contain 138 components (matching JS client). "
+            + "A lower count indicates the HashMap.put() collision bug in "
+            + "getFinalPackagesVersionsForModule() is losing transitive dependencies.");
+  }
+
   @Test
   void test_isGoToolchainEntry_filters_go_and_toolchain() {
     // go@* entries should be filtered

src/test/resources/tst_manifests/golang/go_mod_light_no_ignore/expected_sbom_stack_analysis.json

@@ -189,6 +189,22 @@
       "version": "v0.0.0-20201021035429-f5854403a974",
       "purl": "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974"
     },
+    {
+      "type": "library",
+      "bom-ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1",
+      "group": "github.com/davecgh",
+      "name": "go-spew",
+      "version": "v1.1.1",
+      "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1"
+    },
+    {
+      "type": "library",
+      "bom-ref": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0",
+      "group": "github.com/pmezard",
+      "name": "go-difflib",
+      "version": "v1.0.0",
+      "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0"
+    },
     {
       "type": "library",
       "bom-ref": "pkg:golang/github.com/spf13/cobra@v0.0.5",
@@ -229,22 +245,6 @@
       "version": "v1.1.0",
       "purl": "pkg:golang/github.com/mitchellh/go-homedir@v1.1.0"
     },
-    {
-      "type": "library",
-      "bom-ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1",
-      "group": "github.com/davecgh",
-      "name": "go-spew",
-      "version": "v1.1.1",
-      "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1"
-    },
-    {
-      "type": "library",
-      "bom-ref": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0",
-      "group": "github.com/pmezard",
-      "name": "go-difflib",
-      "version": "v1.0.0",
-      "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0"
-    },
     {
       "type": "library",
       "bom-ref": "pkg:golang/golang.org/x/tools@v0.0.0-20210112183307-1e6ecd4bf1b0",
@@ -253,14 +253,6 @@
       "version": "v0.0.0-20210112183307-1e6ecd4bf1b0",
       "purl": "pkg:golang/golang.org/x/tools@v0.0.0-20210112183307-1e6ecd4bf1b0"
     },
-    {
-      "type": "library",
-      "bom-ref": "pkg:golang/gopkg.in/yaml.v3@v3.0.1",
-      "group": "gopkg.in",
-      "name": "yaml.v3",
-      "version": "v3.0.1",
-      "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1"
-    },
     {
       "type": "library",
       "bom-ref": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405",
@@ -271,19 +263,11 @@
     },
     {
       "type": "library",
-      "bom-ref": "pkg:golang/github.com/yuin/goldmark@v1.2.1",
-      "group": "github.com/yuin",
-      "name": "goldmark",
-      "version": "v1.2.1",
-      "purl": "pkg:golang/github.com/yuin/goldmark@v1.2.1"
-    },
-    {
-      "type": "library",
-      "bom-ref": "pkg:golang/golang.org/x/mod@v0.3.0",
-      "group": "golang.org/x",
-      "name": "mod",
-      "version": "v0.3.0",
-      "purl": "pkg:golang/golang.org/x/mod@v0.3.0"
+      "bom-ref": "pkg:golang/gopkg.in/yaml.v3@v3.0.1",
+      "group": "gopkg.in",
+      "name": "yaml.v3",
+      "version": "v3.0.1",
+      "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1"
     },
     {
       "type": "library",
@@ -301,6 +285,22 @@
       "version": "v0.0.0-20200804184101-5ec99f83aff1",
       "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1"
     },
+    {
+      "type": "library",
+      "bom-ref": "pkg:golang/github.com/yuin/goldmark@v1.2.1",
+      "group": "github.com/yuin",
+      "name": "goldmark",
+      "version": "v1.2.1",
+      "purl": "pkg:golang/github.com/yuin/goldmark@v1.2.1"
+    },
+    {
+      "type": "library",
+      "bom-ref": "pkg:golang/golang.org/x/mod@v0.3.0",
+      "group": "golang.org/x",
+      "name": "mod",
+      "version": "v0.3.0",
+      "purl": "pkg:golang/golang.org/x/mod@v0.3.0"
+    },
     {
       "type": "library",
       "bom-ref": "pkg:golang/github.com/russross/blackfriday@v1.5.2",
@@ -417,8 +417,8 @@
     {
       "ref": "pkg:golang/golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9",
       "dependsOn": [
-        "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974",
-        "pkg:golang/golang.org/x/sys@v0.0.0-20200930185726-fdedc70b468f"
+        "pkg:golang/golang.org/x/sys@v0.0.0-20200930185726-fdedc70b468f",
+        "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974"
       ]
     },
     {
@@ -441,10 +441,18 @@
       "ref": "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974",
       "dependsOn": [
         "pkg:golang/golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9",
-        "pkg:golang/golang.org/x/sys@v0.0.0-20200930185726-fdedc70b468f",
-        "pkg:golang/golang.org/x/text@v0.3.3"
+        "pkg:golang/golang.org/x/text@v0.3.3",
+        "pkg:golang/golang.org/x/sys@v0.0.0-20200930185726-fdedc70b468f"
       ]
     },
+    {
+      "ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1",
+      "dependsOn": []
+    },
+    {
+      "ref": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0",
+      "dependsOn": []
+    },
     {
       "ref": "pkg:golang/github.com/spf13/cobra@v0.0.5",
       "dependsOn": [
@@ -475,32 +483,32 @@
       "ref": "pkg:golang/github.com/mitchellh/go-homedir@v1.1.0",
       "dependsOn": []
     },
-    {
-      "ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1",
-      "dependsOn": []
-    },
-    {
-      "ref": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0",
-      "dependsOn": []
-    },
     {
       "ref": "pkg:golang/golang.org/x/tools@v0.0.0-20210112183307-1e6ecd4bf1b0",
       "dependsOn": [
-        "pkg:golang/github.com/yuin/goldmark@v1.2.1",
-        "pkg:golang/golang.org/x/mod@v0.3.0",
         "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974",
         "pkg:golang/golang.org/x/sync@v0.0.0-20201020160332-67f06af15bc9",
-        "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1"
+        "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
+        "pkg:golang/github.com/yuin/goldmark@v1.2.1",
+        "pkg:golang/golang.org/x/mod@v0.3.0"
       ]
     },
+    {
+      "ref": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405",
+      "dependsOn": []
+    },
     {
       "ref": "pkg:golang/gopkg.in/yaml.v3@v3.0.1",
       "dependsOn": [
         "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405"
       ]
     },
     {
-      "ref": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405",
+      "ref": "pkg:golang/golang.org/x/sync@v0.0.0-20201020160332-67f06af15bc9",
+      "dependsOn": []
+    },
+    {
+      "ref": "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
       "dependsOn": []
     },
     {
@@ -515,17 +523,9 @@
         "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1"
       ]
     },
-    {
-      "ref": "pkg:golang/golang.org/x/sync@v0.0.0-20201020160332-67f06af15bc9",
-      "dependsOn": []
-    },
-    {
-      "ref": "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1",
-      "dependsOn": []
-    },
     {
       "ref": "pkg:golang/github.com/russross/blackfriday@v1.5.2",
       "dependsOn": []
     }
   ]
-}
+}