go mod verify should consider the vendor directory instead of only the modules cache

[omadawn]

What version of Go are you using (go version)?

$ go version
go version go1.17 darwin/amd64

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/x4e5/Library/Caches/go-build"
GOENV="/Users/x4e5/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/x4e5/go/pkg/mod"
GONOPROXY="gitlab.com/theuberlab/common-go"
GONOSUMDB="gitlab.com/theuberlab/common-go"
GOOS="darwin"
GOPATH="/Users/x4e5/go"
GOPRIVATE="gitlab.com/theuberlab/common-go"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.17/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.17/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/x4e5/go/src/gitlab.nordstrom.com/devx/chef/ramsay-ci-utils/ramrun/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/z3/9z_2ck8j75v140khy_ycq455wd7x89/T/go-build1758182581=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

wrote some go code with third party dependencies.
initialized go module
performed go mod download
hand edited a go file under the vendor directory and added a new function
ran go mod verify

What did you expect to see?

An error that the contents of my dependency didn't match it's hash

What did you see instead?

$ go mod verify
all modules verified

[seankhliao]

Duplicate of #27348

[omadawn]

Ah, missed that one when I searched issues. Apologies for the noise.