Go Application Analysis

Evaluation: Source code and manifest analysis

The Go coordinate-based matching feature scans and evaluates the Go module dependencies referenced in projects that use dep or Go modules. Support includes security, license and identity data for Go modules found on the golang.org public repository.

  • Nancy: a Go-native open-source scanning tool that checks Go projects for vulnerable third-party dependencies. Its features make it suitable for running either in the developer's environment or during a CI build.  Nancy is fully supported by Sonatype.  Review the documentation for details.

Go Modules

Go modules is the dependency management built into Go; the go.mod file declares the modules a project requires. The automatically generated and updated go.sum file can be used for analysis by Lifecycle scanners, but this is not recommended: go.sum records a hash for every module version consulted during resolution, including entries with a /go.mod suffix for modules whose go.mod was read but whose code is never built, so it may list module versions not actually used by the application. If go.sum must be used, run go mod tidy first to remove unused entries before the analysis.

The preferred option is to generate a go.list file with the go list command from the project root and make that file the target of the Lifecycle scan.

go list -m all > go.list

Each line of the output names one module; the first two whitespace-separated fields are the module path and version that are evaluated. Note that the first line is the main module itself and carries no version, and that a module overridden by a replace directive is printed as path version => replacement, so check those lines before relying on the list.

github.com/gohouse/converter v0.0.3
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
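As an added example (not part of this page or of the Lifecycle scanner), the Go program below extracts path/version coordinates from saved go list -m all output. It skips the versionless main-module line and, for a replace directive, takes the module on the right of the =>, because that is the code actually compiled; how the Lifecycle scanner itself treats => lines is not documented here, so that choice is an assumption. A replacement that points at a local directory has no published coordinates, so it is reported rather than silently dropped. The Coordinate type and the sample input are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Coordinate is the (module path, version) pair a scanner matches against.
type Coordinate struct {
	Path    string
	Version string
}

// Constructed sample of `go list -m all` output: the main module (no version),
// the two dependencies shown above, one module replaced by another published
// version, and one module replaced by a local directory.
const sampleGoList = `example.com/app
github.com/gohouse/converter v0.0.3
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
golang.org/x/text v0.3.0 => golang.org/x/text v0.3.7
example.com/internal/lib v0.1.0 => ../lib
`

// ParseGoList returns the coordinates found in go.list-style input plus the
// raw lines that resolve to a local directory replacement, which have no
// published version to match against. The main module line has a single
// field and no "=>", so it is skipped without being reported.
func ParseGoList(r io.Reader) (coords []Coordinate, unresolved []string, err error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		replaced := false
		for i, f := range fields {
			if f == "=>" {
				// keep only the replacement side: that is what gets built
				fields, replaced = fields[i+1:], true
				break
			}
		}
		switch {
		case len(fields) >= 2:
			coords = append(coords, Coordinate{Path: fields[0], Version: fields[1]})
		case replaced:
			// "path version => ../dir": replaced by a directory, not a module version
			unresolved = append(unresolved, sc.Text())
		}
	}
	return coords, unresolved, sc.Err()
}

func main() {
	coords, unresolved, err := ParseGoList(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	for _, c := range coords {
		fmt.Printf("%s %s\n", c.Path, c.Version)
	}
	for _, line := range unresolved {
		fmt.Printf("unresolved (local replacement): %s\n", line)
	}
}
```

Point the program at a real file with go list -m all > go.list and any line it reports as unresolved is code that entered the build from outside the module proxy and needs to be reviewed by hand.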

Gopkg.lock (dep)

The dep dependency manager generates the Gopkg.lock file.  See the documentation for details.

Only [[projects]] stanzas containing both name and version fields are evaluated. A project that dep pinned to a branch has branch and revision fields but no version, so it is not evaluated.

[[projects]]
  digest = "1:a2682518d905d662d984ef9959984ef87cecb777d379bfa9d9fe40e78069b3e4"
  name = "github.com/gohouse/converter"
  revision = "44968752391892e1b0d0b821ee79e9a85fa13049"
  version = "v0.0.3"
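As an added example (not the page's or the scanner's own code), the Go program below applies the rule just stated to a Gopkg.lock: it walks the [[projects]] stanzas, keeps those with both name and version, and lists stanzas that have a name but no version so a branch-pinned dependency does not disappear from the review unnoticed. The input is a constructed excerpt built from the stanza shown above plus a branch-pinned stanza whose digest is a placeholder, and the Coordinate type is introduced for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Coordinate is the (module path, version) pair a scanner matches against.
type Coordinate struct {
	Path    string
	Version string
}

// Constructed Gopkg.lock excerpt: the stanza from the page, a stanza pinned to
// a branch (no version field; the digest is a placeholder, not a real value),
// and the trailing [solve-meta] table dep always writes.
const sampleGopkgLock = `[[projects]]
  digest = "1:a2682518d905d662d984ef9959984ef87cecb777d379bfa9d9fe40e78069b3e4"
  name = "github.com/gohouse/converter"
  revision = "44968752391892e1b0d0b821ee79e9a85fa13049"
  version = "v0.0.3"

[[projects]]
  branch = "master"
  digest = "1:0000000000000000000000000000000000000000000000000000000000000000"
  name = "github.com/asaskevich/govalidator"
  revision = "f9ffefc3facf"

[solve-meta]
  analyzer-name = "dep"
  analyzer-version = 1
`

// ParseGopkgLock keeps a [[projects]] stanza only when it carries both name
// and version. Named stanzas without a version (dep's branch pins) are
// returned separately. Only simple "key = value" lines are read; the
// multi-line packages arrays dep emits carry no "=" and are ignored.
func ParseGopkgLock(r io.Reader) (kept []Coordinate, noVersion []string, err error) {
	var cur map[string]string
	flush := func() {
		if cur == nil {
			return
		}
		name, version := cur["name"], cur["version"]
		switch {
		case name == "":
		case version == "":
			noVersion = append(noVersion, name)
		default:
			kept = append(kept, Coordinate{Path: name, Version: version})
		}
		cur = nil
	}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "[[projects]]":
			flush()
			cur = map[string]string{}
		case strings.HasPrefix(line, "["):
			flush() // any other table, e.g. [solve-meta], ends the stanza
		case cur != nil:
			if k, v, ok := strings.Cut(line, "="); ok {
				cur[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), "\"")
			}
		}
	}
	flush()
	return kept, noVersion, sc.Err()
}

func main() {
	kept, noVersion, err := ParseGopkgLock(strings.NewReader(sampleGopkgLock))
	if err != nil {
		panic(err)
	}
	for _, c := range kept {
		fmt.Printf("evaluated: %s %s\n", c.Path, c.Version)
	}
	for _, name := range noVersion {
		fmt.Printf("not evaluated (no version): %s\n", name)
	}
}
```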

Steps to analyze using the Nexus IQ CLI

Run a scan

Invoke a CLI scan of a directory or subdirectories containing go.sum or go.list files.  Instructions on how to do this can be found here: Nexus IQ CLI.

Example go.sum File

github.com/gohouse/converter v0.0.3 h1:xyM0XyhRQUsf2Y0lEABbOHvLDVjiRkjTxi+dza87M80=
github.com/gohouse/converter v0.0.3/go.mod h1:Yb3eAs+8j4rYcnthK6iK9e/3HDZJ5C2PsYaugkeQR2I=
github.com/gohouse/gorose v1.0.5 h1:Iescp+mt88bkIXqmTF2ixM4nlLjo6D9CXX6hRWCz2lc=
github.com/gohouse/gorose v1.0.5/go.mod h1:eGB2F605oLiIpo14y0o1EvBWXQ6h0hgW3OMhGJtwk8Y=
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
github.com/rs/cors v1.4.0 h1:98SZukVonBOdXatRLa6GSAtp+IeOjY+nmdEZAxImXXc=
github.com/rs/cors v1.4.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin does not evaluate Gopkg.lock, go.sum or go.list files; a custom Scan Target is needed.

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Gopkg.lock'], [scanPattern: '**/go.sum'], [scanPattern: '**/go.list']], iqStage: 'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control which files are examined.  To evaluate Go, add Gopkg.lock, go.sum and go.list to the scan targets as a comma-separated list, e.g.

**/Gopkg.lock,**/go.sum,**/go.list

To find more information on how to configure Bamboo please go to the Nexus IQ for Bamboo.