Go Application Analysis


The Go coordinate based matching feature provides the ability to scan and evaluate Go module dependencies found in the project.

What is supported

Go modules by scanning one of the following files (file name must be preserved):

  • Gopkg.lock: generated and updated automatically by dep. To learn how, please refer to dep documentation.
  • go.sum: generated and updated automatically by Go. To learn how, please refer to the Go language documentation.
  • go.list: generated manually by listing the modules in a project using the command:
go list -m all > go.list

What do we parse from the files?

In Gopkg.lock

Only [[project]] stanzas containing both name and version fields will be evaluated. For example:

  digest = "1:a2682518d905d662d984ef9959984ef87cecb777d379bfa9d9fe40e78069b3e4"
  name = "github.com/gohouse/converter"
  revision = "44968752391892e1b0d0b821ee79e9a85fa13049"
  version = "v0.0.3"

In go.sum and go.list

The first two segments corresponding to name and version of the dependency are evaluated. For example:

github.com/gohouse/converter v0.0.3
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf

The go.sum is not recommended.  The go.list is the preferred way to scan go modules.  If go.sum is to be used, it is recommended to run the go mod tidy command to remove unused dependencies.  

Steps to analyze using the Nexus IQ CLI

Run a scan

Invoke a CLI scan of a directory or subdirectories containing go.sum or go.list files.  Instructions on how to do this can be found here: Nexus IQ CLI.

Example go.sum File

github.com/gohouse/converter v0.0.3 h1:xyM0XyhRQUsf2Y0lEABbOHvLDVjiRkjTxi+dza87M80=
github.com/gohouse/converter v0.0.3/go.mod h1:Yb3eAs+8j4rYcnthK6iK9e/3HDZJ5C2PsYaugkeQR2I=
github.com/gohouse/gorose v1.0.5 h1:Iescp+mt88bkIXqmTF2ixM4nlLjo6D9CXX6hRWCz2lc=
github.com/gohouse/gorose v1.0.5/go.mod h1:eGB2F605oLiIpo14y0o1EvBWXQ6h0hgW3OMhGJtwk8Y=
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
github.com/rs/cors v1.4.0 h1:98SZukVonBOdXatRLa6GSAtp+IeOjY+nmdEZAxImXXc=
github.com/rs/cors v1.4.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=

Output from Nexus IQ CLI

Nexus Lifecycle Dashboard Results

Report results

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the Gopkg.lock, go.sum, and go.list files.  A custom Scan Target is needed.

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Gopkg.lock'], [scanPattern: '**/go.sum'], [scanPattern: '**/go.list']], iqStage: 'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control what files are examined.  To evaluate Go, add Gopkg.lock, go.sum, and go.list to the scan targets via a comma-separated list e.g.


To find more information on how to configure Bamboo please go to the Nexus IQ for Bamboo.