Go Application Analysis
The Go coordinate based matching feature provides the ability to scan and evaluate Go module dependencies found in the project.
What is supported
Go modules by scanning one of the following files (file name must be preserved):
- Gopkg.lock: generated and updated automatically by dep. To learn how, please refer to dep documentation.
- go.sum: generated and updated automatically by Go. To learn how, please refer to the Go language documentation.
- go.list: generated manually by listing the modules in a project using the command:
go list -m all > go.list
What do we parse from the files?
Only [[project]] stanzas containing both name and version fields will be evaluated. For example:
In go.sum and go.list
The first two segments corresponding to name and version of the dependency are evaluated. For example:
The go.sum is not recommended. The go.list is the preferred way to scan go modules. If go.sum is to be used, it is recommended to run the go mod tidy command to remove unused dependencies.
Steps to analyze using the Nexus IQ CLI
Run a scan
Invoke a CLI scan of a directory or subdirectories containing go.sum or go.list files. Instructions on how to do this can be found here: Nexus IQ CLI.
Example go.sum File
Output from Nexus IQ CLI
Nexus Lifecycle Dashboard Results
Steps to analyze using the Jenkins plugin
By default, the Jenkins plugin will not evaluate the Gopkg.lock, go.sum, and go.list files. A custom Scan Target is needed.
nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Gopkg.lock'], [scanPattern: '**/go.sum'], [scanPattern: '**/go.list']], iqStage: 'build'
To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.
Steps to analyze using the Bamboo plugin
Bamboo Scan Targets control what files are examined. To evaluate Go, add Gopkg.lock, go.sum, and go.list to the scan targets via a comma-separated list e.g.
To find more information on how to configure Bamboo please go to the Nexus IQ for Bamboo.