Go Application Analysis
The Go coordinate-based matching feature scans and evaluates the Go module dependencies found in a project.
What is supported
Go modules are supported by scanning one of the following files (the file name must be preserved):
- Gopkg.lock: generated and updated automatically by dep. To learn how, refer to the dep documentation.
- go.sum: generated and updated automatically by Go. To learn how, refer to the Go language documentation.
- go.list: generated manually by listing the modules in a project with the command:
go list -m all > go.list
What do we parse from the files?
In Gopkg.lock
Only [[projects]] stanzas containing both the name and version fields are evaluated. For example:
[[projects]]
  digest = "1:a2682518d905d662d984ef9959984ef87cecb777d379bfa9d9fe40e78069b3e4"
  name = "github.com/gohouse/converter"
  revision = "44968752391892e1b0d0b821ee79e9a85fa13049"
  version = "v0.0.3"
In go.sum and go.list
The first two segments of each line, corresponding to the name and version of the dependency, are evaluated. For example:
github.com/gohouse/converter v0.0.3
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
Scanning go.sum is not recommended; go.list is the preferred way to scan Go modules. If go.sum must be used, run the go mod tidy command first so that unused dependencies are removed from it.
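As an added illustration of the parsing rules above (example code, not part of this page and not Nexus IQ's own implementation), the following Go program extracts (name, version) coordinates from each of the three file types by exactly those rules: the first two fields of a go.list or go.sum line, with go.sum's "/go.mod" entries folded into the plain module entry, and only the [[projects]] stanzas of Gopkg.lock that carry both name and version. The function names, the github.com/example/... module paths and the all-zero revision are assumptions constructed for the example; the other entries are taken from this page. Running it over the go.sum sample also shows why go.sum is the noisier input: github.com/lib/pq appears only as a /go.mod line, meaning its go.mod was consulted during version resolution although its source was not necessarily needed to build the project, yet it still becomes a coordinate.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Coordinate is the (module name, version) pair that coordinate-based matching evaluates.
type Coordinate struct {
	Name    string
	Version string
}

// ParseModuleLines implements the rule shared by go.list and go.sum: the first two
// whitespace-separated fields are the module path and version. Lines with fewer than
// two fields (go.list's main-module line, blanks) are skipped. In go.sum a "/go.mod"
// suffix hashes the module's go.mod file rather than naming a separate dependency, so
// it is stripped and the resulting duplicate coordinate collapsed.
func ParseModuleLines(content string) []Coordinate {
	seen := map[Coordinate]bool{}
	var out []Coordinate
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue
		}
		c := Coordinate{Name: fields[0], Version: strings.TrimSuffix(fields[1], "/go.mod")}
		if !seen[c] {
			seen[c] = true
			out = append(out, c)
		}
	}
	return out
}

// ParseGopkgLock keeps only [[projects]] stanzas that carry both a name and a
// version key; a stanza pinned by revision alone yields no coordinate.
func ParseGopkgLock(content string) []Coordinate {
	var out []Coordinate
	var cur *Coordinate
	flush := func() {
		if cur != nil && cur.Name != "" && cur.Version != "" {
			out = append(out, *cur)
		}
		cur = nil
	}
	unquote := func(s string) string { return strings.Trim(strings.TrimSpace(s), `"`) }
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "[[projects]]":
			flush()
			cur = &Coordinate{}
		case strings.HasPrefix(line, "["): // any other TOML table, e.g. [solve-meta]
			flush()
		case cur != nil:
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
				switch strings.TrimSpace(kv[0]) {
				case "name":
					cur.Name = unquote(kv[1])
				case "version":
					cur.Version = unquote(kv[1])
				}
			}
		}
	}
	flush()
	return out
}

// Constructed sample inputs: this page's own example entries plus a main-module line,
// a "/go.mod"-only entry and a version-less stanza (placeholder values) to exercise the skips.
const sampleGoList = `github.com/example/app
github.com/gohouse/converter v0.0.3
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
`
const sampleGoSum = `github.com/gohouse/converter v0.0.3 h1:xyM0XyhRQUsf2Y0lEABbOHvLDVjiRkjTxi+dza87M80=
github.com/gohouse/converter v0.0.3/go.mod h1:Yb3eAs+8j4rYcnthK6iK9e/3HDZJ5C2PsYaugkeQR2I=
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
`
const sampleGopkgLock = `[[projects]]
  name = "github.com/gohouse/converter"
  revision = "44968752391892e1b0d0b821ee79e9a85fa13049"
  version = "v0.0.3"
[[projects]]
  name = "github.com/example/unversioned"
  revision = "0000000000000000000000000000000000000000"
[solve-meta]
  analyzer-name = "dep"
`

func main() {
	for _, c := range ParseModuleLines(sampleGoSum) {
		fmt.Printf("%s %s\n", c.Name, c.Version)
	}
}
```

The same two-field function serves both go.list and go.sum because the text states the same rule for both; the difference between them lies in what ends up in the file, not in how it is read. For go.list the first line (the main module, which has no version) is dropped by the two-field check, so it never becomes a coordinate.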
Integrations with Go scanning support
For go.sum files
- CLI from version 69
- Jenkins from version 3.6.20190722-122200.83d1447
- Bamboo from version 1.12.1
For go.list files
- CLI from version 95
- Jenkins from version 3.9.20200716-164408.7b4a45f
- Bamboo from version 1.16.1
For Gopkg.lock files
- CLI from version 98
- Jenkins from version TBA
- Bamboo from version TBA
Steps to analyze using the CLI
Run a scan
Invoke a CLI scan of a directory or subdirectories containing go.sum or go.list files. Instructions on how to do this can be found in the Nexus IQ CLI documentation.
Example go.sum File
github.com/gohouse/converter v0.0.3 h1:xyM0XyhRQUsf2Y0lEABbOHvLDVjiRkjTxi+dza87M80=
github.com/gohouse/converter v0.0.3/go.mod h1:Yb3eAs+8j4rYcnthK6iK9e/3HDZJ5C2PsYaugkeQR2I=
github.com/gohouse/gorose v1.0.5 h1:Iescp+mt88bkIXqmTF2ixM4nlLjo6D9CXX6hRWCz2lc=
github.com/gohouse/gorose v1.0.5/go.mod h1:eGB2F605oLiIpo14y0o1EvBWXQ6h0hgW3OMhGJtwk8Y=
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
github.com/rs/cors v1.4.0 h1:98SZukVonBOdXatRLa6GSAtp+IeOjY+nmdEZAxImXXc=
github.com/rs/cors v1.4.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
Output from the CLI
Dashboard results
Report results
Steps to analyze using the Jenkins plugin
By default, the Jenkins plugin does not evaluate Gopkg.lock, go.sum, or go.list files; a custom Scan Target is needed, for example:
nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Gopkg.lock'], [scanPattern: '**/go.sum'], [scanPattern: '**/go.list']], iqStage: 'build'
For more information on how to configure Jenkins, see the Nexus Platform Plugin for Jenkins documentation.
Steps to analyze using the Bamboo plugin
Bamboo Scan Targets control which files are examined. To evaluate Go, add Gopkg.lock, go.sum, and go.list to the scan targets as a comma-separated list, e.g.
**/Gopkg.lock,**/go.sum,**/go.list
For more information on how to configure Bamboo, see the Nexus IQ for Bamboo documentation.