Overview

This page describes the Unified Agent’s integration with Go.

Configuration

For information on configuration parameters, refer to Configuration File & Parameters.

The Unified Agent detects Go dependencies via two different resolvers:

  • A specific resolver for detecting Go Modules dependencies.

  • A generic resolver for detecting dependencies defined by the other Go package managers: Dep, Godep, Vndr, Gogradle, Govendor, Gopm, Glide.

Configuration

The two Go resolvers expose different parameter sets to control them.
The configuration parameters for controlling the Go Modules resolver can be found here.
The configuration parameters for controlling the generic Go resolver can be found here.

Examples

Go Modules

...

As a user, I want to scan a Go project using Go 1.11 or above without the need for any package manager, while still being able to obtain all relevant dependencies used in my project. The project contains a 'go.mod' or 'modules.txt' file as well as a 'vendor' folder. The following are the relevant 'Go' configuration settings.

Go Modules dependencies are detected using the designated resolver, which is based on the Modules manifest file go.mod and requires the Go binary.

The Go Modules resolver is enabled by default, using the following setting:

Code Block
go.modules.resolveDependencies=true
go.collectDependenciesAtRuntime=false
go.dependencyManager=modules

Godep

...

Godep dependencies are detected using the generic Go resolver, which is based on the Gopkg.lock file.

The following settings can be used for Godep:

Code Block
go.resolveDependencies=true
go.collectDependenciesAtRuntime=false
go.dependencyManager=godep

Glide

...

Glide dependencies are detected using the generic Go resolver, which is based on the glide.yaml file.

The following settings can be used for Glide:

Code Block
go.resolveDependencies=true
go.dependencyManager=glide
go.glide.ignoreTestPackages=false

...

Generic Go Resolver

Using the go.collectDependenciesAtRuntime parameter

Setting the go.collectDependenciesAtRuntime parameter to control the generic Go resolver will have a different effect, depending on the Go package manager in use.

Godep, Vndr, and Dep

When the following conditions are met:

  • The go.collectDependenciesAtRuntime parameter is set to true

  • The dependency file is available

  • The vendor folder is missing

...

The Unified Agent will perform the following:

  1. For Vndr and Dep, the Unified Agent will rename the existing dependency file in the following format: <dependency_file>-<YYYY.MM.DD>T<HHmmss>+<UTC offset>.<extension> and run the pre-step command. For example, here is how the renamed file will look: "Gopkg-2019.06.04T150505+0200.lock".

  2. For Godep, the Unified Agent will rename the existing Godeps folder in the following format: Godeps-<YYYY.MM.DD>T<HHmmss>+<UTC offset> and run the pre-step command. For example, here is how the renamed folder will look: "Godeps-2019.06.04T150505+0200".

  3. For all three noted package managers, the Unified Agent will create a vendor folder containing all the relevant dependencies/files. It will also generate a new dependency file.
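Because the scan replaces the committed dependency file and leaves a timestamped copy behind, a CI job may want to recognize those copies and map them back to their original names. The following Go helper is an added example, not Unified Agent code: ParseBackup and Backup are hypothetical names, and accepting a negative UTC offset or a missing extension is an assumption that goes beyond the two sample names above.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// backupName matches the rename format described above:
// <name>-<YYYY.MM.DD>T<HHmmss>+<UTC offset>[.<extension>]
var backupName = regexp.MustCompile(
	`^(.+)-(\d{4}\.\d{2}\.\d{2}T\d{6}[+-]\d{4})(\.[^.]+)?$`)

// Backup describes one file or folder renamed by a runtime-collection scan.
type Backup struct {
	Original string    // name before the rename, e.g. Gopkg.lock or Godeps
	Renamed  time.Time // timestamp embedded in the new name
}

// ParseBackup returns the original name and rename time for a renamed
// dependency file or Godeps folder, or ok=false if the name does not fit.
func ParseBackup(name string) (b Backup, ok bool) {
	m := backupName.FindStringSubmatch(name)
	if m == nil {
		return b, false
	}
	// Reject digit runs that are not a real date, e.g. month 13.
	t, err := time.Parse("2006.01.02T150405-0700", m[2])
	if err != nil {
		return b, false
	}
	return Backup{Original: m[1] + m[3], Renamed: t}, true
}

func main() {
	// Constructed directory listing; the first two names are the page's examples.
	names := []string{
		"Gopkg-2019.06.04T150505+0200.lock",
		"Godeps-2019.06.04T150505+0200",
		"Gopkg.lock", "vendor", "Gopkg-2019.13.04T150505+0200.lock",
	}
	for _, n := range names {
		if b, ok := ParseBackup(n); ok {
			fmt.Printf("%s: restore as %s (renamed %s)\n",
				n, b.Original, b.Renamed.UTC().Format(time.RFC3339))
		}
	}
}
```

Comparing the restored file against the one the scan generated shows whether the scan changed the pinned dependency set.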

For Glide Package Manager: Enabling the go.collectDependenciesAtRuntime Parameter

The go.collectDependenciesAtRuntime parameter cannot be set to true for the Glide package manager.

For Govendor Package Manager: Enabling the go.collectDependenciesAtRuntime Parameter

The go.collectDependenciesAtRuntime parameter can be set to true assuming you previously ran the 'govendor fetch' command on the relevant project (in order to download the relevant dependencies).
If you did not run 'govendor fetch' prior to enabling the go.collectDependenciesAtRuntime parameter, the Unified Agent will return direct and transitive dependencies as a flat structure.

Go Modules

...

Govendor

When setting the go.collectDependenciesAtRuntime to true, if the govendor fetch command was executed prior to the scan on the relevant project, the dependencies will be downloaded and the scan results will include a full hierarchy tree. Otherwise, the scan will result in a flat dependencies list.

Glide

The go.collectDependenciesAtRuntime parameter is irrelevant for the Glide package manager.

Known Limitations

The Unified Agent provides support for a hierarchy tree for the following packages: Glide, Gopm, Godep, Dep, Govendor, Vndr and modules (Go Modules).
For the other package managers (Gogradle, vgo), the Unified Agent will show both direct and transitive dependencies in a flat structure.

In general, for all package managers, both direct and transitive dependencies are retrieved as part of a scan.
In order to support the retrieval of a project's full hierarchy tree, one of the following requirements must be met:

  • The dependency file and 'vendor' folder are available in the project.

  • The go.collectDependenciesAtRuntime configuration parameter is set to true and the relevant dependency manager is installed (except for Go Modules, which doesn't require a dependency manager).