Go Integration

Overview

This page describes the Unified Agent’s integration with Go.

Configuration

For information on configuration parameters, refer to Configuration File & Parameters.

Examples

Go Modules Example

As a user, I want to scan a Go project using Go 1.11 or above without the need for any package manager, while still being able to obtain all relevant dependencies used in my project. The project contains a 'go.mod' or 'modules.txt' file as well as a 'vendor' folder. The following are the relevant 'Go' configuration settings: 

go.resolveDependencies=true
go.collectDependenciesAtRuntime=false
go.dependencyManager=modules

Godep Example

As a user, I want to scan a Go project with the 'godep' package manager in order to obtain all relevant dependencies. The project already contains a 'Gopkg.lock' file. The following are the relevant 'Go' configuration settings:

go.resolveDependencies=true
go.collectDependenciesAtRuntime=false
go.dependencyManager=godep

Glide Example

As a user, I want to scan a Go project with the 'glide' package manager in order to obtain all relevant dependencies. The project does not contain a 'Gopkg.lock' file, and the user would also like to scan test packages defined in the 'glide.yaml' file. The following are the relevant 'Go' configuration settings: 

go.resolveDependencies=true
go.dependencyManager=glide
go.glide.ignoreTestPackages=false

For Godep, VNDR, and Dep Package Managers: Enabling the go.collectDependenciesAtRuntime Parameter

When all of the following conditions are true, the Unified Agent performs the numbered steps listed after them:

  • go.collectDependenciesAtRuntime=true

  • the dependency file is available

  • the 'vendor' folder is missing

  1. For VNDR and Dep, the Unified Agent will rename the existing dependency file to <dependency_file>-<YYYY.MM.DD>T<HHmmss>+<UTC offset>.<extension> and run the pre-step command. For example, here is how the renamed file will look: "Gopkg-2019.06.04T150505+0200.lock".

  2. For Godep, the Unified Agent will rename the existing Godeps folder name to Godeps-<YYYY.MM.DD>T<HHmmss>+<UTC offset> and run the pre-step command. For example, here is how the renamed folder will look: "Godeps-2019.06.04T150505+0200".

  3. For all three noted package managers, the Unified Agent will create a 'vendor' folder containing relevant dependencies/files. It will also generate a new dependency file.
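Because these steps rename the committed dependency file or folder and generate a new one inside the project, a post-scan check can look for the renamed copies before the working tree is reused. The following is an added example, not part of the Unified Agent: it builds and recognizes names in the pattern described above, and the function names, the four-digit offset form and the sample listing are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Pattern from the page: <name>-<YYYY.MM.DD>T<HHmmss>+<UTC offset>[.<extension>].
// Assumption: the offset is a sign plus four digits, as in the page's "+0200".
var backupRe = regexp.MustCompile(`^(.+)-(\d{4}\.\d{2}\.\d{2}T\d{6}[+-]\d{4})(\.[^.]+)?$`)

// Go reference-time layout for the timestamp part of the pattern.
const stampLayout = "2006.01.02T150405-0700"

// BackupName returns the name a dependency file or folder would get at time t.
func BackupName(name string, t time.Time) string {
	ext := ""
	if i := strings.LastIndex(name, "."); i > 0 {
		name, ext = name[:i], name[i:]
	}
	return name + "-" + t.Format(stampLayout) + ext
}

// ParseBackup reports the original name and rename time when name matches the
// pattern and its timestamp is a valid date; ok is false otherwise.
func ParseBackup(name string) (orig string, at time.Time, ok bool) {
	m := backupRe.FindStringSubmatch(name)
	if m == nil {
		return "", time.Time{}, false
	}
	at, err := time.Parse(stampLayout, m[2])
	if err != nil {
		return "", time.Time{}, false
	}
	return m[1] + m[3], at, true
}

func main() {
	// Constructed directory listing of a project root after a scan.
	for _, n := range []string{"Gopkg.lock", "Gopkg-2019.06.04T150505+0200.lock", "Godeps-2019.06.04T150505+0200", "main.go"} {
		if orig, at, ok := ParseBackup(n); ok {
			fmt.Printf("%s: renamed copy of %s (%s)\n", n, orig, at.Format(time.RFC3339))
		}
	}
}
```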

For Glide Package Manager: Enabling the go.collectDependenciesAtRuntime Parameter

The go.collectDependenciesAtRuntime parameter cannot be set to true for the Glide package manager.

For Govendor Package Manager: Enabling the go.collectDependenciesAtRuntime Parameter

The go.collectDependenciesAtRuntime parameter can be set to true assuming you previously ran the 'govendor fetch' command on the relevant project (in order to download the relevant dependencies).
If you did not run 'govendor fetch' prior to enabling the go.collectDependenciesAtRuntime parameter, the Unified Agent will return direct and transitive dependencies as a flat structure.

Go Modules

Go Modules resolution is controlled by a set of parameters separate from the general Go parameters. Two separate settings are supported: parameters for controlling the Modules resolution, and the existing Go parameters for controlling Modules and the other Go package managers. The Modules resolver detects only the actively-used dependencies. For a list of parameters, refer to the Unified Agent Configuration Parameters.

Known Limitations

The Unified Agent provides support for a hierarchy tree for the following packages: glide, gopm, godep, dep, govendor, vndr and modules (Go Modules).
For the other package managers (gogradle, vgo), the Unified Agent will show both direct and transitive dependencies as a flat structure.

In general, for all package managers, both direct and transitive dependencies are retrieved as part of a scan.
In order to support retrieval of a project's full hierarchy tree, one of the following requirements must be met:

  • The dependency file and 'vendor' folder are available in the project

  • The go.collectDependenciesAtRuntime configuration parameter is set to 'true' and the relevant dependency manager is installed (except for Go Modules which doesn't require a dependency manager).