Configuring the Unified Agent for Go

The following article includes best practices and configuration recommendations for using the Unified Agent to scan Go projects.

Best Practices

Before scanning a Go project, ensure the following for the most accurate results:

  1. You are using a supported Go package manager. The Unified Agent provides a hierarchy tree for the following package managers: glide, gopm, godep, dep, govendor, vndr and modules (Go Modules). For the other package managers (gogradle, vgo), the Unified Agent shows both direct and transitive dependencies as a flat structure.

  2. The project can be built successfully on the machine where you are running the scan.

  3. The dependency file and 'vendor' folder are available in the project OR the go.collectDependenciesAtRuntime configuration parameter is set to true and the relevant dependency manager is installed.

  4. When using Go Modules, the environment variable 'GO111MODULE' is set appropriately. When your project folder is under the GOPATH, make sure to set GO111MODULE=on.

  5. When using Go Modules, you have a 'go.mod' or 'modules.txt' file as well as the source code for your project.

  6. When using Go Modules, you set go.resolveDependencies to false and go.modules.resolveDependencies to true.

Configuring Unified Agent Parameters

If you are using any Go package manager other than Modules:

Set go.resolveDependencies to true
Set go.dependencyManager to the package manager in use

If your team uses more than one package manager for Go, you can leave go.dependencyManager unmodified. To improve the efficiency of your scan, however, set this parameter to the package manager you are using for your Go projects. When left unmodified, the default behavior is to attempt to resolve the dependencies with each supported Go package manager.

The following parameters are optional:

go.collectDependenciesAtRuntime - Set to true if your project does not already have a 'vendor' folder. Make sure to run the 'govendor fetch' command on the relevant project (in order to download the relevant dependencies). If you do not run 'govendor fetch' prior to enabling the go.collectDependenciesAtRuntime parameter, the Unified Agent will return direct and transitive dependencies as a flat structure.

go.ignoreSourceFiles - Set to true if you wish to only include package dependencies, not source files. When set to true, Go source files will be ignored in the scan.

go.glide.ignoreTestPackages - Set to true if you wish to ignore test packages defined in the 'testImport' section of the 'glide.yaml' file.

go.gogradle.enableTaskAlias - Set to true when using the gogradle dependency manager and the gradle argument (in 'gradle.properties') includes 'gogradle.alias=true'.

Go Modules Specific Parameters

Go Modules has its own parameters for use with the Unified Agent. This resolution mode is required if you are using the Modules package manager.

go.modules.resolveDependencies - Set to true if you only use Go Modules package manager for Go projects. To enable this, you must also set go.resolveDependencies to false.

go.modules.ignoreSourceFiles - Set to true if you wish to exclude Go source files from your scans.

go.modules.removeDuplicateDependencies - Set to true if you wish to remove duplicate dependencies from your scans.

go.modules.includeTestDependencies - Set to true if you wish to include test dependencies in your scans.
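The best practices and parameter rules above can be checked before a scan runs. The following is an added example, not part of the Unified Agent or its documentation: a preflight check that reads a key=value configuration file and a project folder and reports which of the page's Go requirements are not met. The function names, the sample configuration and the finding messages are assumptions, and because the page does not state parameter defaults, the check requires the values to be set explicitly.

```python
import os
from pathlib import Path

# Constructed sample config for a Go Modules project (not from the original page).
SAMPLE_CONFIG = """\
# Go Modules resolution
go.resolveDependencies=false
go.modules.resolveDependencies=true
"""

def load_config(text):
    """Parse key=value lines, skipping blank lines and # comments; values are lowercased."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().lower()
    return cfg

def preflight(cfg, project_dir, gopath=None, go111module=None):
    """Return findings for the page's Go checks; an empty list means all pass."""
    root = Path(project_dir).resolve()
    gopath = os.environ.get("GOPATH", "") if gopath is None else gopath
    go111module = os.environ.get("GO111MODULE", "") if go111module is None else go111module
    findings = []
    # go.mod at the root, or the modules.txt that `go mod vendor` writes under vendor/.
    modules = (root / "go.mod").is_file() or (root / "vendor" / "modules.txt").is_file()
    if modules:
        if cfg.get("go.resolveDependencies") != "false":
            findings.append("go.resolveDependencies must be false for Go Modules")
        if cfg.get("go.modules.resolveDependencies") != "true":
            findings.append("go.modules.resolveDependencies must be true for Go Modules")
        # GOPATH may list several directories; the project counts if it is under any.
        gps = [Path(p).resolve() for p in gopath.split(os.pathsep) if p]
        if any(g == root or g in root.parents for g in gps) and go111module != "on":
            findings.append("project is under GOPATH: set GO111MODULE=on")
    else:
        if cfg.get("go.resolveDependencies") != "true":
            findings.append("go.resolveDependencies must be true")
        has_vendor = (root / "vendor").is_dir()
        if not has_vendor and cfg.get("go.collectDependenciesAtRuntime") != "true":
            findings.append("no vendor folder: set go.collectDependenciesAtRuntime=true")
    return findings

if __name__ == "__main__":
    for finding in preflight(load_config(SAMPLE_CONFIG), "."):
        print("FAIL:", finding)
```

Running it as a CI step before the scan and failing the job on any finding catches a misconfigured resolution mode before it produces an incomplete dependency inventory.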

Additional Resources:

You can find more information about scanning Go projects in the following documents:

Unified Agent - documentation on how to use the Unified Agent

Go Integration - examples of Go results