Configuring the Unified Agent for Go
The following article includes best practices and configuration recommendations when using the Unified Agent (UA) to scan Go projects.
Best Practices
Before scanning a Go project, ensure the following for the most accurate results:
You are using a supported Go package manager (see list below).
The project can be built successfully on the machine where you are running the scan.
One of the following is true:
The dependency file and 'vendor' folder are available in the project, OR
The go.collectDependenciesAtRuntime configuration parameter is set to true and the relevant dependency manager is installed.
Additionally, when using Go Modules, ensure that:
The environment variable GO111MODULE is set appropriately. When your project folder is under the GOPATH, make sure to set GO111MODULE=on.
You have a 'go.mod' or 'modules.txt' file as well as the source code for your project.
go.resolveDependencies=false and go.modules.resolveDependencies=true are set in your UA config file.
Supported Package Managers
The Unified Agent supports a hierarchy tree for the following package managers:
glide
gopm
godep
dep
govendor
vndr
modules (Go Modules)
For the other package managers (gogradle, vgo), the Unified Agent will show both direct and transitive dependencies as a flat structure.
Configuring Unified Agent Parameters
For all Go package managers other than Modules:
Set go.resolveDependencies=true
Set go.dependencyManager to the package manager in use
Note: if your team uses more than one package manager for Go, you can leave go.dependencyManager unmodified. In this case, the default behavior is to attempt dependency resolution with each supported Go package manager. To improve the efficiency of your scan, set this parameter to the specific package manager you are using for your Go projects.
Optional parameters:
go.collectDependenciesAtRuntime - Set to true if your project does not already have a 'vendor' folder. Make sure to run govendor fetch on the relevant project to download its dependencies first, otherwise the Unified Agent will return direct and transitive dependencies as a flat structure.
go.ignoreSourceFiles - Set to true if you wish to only include package dependencies, not source files. When set to true, Go source files are ignored in the scan.
go.glide.ignoreTestPackages - Set to true if you wish to ignore test packages defined in the 'testImport' section of the 'glide.yaml' file.
go.gogradle.enableTaskAlias - Set to true when using the gogradle dependency manager and the gradle argument (in 'gradle.properties') includes gogradle.alias=true.
Go Modules Specific Parameters
Go Modules has its own parameters for use with the Unified Agent. This version of resolution is required if you are using the Modules package manager.
go.modules.resolveDependencies - Set to true if this project only uses the Go Modules package manager. In this case, you must also set go.resolveDependencies=false.
go.modules.ignoreSourceFiles - Set to true if you wish to exclude Go source files from your scans.
go.modules.removeDuplicateDependencies - Set to true if you wish to remove duplicate dependencies from your scans.
go.modules.includeTestDependencies - Set to true if you wish to include test dependencies in your scans.
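The following Python pre-scan check is an added example, not part of the Unified Agent or its documentation. It tests a project directory and the text of a UA config file against the preconditions described above. The function names, the key=value parsing of the config text, and looking for 'modules.txt' under the 'vendor' folder are assumptions of this example.

```python
import os
from pathlib import Path

def parse_config(text):
    """Parse key=value lines; blank lines and '#' comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().lower()
    return cfg

def under_gopath(project, gopath):
    """True if project lies inside any entry of a GOPATH-style path list."""
    for entry in filter(None, gopath.split(os.pathsep)):
        try:
            project.relative_to(Path(entry).resolve())
            return True
        except ValueError:
            continue
    return False

def check_go_scan(project_dir, config_text, env):
    """Return findings; an empty list means the checked preconditions hold."""
    project = Path(project_dir).resolve()
    cfg = parse_config(config_text)
    findings = []
    # Either a 'vendor' folder exists or dependencies are collected at runtime.
    if not (project / "vendor").is_dir() and cfg.get("go.collectDependenciesAtRuntime") != "true":
        findings.append("no 'vendor' folder and go.collectDependenciesAtRuntime is not true")
    # Assumption of this example: go.mod or vendor/modules.txt marks a Go Modules project.
    if (project / "go.mod").is_file() or (project / "vendor" / "modules.txt").is_file():
        # Unset keys are reported too: this example requires explicit values.
        if cfg.get("go.modules.resolveDependencies") != "true":
            findings.append("go.modules.resolveDependencies must be true")
        if cfg.get("go.resolveDependencies") != "false":
            findings.append("go.resolveDependencies must be false")
        if under_gopath(project, env.get("GOPATH", "")) and env.get("GO111MODULE") != "on":
            findings.append("project is under GOPATH but GO111MODULE is not 'on'")
    elif cfg.get("go.resolveDependencies") != "true":
        findings.append("go.resolveDependencies must be true")
    return findings

if __name__ == "__main__":
    # Constructed sample config text; run from the root of the Go project.
    sample = "go.resolveDependencies=false\ngo.modules.resolveDependencies=true\n"
    for finding in check_go_scan(".", sample, os.environ):
        print("FINDING:", finding)
```

The check does not verify that the project builds or that the relevant dependency manager is installed; those remain manual steps.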
Additional Resources:
You can find more information about scanning Go projects in the following documents:
Unified Agent - documentation on how to use the Unified Agent
Go Integration - examples of Go results