Report vulnerable dependency paths for Go modules

Problem to solve

Dependency Scanning should report the dependency paths for vulnerable dependencies found in Go projects using Go modules, so that these paths can be shown in the UI, including in the dependency list. See #227620 (closed)

Proposal A 👈 Selected

Run go mod graph and parse its output to build the dependency graph.

Proposal B

Use the goda graph command of goda, and parse its Graphviz DOT output using gonum/formats/dot.

See How it differs from go list or go mod

go list and go mod are tightly integrated with Go and can answer simple queries with compatibility. They also serve as good building blocks for other tools.

goda is intended for more complicated queries and analysis. Some of the features can be reproduced by format flags and scripts. However, this library aims to make even complicated analysis fast.

Also, goda can be used together with go list and go mod.

Implementation plan

Proposal A was selected to minimize dependencies on tooling not bundled with Go.

  • Implement a go mod graph parser
    • The output contains a list of dependencies in the <DEPENDENT_MODULE> <DEPENDENCY_MODULE> format.
    • Modules follow the pattern [MODULE_NAME]@[MODULE_VERSION], with the exception of the main module.
    • The main module does not have a version.
    • The output contains dependencies that were not included in the final build. To get an accurate depiction of the dependency graph, we'll have to filter out dependencies that are not reachable from the main module. These dependencies are already accounted for in go.mod, so we'll need to consider more than one input - see #477024 (closed).
  • Add the **/go.graph pattern to the CI/CD component
  • Document how to create the go.graph export and pass it as an artifact to the dependency-scanning analyzer
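As an added example (not code from the analyzer or from GitLab), the parser sketched in the plan above, in Go: it reads constructed go mod graph output, builds the adjacency list, and finds the shortest dependency path from the main module to a given module by breadth-first search, which also drops modules that go mod graph lists but the main module never reaches. All module names and versions in the sample are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output; github.com/unused/x is unreachable.
const sampleGraph = `example.com/app github.com/a/lib@v1.2.0
example.com/app golang.org/x/text@v0.3.0
github.com/a/lib@v1.2.0 github.com/b/util@v0.9.1
github.com/b/util@v0.9.1 golang.org/x/text@v0.3.0
github.com/unused/x@v2.0.0 github.com/b/util@v0.9.1`

// ParseGraph turns "<dependent> <dependency>" lines into an adjacency list.
func ParseGraph(out string) map[string][]string {
	edges := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}
// DependencyPath BFSes from the main module (root, which has no @version) and
// returns the shortest path to the first node whose module name is target,
// or nil when target is listed by `go mod graph` but never reached by root.
func DependencyPath(edges map[string][]string, root, target string) []string {
	seen, queue := map[string]bool{root: true}, [][]string{{root}}
	for len(queue) > 0 {
		path := queue[0]
		queue = queue[1:]
		cur := path[len(path)-1]
		if name, _, _ := strings.Cut(cur, "@"); name == target && cur != root {
			return path
		}
		for _, next := range edges[cur] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, append(append([]string{}, path...), next)) // copy path
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(DependencyPath(ParseGraph(sampleGraph), "example.com/app", "github.com/b/util"))
}
```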

Documentation

Dependency Path support for this particular package manager should be documented in the Dependency Scanning documentation.

  • The feature is only supported using the newest dependency-scanning component.
  • The feature is only supported for Go versions that have stabilized support for Go modules. The earliest version in which go mod graph appears is Go 1.12, excluding the experimental mention in Go 1.11.

Availability & Testing

To be tested automatically when doing QA for the analyzer project and checking the generated report.

What does success look like, and how can we measure that?

The analyzer reports the dependency paths of the vulnerable dependencies for projects using this package manager.

What is the type of buyer?

GitLab Ultimate

Links / references

N/A

Edited by Oscar Tovar