GitLab.org / GitLab / Issues / #330678
Closed
Created May 11, 2021 by Samer Akkoub (@samer.akkoub, Developer)

Technical Spike: For GoSec SAST make it possible to specify the pathGoPkg value

Problem to solve

Currently, the analyzer copies the target Go project (e.g. Project1) into a preset GOPATH directory (go/src/app/) and then runs go get to fetch all the dependencies. The challenge is when Project1 depends on Project2 and Project3, which live under different paths (for example gitlab.com/XX/go/project2 and gitlab.com/XX/go/project3): the build fails with the error "use of internal package not allowed", which seems to be due to the path difference between the source and target projects, as described here. This happens especially when go.mod is not used.

  // github.com/XX/go/project1 <- project1
  // github.com/XX/go/project2
  // github.com/XX/go/project3

Customer is using go1.15.11
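The error above comes from the Go toolchain's internal-package rule, not from gosec itself: a path containing an "internal" element may only be imported from the tree rooted at the parent of that "internal" directory, and the toolchain decides "where the importer is" from its import path, i.e. its location under GOPATH/src. Copying project1 to go/src/app changes its import path from gitlab.com/XX/go/project1/... to app/..., so any internal package it could legitimately reach at its canonical path is now out of reach. The following Go program is an added example that models that rule and the relocation; it is not code from the gosec analyzer or this issue, and the layout it uses (three sibling projects under gitlab.com/XX/go sharing gitlab.com/XX/go/internal, plus project1's own internal package, and the preset import path "app") is constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// internalParent returns the import path of the directory whose subtree is
// allowed to import importPath, and ok=false when importPath contains no
// "internal" element. It follows the same three cases as cmd/go's
// findInternal: a trailing "/internal", the last "/internal/" in the
// middle, or a leading "internal" (whose parent is the empty root).
func internalParent(importPath string) (parent string, ok bool) {
	switch {
	case strings.HasSuffix(importPath, "/internal"):
		return strings.TrimSuffix(importPath, "/internal"), true
	case strings.Contains(importPath, "/internal/"):
		return importPath[:strings.LastIndex(importPath, "/internal/")], true
	case importPath == "internal", strings.HasPrefix(importPath, "internal/"):
		return "", true
	}
	return "", false
}

// importAllowed applies the rule the toolchain enforces: the importer's own
// import path must be the parent of the "internal" directory or lie inside
// that parent's subtree. An empty parent means the whole GOPATH/src tree,
// so every importer qualifies, as in GOPATH mode.
func importAllowed(importerPath, importPath string) bool {
	parent, ok := internalParent(importPath)
	if !ok {
		return true // no "internal" element: nothing to enforce
	}
	if parent == "" {
		return true
	}
	return importerPath == parent || strings.HasPrefix(importerPath, parent+"/")
}

// relocate models what copying a project into a preset GOPATH directory does
// to an import path: everything rooted at canonical is re-rooted at preset
// (e.g. "gitlab.com/XX/go/project1/cmd" -> "app/cmd"). Paths outside the
// copied project are returned unchanged.
func relocate(importerPath, canonical, preset string) string {
	if importerPath == canonical {
		return preset
	}
	if strings.HasPrefix(importerPath, canonical+"/") {
		return preset + strings.TrimPrefix(importerPath, canonical)
	}
	return importerPath
}

// checkResult records one import checked at the canonical location and
// again after relocation to the preset directory.
type checkResult struct {
	Import                 string
	AllowedAtCanonical     bool
	AllowedAfterRelocation bool
}

// compare evaluates the imports made by the package at importerPath both at
// its canonical path and after relocation to preset.
func compare(importerPath, canonical, preset string, imports []string) []checkResult {
	moved := relocate(importerPath, canonical, preset)
	out := make([]checkResult, 0, len(imports))
	for _, imp := range imports {
		out = append(out, checkResult{
			Import:                 imp,
			AllowedAtCanonical:     importAllowed(importerPath, imp),
			AllowedAfterRelocation: importAllowed(moved, imp),
		})
	}
	return out
}

func main() {
	// Constructed layout for this example, not the customer's actual tree:
	// project1, project2 and project3 are siblings under gitlab.com/XX/go,
	// share helpers in gitlab.com/XX/go/internal, and project1 also has an
	// internal package of its own. The analyzer's preset path is "app".
	const importer = "gitlab.com/XX/go/project1/cmd/server"
	imports := []string{
		"gitlab.com/XX/go/project1/internal/config", // project1's own internal package
		"gitlab.com/XX/go/internal/shared",          // shared by the sibling projects
		"gitlab.com/XX/go/project2",                 // a sibling's exported API
		"gitlab.com/XX/go/project2/internal/db",     // a sibling's internal package
	}
	for _, r := range compare(importer, "gitlab.com/XX/go/project1", "app", imports) {
		fmt.Printf("%-45s canonical=%-5v relocated(app)=%v\n",
			r.Import, r.AllowedAtCanonical, r.AllowedAfterRelocation)
	}
}
```

Running it shows the two failure classes the relocation introduces: project1's own internal package and the shared gitlab.com/XX/go/internal package are importable at the canonical path but rejected from app/..., while the sibling's exported API is fine in both cases and the sibling's internal package is rejected in both, because no GOPATH layout makes another project's internal tree importable. That is the behaviour Proposal 1 addresses: a user-supplied path that restores the canonical import path makes the first two checks pass again without touching the last.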

User experience goal

Give the end-user the flexibility to specify the pathGoPkg value so that it matches the imported projects, so that the fetching dependencies step succeeds in fetching all the dependent projects.

Proposal

Implementation plan

A new issue will be opened with the implementation plan, slated for %14.2.

Available Tier

All GoSec users (GitLab Free)

What does success look like, and how can we measure that?

The outcome of this technical spike is to have a proposed solution to allow SAST scanning of Go projects with complex go dependencies.

  • Proposal 1: Give the user the ability to specify the GOPATH value instead of always using a fixed one.
  • Proposal 2: Allow a pre-compilation setup step for Go projects, to allow arbitrary building of Go projects.

Is this a cross-stage feature?

No

Links / references

  • Related https://stackoverflow.com/questions/59342373/use-of-internal-package-not-allowed
  • Related #327735 (closed)
  • https://github.com/securego/gosec#dependencies
  • There is an existing TODO in the code; if we can implement it, it should solve this issue.
Edited May 25, 2021 by Taylor McCaslin