Technical Spike: For GoSec SAST make it possible to specify the pathGoPkg value

Problem to solve

Currently, the analyzer code copies the target GoProject (ex. Project1) into a preset GoPath directory (go/src/app/), and then runs go get to fetch all the dependencies, the challenge is when Project1 has dependencies on Project2 and Project3 which are under different paths (example: gitlab.com/XX/go/project2 and gitlab.com/XX/go/project3) it is giving "Use of internal package not allowed" error, which seems to be due to the path difference between the source and target projects as described here This happens especially when Go.mod is not used.

  // github.com/XX/go/project1 <- project1
        // github.com/XX/go/project2
        // github.com/XX/go/project3

Customer is using go1.15.11

User experience goal

Give the end-user the flexibility to specify the pathGoPkg value so that it matches the imported projects, so that the fetching dependencies step succeeds in fetching all the dependent projects.

Proposal

Implementation plan

A new issue will be opened with the implementation plan slated for%$14.2

Available Tier

All gosec users GitLab Free

What does success look like, and how can we measure that?

The outcome of this technical spike is to have a proposed solution to allow SAST scanning of Go projects with complex go dependencies.

Proposal 1: To give the user the ability to specify the GoPath value and not to always use a fixed one.
Proposal 2: Allow a pre-compliation setup for Go projects to allow arbitrary building of go projects.

Is this a cross-stage feature?

Links / references

Related https://stackoverflow.com/questions/59342373/use-of-internal-package-not-allowed
Related #327735 (closed)
https://github.com/securego/gosec#dependencies
There is an existing TO DO in the code if we can implement it, it should solve this issue

Edited May 25, 2021 by Taylor McCaslin