Technical Spike: For GoSec SAST make it possible to specify the pathGoPkg value
Problem to solve
Currently, the analyzer copies the target Go project (for example, Project1) into a preset GOPATH directory (go/src/app/) and then runs go get to fetch all of its dependencies. The challenge is that when Project1 depends on Project2 and Project3, which live under different import paths (for example gitlab.com/XX/go/project2 and gitlab.com/XX/go/project3), the build fails with "Use of internal package not allowed". This appears to be caused by the mismatch between the project's real import path and the fixed go/src/app location it is copied to, as described in the Stack Overflow question under Links / references: Go only allows a package under an internal/ directory to be imported by code rooted at the parent of that internal/ directory, and code copied to go/src/app no longer qualifies.
This happens especially when go.mod is not used (GOPATH mode).
// github.com/XX/go/project1 <- project1
// github.com/XX/go/project2
// github.com/XX/go/project3
Customer is using go1.15.11
User experience goal
Give the end user the flexibility to specify the pathGoPkg value so that it matches the import paths of the projects being scanned, so that the dependency-fetching step succeeds in fetching all the dependent projects.
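To make the failure mode concrete, here is an added example (not code from the GitLab analyzer or from gosec) that reimplements the internal-package rule the go tool applies in GOPATH mode, and shows which imports break when a project is copied to go/src/app instead of go/src/<pathGoPkg>. The import paths (gitlab.com/XX/go/project1, .../internal/config, .../internal/shared, project2/internal/db) are constructed for illustration; the function names are hypothetical. It goes slightly beyond the text in one respect: it also shows that a package under project2/internal is not importable from project1 even at the correct path, so pathGoPkg only helps when the internal directory sits at a common parent.

```go
package main

import (
	"fmt"
	"strings"
)

// findInternal follows the same three cases as the go tool: it returns the
// index of the last "internal" element in importPath, and false if none.
// The last occurrence matters because it imposes the most restrictive root.
func findInternal(importPath string) (int, bool) {
	switch {
	case strings.HasSuffix(importPath, "/internal"):
		return len(importPath) - len("internal"), true
	case strings.Contains(importPath, "/internal/"):
		return strings.LastIndex(importPath, "/internal/") + 1, true
	case importPath == "internal", strings.HasPrefix(importPath, "internal/"):
		return 0, true
	}
	return 0, false
}

// InternalImportAllowed reports whether a package whose own import path is
// importer may import importPath. Both are paths relative to GOPATH/src, which
// is how a GOPATH-mode build (GO111MODULE=off, as with go1.15 and no go.mod)
// identifies packages: the directory a project is copied into *is* its path.
func InternalImportAllowed(importer, importPath string) bool {
	i, ok := findInternal(importPath)
	if !ok {
		return true // not an internal package, so no restriction applies
	}
	parent := ""
	if i > 0 {
		parent = importPath[:i-1] // strip "/internal..." to get the parent package path
	}
	if parent == "" {
		return true // "internal/..." directly under GOPATH/src: all of GOPATH/src qualifies
	}
	// Allowed only from the parent itself or anything rooted beneath it.
	return importer == parent || strings.HasPrefix(importer, parent+"/")
}

// PathUnderGOPATH returns where a project must be placed so that its own
// import path equals pathGoPkg (hypothetical helper; the fixed go/src/app
// location is what breaks this).
func PathUnderGOPATH(gopath, pathGoPkg string) string {
	return strings.TrimRight(gopath, "/") + "/src/" + pathGoPkg
}

func main() {
	// Constructed cases: the same imports seen from go/src/app versus from the
	// project's real import path.
	cases := []struct{ importer, imp string }{
		{"app", "gitlab.com/XX/go/project1/internal/config"},
		{"gitlab.com/XX/go/project1", "gitlab.com/XX/go/project1/internal/config"},
		{"app", "gitlab.com/XX/go/internal/shared"},
		{"gitlab.com/XX/go/project1", "gitlab.com/XX/go/internal/shared"},
		{"gitlab.com/XX/go/project1", "gitlab.com/XX/go/project2/internal/db"},
		{"gitlab.com/XX/go/project1", "gitlab.com/XX/go/project2/pkg/db"},
	}
	for _, c := range cases {
		fmt.Printf("%-28s imports %-45s allowed=%v\n",
			c.importer, c.imp, InternalImportAllowed(c.importer, c.imp))
	}
	fmt.Println("copy project1 to:", PathUnderGOPATH("/go", "gitlab.com/XX/go/project1"))
}
```

The first and third cases are the analyzer's current layout and are rejected; the second and fourth are what a user-supplied pathGoPkg of gitlab.com/XX/go/project1 restores. The fifth case fails regardless of placement, so if a customer's Project1 imports Project2's own internal packages, Proposal 2 (a pre-compilation setup step) rather than Proposal 1 is the one that can help.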
Proposal
Implementation plan
A new issue will be opened with the implementation plan slated for %14.2
Available Tier
All gosec users (GitLab Free)
What does success look like, and how can we measure that?
The outcome of this technical spike is a proposed solution that allows SAST scanning of Go projects with complex Go dependencies.
- Proposal 1: Give the user the ability to specify the GOPATH location (pathGoPkg) of the scanned project instead of always using the fixed go/src/app path.
- Proposal 2: Allow a pre-compilation setup step for Go projects so that arbitrary Go projects can be built before scanning.
Is this a cross-stage feature?
No
Links / references
- Related https://stackoverflow.com/questions/59342373/use-of-internal-package-not-allowed
- Related #327735 (closed)
- https://github.com/securego/gosec#dependencies
- There is an existing TODO in the code; if we can implement it, it should solve this issue