
Support Go in Dependency Scanning (alpha, because the scanner is viable but currently produces limited results/findings)

Problem to solve

Users of Go, including ourselves, would like to monitor their dependencies (specific libraries) for vulnerabilities.

Now that we have started ingesting Go vulnerabilities (see the related MR and issue), we can build an MVC (minimal viable change) and test this out.

Note: this implementation will only cover projects that use Go modules. Whether a project is supported will be detected by the presence of a go.sum file.
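The following is an added example, not code from this issue or from the GitLab scanner, showing what the go.sum-based support check above implies in practice: a project is treated as supported when a go.sum file exists, and the module/version pairs recorded in that file are the dependencies a scanner would look up. The go.sum excerpt, its placeholder hashes, and the function names are constructed for this illustration; how the real Dependency Scanning analyzer parses the file is not described on this page.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Module identifies one dependency pinned in go.sum.
type Module struct {
	Path    string
	Version string
}

// HasGoModules reports whether dir looks like a Go-modules project, using the
// same signal the proposal names: a go.sum file in the project root.
func HasGoModules(dir string) bool {
	info, err := os.Stat(filepath.Join(dir, "go.sum"))
	return err == nil && !info.IsDir()
}

// ParseGoSum extracts the unique module@version pairs recorded in go.sum.
// Each go.sum line has the form "<module> <version>[/go.mod] <hash>".
// Lines whose version ends in "/go.mod" cover only the dependency's go.mod
// file and carry the same module/version as the zip line, so both fold into
// one entry. Malformed lines are reported as an error rather than skipped,
// so a scanner does not silently miss dependencies.
func ParseGoSum(content string) ([]Module, error) {
	seen := make(map[Module]struct{})
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("go.sum line %d: unexpected format: %q", lineNo, line)
		}
		version := strings.TrimSuffix(fields[1], "/go.mod")
		seen[Module{Path: fields[0], Version: version}] = struct{}{}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	out := make([]Module, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	// Deterministic order makes the output diffable between pipeline runs.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Path != out[j].Path {
			return out[i].Path < out[j].Path
		}
		return out[i].Version < out[j].Version
	})
	return out, nil
}

// sampleGoSum is a constructed go.sum excerpt; the hashes are placeholders,
// not real checksums, so the example runs offline.
const sampleGoSum = `github.com/gorilla/websocket v1.4.0 h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
github.com/gorilla/websocket v1.4.0/go.mod h1:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
golang.org/x/text v0.3.0 h1:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
golang.org/x/text v0.3.0/go.mod h1:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=
golang.org/x/text v0.3.2 h1:EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE=
golang.org/x/text v0.3.2/go.mod h1:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF=
`

func main() {
	fmt.Println("go.sum present in cwd:", HasGoModules("."))
	mods, err := ParseGoSum(sampleGoSum)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for _, m := range mods {
		fmt.Printf("%s@%s\n", m.Path, m.Version)
	}
}
```

One caveat worth keeping in mind when the detection signal is go.sum: the file records every module version the go command has needed to verify, so it can list versions that are no longer in the build (the example above yields two versions of golang.org/x/text). Findings keyed on go.sum entries are therefore a superset of what the built binary actually contains, which is acceptable for an alpha but is one reason to expect some noise.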

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Further details

Proposal

Add MVC Dependency Scanning support for the Go language and get feedback (dogfooding and customers) as we work to ingest more Go findings.

To be clear: NO feature flag. The scanner should be available to all GitLab.com and self-managed users. It is alpha only because of the volume of findable results, not because of the scanner itself, and we should get people using it. The docs should state that the vulnerability database behind it currently has a low number of Go entries, that we are working to increase that, and that users should start running the scanner as soon as possible, since they will automatically get more findings with each release.

Implementation plan

Permissions and Security

No changes; same as current Dependency Scanning.

Documentation

Update https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#supported-languages-and-package-managers

Be clear that it is ALPHA and that we need feedback.

Testing

  • Create test project
  • Dogfood

What does success look like, and how can we measure that?

Users will enable dependency scanning for Go projects.

What is the type of buyer?

Links / references

Product

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
