Draft: Add go.mod dependency resolver [gemnasium only]
What does this MR do?
This MR adds a Go builder that resolves the dependencies a Go project imports. It leverages the golang.org/x/tools/go/packages functionality to run the Go build tool and load the list of packages required to build the main module. That list of packages is then used to build the list of modules in use, i.e. every package's module is read and de-duplicated.
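As an added illustration of the approach described above (example code, not the MR's own builder): it calls `go list -deps -json` directly, the standard-library route to the same build-tool output that golang.org/x/tools/go/packages wraps, and folds the package list into a de-duplicated module list. Field names mirror `go list -json` output; any `example.com/...` paths used as input are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"os/exec"
	"sort"
)

// goModule and goPackage mirror the `go list -json` fields used here; Module is nil for stdlib packages.
type goModule struct{ Path, Version string; Main bool }
type goPackage struct{ ImportPath string; Standard bool; Module *goModule }

// modulesFromList decodes the concatenated JSON objects printed by `go list -deps -json`, maps each
// package to its module and de-duplicates by module path, dropping stdlib packages and the main module.
func modulesFromList(r io.Reader) ([]goModule, error) {
	dec := json.NewDecoder(r)
	seen := map[string]goModule{}
	for {
		var p goPackage
		if err := dec.Decode(&p); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if p.Standard || p.Module == nil || p.Module.Main {
			continue
		}
		seen[p.Module.Path] = *p.Module
	}
	mods := make([]goModule, 0, len(seen))
	for _, m := range seen {
		mods = append(mods, m)
	}
	sort.Slice(mods, func(i, j int) bool { return mods[i].Path < mods[j].Path })
	return mods, nil
}

// loadModules runs the Go build tool in dir (why the analyzer image needs a toolchain at runtime).
func loadModules(dir string) ([]goModule, error) {
	cmd := exec.Command("go", "list", "-deps", "-json", "./...")
	cmd.Dir = dir
	out, err := cmd.Output()
	if err != nil {
		return nil, err
	}
	return modulesFromList(bytes.NewReader(out))
}
```

A project with no Go source yields an empty module list from `loadModules`, which is the behaviour the fixture note below relies on.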
Since the actual build tool is run underneath, test fixtures now require a valid Go program. If there is no Go code, the underlying build tool will find that there are no imports and thus no dependencies. Furthermore, the dependency on the build tool means that the analyzer images must now have a valid Go toolchain installed. A fully installed Go toolchain is around 400MB, which would be a huge increase in the size of the images. To cut back on this, the packages are not installed during image creation. Instead, they are installed at runtime, configured via shell runtime configuration scripts, e.g. ~/.bashrc. This technique cuts the image addition down to 100MB, a lot smaller than the original 400MB.
To summarize, the following images were updated to use the new Go parser:
- gemnasium:3
- gemnasium:3-fips
- sbomgen-golang
- sbomgen-golang:3-fips
On my machine they increased the size of the images by around 110MB, but this will most likely be even smaller once they have been built by the runner and stored in the container registry.
What are the relevant issue numbers?
See gitlab-org/gitlab#321081 (closed).
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer