
Draft: Add go.mod dependency resolver [gemnasium only]

Oscar Tovar requested to merge fix-go-module-resolution-false-positives into master

What does this MR do?

This MR adds a Go builder that resolves a Go project's imported dependencies. It leverages the golang.org/x/tools/go/packages functionality to run the Go build tool and load the list of packages required for the main module to be built. This list of packages is then utilized to build the list of modules in use, i.e. every package's module is parsed and de-duplicated.

Since the actual build tool is run underneath, fixtures for tests now require a valid Go program. If there is no Go code, then the underlying build tool will verify that there are no imports and thus no dependencies. Furthermore, the dependency on the build tool means that the analyzer images now must have a valid Go toolchain installed. A fully installed Go toolchain is around 400MB, which would be a huge increase to the size of the images. To cut back on this, the packages are not installed during the image creation. Instead, they are installed at runtime and configured to do so via shell runtime configuration scripts, e.g. ~/.bashrc. This technique cuts down the image addition to 100MB, which is a lot smaller than the original 400MB.

To summarize, the following images were updated to utilize the new Go parser.

  • gemnasium:3
  • gemnasium:3-fips
  • sbomgen-golang
  • sbomgen-golang:3-fips

On my machine they increased the size of the images by around 110MB but this will most likely be even smaller once it has been built by the runner and stored in the container registry.
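The module-resolution step the MR describes (take each loaded package's module, then de-duplicate) as an added example, not the MR's own code. It uses hypothetical stand-in `Module`/`Package` types shaped like the go/packages ones so it runs offline without a toolchain; in the real resolver the input would come from `packages.Load`.

```go
package main

import "sort"

// Module and Package mirror only the packages.Module / packages.Package fields
// needed here (hypothetical reduced shapes, not the real x/tools types).
type Module struct {
	Path, Version string
	Main          bool
	Replace       *Module // set when a replace directive redirects this module
}
type Package struct {
	PkgPath string
	Module  *Module // nil for standard-library packages
}

// ResolveModules maps each loaded package to its module, follows replace
// directives, drops the main module and stdlib, and de-duplicates.
func ResolveModules(pkgs []*Package) []string {
	seen := map[string]bool{}
	for _, p := range pkgs {
		m := p.Module
		if m == nil || m.Main {
			continue // stdlib package or the module being built
		}
		if m.Replace != nil {
			m = m.Replace // report what actually gets built
		}
		seen[m.Path+"@"+m.Version] = true
	}
	mods := make([]string, 0, len(seen))
	for k := range seen {
		mods = append(mods, k)
	}
	sort.Strings(mods)
	return mods
}

// SamplePackages is constructed input standing in for packages.Load output:
// main module, a stdlib package, two packages of one module, one replaced module.
func SamplePackages() []*Package {
	root := &Module{Path: "example.com/app", Main: true}
	yaml := &Module{Path: "gopkg.in/yaml.v2", Version: "v2.4.0"}
	old := &Module{Path: "example.com/old", Version: "v1.0.0", Replace: &Module{Path: "example.com/fork", Version: "v1.1.0"}}
	return []*Package{
		{PkgPath: "example.com/app", Module: root},
		{PkgPath: "fmt"},
		{PkgPath: "gopkg.in/yaml.v2", Module: yaml},
		{PkgPath: "gopkg.in/yaml.v2/internal", Module: yaml},
		{PkgPath: "example.com/old/pkg", Module: old},
	}
}
```

Two packages of the same module collapse to one entry, the replaced module is reported under its replacement, and the main module and `fmt` are left out.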

What are the relevant issue numbers?

See gitlab-org/gitlab#321081 (closed).

Does this MR meet the acceptance criteria?

Edited by Oscar Tovar
