Support Go in Dependency Scanning (alpha, because the scanner is viable but results/findings are limited)
Problem to solve
Users of Go, including ourselves, would like to monitor their dependencies (specific libraries) for vulnerabilities.
Now that we have started ingesting Go vulnerabilities (see the related MR and issue), we can do an MVC and test this out.
Note: this implementation will only be for projects that use Go modules. Detection of whether a project is supported will be contingent on a go.sum
file being present.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Further details
Proposal
Add MVC Dependency Scanning support for the Go language, and get feedback (dogfooding and customers) as we work to ingest more Go findings.
To be clear: NO feature flag, and it should be available to all dot-com and self-hosted users. This is alpha only because of the volume of findable results, not because of the scanner, and we should get people using the scanner (but our docs should indicate that the database behind it currently contains a low number of vulnerabilities, that we are working to increase that, and that we recommend people start running it as soon as possible, since they will automatically get more findings with each release).
Implementation plan
- add go.sum parser to gemnasium: gitlab-org/security-products/analyzers/gemnasium!57 (merged)
- update go-modules test project with DS support: gitlab-org/security-products/tests/go-modules!9 (merged)
- update CI template for dependency-scanning to scan Go projects: !22712 (merged)
- update docs to document Go support (note: alpha): !22806 (merged)
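The two mechanics this plan relies on are the go.sum-based support check and a go.sum parser feeding the analyzer. The following is an added illustration written for this page, not gemnasium's own code: it detects support by the presence of a go.sum file, parses the `module version h1:hash` lines into a deduplicated dependency list, and flags modules that appear only through `/go.mod` lines (the sample go.sum content and its hash values are constructed placeholders).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Dependency is one module/version pair recorded in go.sum.
type Dependency struct {
	Module  string
	Version string
	// SourceHash is true when go.sum holds a hash of the module's source tree.
	// Modules that appear only on "/go.mod" lines were consulted for version
	// resolution and may not actually be compiled into the project, so a finding
	// against them deserves a second look before it is treated as reachable.
	SourceHash bool
}

// ProjectSupported applies the detection rule from this issue: a project is
// eligible for Go Dependency Scanning when a regular go.sum file is present.
func ProjectSupported(dir string) bool {
	info, err := os.Stat(filepath.Join(dir, "go.sum"))
	return err == nil && info.Mode().IsRegular()
}

// ParseGoSum parses go.sum content. Every non-empty line has the shape
// "module version h1:hash", where version may carry a "/go.mod" suffix.
// Both line kinds for the same module/version are folded into one entry;
// the result is sorted so output is deterministic.
func ParseGoSum(content string) ([]Dependency, error) {
	type key struct{ module, version string }
	sourceSeen := make(map[key]bool)
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("go.sum line %d: expected 3 fields, got %d", lineNo, len(fields))
		}
		if !strings.HasPrefix(fields[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: unsupported hash algorithm in %q", lineNo, fields[2])
		}
		modOnly := strings.HasSuffix(fields[1], "/go.mod")
		version := strings.TrimSuffix(fields[1], "/go.mod")
		if !strings.HasPrefix(version, "v") {
			return nil, fmt.Errorf("go.sum line %d: malformed version %q", lineNo, fields[1])
		}
		k := key{fields[0], version}
		// A source-tree hash on any line marks the dependency as built.
		sourceSeen[k] = sourceSeen[k] || !modOnly
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	deps := make([]Dependency, 0, len(sourceSeen))
	for k, src := range sourceSeen {
		deps = append(deps, Dependency{Module: k.module, Version: k.version, SourceHash: src})
	}
	sort.Slice(deps, func(i, j int) bool {
		if deps[i].Module != deps[j].Module {
			return deps[i].Module < deps[j].Module
		}
		return deps[i].Version < deps[j].Version
	})
	return deps, nil
}

// sampleGoSum is constructed input for this example; the hashes are placeholders.
const sampleGoSum = `
github.com/stretchr/testify v1.4.0 h1:PLACEHOLDERSOURCEHASH0000000000000000000000=
github.com/stretchr/testify v1.4.0/go.mod h1:PLACEHOLDERGOMODHASH00000000000000000000000=
golang.org/x/text v0.3.0/go.mod h1:PLACEHOLDERGOMODHASH11111111111111111111111=
`

func main() {
	deps, err := ParseGoSum(sampleGoSum)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, d := range deps {
		fmt.Printf("%s %s (source hash recorded: %v)\n", d.Module, d.Version, d.SourceHash)
	}
}
```

One caveat worth keeping in mind when reading results from a go.sum-driven scan: go.sum accumulates hashes for every module version the go command has ever verified for the project, including versions no longer required by go.mod, so findings should be cross-checked against the current module graph (`go list -m all`) before being treated as confirmed.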
Permissions and Security
no changes, same as current dependency scanning
Documentation
BE CLEAR IT'S ALPHA & WE NEED FEEDBACK
Testing
- Create test project
- Dogfood
What does success look like, and how can we measure that?
Users will enable dependency scanning for Go projects.
What is the type of buyer?
Links / references