Go - Go Modules, Go Dep, Bazel
This section provides a breakdown of the file formats and features supported in Go.
OpenText Core SCA supports tracking Go dependencies through:
Go Modules, using go.mod files
Go Dep, using gopkg.lok files
Bazel, using WORKSPACE files
Go Modules
OpenText Core SCA supports tracking Go dependencies using the Go Modules dependency management system and its associated go.mod file. To achieve the fastest and most accurate results, it is necessary to create a file containing the resolved dependency tree, .gomod.debricked.lock, before scanning.
This can be done using the High Performance Scans technology in OpenText Core SCA CLI. If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended go.lock files and generates them as needed.
You can manually generate the recommended file(s) by running go mod graph followed by go list -m all, and storing the outputs separated by two new lines between the sections in the gomod.debricked.lock file.
printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > gomod.debricked.lockEvery gomod.debricked.lock must be put in the same directory as the corresponding go.mod.
OpenText Core SCA recommends running go mod tidy to clean up unused modules before pushing the go.mod files, ensuring more accurate service results.
Bazel
OpenText Core SCA supports Go projects that utilize Bazel, scanning the WORKSPACE file format alongside any Go file formats in use. Although Bazel does not have native support for Go, support can be added using Gazelle.
Go Dep
Go Dep and its associated file Gopkg.lock is deprecated and will not get any improvements present in other formats, such as Go Modules.
Supported file formats and features
Bazel
WORKSPACE
-
Bazel
install.json
Yes*
Go Modules
go.mod
Yes
Go Dep
gopkg.lock
Yes*
*This is a native lock file format. Native lock file formats are the fastest formats to scan.
Last updated
Was this helpful?