Update go detection docs (#28)
* Update go.md

* Update docs/detectors/go.md

Co-authored-by: Greg Villicana <[email protected]>

Co-authored-by: Greg Villicana <[email protected]>
tevoinea and grvillic authored Dec 21, 2021
1 parent 70c149c commit c13e1d1
Showing 1 changed file with 15 additions and 11 deletions.
26 changes: 15 additions & 11 deletions docs/detectors/go.md
@@ -4,31 +4,35 @@

Go detection depends on the following to successfully run:

- Go v1.11+.
- `go.mod` or `go.sum` files

## Detection strategy

Go detection is performed by parsing output from executing `go mod graph`.
Full dependency graph generation is supported if Go v1.11+ is present on the build agent.
If no Go v1.11+ is present, a fallback detection strategy is performed, dependent on:

- One or more `go.mod` or `go.sum` files.

For the fallback strategy:

Go detection is performed by parsing any `go.mod` or `go.sum` found under the scan directory.

Only root dependency information is generated instead of full graph.
I.e. tags the top level component or explicit dependency a given transitive dependency was brought by.
Given a dependency tree A -> B -> C, C's root dependency is A.

### Improved detection accuracy via opt-in

**To enable improved detection accuracy, create an environment variable named `EnableGoCliScan` with any value.**

Improved go detection depends on the following to successfully run:

- Go v1.11+.

Go detection is performed by parsing output from executing `go mod graph`.
Full dependency graph generation is supported if Go v1.11+ is present on the build agent.
If no Go v1.11+ is present, fallback detection strategy is performed.

As we validate this opt-in behavior, we will eventually graduate it to the default detection strategy.

## Known limitations

Dev dependency tagging is not supported.

Go detection will fallback if no Go v1.11+ is present.
If executing `go mod graph` takes too long (currently if it takes more than 10 seconds), go detection will fall back.
This can happen if modules are not restored before the scan.

Due to the nature of `go.sum` containing references for all dependencies, including historical, no-longer-needed dependencies; the fallback strategy can result in over detection.
Executing `go mod tidy` before detection via fallback is encouraged.
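Review bot: the new opt-in section ("Improved detection accuracy via opt-in") ends with "If no Go v1.11+ is present, fallback detection strategy is performed." without saying which strategy that is or what the reader loses; since the fallback (parsing `go.mod`/`go.sum`, root-dependency tagging only, possible over-detection from stale `go.sum` entries) is described earlier in the same file, suggest "the fallback detection strategy described above is performed" so the two paths are explicitly linked, and note there that the fallback also triggers on the 10-second `go mod graph` timeout mentioned under "Known limitations", otherwise a reader enabling `EnableGoCliScan` will not realize a slow or un-restored module cache silently degrades results. Minor wording in the same region: "Go detection will fallback if no Go v1.11+ is present." should read "fall back" (verb), "Only root dependency information is generated instead of full graph. I.e. tags the top level component or explicit dependency a given transitive dependency was brought by." reads awkwardly and could be "Only root dependency information is generated instead of the full graph, i.e. each transitive dependency is tagged with the top-level (explicit) dependency that brought it in.", and the semicolon in "including historical, no-longer-needed dependencies; the fallback strategy" should be a comma. Finally, "create an environment variable named `EnableGoCliScan` with any value" is worth a sentence stating that this causes the detector to execute the `go` binary found on the build agent, so the agent's Go toolchain becomes part of what the scan runs.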
