Go
Go or Golang is a software development programming language widely used by developers. Endor Labs supports scanning and monitoring of Go projects.
Using Endor Labs, developers can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
Scan Go projects
To successfully scan your repositories for Go:
Install software prerequisites
Make sure that you have Go 1.12 or higher versions.
Build Go projects
You must build your Go projects before running the scan. Additionally, ensure that the packages are downloaded into the local package caches and that go.mod file well formed and is available in the standard location.
To ensure that your go.mod file is well formed, run the following command:
go mod tidy
go get ./
This removes any dependencies that are not required by your project and ensures to resolve the dependencies without errors.
Run a scan
Use the following options to scan your repositories. Perform the endorctl scan after building the projects.
Option 1 - Quick scan
Perform a quick scan to get quick visibility into your software composition. This scan will not perform reachability analysis to help you prioritize vulnerabilities.
endorctl scan --quick-scan
You can perform the scan from within the root directory of the git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan --quick-scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Option 2 - Deep scan
Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully.
endorctl scan
Use the following flags to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Understand the scan process
Endor Labs resolves your Golang-based dependencies by leveraging built-in Go commands to replicate the way a package manager would install your dependencies.
To discover package names for Go packages Endor Labs uses the command:
go list -e -mod readonly -json -m
To analyze the dependency graph of your package Endor Labs uses the command:
go list -e -deps -json -mod readonly all
To assess external dependencies, specifically third-party packages or libraries that your Go project relies on, Endor Labs uses the command:
go list -e -deps -json -mod vendor all
These commands allow us to assess packages’ unresolved dependencies, analyze the dependency tree, and resolve dependencies for your Go projects.
Known Limitations
Endor Labs creates go.mod files for you when projects do not have a go.mod file. This can lead to inconsistencies with the actual package created over time and across versions of the dependencies.
Troubleshoot errors
Here are a few error scenarios that you can check for and attempt to resolve them.
-
Host system check failure errors:
- Go is not installed or not present in the PATH environment variable. Install Go and try again.
- The installed version of Go is lower than 1.12. Install Go version 1.12 or higher and try again.
-
Resolved dependency errors:
- A version of a dependency does not exist or it cannot be found. It may have been removed from the repository.
- If the go.mod file is not well-formed then dependency resolution may return errors. Run
go mod tidyand try again.
-
Call graph errors:
These errors often mean the project will not build. Please ensure any generated code is in place and verify that
go build ./...runs successfully.
Feedback
Was this page helpful? Send your feedback to support@endor.ai