Go
Analyze Go projects with FOSSA via Go Modules, Dep, Govendor, Gopkg, or Glide, through Quick Import or the FOSSA CLI.
Overview
FOSSA supports Go codebases through Go Modules, Dep, Govendor, Gopkg, and Glide. You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI.
Historically, the Go build-tool ecosystem has been very fragmented: tools like Dep, Glide, and Govendor each tried to address build reproducibility, versioning, and vendoring of dependencies. As of Go 1.11, Go has first-class support for modules, which solves the versioning and build-reproducibility problems so well that the other tooling has largely gone into maintenance mode, with the notable exception of Dep. As such, Go analysis primarily targets Go 1.11+ modules and Dep, with Glide support included because it is still commonly used.
Tool support
| Tool |
|---|
| Go modules |
| Dep |
| Govendor |
| Gopkg |
| Glide |
How Quick Import works
When Go code is imported through the web app, FOSSA inspects the supported manifest and lockfiles in your repository and resolves their dependencies for analysis.
Note
If a Go dependency refers to a Git repository, it may be displayed as a Git project in FOSSA. When that happens, FOSSA may show the commit hash as the version and the Git repository URL as the package name.
Analyzing with the CLI
Install the latest release of fossa-cli:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bashThen run fossa analyze from your repository's root directory to analyze your Go project.
The CLI selects a strategy per project. Most strategies (except gomod, where it would be redundant since golist supersedes it) use go list -json all to hydrate edges and transitive dependencies: package imports are recursively traversed, ignoring Standard (system) packages. go list behaves slightly differently depending on context, in a Go modules project, packages can carry a Module field with a pinned Version (otherwise the version is unspecified), and go list includes vendored packages in both modules and non-modules projects.
Analysis strategies
| Strategy | Direct Deps | Transitive Deps | Edges | Container Scanning |
|---|---|---|---|---|
| golist | ✅ | ✅ | ⚠️ | ❌ |
| gomod | ✅ | ❌ | ⚠️ | ❌ |
| gopkglock | ✅ | ✅ | ⚠️ | ❌ |
| gopkgtoml | ✅ | ⚠️ | ⚠️ | ❌ |
| glide | ✅ | ✅ | ❌ | ✅ |
- ✅, Supported
- ⚠️, Partially supported (see the linked strategy reference for details)
- ❌, Not supported
Authenticating to private registries
If you use a private Go module proxy, configure FOSSA so it can access your modules during analysis.
- 1
Open Go language settings
Go to Account Settings → Languages → Go (
https://app.fossa.com/account/settings/languages/go). - 2
Add your proxy
Under Private Proxies, add the proxy URL and, if required, the username and password FOSSA should use to reach it, then save.
Package data
FOSSA resolves Go dependencies from the supported manifest and lockfiles. If a Go dependency refers to a Git repository, it may be reported as a Git project, showing the commit hash as the version and the Git repository URL as the package name.