This PR introduces support for a new ecosystem in guarddog: Golang.
To limit the dependency on external toolchains, I chose not to use the go binary to perform go get or go list operations. This came with a couple of caveats I left as TODOs in the code:
- no current support for private repos: I found this reasonable anyway as guarddog focuses on preventing supply chain attacks from publicly accessible packages
- no real dependency resolution: I implemented a basic algorithm which parses a go.mod file to extract all require statements and inspect those modules. We should implement the actual MVS algorithm to actually resolve the build list correctly.
In order to test this new addition, I simply extended the shady-links semgrep rule to Golang. We can then later think of additional heuristics specific to Go.
Testing
I added tests for the two new scanners added in this PR.
One can test the new feature with:
$ guarddog --log-level debug go scan github.com/aws/aws-sdk-go-v2
$ guarddog --log-level debug go scan github.com/aws/aws-sdk-go-v2 --version v1.30.3
$ guarddog --log-level debug go verify ~/dd/KubeHound/go.mod # you first wanna make sure you cloned the https://github.com/DataDog/KubeHound repo
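A minimal version of the require-extraction step the PR describes, written here as an added example rather than guarddog's own code: it walks a constructed go.mod, collects modules from both single-line and block `require` directives, and keeps `// indirect` entries, since without MVS resolution every listed module is a candidate for scanning. Module names and versions other than the aws-sdk-go-v2 one from the PR are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    path: str
    version: str
    indirect: bool


def parse_go_mod_requires(text: str) -> list[Requirement]:
    """Return every module named in a go.mod `require` directive.

    Handles `require path vX.Y.Z` and `require ( ... )` blocks; other
    directives (module, go, replace, exclude) are ignored.
    """
    reqs: list[Requirement] = []
    in_block = False
    for raw in text.splitlines():
        # Strip a trailing `// ...` comment; `// indirect` is recorded, not dropped.
        code, _, comment = raw.partition("//")
        code = code.strip()
        indirect = "indirect" in comment
        if not code:
            continue
        if in_block:
            if code == ")":
                in_block = False
                continue
            parts = code.split()
            if len(parts) >= 2:
                reqs.append(Requirement(parts[0], parts[1], indirect))
        elif code == "require (":
            in_block = True
        elif code.startswith("require "):
            parts = code.split()
            if len(parts) >= 3:
                reqs.append(Requirement(parts[1], parts[2], indirect))
    return reqs


# Constructed sample go.mod (only aws-sdk-go-v2 v1.30.3 comes from the PR text).
SAMPLE_GO_MOD = """\
module example.com/demo

go 1.22

require github.com/aws/aws-sdk-go-v2 v1.30.3

require (
    github.com/example/lib v0.4.0
    golang.org/x/example v0.1.0 // indirect
)

replace golang.org/x/example => ./local/example
"""
```

Note that the `replace` directive is deliberately ignored: the scanner inspects what the module declares it requires, which is exactly the gap the MVS TODO is about.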