
[SINT-2119] Support Go ecosystem #413

Merged
merged 10 commits into from
Jul 17, 2024

Conversation

juliendoutre

@juliendoutre juliendoutre commented Jul 10, 2024

Purpose

This PR introduces support for a new ecosystem in guarddog: Golang.

To limit the dependency on external toolchains, I chose not to use the go binary to perform go get or go list operations. This came with a couple of caveats I left as TODOs in the code:

  • no current support for private repos: I found this reasonable anyway as guarddog focuses on preventing supply chain attacks from publicly accessible packages
  • no real dependency resolution: I implemented a basic algorithm which parses a go.mod file to extract all require statements and inspect those modules. We should implement the actual MVS algorithm to actually resolve the build list correctly.

In order to test this new addition, I simply extended the shady-links semgrep rule to Golang. We can then later think of additional heuristics specific to Go.

Testing

I added tests for the two new scanners added in this PR.

One can test the new feature with:

$ guarddog --log-level debug go scan github.com/aws/aws-sdk-go-v2
$ guarddog --log-level debug go scan github.com/aws/aws-sdk-go-v2 --version v1.30.3
$ guarddog --log-level debug go verify ~/dd/KubeHound/go.mod # you first want to make sure you cloned the https://github.com/DataDog/KubeHound repo
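The "basic algorithm" described above (walk a go.mod, collect every module named in a require statement, no MVS resolution) can be illustrated in a few lines. This is an added example, not guarddog's own code; the go.mod content is constructed for the demo and the module paths other than aws-sdk-go-v2 are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample go.mod: one single-line require, one require block
# with an indirect dependency, and an exclude that must NOT be scanned.
SAMPLE_GO_MOD = """\
module github.com/example/app

go 1.22

require github.com/aws/aws-sdk-go-v2 v1.30.3

require (
\tgithub.com/example/smithy-like v1.20.3
\tgolang.org/x/mod v0.19.0 // indirect
)

exclude golang.org/x/mod v0.18.0
"""


@dataclass(frozen=True)
class Requirement:
    path: str
    version: str
    indirect: bool


def parse_requires(text: str) -> list[Requirement]:
    """Return every module listed in `require` statements, in file order.

    Handles the one-line form (`require path version`) and the block form
    (`require ( ... )`). `// indirect` is kept as a flag rather than dropped:
    an indirect module still ends up in the build and still deserves a scan.
    This deliberately does not resolve versions across the module graph (no
    MVS), mirroring the caveat noted in the PR description.
    """
    reqs: list[Requirement] = []
    in_block = False
    for raw in text.splitlines():
        code, _, comment = raw.partition("//")  # strip trailing comment
        fields = code.split()
        indirect = comment.strip().startswith("indirect")
        if in_block:
            if fields and fields[0] == ")":
                in_block = False
            elif len(fields) == 2:
                reqs.append(Requirement(fields[0], fields[1], indirect))
            continue
        if not fields or fields[0] != "require":
            continue  # module, go, exclude, replace, ... are ignored
        if len(fields) == 2 and fields[1] == "(":
            in_block = True
        elif len(fields) == 3:
            reqs.append(Requirement(fields[1], fields[2], indirect))
    return reqs
```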

@juliendoutre juliendoutre force-pushed the julien.doutre/go-support branch from 8db1e5b to 0a3ec93 July 11, 2024 15:18
@juliendoutre juliendoutre marked this pull request as ready for review July 11, 2024 15:21
@juliendoutre juliendoutre requested a review from sobregosodd July 17, 2024 10:55

@sobregosodd sobregosodd left a comment


left out some comments

@juliendoutre juliendoutre requested a review from sobregosodd July 17, 2024 14:47

@sobregosodd sobregosodd left a comment


there are a couple of nits

@juliendoutre juliendoutre requested a review from sobregosodd July 17, 2024 15:11
@juliendoutre juliendoutre merged commit 404f3e6 into DataDog:main Jul 17, 2024
10 checks passed
@juliendoutre juliendoutre deleted the julien.doutre/go-support branch July 17, 2024 15:59