Go command-line syntax
For the best results, your project must be compilable and you must have all required dependencies available.
The following entities are excluded from the translation (and the scan):
Vendor folder
All projects defined by any
go.modfiles in subfolders, except the project defined by thego.modfile under the %PROJECT_ROOT%All files with the
_test.gosuffix (unit tests)
The basic command-line syntax to translate Go code is:
sourceanalyzer -b <build_id> [-gopath <dir>] [-goroot <dir>] <files>
For best results, OpenText recommends that you use Go modules for all Go projects and translate the Go code one module at a time. Ensure that the values for the <files> parameter for the sourceanalyzer command are in the directory that contains the go.mod file. This is the same directory where you run the go build command to build the project. If the project consists of more than one module, you can run the sourceanalyzer command multiple times with the same <build_id> value to tie the translation results for all modules together.
Use of the GOPATH development mode for builds is still supported but be aware that this can cause problems if you are trying to compare two scans in tools such as Fortify Audit Workbench or Fortify Software Security Center. Without a go.mod file to define a fixed identifier path for the module, the Go language system identifies each module by its absolute path on the local file system. Therefore, two scans of the same module from different subdirectories or on different machines produce different module identifiers, which prevents matching issues from correlating properly across the two scans. The GOPATH development mode is deprecated for the Go compiler and SDK and will be removed in a future Go 1.xx release.