Resolving dependencies
OpenText SAST supports two dependency management systems built into Go:
Modules
To translate a Go project that uses modules, the project must include a go.mod file that specifies the required dependencies, and a corresponding go.sum file for verifying downloaded dependencies. Specify the directory that contains the go.mod file as the project root in the sourceanalyzer command.
OpenText SAST downloads all required dependencies using the native Go toolchain. If access to the internet is restricted on the machine where you run OpenText SAST, then do one of the following:
If you are using an artifact management system such as Artifactory, set the GOPROXY environment variable or use the -goproxy option described in Go Command-Line Options.
Download all required dependencies using modules and vendoring.
If you use manual vendoring, set the GOFLAGS environment variable to -mod=vendor before you start the translation.
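The following shell function is an added example, not part of the OpenText documentation. It checks a project root before translation for the conditions described above: go.mod and go.sum present, then either a vendor tree when GOFLAGS contains -mod=vendor or a GOPROXY setting. The function name, its output words, and the vendor/modules.txt check are assumptions of this example.

```shell
# Added example, not OpenText code. preflight_go_modules DIR prints how the
# Go toolchain will resolve dependencies for the module rooted at DIR and
# returns non-zero when the translation cannot resolve them.
preflight_go_modules() {
    root=$1

    # go.mod lists the required dependencies; go.sum verifies the downloads.
    [ -f "$root/go.mod" ] || { echo "missing-go.mod"; return 1; }
    [ -f "$root/go.sum" ] || { echo "missing-go.sum"; return 1; }

    # GOFLAGS is a space-separated flag list; look for -mod=vendor in it.
    case " ${GOFLAGS:-} " in
        *" -mod=vendor "*)
            # Assumption: the vendor tree was produced by `go mod vendor`,
            # which writes vendor/modules.txt.
            [ -f "$root/vendor/modules.txt" ] || { echo "vendor-dir-missing"; return 1; }
            echo "vendor"
            return 0
            ;;
    esac

    # Without vendoring the toolchain downloads modules through GOPROXY.
    case "${GOPROXY:-}" in
        off) echo "downloads-disabled"; return 1 ;;
        "")  echo "default-proxy" ;;   # Go's default proxy: needs internet access
        *)   echo "proxy" ;;           # e.g. an internal Artifactory Go repository
    esac
    return 0
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    preflight_go_modules "$1"
fi
```

A result of default-proxy on a machine with restricted internet access means the download step will fail unless GOPROXY or vendoring is configured first.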
GOPATH dependency resolution
If you are using a third-party dependency management system such as dep, you must download all dependencies before you start the translation.
The GOPATH development mode identifies dependencies using the absolute path on the local file system, which can cause problems when correlating scans from different subdirectories or on different machines.