Go is becoming one of the world’s fastest-growing software languages. To keep increasing my skill set as a developer I started learning Go a few months ago. Here is a snapshot of my journey and some insights I learned along the way.
Dependency Management
Learning a new language can be overwhelming, so I decided to start with the basics: dependency management. Since version 1.11, Go supports modules, a feature that makes dependency version information explicit and easier to maintain.
Go module
A module is a collection of Go packages stored in a file tree with a go.mod file at its root. The go.mod file defines the module's module path, which is also the import path used for the root directory, and its dependency requirements, which are the other modules needed for a successful build. Each dependency requirement is written as a module path and a specific semantic version.
Let’s start with a simple example: hello world. In this example the go.mod file will look like the following:
module "rsc.io/hello"
require "rsc.io/quote" v1.5.1
After a simple go run and go build we have a basic hello world, but let's try to make it a bit more complicated by adding YAML support. To do this we add the following requirement to go.mod (I found that version 2.2.7 is recommended), so let's give it a go:
require gopkg.in/yaml.v2 v2.2.7
Then I figured out that I had used a vulnerable package, and I found GoCenter, which provided me an amazing way to better understand Go packages. GoCenter has the following features:
Proxy my dependencies
First, we can use GoCenter as a GOPROXY so that all module download requests are redirected to GoCenter, which can be faster than fetching directly from the VCS.
To set GOPROXY, use the following commands:
For macOS and Linux:
export GOPROXY=https://gocenter.io
For Windows:
set GOPROXY=https://gocenter.io
For PowerShell:
$env:GOPROXY="https://gocenter.io"
Protect your binaries
I've tried to learn a bit more about the yaml package, and this is how it looks on GoCenter:
First I found out that my version is vulnerable and is affected by CVE-2019-11254, as in the following:
I also noticed the feature that scans the dependencies in a go.mod file held by GoCenter and identifies every vulnerability. Under the Dependencies tab we get detailed information about vulnerable components at every level of the dependency tree; once we click on the orange triangle we are forwarded to the package and can check its vulnerability page, like the following example of
Learn more about your packages
So I clicked on the Versions tab and saw that version 2.2.8 contains a fix, so I upgraded to the latest version, 2.4.0; it now seems they have added some documentation and examples:
I love metrics. GoCenter's metrics are colorful and provide a lot of information in a great visual way, so I can easily see that the package has a lot of downloads and 37 contributors:
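The dependency scan described above (spotting yaml.v2 v2.2.7 as affected by CVE-2019-11254, and seeing that v2.2.8 fixes it) can be reproduced locally in a few lines. This is an added example, not GoCenter's or this blog's code: it parses the require lines of a go.mod file and checks each version against a constructed advisory table that contains only the page's yaml.v2 entry; the semver comparison assumes plain release versions.

```go
package main
import (
	"fmt"
	"strings"
)
// Constructed advisory table (module -> {ID, first fixed version}) built from the page's facts: yaml.v2 below v2.2.8 carries CVE-2019-11254.
var advisories = map[string][2]string{
	"gopkg.in/yaml.v2": {"CVE-2019-11254", "v2.2.8"},
}
// ParseRequires reads module/version pairs from go.mod text: single-line
// `require x v1`, `require ( ... )` blocks, and quoted module paths.
func ParseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strip comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case inBlock && f[0] == ")":
			inBlock = false
		case f[0] == "require" && len(f) >= 3:
			reqs[strings.Trim(f[1], `"`)] = f[2]
		case inBlock && len(f) >= 2:
			reqs[strings.Trim(f[0], `"`)] = f[1]
		}
	}
	return reqs
}
// semverLess reports a < b for vMAJOR.MINOR.PATCH (assumption: release versions; suffixes ignored).
func semverLess(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}
// Scan returns one finding per requirement whose version predates the fix.
func Scan(gomod string) []string {
	var findings []string
	for mod, ver := range ParseRequires(gomod) {
		if adv, ok := advisories[mod]; ok && semverLess(ver, adv[1]) {
			findings = append(findings, fmt.Sprintf("%s %s: %s (fixed in %s)", mod, ver, adv[0], adv[1]))
		}
	}
	return findings
}
func main() { fmt.Println(Scan("module rsc.io/hello\nrequire gopkg.in/yaml.v2 v2.2.7\n")) }
```

Running it against the post's go.mod reports the v2.2.7 finding; after the upgrade to v2.4.0 the scan comes back empty.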
Advanced mode: private GOPROXY
Another advantage for developers is the ability to improve our resolution time by integrating our JFrog Artifactory server and creating a private Go repository. We want a private Go repository so that we pull from a virtual repository that aggregates a remote repository pointing to GoCenter and a local repository holding our own project. A benefit of this method is that we don't need to manage Artifactory ourselves; we can just use the SaaS version, which is free but limited.
Conclusion
To sum it all up, as I keep learning to write Go I will continue to use GoCenter as a proxy for my dependencies, for vulnerability scanning of my binaries, for version control of my packages, and for beautiful metrics that give me a great visualization of the data.