How to scan Go via Jenkins plugin?

Hi,

I’m trying to scan a Go project, but the report is empty when I use the Jenkins plugin. It works when I send the go.sum via CLI (Example below).

I tried compressing the go.sum to zip/tar/gz, sending the $WORKSPACE directory, and sending just the go.sum file. None of it has worked with the Jenkins plugin, only via the CLI.

The project that I’m trying to scan is:

Jenkins plugin version: 3.5.20190425-152158.c63841b
IQ Server version: 65
Go version: 1.11+

CLI example

go mod init ; go generate
java -jar /opt/nexus-iq-cli-1.64.0-02.jar -i mosquitto-exporter -a user:pass -r result.json -s http://my_iqa_server -t build go.sum

The stage on Jenkinsfile

  stage('Nexus Policy Evaluation') {
    steps {
      script {
        sh 'apk add --no-cache git'
        sh 'go mod init ; go generate'
        policyEvaluationResult = nexusPolicyEvaluation advancedProperties: '', failBuildOnNetworkError: false, iqScanPatterns: [[scanPattern: 'go.sum']], iqApplication: selectedApplication('${JOB_NAME}'), iqStage: 'build', jobCredentialsId: ''
      }
    }
  }

go.sum content

github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a h1:BtpsbiV638WQZwhA98cEZw2BsbnQJrbd0BI7tsy0W1c=
github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/codegangsta/cli v0.0.0-20170813145949-f017f86fccc5 h1:LpAoi9GIG1M0jq6UxZcEmq8oa1CYDAFQRVgCoQM1n/U=
github.com/codegangsta/cli v0.0.0-20170813145949-f017f86fccc5/go.mod h1:/qJNoX69yVSKu5o4jLyXAENLRyk1uhi7zkbQ3slBdOA=
github.com/eclipse/paho.mqtt.golang v0.0.0-20161224122424-d4f545eb108a h1:ttXLGATxgHU7O/h8YvrNH9Sn85Uho+LYFesOf3ImstQ=
github.com/eclipse/paho.mqtt.golang v0.0.0-20161224122424-d4f545eb108a/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts=
github.com/golang/protobuf v0.0.0-20161117033126-8ee79997227b h1:fE/yi9pibxGEc0gSJuEShcsBXE2d5FW3OudsjE9tKzQ=
github.com/golang/protobuf v0.0.0-20161117033126-8ee79997227b/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/prometheus/client_golang v0.0.0-20170215133833-9c2f7254672d h1:o9cIWJbnycHLMqWxqnuW5c8leDT/zZ5zU6/FbSeYUdA=
github.com/prometheus/client_golang v0.0.0-20170215133833-9c2f7254672d/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_model v0.0.0-20150212101744-fa8ad6fec335 h1:0E/5GnGmzoDCtmzTycjGDWW33H0UBmAhR0h+FC8hWLs=
github.com/prometheus/client_model v0.0.0-20150212101744-fa8ad6fec335/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/common v0.0.0-20170108231212-dd2f054febf4 h1:bZG2YNnM/Fjd3kiqaVt13Apkhzz24wBKlxQ+URiggXk=
github.com/prometheus/common v0.0.0-20170108231212-dd2f054febf4/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/procfs v0.0.0-20170214153519-a59ae619c824 h1:nP0sicy3rqHugXF1JJl741OgSrRv9hvcWWI9+En30Cs=
github.com/prometheus/procfs v0.0.0-20170214153519-a59ae619c824/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
golang.org/x/net v0.0.0-20170215215908-b4690f45fa1c h1:DuTCdWTd8H8O5/OqPagh8oJ+SsSKysj5xB6N0vtFfgQ=
golang.org/x/net v0.0.0-20170215215908-b4690f45fa1c/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

Thanks,

Matheus Lozano
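
Added example (not part of the original posts and not Sonatype code): an empty report like the one described above is easy to miss in a pipeline, so this sketch lists the modules a go.sum declares, giving a baseline to compare the report against. The names `ParseGoSum`, `ParseGoSumFile` and `sample` are hypothetical, and the sample entry is constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

const sample = "example.com/a v1.0.0 h1:AAAA=\nexample.com/a v1.0.0/go.mod h1:BBBB=\n" // constructed

// ParseGoSum returns the unique "module@version" entries of a go.sum, in file order.
func ParseGoSum(data string) (mods []string, err error) {
	seen := map[string]bool{}
	for i, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue // blank line
		}
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("line %d: not a go.sum entry", i+1)
		}
		key := f[0] + "@" + strings.TrimSuffix(f[1], "/go.mod") // zip and go.mod lines share a key
		if !seen[key] {
			seen[key] = true
			mods = append(mods, key)
		}
	}
	return mods, nil
}

func ParseGoSumFile(path string) ([]string, error) {
	raw, err := os.ReadFile(path) // e.g. the go.sum in the Jenkins workspace
	if err != nil {
		return nil, err
	}
	return ParseGoSum(string(raw))
}

func main() {
	mods, err := ParseGoSum(sample) // no argument: run on the embedded sample
	if len(os.Args) > 1 {
		mods, err = ParseGoSumFile(os.Args[1])
	}
	if err != nil || len(mods) == 0 {
		fmt.Fprintln(os.Stderr, "no modules parsed from go.sum:", err)
		os.Exit(1)
	}
	fmt.Printf("%d modules declared in go.sum: %v\n", len(mods), mods)
}
```

go.sum can also list modules that only had their go.mod consulted during version resolution, so treat the count as an upper bound rather than an exact component list.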

I don’t think the Jenkins plugin has been merged by the integration team. Insight made the changes and they just need to be released by integrations. https://issues.sonatype.org/browse/CLM-12331

Has anything changed in regards to scanning Golang (go.mod) with the Jenkins plugin?

I tried to scan a Golang application in a pipeline but it just found a number of tar files as unknown components.

For the latest information on scanning Go, please go to Go Application Analysis. The doc contains a Jenkins section.