DEV Community

Cover image for Time to make some order with GoCenter
Batel Zohar for JFrog

Posted on

Time to make some order with GoCenter

Go is becoming one of the world’s fastest-growing software languages. To keep increasing my skill set as a developer I started learning Go a few months ago. Here is a snapshot of my journey and some insights I learned along the way.

Dependency Management

Learning a new language can be overwhelming so I decided to start with the basics - dependency management. So let’s start from the beginning the management of the dependencies, from version 1.11 Go supports modules, this feature makes dependency version information explicit and easier to maintain.

Go module

A module is a collection of Go packages stored in a file with a go.mod file at its root. The go.mod file defines the module’s module path, which is also the import path used for the root directory, and its dependency requirements, which are the other modules needed for a successful build. Each dependency requirement is written as a module path and a specific semantic version.

Let’s start with a simple example: hello world. In this example the go.mod file will look like the following:

module "rsc.io/hello"

require "rsc.io/quote" v1.5.1
Enter fullscreen mode Exit fullscreen mode

After completing a simple go run and go build we now have a hello world example which is basic, but let’s try to make it a bit more complicated by adding yaml support. To do this we will use the following commands (I found that version 2.2.7 is recommended) so let’s give it a go:

gopkg.in/yaml.v2 v2.2.7
Enter fullscreen mode Exit fullscreen mode

Then I figured that I used a vulnerable package and I found GoCenterthat provided me an amazing way to better understand Go packages. GoCenter has the following features:

Proxy my dependencies

First we can use GoCenter as a GOPROXY and we will redirect all module download requests to GoCenter which can be faster than directly from the VCS.

To change the GoProxy path just use the following commands:

For mac and linux:

export GOPROXY=https://gocenter.io

For Windows:

'''set GOPROXY=https://gocenter.io'''

For powershell:

'''$env:GOPROXY=https://gocenter.io'''

Protect your binaries

I’ve tried to learn a bit more about the yaml packages and this is how it looks on GoCenter:

Alt Text

First I found out that my version is vulnerable and contains CVE-2019-11254 like the following:

CVE-2019-11254 of yaml.v2 go module

Also I noticed the feature that scans the dependencies in a go.mod file held by GoCenter and identifies every vulnerability. Under the dependencies tab we will get the detailed information about vulnerable components at every level of the dependency tree, once we will click on the orange triangle we will forward to the package and we can check the vulnerability page like the following example of hashicorp/vault:

Alt Text

Learn more about your packages

So I clicked on the versions tab and saw that version 2.2.8 contains a fix and I upgraded to the latest version 2.4.0 now seems like they added some documentation and examples:

As you can see the package yaml and an overview

I love metrics. GoCenter’s metrics are colorful and provide a lot of information in a great visual way so I can easily see that there are a lot of downloads of the packages and 37 Contributors:

The number of open issues forks contributors and much more

Advanced mode private GOPROXY

Another advantage for developers is the ability to improve our resolution tie by integrating our JFrog Artifactory server and create our Go private repository. We want to create a private Go repository to make sure that we are pulling directly from a virtual repository that contains a remote repository that points to GoCenter and our local repository with our project. A benefit of this method is that we don’t need to manage Artifactory we can just use the SaaS version which is free and limited.

Conclusion

To sum it all up, as I learn to write in Go I will continue to use GoCenter as a proxy for my dependencies, vulnerability scanning of my binaries, version control of my packages, beautiful metrics to give me a great visualization of the data

Top comments (0)