contrib: add go.mod to isolate contribs confluentinc/confluent-kafka-go/kafka*, emicklei/go-restful/v3, gin-gonic/gin & globalsign/mgo

[darccio]

What does this PR do?

Isolates the following contribs as independent modules:

• confluentinc/confluent-kafka-go/kafka
• confluentinc/confluent-kafka-go/kafka.v2
• emicklei/go-restful/v3
• gin-gonic/gin
• globalsign/mgo

Also includes:

• A script to automate the isolation of contribs, as it can be prone to human error. Mainly because go get tends to use the latest version available of a library and our contribs are not always pinned to the current one.
• A new setup for contribs to be accessible as nested modules in a non-v1 major version because how nested modules work in monorepos:
  • Any nested module must be found in a subdirectory that matches the part of the module's path after the repository root path. Source: Go Modules Reference.
  • This means that for releasing nested modules in a v2 repository like github.com/DataDog/dd-trace-go/v2 they must be in a path starting with v2/ like v2/contrib/gin-gonic/gin for github.com/DataDog/dd-trace-go/v2/contrib/gin-gonic/gin.
  • This doesn't affect anything else that isn't a nested module.

This will be done for each contrib, and this is a first PR to validate the approach. Next PRs will consist of multiple contribs.

Motivation

Security scanners yield false positives, informing vulnerable versions that are present in the go.mod but not compiled into the final binary.

Reviewer's Checklist

• Changed code has unit tests for its functionality at or near 100% coverage.
• System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
• There is a benchmark for any new code, or changes to existing code.
• If this interacts with the agent in a new way, a system test has been added.
• Add an appropriate team label so this PR gets put in the right place for the release notes.

For Datadog employees:

• If this PR touches code that handles credentials of any kind, such as Datadog API keys, I've requested a review from @DataDog/security-design-and-guidance.
• This PR doesn't touch any of that.

Unsure? Have a question? Request a review!

[pr-commenter]

Benchmarks

Benchmark execution time: 2023-11-24 17:50:49

Comparing candidate commit 6650651 in PR branch dario.castane/AIT-8717/isolate-contribs-batch-2 with baseline commit 9d363fb in branch v2-dev.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 39 metrics, 2 unstable metrics.

[Julio-Guerra]

@darccio: I am wondering now if we will still be able to import our dd-trace-go internal packages from those sub-modules?

[darccio]

@darccio: I am wondering now if we will still be able to import our dd-trace-go internal packages from those sub-modules?

It is possible. I admit I was actually surprised when I checked it but the access rule to internal packages applies with submodules.

[darccio]

This has been updated according to this issue: googleapis/go-genproto#1015

[darccio]

CI is working flawlessly:

system-tests and appsec-go-test-app branches updated too.