contrib: add go.mod to isolate contribs confluentinc/confluent-kafka-go/kafka*, emicklei/go-restful/v3, gin-gonic/gin & globalsign/mgo #2379
Benchmarks
Benchmark execution time: 2023-11-24 17:50:49
Comparing candidate commit 6650651 in PR branch
Found 0 performance improvements and 0 performance regressions! Performance is the same for 39 metrics, 2 unstable metrics.
@darccio: I am wondering now if we will still be able to import our dd-trace-go internal packages from those sub-modules?
It is possible. I admit I was actually surprised when I checked it but the access rule to internal packages applies with submodules.
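The rule behind the exchange above, as an added example (not code from this PR or from dd-trace-go): Go's documented internal rule allows an import only when the importing code sits inside the tree rooted at the parent of the `internal` directory, and this sketch models that check on import paths, which is why a contrib with its own go.mod can still qualify. The package paths are constructed for illustration, `internal/example` is a hypothetical package name, and the code is a simplified model rather than the go command's implementation.

```go
package main

import (
	"fmt"
	"strings"
)

// internalParent returns the import path of the directory holding the last
// "internal" element of path, and whether path contains such an element.
func internalParent(path string) (string, bool) {
	elems := strings.Split(path, "/")
	for i := len(elems) - 1; i >= 0; i-- {
		if elems[i] == "internal" {
			return strings.Join(elems[:i], "/"), true
		}
	}
	return "", false
}

// CanImport models the internal rule on import paths: the importer must be
// the parent of the "internal" directory or live somewhere below it.
// Which go.mod the importer belongs to plays no part in the decision.
func CanImport(importer, imported string) bool {
	parent, ok := internalParent(imported)
	if !ok {
		return true // no "internal" element, so the rule does not apply
	}
	// Match whole path elements so ".../v2x" is not treated as inside ".../v2".
	return importer == parent || strings.HasPrefix(importer, parent+"/")
}

func main() {
	// Constructed paths; "internal/example" is a hypothetical package name.
	const root = "github.com/DataDog/dd-trace-go/v2"
	shared := root + "/internal/example"
	for _, importer := range []string{
		root + "/contrib/gin-gonic/gin", // nested module under the same root
		"example.com/app",               // unrelated application code
	} {
		fmt.Printf("%-58s -> %v\n", importer, CanImport(importer, shared))
	}
}
```
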
9c2d469 to b4b17ae
golang.org/x/time v0.3.0 // indirect | ||
golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect | ||
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect | ||
google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect |
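Review bot: golang.org/x/tools is listed in this indirect block at the pseudo-version v0.12.1-0.20230815132531-74c255bcf846, which points at an untagged commit rather than a release. Since the stated motivation of the PR is cleaner security scanner output, consider checking whether a tagged x/tools release satisfies the same requirement, so the entry is easier to audit against release notes and advisories.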
This has been updated according to this issue: googleapis/go-genproto#1015
CI is working flawlessly: system-tests and appsec-go-test-app branches updated too.
What does this PR do?
Isolates the following contribs as independent modules:
confluentinc/confluent-kafka-go/kafka
confluentinc/confluent-kafka-go/kafka.v2
emicklei/go-restful/v3
gin-gonic/gin
globalsign/mgo
Also includes:
go get tends to use the latest version available of a library and our contribs are not always pinned to the current one.
v2 repository like github.com/DataDog/dd-trace-go/v2 they must be in a path starting with v2/ like v2/contrib/gin-gonic/gin for github.com/DataDog/dd-trace-go/v2/contrib/gin-gonic/gin.
This will be done for each contrib, and this is a first PR to validate the approach. Next PRs will consist of multiple contribs.
Motivation
Security scanners yield false positives, reporting vulnerable versions that are present in the go.mod but not compiled into the final binary.