approach to addressing and managing the aftermath of a security breach or attack § The 1990s was the era of protection § Then came the detection decade § This decade is one of response
did not support vendoring § Solution – third-party libs: § Godep : https://github.com/tools/godep § basically exploits the implementation details of $GOPATH (godep go … runs the toolchain with Godeps/_workspace prepended to $GOPATH)
folder and the "vendor.json" file. § List: list and filter existing dependencies and packages. § Add: add packages from $GOPATH. § Update: update packages from $GOPATH. § Fetch: add new or update vendor folder packages from the remote repository. § Sync: pull packages into the vendor folder from the remote repository at the revisions recorded in vendor.json.
tooling does not give "special" treatment to the vendor folder
− If you run "./..." it will use the vendor folder too!!
− Issue in testing with coverage, or running "go fmt" commands…
− https://github.com/golang/go/issues/11659
− WDYT?
§ Impact on us:
− Doing nasty bash stuff to exclude the vendor folder from coverage:
FOLDER_FOR_COVERAGE=$(go list ./... | grep -v /vendor/ | xargs echo -n | tr ' ' ',')
go list -f '{{if gt (len .TestGoFiles) 0}}"go test -tags integration -timeout 30m -covermode set -coverprofile {{.Name}}.coverprofile -coverpkg xxx {{.ImportPath}}"{{end}}' ./web/... ./services/... | awk -v targets=$FOLDER_FOR_COVERAGE '{ gsub("xxx", targets ); print;}' | sed 's/\"//g'
− Also for golint:
golint ./... 2>&1 | grep -v ^vendor | wc -l
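The vendor-exclusion pipeline above, rewritten as shell functions that read the "go list ./..." output from stdin so the logic can be exercised without a Go toolchain. This is an added example, not the deck's own script; the function names, the fictional github.com/example/app package list and the use of the full import path (instead of {{.Name}}) for the coverprofile file name are this example's choices.

```bash
#!/usr/bin/env bash
# Added example (not the slides' own script). Real usage on Go 1.5-1.8, where
# ./... still matches vendor/:
#   targets=$(go list ./... | coverpkg_list)
#   go list -f '{{if .TestGoFiles}}{{.ImportPath}}{{end}}' ./web/... ./services/... \
#       | filter_vendor | gen_test_cmds "$targets" | sh

# Drop every import path that lives under a vendor/ directory.
# An input that is nothing but vendor packages is not an error, hence "|| true".
filter_vendor() {
    grep -v '/vendor/' || true
}

# Join stdin lines with commas, the format -coverpkg expects.
# Unlike "xargs echo -n | tr ' ' ','", empty input yields an empty line.
join_commas() {
    local out="" line
    while IFS= read -r line; do
        out="${out:+$out,}$line"
    done
    printf '%s\n' "$out"
}

# Comma-separated -coverpkg list of all non-vendor packages on stdin.
coverpkg_list() {
    filter_vendor | join_commas
}

# Emit one "go test" command per package read from stdin; $1 is the
# -coverpkg list. The profile is named after the full import path with
# slashes replaced by underscores: {{.Name}} (as on the slide) is only the
# package name, so two packages called e.g. "handlers" would overwrite each
# other's coverprofile.
gen_test_cmds() {
    local targets="$1" pkg name
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        name=$(printf '%s' "$pkg" | tr '/' '_')
        printf 'go test -tags integration -timeout 30m -covermode set -coverprofile %s.coverprofile -coverpkg %s %s\n' \
            "$name" "$targets" "$pkg"
    done
}

# Constructed sample of "go list ./..." output for a fictional repository
# (github.com/example/app is not a real project).
SAMPLE_PKGS='github.com/example/app/web
github.com/example/app/services/auth
github.com/example/app/vendor/github.com/foo/bar
github.com/example/app/vendor/golang.org/x/net/context'

# Run the whole pipeline on the sample and print the generated commands.
demo() {
    local targets
    targets=$(printf '%s\n' "$SAMPLE_PKGS" | coverpkg_list)
    printf '%s\n' "$SAMPLE_PKGS" | filter_vendor | gen_test_cmds "$targets"
}
```

On the sample input, demo prints two commands (web and services/auth), each with a -coverpkg list that contains no vendor package. The "only packages that have test files" filter from the slide stays with go list -f on the real run, since that needs the toolchain.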
Single source of truth
§ Each build we are doing:
− govendor sync
− Caching the vendor folder (except the vendor.json file!!)
§ Watch out:
− In CircleCI $GOPATH is complex (a colon-separated list of several workspace folders by default)
− Causes some weird issues when used with govendor
− Solution (more nasty bash scripts…):
− IMPORT_PATH: "github.com/$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME"
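The slide's workaround script is not shown beyond the IMPORT_PATH variable; the following is an added example of one way to pin a CircleCI build to a single GOPATH entry and place the checkout at its import path before running govendor sync. It is not the deck's own script: the CIRCLE_PROJECT_* variable names are CircleCI's, while the function names and the symlink approach are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the slides' own script). In CI you would run, e.g.:
#   export GOPATH=$(first_gopath_entry "$GOPATH")
#   cd "$(link_checkout "$GOPATH" "$(import_path "$CIRCLE_PROJECT_USERNAME" "$CIRCLE_PROJECT_REPONAME")" "$PWD")"
#   govendor sync

# Return the first entry of a possibly colon-separated GOPATH. Go's tools only
# install into the first entry, so that is the single workspace to build in.
first_gopath_entry() {
    printf '%s\n' "${1%%:*}"
}

# Build the import path from the CircleCI project owner and repository name.
import_path() {
    printf 'github.com/%s/%s\n' "$1" "$2"
}

# Make <first GOPATH entry>/src/<import path> a symlink to the checkout
# directory and print that path. An existing entry (e.g. restored from cache)
# is left alone rather than replaced.
# $1: GOPATH (possibly multi-entry), $2: import path, $3: absolute checkout dir.
link_checkout() {
    local ws dest
    ws=$(first_gopath_entry "$1")
    dest="$ws/src/$2"
    mkdir -p "$(dirname "$dest")"
    if [ ! -e "$dest" ]; then
        ln -s "$3" "$dest"
    fi
    printf '%s\n' "$dest"
}
```

With GOPATH reduced to one entry, govendor sees exactly one workspace, and because the checkout is reached through its import path the vendor folder it populates is the one the build and the cache step both use.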