Epic Goal

• Clair v4 can detect Golang applications and their imported modules
• Clair v4 can leverage Golang security vulnerability feeds in order to match known vulnerabilities in Golang modules to a given application in a container images

Why is this important?

• Golang is a dominant programming language in the domain of networked applications and in the cloud-native / Kubernetes space

Scenarios

1. Golang-based applications in container images and their imports can be detected
2. Known CVEs are matched against detected imports and define vulnerabilities associated with the container image

Acceptance Criteria

• Capability is enabled by default
• Capability can be disabled
• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• Downstream documentation

Dependencies (internal and external)

1. CRDA feed data for Golang dependencies

Previous Work (Optional):

1. Python package manager enablement

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>