Go: Support private registries via GOPROXY
#19248
go/extractor/util/registryproxy.go
} else { | ||
// We only care about private registry configurations that are relevant to Go and | ||
// filter others out at this point. | ||
proxy_configs = make([]RegistryConfig, 0) |
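Review bot: The `make([]RegistryConfig, 0)` call in the else branch is redundant if `proxy_configs` is only ever appended to, because `append` allocates on a nil slice. If a non-nil empty slice is intended, for example so that callers can tell "proxy configured, no Go registries" apart from "nothing configured", say so in the comment above it; otherwise drop the line.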
You could use the length of `val` as a third argument to `make`, which specifies the capacity of the underlying array. Or maybe it isn't worth it if you only ever expect very few.
We only expect a few (indeed, the UI only supports configuring one at the moment). That said, I have noticed since that calling `make` to initialise the array isn't necessary since `append` will apparently do this if it is `nil` anyway.
// The address of the proxy including protocol and port (e.g. http://localhost:1234) | ||
var proxy_address string | ||
|
||
// The path to the temporary file that stores the proxy certificate, if any. | ||
var proxy_cert_file string | ||
|
||
// An array of registry configurations that are relevant to Go. | ||
// This excludes other registry configurations that may be available, but are not relevant to Go. | ||
var proxy_configs []RegistryConfig |
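Review bot: The comment on `proxy_cert_file` says the certificate is stored in a temporary file but not who creates that file, with what permissions, or when it is removed; document that lifecycle next to the declaration, since other code can read this path once it is package-level state. Separately, all three names use snake_case where Go style is mixedCaps (`proxyAddress`, `proxyCertFile`, `proxyConfigs`).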
These no longer need to be global variables. I think it would be clearer if they were just local variables.
I somewhat intentionally left these as global variables so that we can access their values elsewhere if needed going forward.
I don't feel strongly about this though, so if you would prefer it to be locals for now while they don't have to be globals, then I can make that change.
This PR is part of work to enable private package registries to be used in Default Setup. See prior work for C#: #18029 and #18850

The existing Default Setup workflow will initialise the Dependabot package proxy, if a private package registry configuration is set. The host, port, certificate, and configurations used by the proxy are then passed to CodeQL in the `analyze` step. For Go, we will likely need to modify this to make these environment variables available to the `autobuild` step as well.

The changes in this PR modify the Go extractor to recognise when the corresponding environment variables are set. If so, we use the data from those environment variables to:

- `go` via the `HTTP_PROXY` and `HTTPS_PROXY` environment variables.
- `go` via `SSL_CERT_FILE`.
- `goproxy_server` configurations and use them to set an appropriate value for the `GOPROXY` environment variable.

This has the effect that `go` will attempt to make requests to obtain packages to the `GOPROXY` servers. These will go via the Dependabot proxy configured by `HTTP_PROXY` and `HTTPS_PROXY`, which handles the needed authentication for the `GOPROXY` servers.
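The environment described in the PR description above, as an added example that is not code from this PR or from CodeQL. The `RegistryConfig` fields, the JSON encoding of the configurations, the helper name `goProxyEnv`, the sample values, and the check that rejects URLs containing a `GOPROXY` list separator are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// RegistryConfig reuses the type name from the diff; its fields and JSON keys are assumptions.
type RegistryConfig struct {
	Type string `json:"type"`
	URL  string `json:"url"`
}

// goProxyEnv (hypothetical helper) returns the extra environment entries for `go`.
func goProxyEnv(proxyAddress, certFile, configsJSON string) ([]string, error) {
	var all []RegistryConfig
	if err := json.Unmarshal([]byte(configsJSON), &all); err != nil {
		return nil, fmt.Errorf("parsing registry configurations: %w", err)
	}
	env := []string{"HTTP_PROXY=" + proxyAddress, "HTTPS_PROXY=" + proxyAddress}
	if certFile != "" {
		env = append(env, "SSL_CERT_FILE="+certFile)
	}
	var urls []string // nil slice: append allocates on first use
	for _, cfg := range all {
		if cfg.Type != "goproxy_server" {
			continue // not relevant to Go
		}
		u, err := url.Parse(cfg.URL)
		// "," and "|" separate GOPROXY entries, so a URL containing one would add entries.
		if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" ||
			strings.ContainsAny(cfg.URL, ",|") {
			return nil, fmt.Errorf("unusable goproxy_server URL %q", cfg.URL)
		}
		urls = append(urls, cfg.URL)
	}
	if len(urls) > 0 {
		env = append(env, "GOPROXY="+strings.Join(urls, ","))
	}
	return env, nil
}

func main() {
	// Constructed sample input; none of these values come from the PR.
	configs := `[{"type":"goproxy_server","url":"https://goproxy.example.internal"},{"type":"nuget_feed","url":"https://nuget.example.internal"}]`
	env, err := goProxyEnv("http://localhost:1234", "/tmp/proxy-ca.crt", configs)
	fmt.Println(env, err)
}
```

The returned entries are meant to be appended to the environment of the `go` child process only, so the proxy and certificate settings do not leak into unrelated commands.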