Two months ago, we launched the analyzer for the Go programming language in a public beta. Since then, prominent open-source projects like Dgraph, Gauge, and many others have adopted DeepSource to enable continuous quality and security on their code. With features and fixes based on the feedback we received from early adopters, we are pleased to announce that DeepSource's Go analyzer is now generally available. Read on for all the details.
Support for package managers
DeepSource installs the third-party dependencies listed in your project during the analysis to get a full view of your application. Up until this release, we supported Go modules as the only way to install them, and if we detected some other package manager, we'd try to move the project to Go modules (using the go mod init <import path> command). While this approach worked for many repositories, it did not for others. One such case was when a dependency of the analyzed repository had versioned packages (package.domain.tld/v1), but the repository itself was using the unversioned package (the "zeroth" version).
To analyze such packages better, we now detect the package manager used for the repository and use it to install the dependencies. We now support 10 package managers, details about which can be found here.
21 new issues detected
We now detect 21 new issues in your Go code, bringing the total number of issues raised to 154: 72 bug risk issues, 41 anti-patterns, 19 security issues, 11 style issues and 11 performance issues. Of these 21 new issues, 12 prevent bug risks, 4 detect anti-patterns, and 5 help improve performance. Let's look at some of the new issues:
Copy the arrays, you must not.
Override, you shall not, an imported package's name.
We're so excited about this release, and we're sure you'll find these new issues useful if you're writing code in Go. Why don't you go ahead and sign up on DeepSource and start analysis on your Go repositories? It's free forever for open-source!