Support Go dependency scanning for pull requests

[teodor-yanev]

#912

Add Go PR vulnerabilities check

The vulnerability checks were tested against the following PR: #725

Proof of functional testing:

Closes #1012

[jhrozek]

I think that this patch is fine, some suggestions inline.

[jhrozek]

why did you change the name to start with an uppercase letter? btw I wonder if we should just compare the names in a case-insensitive manner so that we'd match all of go, Go, gO and GO.

[jhrozek]

oh I understand now, OSV's databases are case-sensitive..I would honestly make the mediator ecosystems case-insensitive.. (but if you disagree, just tell me that it's a bad idea..).

tested with:

curl -X POST -d \
  '{"version": "0.0.1",
    "package": {"name": "golang.org/x/net", "ecosystem": "Go"}}' \
  "https://api.osv.dev/v1/query" | jq

versus:

curl -X POST -d \
  '{"version": "0.0.1",
    "package": {"name": "golang.org/x/net", "ecosystem": "go"}}' \
  "https://api.osv.dev/v1/query" | jq

[teodor-yanev]

Yes, the names are case-sensitive and can be found here: https://ossf.github.io/osv-schema/#affectedpackage-field

I've changed it to lower-case mediator-wise, thanks.

[teodor-yanev]

Re-tested:

[jhrozek]

Ah, I see, while vuln.dev.go does export their data in the OSV format, they don't provide the same API. We might want to even serve our own and fetch their database periodically, but..not now.

[jhrozek]

if you agree about the case-insensitive comparison, maybe we should change this to strings.ToLower and lowercase all the dependencies..

[jhrozek]

oh and it looks like a rebase is in order..too many patches are touching the protobuf structs lately..

[jhrozek]

(you'll want to rebase, then just call make gen, git add the conflicting file pkg/generated/protobuf/go/mediator/v1/mediator.pb.go and git rebase --continue)

[jhrozek]

merged so I can send the next PR atop