Merge branch '212708-go-mod-viewer' into 'master'

Implement go.mod viewer

Closes #212708

See merge request gitlab-org/gitlab!28262

app/models/blob.rb

@@ -58,6 +58,7 @@ class Blob < SimpleDelegator
     BlobViewer::Gemfile,
     BlobViewer::Gemspec,
     BlobViewer::GodepsJson,
+    BlobViewer::GoMod,
     BlobViewer::PackageJson,
     BlobViewer::Podfile,
     BlobViewer::Podspec,

app/models/blob_viewer/go_mod.rb

+# frozen_string_literal: true
+
+module BlobViewer
+  class GoMod < DependencyManager
+    include ServerSide
+    include Gitlab::Utils::StrongMemoize
+
+    MODULE_REGEX = /
+      \A (?# beginning of file)
+      module\s+ (?# module directive)
+      (?<name>.*?) (?# module name)
+      \s*(?:\/\/.*)? (?# comment)
+      (?:\n|\z) (?# newline or end of file)
+    /x.freeze
+
+    self.file_types = %i(go_mod go_sum)
+
+    def manager_name
+      'Go Modules'
+    end
+
+    def manager_url
+      'https://golang.org/ref/mod'
+    end
+
+    def package_type
+      'go'
+    end
+
+    def package_name
+      strong_memoize(:package_name) do
+        next if blob.name != 'go.mod'
+        next unless match = MODULE_REGEX.match(blob.data)
+
+        match[:name]
+      end
+    end
+
+    def package_url
+      Gitlab::Golang.package_url(package_name)
+    end
+  end
+end

ee/app/finders/packages/go/module_finder.rb

@@ -3,7 +3,7 @@
 module Packages
   module Go
     class ModuleFinder
-      include ::API::Helpers::Packages::Go::ModuleHelpers
+      include Gitlab::Golang
 
       attr_reader :project, :module_name
 
@@ -15,21 +15,15 @@ module Packages
       end
 
       def execute
-        return if @module_name.blank? || !@module_name.start_with?(gitlab_go_url)
+        return if @module_name.blank? || !@module_name.start_with?(local_module_prefix)
 
-        module_path = @module_name[gitlab_go_url.length..].split('/')
+        module_path = @module_name[local_module_prefix.length..].split('/')
         project_path = project.full_path.split('/')
         module_project_path = module_path.shift(project_path.length)
         return unless module_project_path == project_path
 
         Packages::GoModule.new(@project, @module_name, module_path.join('/'))
       end
-
-      private
-
-      def gitlab_go_url
-        @gitlab_go_url ||= Settings.build_gitlab_go_url + '/'
-      end
     end
   end
 end

ee/app/finders/packages/go/version_finder.rb

@@ -3,7 +3,7 @@
 module Packages
   module Go
     class VersionFinder
-      include ::API::Helpers::Packages::Go::ModuleHelpers
+      include Gitlab::Golang
 
       attr_reader :mod
 
@@ -13,7 +13,7 @@ module Packages
 
       def execute
         @mod.project.repository.tags
-          .filter { |tag| semver? tag }
+          .filter { |tag| semver_tag? tag }
           .map    { |tag| @mod.version_by(ref: tag) }
           .filter { |ver| ver.valid? }
       end

ee/app/models/packages/go_module_version.rb

@@ -2,7 +2,6 @@
 
 class Packages::GoModuleVersion
   include Gitlab::Utils::StrongMemoize
-  include ::API::Helpers::Packages::Go::ModuleHelpers
 
   VALID_TYPES = %i[ref commit pseudo].freeze
 

ee/changelogs/unreleased/212708-go-mod-viewer.yml

+---
+title: Add viewer and linker for go.mod and go.sum
+merge_request: 28262
+author: Ethan Reesor @firelizzard
+type: added

ee/lib/api/go_proxy.rb

 # frozen_string_literal: true
 module API
   class GoProxy < Grape::API
+    helpers Gitlab::Golang
     helpers ::API::Helpers::PackagesHelpers
-    helpers ::API::Helpers::Packages::Go::ModuleHelpers
 
     # basic semver, except case encoded (A => !a)
     MODULE_VERSION_REGEX = /v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-([-.!a-z0-9]+))?(?:\+([-.!a-z0-9]+))?/.freeze
@@ -12,6 +12,20 @@ module API
     before { require_packages_enabled! }
 
     helpers do
+      def case_decode(str)
+        # Converts "github.com/!azure" to "github.com/Azure"
+        #
+        # From `go help goproxy`:
+        #
+        # > To avoid problems when serving from case-sensitive file systems,
+        # > the <module> and <version> elements are case-encoded, replacing
+        # > every uppercase letter with an exclamation mark followed by the
+        # > corresponding lower-case letter: github.com/Azure encodes as
+        # > github.com/!azure.
+
+        str.gsub(/![[:alpha:]]/) { |s| s[1..].upcase }
+      end
+
       def find_project!(id)
         # based on API::Helpers::Packages::BasicAuthHelpers#authorized_project_find!
 

ee/lib/api/helpers/packages/go/module_helpers.rb

-# frozen_string_literal: true
-
-module API
-  module Helpers
-    module Packages
-      module Go
-        module ModuleHelpers
-          def case_encode(str)
-            # Converts "github.com/Azure" to "github.com/!azure"
-            #
-            # From `go help goproxy`:
-            #
-            # > To avoid problems when serving from case-sensitive file systems,
-            # > the <module> and <version> elements are case-encoded, replacing
-            # > every uppercase letter with an exclamation mark followed by the
-            # > corresponding lower-case letter: github.com/Azure encodes as
-            # > github.com/!azure.
-
-            str.gsub(/A-Z/) { |s| "!#{s.downcase}"}
-          end
-
-          def case_decode(str)
-            # Converts "github.com/!azure" to "github.com/Azure"
-            #
-            # See #case_encode
-
-            str.gsub(/![[:alpha:]]/) { |s| s[1..].upcase }
-          end
-
-          def semver?(tag)
-            return false if tag.dereferenced_target.nil?
-
-            ::Packages::SemVer.match?(tag.name, prefixed: true)
-          end
-
-          def pseudo_version?(version)
-            return false unless version
-
-            if version.is_a? String
-              version = parse_semver version
-              return false unless version
-            end
-
-            pre = version.prerelease
-
-            # Valid pseudo-versions are:
-            #   vX.0.0-yyyymmddhhmmss-sha1337beef0, when no earlier tagged commit exists for X
-            #   vX.Y.Z-pre.0.yyyymmddhhmmss-sha1337beef0, when most recent prior tag is vX.Y.Z-pre
-            #   vX.Y.(Z+1)-0.yyyymmddhhmmss-sha1337beef0, when most recent prior tag is vX.Y.Z
-
-            if version.minor != 0 || version.patch != 0
-              m = /\A(.*\.)?0\./.freeze.match pre
-              return false unless m
-
-              pre = pre[m[0].length..]
-            end
-
-            # This pattern is intentionally more forgiving than the patterns
-            # above. Correctness is verified by #pseudo_version_commit.
-            /\A\d{14}-\h+\z/.freeze.match? pre
-          end
-
-          def pseudo_version_commit(project, semver)
-            # Per Go's implementation of pseudo-versions, a tag should be
-            # considered a pseudo-version if it matches one of the patterns
-            # listed in #pseudo_version?, regardless of the content of the
-            # timestamp or the length of the SHA fragment. However, an error
-            # should be returned if the timestamp is not correct or if the SHA
-            # fragment is not exactly 12 characters long. See also Go's
-            # implementation of:
-            #
-            # - [*codeRepo.validatePseudoVersion](https://github.com/golang/go/blob/daf70d6c1688a1ba1699c933b3c3f04d6f2f73d9/src/cmd/go/internal/modfetch/coderepo.go#L530)
-            # - [Pseudo-version parsing](https://github.com/golang/go/blob/master/src/cmd/go/internal/modfetch/pseudo.go)
-            # - [Pseudo-version request processing](https://github.com/golang/go/blob/master/src/cmd/go/internal/modfetch/coderepo.go)
-
-            # Go ignores anything before '.' or after the second '-', so we will do the same
-            timestamp, sha = semver.prerelease.split('-').last 2
-            timestamp = timestamp.split('.').last
-            commit = project.repository.commit_by(oid: sha)
-
-            # Error messages are based on the responses of proxy.golang.org
-
-            # Verify that the SHA fragment references a commit
-            raise ArgumentError.new 'invalid pseudo-version: unknown commit' unless commit
-
-            # Require the SHA fragment to be 12 characters long
-            raise ArgumentError.new 'invalid pseudo-version: revision is shorter than canonical' unless sha.length == 12
-
-            # Require the timestamp to match that of the commit
-            raise ArgumentError.new 'invalid pseudo-version: does not match version-control timestamp' unless commit.committed_date.strftime('%Y%m%d%H%M%S') == timestamp
-
-            commit
-          end
-
-          def parse_semver(str)
-            ::Packages::SemVer.parse(str, prefixed: true)
-          end
-        end
-      end
-    end
-  end
-end

lib/gitlab/dependency_linker.rb

@@ -13,7 +13,9 @@ module Gitlab
       CartfileLinker,
       GodepsJsonLinker,
       RequirementsTxtLinker,
-      CargoTomlLinker
+      CargoTomlLinker,
+      GoModLinker,
+      GoSumLinker
     ].freeze
 
     def self.linker(blob_name)

lib/gitlab/dependency_linker/go_mod_linker.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module DependencyLinker
+    class GoModLinker < BaseLinker
+      include Gitlab::Golang
+
+      self.file_type = :go_mod
+
+      private
+
+      SEMVER = Gitlab::Regex.unbounded_semver_regex
+      NAME = Gitlab::Regex.go_package_regex
+      REGEX = Regexp.new("(?<name>#{NAME.source})(?:\\s+(?<version>v#{SEMVER.source}))?", SEMVER.options | NAME.options).freeze
+
+      # rubocop: disable CodeReuse/ActiveRecord
+      def link_dependencies
+        highlighted_lines.map!.with_index do |rich_line, i|
+          plain_line = plain_lines[i].chomp
+          match = REGEX.match(plain_line)
+          next rich_line unless match
+
+          i, j = match.offset(:name)
+          marker = StringRangeMarker.new(plain_line, rich_line.html_safe)
+          marker.mark([i..(j - 1)]) do |text, left:, right:|
+            url = package_url(text, match[:version])
+            url ? link_tag(text, url) : text
+          end
+        end
+      end
+      # rubocop: enable CodeReuse/ActiveRecord
+    end
+  end
+end

lib/gitlab/dependency_linker/go_sum_linker.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module DependencyLinker
+    class GoSumLinker < GoModLinker
+      self.file_type = :go_sum
+
+      private
+
+      BASE64 = Gitlab::Regex.base64_regex
+      REGEX = Regexp.new("^\\s*(?<name>#{NAME.source})\\s+(?<version>v#{SEMVER.source})(\/go.mod)?\\s+h1:(?<checksum>#{BASE64.source})\\s*$", NAME.options).freeze
+
+      # rubocop: disable CodeReuse/ActiveRecord
+      def link_dependencies
+        highlighted_lines.map!.with_index do |rich_line, i|
+          plain_line = plain_lines[i].chomp
+          match = REGEX.match(plain_line)
+          next rich_line unless match
+
+          i0, j0 = match.offset(:name)
+          i2, j2 = match.offset(:checksum)
+
+          marker = StringRangeMarker.new(plain_line, rich_line.html_safe)
+          marker.mark([i0..(j0 - 1), i2..(j2 - 1)]) do |text, left:, right:|
+            if left
+              url = package_url(text, match[:version])
+              url ? link_tag(text, url) : text
+
+            elsif right
+              link_tag(text, "https://sum.golang.org/lookup/#{match[:name]}@#{match[:version]}")
+            end
+          end
+        end
+      end
+      # rubocop: enable CodeReuse/ActiveRecord
+    end
+  end
+end

lib/gitlab/file_detector.rb

@@ -32,6 +32,8 @@ module Gitlab
       gemfile_lock: 'Gemfile.lock',
       gemspec: %r{\A[^/]*\.gemspec\z},
       godeps_json: 'Godeps.json',
+      go_mod: 'go.mod',
+      go_sum: 'go.sum',
       package_json: 'package.json',
       podfile: 'Podfile',
       podspec_json: %r{\A[^/]*\.podspec\.json\z},

lib/gitlab/golang.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Golang
+    extend self
+
+    def local_module_prefix
+      @gitlab_prefix ||= "#{Settings.build_gitlab_go_url}/".freeze
+    end
+
+    def semver_tag?(tag)
+      return false if tag.dereferenced_target.nil?
+
+      Packages::SemVer.match?(tag.name, prefixed: true)
+    end
+
+    def pseudo_version?(version)
+      return false unless version
+
+      if version.is_a? String
+        version = parse_semver version
+        return false unless version
+      end
+
+      pre = version.prerelease
+
+      # Valid pseudo-versions are:
+      #   vX.0.0-yyyymmddhhmmss-sha1337beef0, when no earlier tagged commit exists for X
+      #   vX.Y.Z-pre.0.yyyymmddhhmmss-sha1337beef0, when most recent prior tag is vX.Y.Z-pre
+      #   vX.Y.(Z+1)-0.yyyymmddhhmmss-sha1337beef0, when most recent prior tag is vX.Y.Z
+
+      if version.minor != 0 || version.patch != 0
+        m = /\A(.*\.)?0\./.freeze.match pre
+        return false unless m
+
+        pre = pre[m[0].length..]
+      end
+
+      # This pattern is intentionally more forgiving than the patterns
+      # above. Correctness is verified by #pseudo_version_commit.
+      /\A\d{14}-\h+\z/.freeze.match? pre
+    end
+
+    def pseudo_version_commit(project, semver)
+      # Per Go's implementation of pseudo-versions, a tag should be
+      # considered a pseudo-version if it matches one of the patterns
+      # listed in #pseudo_version?, regardless of the content of the
+      # timestamp or the length of the SHA fragment. However, an error
+      # should be returned if the timestamp is not correct or if the SHA
+      # fragment is not exactly 12 characters long. See also Go's
+      # implementation of:
+      #
+      # - [*codeRepo.validatePseudoVersion](https://github.com/golang/go/blob/daf70d6c1688a1ba1699c933b3c3f04d6f2f73d9/src/cmd/go/internal/modfetch/coderepo.go#L530)
+      # - [Pseudo-version parsing](https://github.com/golang/go/blob/master/src/cmd/go/internal/modfetch/pseudo.go)
+      # - [Pseudo-version request processing](https://github.com/golang/go/blob/master/src/cmd/go/internal/modfetch/coderepo.go)
+
+      # Go ignores anything before '.' or after the second '-', so we will do the same
+      timestamp, sha = semver.prerelease.split('-').last 2
+      timestamp = timestamp.split('.').last
+      commit = project.repository.commit_by(oid: sha)
+
+      # Error messages are based on the responses of proxy.golang.org
+
+      # Verify that the SHA fragment references a commit
+      raise ArgumentError.new 'invalid pseudo-version: unknown commit' unless commit
+
+      # Require the SHA fragment to be 12 characters long
+      raise ArgumentError.new 'invalid pseudo-version: revision is shorter than canonical' unless sha.length == 12
+
+      # Require the timestamp to match that of the commit
+      raise ArgumentError.new 'invalid pseudo-version: does not match version-control timestamp' unless commit.committed_date.strftime('%Y%m%d%H%M%S') == timestamp
+
+      commit
+    end
+
+    def parse_semver(str)
+      Packages::SemVer.parse(str, prefixed: true)
+    end
+
+    def pkg_go_dev_url(name, version = nil)
+      if version
+        "https://pkg.go.dev/#{name}@#{version}"
+      else
+        "https://pkg.go.dev/#{name}"
+      end
+    end
+
+    def package_url(name, version = nil)
+      return unless UrlSanitizer.valid?("https://#{name}")
+
+      return pkg_go_dev_url(name, version) unless name.starts_with?(local_module_prefix)
+
+      # This will not work if `name` refers to a subdirectory of a project. This
+      # could be expanded with logic similar to Gitlab::Middleware::Go to locate
+      # the project, check for permissions, and return a smarter result.
+      "#{Gitlab.config.gitlab.protocol}://#{name}/"
+    end
+  end
+end

lib/gitlab/regex.rb

@@ -47,9 +47,43 @@ module Gitlab
         maven_app_name_regex
       end
 
+      def unbounded_semver_regex
+        # See the official regex: https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string
+
+        # The order of the alternatives in <prerelease> are intentionally
+        # reordered to be greedy. Without this change, the unbounded regex would
+        # only partially match "v0.0.0-20201230123456-abcdefabcdef".
+        @unbounded_semver_regex ||= /
+          (?<major>0|[1-9]\d*)
+          \.(?<minor>0|[1-9]\d*)
+          \.(?<patch>0|[1-9]\d*)
+          (?:-(?<prerelease>(?:\d*[a-zA-Z-][0-9a-zA-Z-]*|[1-9]\d*|0)(?:\.(?:\d*[a-zA-Z-][0-9a-zA-Z-]*|[1-9]\d*|0))*))?
+          (?:\+(?<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?
+        /x.freeze
+      end
+
       def semver_regex
-        # see the official regex: https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string
-        @semver_regex ||= %r{\A(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?\z}.freeze
+        @semver_regex ||= Regexp.new("\\A#{::Gitlab::Regex.unbounded_semver_regex.source}\\z", ::Gitlab::Regex.unbounded_semver_regex.options)
+      end
+
+      def go_package_regex
+        # A Go package name looks like a URL but is not; it:
+        #   - Must not have a scheme, such as http:// or https://
+        #   - Must not have a port number, such as :8080 or :8443
+
+        @go_package_regex ||= /
+          \b (?# word boundary)
+          (?<domain>
+            [0-9a-z](?:(?:-|[0-9a-z]){0,61}[0-9a-z])? (?# first domain)
+            (?:\.[0-9a-z](?:(?:-|[0-9a-z]){0,61}[0-9a-z])?)* (?# inner domains)
+            \.[a-z]{2,} (?# top-level domain)
+          )
+          (?<path>\/(?:
+            [-\/$_.+!*'(),0-9a-z] (?# plain URL character)
+            | %[0-9a-f]{2})* (?# URL encoded character)
+          )? (?# path)
+          \b (?# word boundary)
+        /ix.freeze
       end
     end
 
@@ -215,6 +249,10 @@ module Gitlab
     def issue
       @issue ||= /(?<issue>\d+\b)/
     end
+
+    def base64_regex
+      @base64_regex ||= /(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?/.freeze
+    end
   end
 end
 

spec/lib/gitlab/dependency_linker/go_mod_linker_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::DependencyLinker::GoModLinker do
+  let(:file_name) { 'go.mod' }
+  let(:file_content) do
+    <<-CONTENT.strip_heredoc
+      module gitlab.com/gitlab-org/gitlab-workhorse
+
+      go 1.12
+
+      require (
+        github.com/BurntSushi/toml v0.3.1
+        github.com/FZambia/sentinel v1.0.0
+        github.com/alecthomas/chroma v0.7.3
+        github.com/dgrijalva/jwt-go v3.2.0+incompatible
+        github.com/getsentry/raven-go v0.1.2
+        github.com/golang/gddo v0.0.0-20190419222130-af0f2af80721
+        github.com/golang/protobuf v1.3.2
+        github.com/gomodule/redigo v2.0.0+incompatible
+        github.com/gorilla/websocket v1.4.0
+        github.com/grpc-ecosystem/go-grpc-middleware v1.0.0
+        github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
+        github.com/jfbus/httprs v0.0.0-20190827093123-b0af8319bb15
+        github.com/jpillora/backoff v0.0.0-20170918002102-8eab2debe79d
+        github.com/prometheus/client_golang v1.0.0
+        github.com/rafaeljusto/redigomock v0.0.0-20190202135759-257e089e14a1
+        github.com/sebest/xff v0.0.0-20160910043805-6c115e0ffa35
+        github.com/sirupsen/logrus v1.3.0
+        github.com/stretchr/testify v1.5.1
+        gitlab.com/gitlab-org/gitaly v1.74.0
+        gitlab.com/gitlab-org/labkit v0.0.0-20200520155818-96e583c57891
+        golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f
+        golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa
+        golang.org/x/tools v0.0.0-20200117161641-43d50277825c
+        google.golang.org/grpc v1.24.0
+        gopkg.in/yaml.v2 v2.2.8 // indirect
+        honnef.co/go/tools v0.0.1-2019.2.3
+      )
+    CONTENT
+  end
+
+  describe '.support?' do
+    it 'supports go.mod' do
+      expect(described_class.support?('go.mod')).to be_truthy
+    end
+
+    it 'does not support other files' do
+      expect(described_class.support?('go.mod.example')).to be_falsey
+    end
+  end
+
+  describe '#link' do
+    subject { Gitlab::Highlight.highlight(file_name, file_content) }
+
+    def link(name, url)
+      %{<a href="#{url}" rel="nofollow noreferrer noopener" target="_blank">#{name}</a>}
+    end
+
+    it 'links the module name' do
+      expect(subject).to include(link('gitlab.com/gitlab-org/gitlab-workhorse', 'https://pkg.go.dev/gitlab.com/gitlab-org/gitlab-workhorse'))
+    end
+
+    it 'links dependencies' do
+      expect(subject).to include(link('github.com/BurntSushi/toml', 'https://pkg.go.dev/github.com/BurntSushi/toml@v0.3.1'))
+      expect(subject).to include(link('github.com/FZambia/sentinel', 'https://pkg.go.dev/github.com/FZambia/sentinel@v1.0.0'))
+      expect(subject).to include(link('github.com/alecthomas/chroma', 'https://pkg.go.dev/github.com/alecthomas/chroma@v0.7.3'))
+      expect(subject).to include(link('github.com/dgrijalva/jwt-go', 'https://pkg.go.dev/github.com/dgrijalva/jwt-go@v3.2.0+incompatible'))
+      expect(subject).to include(link('github.com/getsentry/raven-go', 'https://pkg.go.dev/github.com/getsentry/raven-go@v0.1.2'))
+      expect(subject).to include(link('github.com/golang/gddo', 'https://pkg.go.dev/github.com/golang/gddo@v0.0.0-20190419222130-af0f2af80721'))
+      expect(subject).to include(link('github.com/golang/protobuf', 'https://pkg.go.dev/github.com/golang/protobuf@v1.3.2'))
+      expect(subject).to include(link('github.com/gomodule/redigo', 'https://pkg.go.dev/github.com/gomodule/redigo@v2.0.0+incompatible'))
+      expect(subject).to include(link('github.com/gorilla/websocket', 'https://pkg.go.dev/github.com/gorilla/websocket@v1.4.0'))
+      expect(subject).to include(link('github.com/grpc-ecosystem/go-grpc-middleware', 'https://pkg.go.dev/github.com/grpc-ecosystem/go-grpc-middleware@v1.0.0'))
+      expect(subject).to include(link('github.com/grpc-ecosystem/go-grpc-prometheus', 'https://pkg.go.dev/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.0'))
+      expect(subject).to include(link('github.com/jfbus/httprs', 'https://pkg.go.dev/github.com/jfbus/httprs@v0.0.0-20190827093123-b0af8319bb15'))
+      expect(subject).to include(link('github.com/jpillora/backoff', 'https://pkg.go.dev/github.com/jpillora/backoff@v0.0.0-20170918002102-8eab2debe79d'))
+      expect(subject).to include(link('github.com/prometheus/client_golang', 'https://pkg.go.dev/github.com/prometheus/client_golang@v1.0.0'))
+      expect(subject).to include(link('github.com/rafaeljusto/redigomock', 'https://pkg.go.dev/github.com/rafaeljusto/redigomock@v0.0.0-20190202135759-257e089e14a1'))
+      expect(subject).to include(link('github.com/sebest/xff', 'https://pkg.go.dev/github.com/sebest/xff@v0.0.0-20160910043805-6c115e0ffa35'))
+      expect(subject).to include(link('github.com/sirupsen/logrus', 'https://pkg.go.dev/github.com/sirupsen/logrus@v1.3.0'))
+      expect(subject).to include(link('github.com/stretchr/testify', 'https://pkg.go.dev/github.com/stretchr/testify@v1.5.1'))
+      expect(subject).to include(link('gitlab.com/gitlab-org/gitaly', 'https://pkg.go.dev/gitlab.com/gitlab-org/gitaly@v1.74.0'))
+      expect(subject).to include(link('gitlab.com/gitlab-org/labkit', 'https://pkg.go.dev/gitlab.com/gitlab-org/labkit@v0.0.0-20200520155818-96e583c57891'))
+      expect(subject).to include(link('golang.org/x/lint', 'https://pkg.go.dev/golang.org/x/lint@v0.0.0-20191125180803-fdd1cda4f05f'))
+      expect(subject).to include(link('golang.org/x/net', 'https://pkg.go.dev/golang.org/x/net@v0.0.0-20200114155413-6afb5195e5aa'))
+      expect(subject).to include(link('golang.org/x/tools', 'https://pkg.go.dev/golang.org/x/tools@v0.0.0-20200117161641-43d50277825c'))
+      expect(subject).to include(link('google.golang.org/grpc', 'https://pkg.go.dev/google.golang.org/grpc@v1.24.0'))
+      expect(subject).to include(link('gopkg.in/yaml.v2', 'https://pkg.go.dev/gopkg.in/yaml.v2@v2.2.8'))
+      expect(subject).to include(link('honnef.co/go/tools', 'https://pkg.go.dev/honnef.co/go/tools@v0.0.1-2019.2.3'))
+    end
+  end
+end

spec/lib/gitlab/dependency_linker/go_sum_linker_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::DependencyLinker::GoSumLinker do
+  let(:file_name) { 'go.sum' }
+  let(:file_content) do
+    <<-CONTENT.strip_heredoc
+      github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+      github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+      github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+      github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+      github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
+      github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+      github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+      github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+      gitlab.com/go-utils/io v0.0.0-20190408212915-156add3f8f97 h1:9EKx8vX3kJzyj977yiWB8iIOXHyvbg8SmfOScw7OcN0=
+      gitlab.com/go-utils/io v0.0.0-20190408212915-156add3f8f97/go.mod h1:cF4ez5kIKPWU1BB1Z4qgu6dQkT3pvknXff8PSlGaNo8=
+      golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
+      golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+    CONTENT
+  end
+
+  describe '.support?' do
+    it 'supports go.sum' do
+      expect(described_class.support?('go.sum')).to be_truthy
+    end
+
+    it 'does not support other files' do
+      expect(described_class.support?('go.sum.example')).to be_falsey
+    end
+  end
+
+  describe '#link' do
+    subject { Gitlab::Highlight.highlight(file_name, file_content) }
+
+    def link(name, url)
+      %{<a href="#{url}" rel="nofollow noreferrer noopener" target="_blank">#{name}</a>}
+    end
+
+    it 'links modules' do
+      expect(subject).to include(link('github.com/davecgh/go-spew', 'https://pkg.go.dev/github.com/davecgh/go-spew@v1.1.0'))
+      expect(subject).to include(link('github.com/pmezard/go-difflib', 'https://pkg.go.dev/github.com/pmezard/go-difflib@v1.0.0'))
+      expect(subject).to include(link('github.com/stretchr/objx', 'https://pkg.go.dev/github.com/stretchr/objx@v0.1.0'))
+      expect(subject).to include(link('github.com/stretchr/testify', 'https://pkg.go.dev/github.com/stretchr/testify@v1.3.0'))
+      expect(subject).to include(link('gitlab.com/go-utils/io', 'https://pkg.go.dev/gitlab.com/go-utils/io@v0.0.0-20190408212915-156add3f8f97'))
+      expect(subject).to include(link('golang.org/x/xerrors', 'https://pkg.go.dev/golang.org/x/xerrors@v0.0.0-20190717185122-a985d3407aa7'))
+    end
+
+    it 'links checksums' do
+      expect(subject).to include(link('ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=', 'https://sum.golang.org/lookup/github.com/davecgh/go-spew@v1.1.0'))
+      expect(subject).to include(link('J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=', 'https://sum.golang.org/lookup/github.com/davecgh/go-spew@v1.1.0'))
+      expect(subject).to include(link('4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=', 'https://sum.golang.org/lookup/github.com/pmezard/go-difflib@v1.0.0'))
+      expect(subject).to include(link('iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=', 'https://sum.golang.org/lookup/github.com/pmezard/go-difflib@v1.0.0'))
+      expect(subject).to include(link('4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=', 'https://sum.golang.org/lookup/github.com/stretchr/objx@v0.1.0'))
+      expect(subject).to include(link('HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=', 'https://sum.golang.org/lookup/github.com/stretchr/objx@v0.1.0'))
+      expect(subject).to include(link('TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=', 'https://sum.golang.org/lookup/github.com/stretchr/testify@v1.3.0'))
+      expect(subject).to include(link('M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=', 'https://sum.golang.org/lookup/github.com/stretchr/testify@v1.3.0'))
+      expect(subject).to include(link('9EKx8vX3kJzyj977yiWB8iIOXHyvbg8SmfOScw7OcN0=', 'https://sum.golang.org/lookup/gitlab.com/go-utils/io@v0.0.0-20190408212915-156add3f8f97'))
+      expect(subject).to include(link('cF4ez5kIKPWU1BB1Z4qgu6dQkT3pvknXff8PSlGaNo8=', 'https://sum.golang.org/lookup/gitlab.com/go-utils/io@v0.0.0-20190408212915-156add3f8f97'))
+      expect(subject).to include(link('9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=', 'https://sum.golang.org/lookup/golang.org/x/xerrors@v0.0.0-20190717185122-a985d3407aa7'))
+      expect(subject).to include(link('I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=', 'https://sum.golang.org/lookup/golang.org/x/xerrors@v0.0.0-20190717185122-a985d3407aa7'))
+    end
+  end
+end

spec/lib/gitlab/dependency_linker_spec.rb

@@ -91,5 +91,21 @@ describe Gitlab::DependencyLinker do
 
       described_class.link(blob_name, nil, nil)
     end
+
+    it 'links using GoModLinker' do
+      blob_name = 'go.mod'
+
+      expect(described_class::GoModLinker).to receive(:link)
+
+      described_class.link(blob_name, nil, nil)
+    end
+
+    it 'links using GoSumLinker' do
+      blob_name = 'go.sum'
+
+      expect(described_class::GoSumLinker).to receive(:link)
+
+      described_class.link(blob_name, nil, nil)
+    end
   end
 end

spec/lib/gitlab/regex_spec.rb

 # frozen_string_literal: true
 
-require 'spec_helper'
+require 'fast_spec_helper'
 
 describe Gitlab::Regex do
   shared_examples_for 'project/group name regex' do
@@ -274,4 +274,25 @@ describe Gitlab::Regex do
     it { is_expected.not_to match('../../../../../1.2.3') }
     it { is_expected.not_to match('%2e%2e%2f1.2.3') }
   end
+
+  describe '.go_package_regex' do
+    subject { described_class.go_package_regex }
+
+    it { is_expected.to match('example.com') }
+    it { is_expected.to match('example.com/foo') }
+    it { is_expected.to match('example.com/foo/bar') }
+    it { is_expected.to match('example.com/foo/bar/baz') }
+    it { is_expected.to match('tl.dr.foo.bar.baz') }
+  end
+
+  describe '.unbounded_semver_regex' do
+    subject { described_class.unbounded_semver_regex }
+
+    it { is_expected.to match('1.2.3') }
+    it { is_expected.to match('1.2.3-beta') }
+    it { is_expected.to match('1.2.3-alpha.3') }
+    it { is_expected.not_to match('1') }
+    it { is_expected.not_to match('1.2') }
+    it { is_expected.not_to match('1./2.3') }
+  end
 end

spec/models/blob_viewer/go_mod_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe BlobViewer::GoMod do
+  include FakeBlobHelpers
+
+  let(:project) { build_stubbed(:project) }
+  let(:data) do
+    <<-SPEC.strip_heredoc
+      module #{Settings.build_gitlab_go_url}/#{project.full_path}
+    SPEC
+  end
+  let(:blob) { fake_blob(path: 'go.mod', data: data) }
+
+  subject { described_class.new(blob) }
+
+  describe '#package_name' do
+    it 'returns the package name' do
+      expect(subject.package_name).to eq("#{Settings.build_gitlab_go_url}/#{project.full_path}")
+    end
+  end
+
+  describe '#package_url' do
+    it 'returns the package URL' do
+      expect(subject.package_url).to eq("#{Gitlab.config.gitlab.protocol}://#{Settings.build_gitlab_go_url}/#{project.full_path}/")
+    end
+
+    context 'when the homepage has an invalid URL' do
+      let(:data) do
+        <<-SPEC.strip_heredoc
+          module javascript:alert()
+        SPEC
+      end
+
+      it 'returns nil' do
+        expect(subject.package_url).to be_nil
+      end
+    end
+  end
+
+  describe '#package_type' do
+    it 'returns "package"' do
+      expect(subject.package_type).to eq('go')
+    end
+  end
+
+  context 'when the module name does not start with the instance URL' do
+    let(:data) do
+      <<-SPEC.strip_heredoc
+        module example.com/foo/bar
+      SPEC
+    end
+
+    subject { described_class.new(blob) }
+
+    describe '#package_url' do
+      it 'returns the pkg.go.dev URL' do
+        expect(subject.package_url).to eq("https://pkg.go.dev/example.com/foo/bar")
+      end
+    end
+  end
+end