Why use Go's plugin feature

[fractalqb]

Go's plugin package seem to be a little like an "unloved child" in the Go community. And it is not (yet?) ready for Windows. Windows is not my problem but it might lock out quite some users. And it interferes with Go's sore feature of platform independence.

Apart from that I don't see the benefit. The RAA package is mandatory in the current theragile exe. You cannot run threagile -raa-plugin "". It simply fails with plugin.Open(""): realpath failed. So what's the point in making RAA being a plugin if it must be there in the end. It would be much simpler with the default static linking of Go.

[ezavgorodniy]

Absolutely agree with you and had the same feeling when tried to run this locally. Seems like @joreiche had the same feelings and had introduced a solution to achieve flexibility by meta script language in yaml: https://github.com/Threagile/threagile/blob/master/pkg/security/risks/scripts/accidental-secret-leak.yaml

This is not a feature that can be used from latest docker image although we're working on making an official release of Threagile 1.0 which will contain it.

P. S. I'm aware about lack of documentation on script rules, it's something that other contributors have in their TODO list

[joreiche]

the latest version uses a regular binary as a plugin and passes data via stdin/stdout/stderr to this issue no longer exists