Closed harshavardhana closed 4 years ago
I think this is the same issue as #157, we still need to figure this out. No update quite yet!
@harshavardhana, @ken-duck is looking at this, it should likely be cleaned up by tomorrow. Generally when we have a vulnerability for a project, we implicate subpaths (could create false positives, but we want to make sure we don't have false negatives, too), and this is all kinds of fun since the subpath is a different project. Generally the convention in the golang world is to set up a new repo, new project, etc... and not do this kind of thing, but the world is vast and fun, so you know, it happens :)
I'll be out on vacation the next week or so, but I think either @ken-duck or @brittanybelle will pop in!
Understood, I just wanted to bring this to attention since there are weird situations like this.
We even had a hard time getting go.mod fixed with vault project APIs.
Yeah, we totally appreciate it! Thanks for using Nancy, we are stoked you are!
@harshavardhana this should be addressed now, do you want to verify and close?
Checking..
Yes, verified working well. Thanks, closing.
@DarthHater, could you share some information on "how it was fixed"? I'm facing the same issue now.
nancy against https://github.com/minio/minio produces false positives. Although we depend on the API and SDK, the complaint is about the server, which seems to be incorrect since the Vault server version has been split from their actual API and SDK versions.
https://pkg.go.dev/mod/github.com/hashicorp/vault/sdk https://pkg.go.dev/github.com/hashicorp/vault/api
How can this be fixed?
cc @bhamail / @DarthHater
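The false positive discussed in this thread, as an added example (not Nancy's code and not a description of how the issue was fixed): prefix matching implicates every path under a project, while resolving each path to the module that owns it, the longest known module path that prefixes it, keeps nested modules such as `vault/api` and `vault/sdk` separate. The function names and the sample dependency list are constructed for illustration, and the list of known modules is assumed to come from something like `go list -m all`.

```go
package main

import (
	"fmt"
	"strings"
)

// hasPathPrefix reports whether path equals prefix or lies below it on a "/" boundary.
func hasPathPrefix(path, prefix string) bool {
	return path == prefix || strings.HasPrefix(path, prefix+"/")
}

// prefixMatch is the broad rule described in the thread: an advisory on a
// project implicates every path below it (no false negatives, some false positives).
func prefixMatch(dep, vulnerable string) bool {
	return hasPathPrefix(dep, vulnerable)
}

// owningModule returns the module that provides an import path: the longest
// known module path that is a path prefix of it, or "" if none matches.
func owningModule(importPath string, modules []string) string {
	best := ""
	for _, m := range modules {
		if hasPathPrefix(importPath, m) && len(m) > len(best) {
			best = m
		}
	}
	return best
}

// moduleMatch flags a dependency only when the module that owns it is the
// vulnerable module itself, so separately versioned nested modules are skipped.
func moduleMatch(dep, vulnerable string, modules []string) bool {
	return owningModule(dep, modules) == vulnerable
}

func main() {
	// Constructed sample data using the module paths from the issue; no real advisory is implied.
	modules := []string{
		"github.com/hashicorp/vault",
		"github.com/hashicorp/vault/api",
		"github.com/hashicorp/vault/sdk",
	}
	vulnerable := "github.com/hashicorp/vault"
	deps := []string{"github.com/hashicorp/vault/api", "github.com/hashicorp/vault/sdk/helper/jsonutil", "github.com/hashicorp/vault/vault"}
	for _, dep := range deps {
		fmt.Printf("%-50s prefix=%v module=%v\n", dep, prefixMatch(dep, vulnerable), moduleMatch(dep, vulnerable, modules))
	}
}
```
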