sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0

panic a little less on replaces #221

Closed zendern closed 3 years ago

zendern commented 3 years ago

☝️ hopefully have this happen less 😄


When a replace happened to a package that was internal to the project, it blew up. This fixes that and validates that the versions should be pulled from the pre-internal-project replace and still scanned.


As the comment says it'll still pull in the old version pre replace and send it along for scanning. Need to determine if that is the right thing to do or not.

Example: github.com/ory/kratos-client-go v0.5.4-alpha.1 => ./internal/httpclient

Will end up as: github.com/ory/kratos-client-go v0.5.4-alpha.1

Is that what we want, or should we just drop it on the floor (maybe log something??) due to the rewrite not having a version?


Also, fair warning: I didn't make that many changes to the tests, but I did split them from the one big test into their own individual ones so that they could be run individually while validating this change.

It relates to the following issue #s:

cc @bhamail / @DarthHater / @aeneasr
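The replace handling described above, as an added example that is not nancy's own code: a parser for `go list -m all` lines that keeps the pre-replace coordinate when the replace target is a directory (which has no version) and uses the replacement module when it is a real module. The `Module` type and `ParseModuleLine` are assumptions for this example, and the sample lines are constructed from the kratos-client-go case in the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// Module is one dependency coordinate derived from a `go list -m all` line.
type Module struct {
	Path         string
	Version      string
	LocalReplace bool   // replace target was a directory, so Version is the pre-replace one
	ReplaceDir   string // directory the module was replaced with, when LocalReplace is set
}

// isLocalPath reports whether a replace target is a filesystem path rather than
// a module path; go.mod requires relative targets to start with ./ or ../.
func isLocalPath(target string) bool {
	return strings.HasPrefix(target, "./") || strings.HasPrefix(target, "../") ||
		strings.HasPrefix(target, "/")
}

// ParseModuleLine parses one line of the form "path version [=> target [version]]".
// A directory replace carries no version, so the pre-replace coordinate is kept
// and flagged instead of being treated as a malformed line.
func ParseModuleLine(line string) (Module, error) {
	f := strings.Fields(line)
	switch {
	case len(f) == 1: // the main module itself is listed without a version
		return Module{Path: f[0]}, nil
	case len(f) == 2:
		return Module{Path: f[0], Version: f[1]}, nil
	case len(f) >= 4 && f[2] == "=>":
		if isLocalPath(f[3]) {
			return Module{Path: f[0], Version: f[1], LocalReplace: true, ReplaceDir: f[3]}, nil
		}
		if len(f) == 5 { // replaced by another module: that is what gets compiled in
			return Module{Path: f[3], Version: f[4]}, nil
		}
	}
	return Module{}, fmt.Errorf("unrecognized module line: %q", line)
}

func main() {
	// constructed sample lines, modelled on the example in the PR description
	for _, l := range []string{
		"github.com/ory/kratos-client-go v0.5.4-alpha.1 => ./internal/httpclient",
		"golang.org/x/text v0.3.0 => golang.org/x/text v0.3.3",
	} {
		m, err := ParseModuleLine(l)
		fmt.Printf("%+v err=%v\n", m, err)
	}
}
```

A caller can then decide per coordinate whether a `LocalReplace` entry is sent to OSS Index under its pre-replace version or skipped with a log line, which is the open question in this PR.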

zendern commented 3 years ago


Validates that I can run it against the project that reported the issue. Actually running the -json version of the command I get 517. So maybe that answers the question on what we do when it's replaced with a directory path. Looks like the json version just drops it on the floor.
