Handle subprojects that also have go.mod files

[zendern]

• What are you trying to do? As part of #207 @aeneasr pointed out that they were using subproject/modules and that other big project like Kubernetes have similar setups.

We have fixed the panic issue which is good but what would be even better .... also scanning the deps found in those subproject/modules.

• What feature or behavior is this required for? Make sure all things that a project reference 3rd party dep or subproject/modules is scanned.

• How could we solve this issue? (Not knowing is okay!) So the problem with this is that nancy today requires you to feed it 🥫 🥄 . Which means navigate to where your project go.mod file is located and execute go list -json -m all. That'll give you all the deps of your project and then give that to nancy.

Problem with this is its not recursive. So any submodules that have been referenced using replace will just be listed as hey its over there dummy.

Which is cool and nice that you can do that but now that subproject/modules also has deps that we have not scanned and require the user to setup security scanning on manually.

What would be the bomb diggity is if it could just do it automatically.

See #159 where we have thoughts around making the feeding of nancy no longer a thing. In theory if we did that. We could also then execute the same process for all subproject/modules that we find above.

That just my first thought.... #159 is probably closely related to this but maybe there is another magic way to do it.

• Anything else?

cc @bhamail / @DarthHater

[DarthHater]

So I actually did a lot of this on sage. I'll share some of the code with you!