Closed SirMaster closed 2 years ago
@dnwe, the infallible @SirMaster has cranked this out, if you wouldn't mind taking a gander.
@SirMaster I gave this a quick test on Go 1.16, but it looks like it's not currently extracting the module deps from the input json. Building from your branch and giving it the `-deps -json` output, nancy reports that it didn't scan any modules
```
$ go list -deps -json ./... | ./nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━┫
┃ Audited Dependencies ┃ 0 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━┛
```
Closing in favor of #247
This is an initial look into allowing `go list -deps` to be supported, `go list -deps -json` gives us the specific dependencies that will be used at runtime for a binary of go. By allowing a user to use `go list -deps -json ./... | nancy sleuth` we give control to them by allowing them to choose what to check for vulnerabilities.
This pull request makes the following changes:
go list -deps -json
It relates to the following issue #s:
cc @bhamail / @DarthHater
Note: created a draft PR first to confirm code changes; if all is good, will do documentation changes as well in a full PR.
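The input discussed in this thread, `go list -deps -json`, is a stream of concatenated package objects rather than a JSON array, and only non-standard-library packages carry a `Module` entry. The following is an added example, not the code from this PR or from nancy, showing one way to reduce that stream to the distinct set of modules to audit. The names `listedPackage`, `ModulesFromDepsJSON` and `sampleDeps` are hypothetical, the sample module paths and versions are constructed, and `Module.Replace` is ignored for brevity.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// listedPackage is the subset of a `go list -json` package object used here.
type listedPackage struct {
	Module *struct {
		Path, Version string
		Main          bool
	}
}

// ModulesFromDepsJSON decodes a stream of package objects into sorted, distinct "path@version" modules.
func ModulesFromDepsJSON(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	seen := map[string]bool{}
	for dec.More() { // top-level stream: loop until no further JSON value follows
		var p listedPackage
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		// Stdlib packages have no Module; the main module is the project itself.
		if p.Module == nil || p.Module.Main {
			continue
		}
		seen[p.Module.Path+"@"+p.Module.Version] = true
	}
	mods := make([]string, 0, len(seen))
	for m := range seen {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	return mods, nil
}

// sampleDeps is constructed input for illustration, not real project output.
const sampleDeps = `{"ImportPath":"fmt","Standard":true}
{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"example.com/liba/x","Module":{"Path":"example.com/liba","Version":"v1.2.0"}}
{"ImportPath":"example.com/liba/y","Module":{"Path":"example.com/liba","Version":"v1.2.0"}}
{"ImportPath":"example.com/libb","Module":{"Path":"example.com/libb","Version":"v0.4.1"}}`

func main() {
	fmt.Println(ModulesFromDepsJSON(strings.NewReader(sampleDeps)))
}
```

Several packages usually map to one module, so counting packages instead of modules would overstate the audited dependencies, and reading only the first JSON value would understate them.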