sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0
549 stars, 76 forks

228 - support for go list -deps #238

Closed SirMaster closed 2 years ago

SirMaster commented 3 years ago

This is an initial look into allowing go list -deps to be supported. go list -deps -json gives us the specific dependencies that will be used at runtime for a Go binary. By allowing a user to use go list -deps -json ./... | nancy sleuth, we give control to them by allowing them to choose what to check for vulnerabilities.

This pull request makes the following changes:

It relates to the following issue #s:

cc @bhamail / @DarthHater

Note: created a draft PR first to confirm the code changes; if all is good, will do the documentation changes as well in a full PR.

DarthHater commented 3 years ago

@dnwe , the infallible @SirMaster has cranked this out, if you wouldn't mind taking a gander.

dnwe commented 3 years ago

@SirMaster I gave this a quick test on Go 1.16, but it looks like it's not currently extracting the module deps from the input JSON. Building from your branch and giving it the -deps -json output, nancy reports that it didn't scan any modules:

$ go list -deps -json ./... | ./nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                     ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━┫
┃ Audited Dependencies    ┃ 0 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━┛

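The extraction that dnwe's test shows is missing, written out here as an added example in Go (not nancy's own code and not part of this PR): it consumes the stream of concatenated JSON objects that go list -deps -json emits, one object per package rather than a JSON array, and collects the distinct module path@version pairs a scanner would submit to OSS Index. The struct names, the embedded sample input and the "-" argument for reading stdin are assumptions made for illustration; the JSON field names (ImportPath, Standard, Module, Path, Version, Main, Replace) are the ones go list -json prints.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// listModule is the subset of the Module object that `go list -json` prints.
type listModule struct {
	Path    string      `json:"Path"`
	Version string      `json:"Version"`
	Main    bool        `json:"Main"`
	Replace *listModule `json:"Replace,omitempty"`
}

// listPackage is the subset of the Package object that matters here.
type listPackage struct {
	ImportPath string      `json:"ImportPath"`
	Standard   bool        `json:"Standard"`
	Module     *listModule `json:"Module,omitempty"`
}

// ModuleDeps reads the concatenated JSON objects written by `go list -deps -json`
// and returns the distinct path@version pairs of the third-party modules those
// packages come from, sorted. Standard-library packages (no Module) and packages
// of the main module are skipped. A `replace` directive is honoured by reporting
// the replacement, and a local directory replacement (empty Version) is dropped
// because there is no published version for a vulnerability index to look up.
func ModuleDeps(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	seen := map[string]bool{}
	var deps []string
	for {
		var p listPackage
		err := dec.Decode(&p)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("decoding go list -json output: %w", err)
		}
		if p.Standard || p.Module == nil || p.Module.Main {
			continue
		}
		m := p.Module
		if m.Replace != nil {
			m = m.Replace
		}
		if m.Version == "" {
			continue
		}
		key := m.Path + "@" + m.Version
		if !seen[key] {
			seen[key] = true
			deps = append(deps, key)
		}
	}
	sort.Strings(deps)
	return deps, nil
}

// sampleGoList is a constructed stand-in for real `go list -deps -json ./...`
// output: a std package, a main-module package, two packages from one module,
// a module replaced by another published module, and a local directory replace.
const sampleGoList = `{
	"ImportPath": "fmt",
	"Standard": true
}
{
	"ImportPath": "example.com/app",
	"Module": {"Path": "example.com/app", "Main": true}
}
{
	"ImportPath": "example.com/alpha",
	"Module": {"Path": "example.com/alpha", "Version": "v1.2.3"}
}
{
	"ImportPath": "example.com/alpha/sub",
	"Module": {"Path": "example.com/alpha", "Version": "v1.2.3"}
}
{
	"ImportPath": "example.com/beta",
	"Module": {"Path": "example.com/beta", "Version": "v0.9.0",
	           "Replace": {"Path": "example.org/beta-fork", "Version": "v0.9.1"}}
}
{
	"ImportPath": "example.com/local",
	"Module": {"Path": "example.com/local", "Replace": {"Path": "../local"}}
}
`

func main() {
	var in io.Reader = strings.NewReader(sampleGoList)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin // go list -deps -json ./... | go run main.go -
	}
	deps, err := ModuleDeps(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, d := range deps {
		fmt.Println(d)
	}
}
```

Run it as go list -deps -json ./... | go run main.go - to see what a real dependency tree yields. The embedded sample exercises the three cases a scanner has to get right: several packages mapping to one module (deduplicated to a single entry), a replace that points at a different published module (the replacement is what is actually linked, so that is what gets checked), and a replace that points at a local directory, where a naive read of Path and Version would produce an entry with no version to look up.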
DarthHater commented 2 years ago

Closing in favor of #247