Closed harishkumarbalaji closed 2 years ago
@harishkumarbalaji have you tried scanning using go list -json -deps | nancy sleuth? We just released that about a week ago and it MIGHT remove this situation, since it's using the deps that go is actually using for your end binary. If you can give it a try and let me know, that would be helpful. I'd sort of assume it would do better than go list -m all (which is still useful, since you are scanning the breadth of dependencies that you might encounter, testing, etc...).
It's in this release, if you want to take a gander, I noticed you are using 1.0.22 in the linked issue: https://github.com/sonatype-nexus-community/nancy/releases/tag/v1.0.23
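To show why the two invocations can disagree, here is an added example (not code from nancy or from this thread) that decodes the concatenated JSON stream of go list -json -deps, collects the modules that actually supply a package to the binary, and lists the modules go list -m all reports beyond that set: the graph-only entries where a finding cannot reach the shipped binary. The sample outputs are constructed; the module names and versions in them are illustrative, not taken from a real build.

```go
package main

import (
	"encoding/json"
	"io"
	"strings"
)

// Constructed sample output (not from a real build). `-json -deps` is a stream of
// concatenated objects; `-m all` is "path version" per line, main module first.
const sampleDeps = `{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"github.com/prometheus/client_golang/prometheus","Module":{"Path":"github.com/prometheus/client_golang","Version":"v1.11.0"}}
{"ImportPath":"fmt","Standard":true}`
const sampleMAll = `example.com/app
github.com/prometheus/client_golang v1.11.0
example.com/only-in-graph v0.9.0`
// pkgInfo is the subset of a `go list -json` record used here; standard-library
// packages carry no Module, the main module has Main set and no Version.
type pkgInfo struct {
	Module *struct{ Path, Version string; Main bool }
}

// builtModules decodes the concatenated objects and returns the "path version"
// set of modules that actually supply a package to the binary: the -deps view.
func builtModules(r io.Reader) (map[string]bool, error) {
	dec, built := json.NewDecoder(r), map[string]bool{}
	for {
		var p pkgInfo
		if err := dec.Decode(&p); err == io.EOF {
			return built, nil
		} else if err != nil {
			return nil, err
		}
		if p.Module == nil || p.Module.Main || p.Module.Version == "" {
			continue
		}
		built[p.Module.Path+" "+p.Module.Version] = true
	}
}
// unlinkedModules returns every module `go list -m all` lists that no built package
// comes from (the versionless main-module line is skipped): graph-only entries.
func unlinkedModules(mAll string, built map[string]bool) []string {
	var extra []string
	for _, line := range strings.Split(mAll, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && !built[f[0]+" "+f[1]] {
			extra = append(extra, f[0]+" "+f[1])
		}
	}
	return extra
}
```

On a real project, feed builtModules the output of go list -json -deps ./... and unlinkedModules the output of go list -m all; anything in the returned list is a candidate for the kind of graph-only finding this issue describes.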
@harishkumarbalaji ok if we close this?
Closing due to no response. Feel free to reopen if needed.
What are you trying to do? I am using prometheus/client_golang library in my project and nancy found a critical vulnerability due to circular dependency. For more information please check the issue that I raised there prometheus/client_golang/issues/916#issue-1009583963.
What feature or behaviour is this required for? This false positive means we simply have to exclude a CVE, but I suspect that this situation might arise with other repositories and result in nancy yielding incorrect results.
Anything else? Issue link: prometheus/client_golang/issues/916#issue-1009583963
cc @bhamail / @DarthHater