Wild! For some reason I had thought go list -deps -json was smart enough to have gotten PAST the replace directive, as in I had thought it was a final representation. This is a great catch, thank you!!!
What are you trying to do?
go list -deps -json | nancy sleuth

What feature or behavior is this required for?
Running nancy with the recommended usage to detect vulnerable dependencies. Currently it can result in false-positives when a replace directive has been used to ensure that we aren't vulnerable. Upon inspecting the go list -deps -json output it is showing a replace info, just not respecting it.

How could we solve this issue? (Not knowing is okay!)
Use the replace info provided by go list -deps -json

Anything else?
cc @bhamail / @DarthHater
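
The behaviour requested above, as an added example that is not part of the issue and not nancy's own code: it reads the `go list -deps -json` stream and reports the module coordinate that is actually built, following the `Replace` object when one is present. The function name `EffectiveModules` and the `example.com` module paths are constructed for illustration, and skipping local-directory replacements is a choice made by this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the fields of the Module object in `go list -json` output used here.
type Module struct {
	Path, Version string
	Replace       *Module
}

// sample is constructed `go list -deps -json` output (a stream of JSON objects).
const sample = `{"ImportPath":"fmt","Standard":true}
{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"example.com/lib/a","Module":{"Path":"example.com/lib","Version":"v1.2.0","Replace":{"Path":"example.com/lib","Version":"v1.2.5"}}}
{"ImportPath":"example.com/other","Module":{"Path":"example.com/other","Version":"v0.3.1"}}
{"ImportPath":"example.com/local","Module":{"Path":"example.com/local","Version":"v1.0.0","Replace":{"Path":"../local"}}}`

// EffectiveModules returns each built module once as "path@version", honoring Replace.
func EffectiveModules(r io.Reader) ([]string, error) {
	dec, seen := json.NewDecoder(r), map[string]bool{}
	var out []string
	for dec.More() {
		var p struct{ Module *Module }
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		m := p.Module
		if m != nil && m.Replace != nil { // the replacement is what gets compiled
			m = m.Replace
		}
		if m == nil || m.Version == "" {
			continue // stdlib (no Module), main module or local-directory replacement (no Version)
		}
		if key := m.Path + "@" + m.Version; !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(EffectiveModules(strings.NewReader(sample)))
}
```

With the sample input, `example.com/lib` is reported at the replaced version v1.2.5 rather than the required v1.2.0, which is the version a vulnerability lookup should use.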