Nancy does not respect replace directive

[danieljmt]

• What are you trying to do? go list -deps -json | nancy sleuth.

• What feature or behavior is this required for? Running nancy with the recommended usage to detect vulnerable dependencies. Currently it can result in false-positives when a replace directive has been used to ensure that we aren't vulnerable. Upon inspecting the go list -deps -json output it is showing a replace info, just not respecting it.

    "Module": {
        "Path": "github.com/dgrijalva/jwt-go",
        "Version": "v3.2.0+incompatible",
        "Replace": {
            "Path": "github.com/form3tech-oss/jwt-go",
            "Version": "v3.2.3+incompatible",
            "Time": "2021-05-11T16:32:31Z",
            "Dir": "/Users/danielmarshall/go/pkg/mod/github.com/form3tech-oss/jwt-go@v3.2.3+incompatible",
            "GoMod": "/Users/danielmarshall/go/pkg/mod/cache/download/github.com/form3tech-oss/jwt-go/@v/v3.2.3+incompatible.mod"
        },
        "Indirect": true,
        "Dir": "/Users/danielmarshall/go/pkg/mod/github.com/form3tech-oss/jwt-go@v3.2.3+incompatible",
        "GoMod": "/Users/danielmarshall/go/pkg/mod/cache/download/github.com/form3tech-oss/jwt-go/@v/v3.2.3+incompatible.mod"
    },

• How could we solve this issue? (Not knowing is okay!) Use the replace info provided by go list -deps -json

• Anything else?

cc @bhamail / @DarthHater

[DarthHater]

Wild! For some reason I had thought go list -deps -json was smart enough to have gotten PAST the replace directive, as in I had thought it was a final representation. This is a great catch, thank you!!!