sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0

docs: update readme example #262

Closed adamdecaf closed 2 years ago

adamdecaf commented 2 years ago

The example in the readme doesn't work. It skips over all dependencies.

$ go list -json -deps | nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                     ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━┫
┃ Audited Dependencies    ┃ 0 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━┛

However, this command works. It's not pretty, but it works for us.

$ go list -deps -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' ./... | ./bin/nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 50 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛

These were both run over moov-io/watchman. Example: https://github.com/moov-io/infra/blob/master/go/lint-project.sh#L124

cc @bhamail / @DarthHater

bhamail commented 2 years ago

@adamdecaf Thanks for the PR. I'd like to know more about why you say the command "skips deps". It used to work, so I'm wondering if this is something new. e.g., running nancy on the nancy project itself shows deps being audited:

$ go list -json -deps | ./nancy sleuth
Checking for updates...
You are running 0.0.0-dev
A new release is available (1.0.33)
You can visit the Github releases page for the CLI to manually download and install:
https://github.com/sonatype-nexus-community/nancy/releases

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 49 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛
$ go version
go version go1.18.1 darwin/amd64

What version of go are you using? Any other info about the "why" of this would be great.

adamdecaf commented 2 years ago

It might be the fact that nancy's repository has a main.go which imports the rest of the codebase. Watchman's main method is in ./cmd/server.

Here's what go list -json -deps produces from the root of moov-io/watchman:

√ moov-io/watchman %  go list -json -deps                     
{
    "Dir": "/Users/adam/code/src/github.com/moov-io/watchman",
    "ImportPath": "github.com/moov-io/watchman",
    "Name": "watchman",
    "Target": "/Users/adam/code/pkg/darwin_amd64/github.com/moov-io/watchman.a",
    "Root": "/Users/adam/code/src/github.com/moov-io/watchman",
    "Module": {
        "Path": "github.com/moov-io/watchman",
        "Main": true,
        "Dir": "/Users/adam/code/src/github.com/moov-io/watchman",
        "GoMod": "/Users/adam/code/src/github.com/moov-io/watchman/go.mod",
        "GoVersion": "1.18"
    },
    "Match": [
        "."
    ],
    "Stale": true,
    "StaleReason": "not installed but available in build cache",
    "GoFiles": [
        "version.go"
    ]
}
adamdecaf commented 2 years ago

$ go list -json -deps ./cmd/server | ./bin/nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 48 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛
adamdecaf commented 2 years ago

Adding ./... to the example commands works in both repositories. I've updated the docs to reflect that.

I think the format requirements (of go list) were required with an older version of nancy, but they're not required anymore.
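The thread's root cause is visible in the JSON above: at the root of moov-io/watchman, `go list -json -deps` emits a single package object whose `Module` has `"Main": true` and no third-party modules, so any consumer that derives module coordinates from that stream finds nothing to audit, while `./...` walks every package in the module. The following is an added example (not nancy's own parser, and not code from either project) that decodes the concatenated JSON objects `go list -json -deps` writes and extracts unique non-main module coordinates. The two inputs are constructed to resemble the root-only output shown above and an `./...` run; the module paths and versions in them are made-up placeholders. It also honours `Module.Replace`, which a real `go list` stream can carry, and skips version-less local replaces.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// listPkg mirrors the subset of `go list -json` fields needed here.
type listPkg struct {
	ImportPath string
	Module     *struct {
		Path    string
		Version string
		Main    bool
		Replace *struct {
			Path    string
			Version string
		}
	}
}

// moduleCoordinates decodes the stream of concatenated JSON objects that
// `go list -json -deps` writes and returns the unique module coordinates
// ("path@version") of every non-main module, sorted. Standard-library
// packages (no Module) and packages of the main module are skipped, which
// is why a root package with no imports yields an empty result.
func moduleCoordinates(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	seen := map[string]bool{}
	for {
		var p listPkg
		err := dec.Decode(&p)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		m := p.Module
		if m == nil || m.Main {
			continue // stdlib package, or a package of the main module itself
		}
		path, ver := m.Path, m.Version
		if m.Replace != nil {
			// a `replace` directive points the build at a different
			// module/version; that is what actually gets compiled in
			path, ver = m.Replace.Path, m.Replace.Version
		}
		if ver == "" {
			continue // local directory replace: nothing versioned to audit
		}
		seen[path+"@"+ver] = true
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out, nil
}

// rootOnly is a constructed stand-in for `go list -json -deps` run at the
// root of a module whose root package has no imports (as in the issue).
const rootOnly = `{
  "ImportPath": "github.com/example/app",
  "Module": {"Path": "github.com/example/app", "Main": true}
}`

// withDeps is a constructed stand-in for `go list -json -deps ./...`:
// a stdlib package, two main-module packages, two packages from one
// third-party module, one replaced module, and one local replace.
const withDeps = `{"ImportPath": "fmt"}
{"ImportPath": "github.com/example/app",
 "Module": {"Path": "github.com/example/app", "Main": true}}
{"ImportPath": "github.com/example/app/cmd/server",
 "Module": {"Path": "github.com/example/app", "Main": true}}
{"ImportPath": "golang.org/x/text/unicode/norm",
 "Module": {"Path": "golang.org/x/text", "Version": "v0.3.7"}}
{"ImportPath": "golang.org/x/text/transform",
 "Module": {"Path": "golang.org/x/text", "Version": "v0.3.7"}}
{"ImportPath": "github.com/pkg/errors",
 "Module": {"Path": "github.com/pkg/errors", "Version": "v0.9.1",
            "Replace": {"Path": "github.com/example/errors", "Version": "v0.9.2"}}}
{"ImportPath": "github.com/example/local",
 "Module": {"Path": "github.com/example/local", "Version": "v0.0.0",
            "Replace": {"Path": "../local"}}}`

func main() {
	for _, in := range []struct{ name, data string }{
		{"root only", rootOnly},
		{"./...", withDeps},
	} {
		coords, err := moduleCoordinates(strings.NewReader(in.data))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s audited %d: %v\n", in.name, len(coords), coords)
	}
}
```

Running it prints 0 coordinates for the root-only stream and 2 for the `./...` stream (`github.com/example/errors@v0.9.2` and `golang.org/x/text@v0.3.7`), matching the zero-versus-many pattern in the summaries above; to check a real project, pipe `go list -json -deps ./...` into the program's stdin instead of the constructed strings.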

bhamail commented 2 years ago

I don't see any reason not to include your fix everywhere. I plan to push a few additional changes that include the wildcard pattern momentarily.

bhamail commented 2 years ago

Thanks again @adamdecaf !

adamdecaf commented 2 years ago

Thank you!