Closed adamdecaf closed 2 years ago
@adamdecaf Thanks for the PR. I'd like to know more about why you say the command "skips deps". It used to work, so I'm wondering if this is something new. e.g., running nancy on the nancy project itself shows deps being audited:
$ go list -json -deps | ./nancy sleuth
Checking for updates...
You are running 0.0.0-dev
A new release is available (1.0.33)
You can visit the Github releases page for the CLI to manually download and install:
https://github.com/sonatype-nexus-community/nancy/releases
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies ┃ 49 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛
$ go version
go version go1.18.1 darwin/amd64
What version of go are you using? Any other info about the "why" of this would be great.
It might be the fact that nancy's repository has a main.go which imports the rest of the codebase. Watchman's main method is in ./cmd/server.
Here's what go list -json -deps produces from the root of moov-io/watchman:
√ moov-io/watchman % go list -json -deps
{
"Dir": "/Users/adam/code/src/github.com/moov-io/watchman",
"ImportPath": "github.com/moov-io/watchman",
"Name": "watchman",
"Target": "/Users/adam/code/pkg/darwin_amd64/github.com/moov-io/watchman.a",
"Root": "/Users/adam/code/src/github.com/moov-io/watchman",
"Module": {
"Path": "github.com/moov-io/watchman",
"Main": true,
"Dir": "/Users/adam/code/src/github.com/moov-io/watchman",
"GoMod": "/Users/adam/code/src/github.com/moov-io/watchman/go.mod",
"GoVersion": "1.18"
},
"Match": [
"."
],
"Stale": true,
"StaleReason": "not installed but available in build cache",
"GoFiles": [
"version.go"
]
}
$ go list -json -deps ./cmd/server | ./bin/nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies ┃ 48 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛
Adding ./... to the example commands works in both repositories. I've updated the docs to reflect that.
I think the format requirements (of go list) was required with an older version of nancy, but it's not required anymore.
I don't see any reason not to include your fix everywhere. I plan to push a few additional changes that include the wildcard pattern momentarily.
Thanks again @adamdecaf!
Thank you!
The example in the readme doesn't work. It skips over all dependencies.
However, this command works. It's not pretty, but works for us.
These are both run over moov-io/watchman.
Example: https://github.com/moov-io/infra/blob/master/go/lint-project.sh#L124
cc @bhamail / @DarthHater
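Added example (not from this thread and not nancy's own code): a small Go check that lists the third-party modules a given `go list -json -deps` output exposes, so the root-package case discussed above shows up as an empty list before the output is piped into an auditor. The helper name `thirdPartyModules`, the sample inputs and the `example.com/dep` module are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// pkg holds the only `go list -json` field this check needs.
type pkg struct {
	Module *struct {
		Path, Version string
		Main          bool
	}
}

// thirdPartyModules reads the concatenated JSON objects printed by
// `go list -json -deps` and returns the distinct non-main modules, sorted.
func thirdPartyModules(r io.Reader) ([]string, error) {
	seen := map[string]bool{}
	for dec := json.NewDecoder(r); dec.More(); {
		var p pkg
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		if p.Module == nil || p.Module.Main {
			continue // no module info (e.g. standard library) or the project itself
		}
		seen[p.Module.Path+"@"+p.Module.Version] = true
	}
	mods := make([]string, 0, len(seen))
	for m := range seen {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	return mods, nil
}

// Constructed samples: rootOnly is trimmed from the output quoted in the
// thread; withDeps appends a hypothetical dependency, example.com/dep.
const rootOnly = `{"ImportPath":"github.com/moov-io/watchman","Module":{"Path":"github.com/moov-io/watchman","Main":true}}`
const withDeps = rootOnly + `
{"ImportPath":"fmt","Standard":true}
{"ImportPath":"example.com/dep/a","Module":{"Path":"example.com/dep","Version":"v1.2.3"}}
{"ImportPath":"example.com/dep/b","Module":{"Path":"example.com/dep","Version":"v1.2.3"}}`

func main() {
	fmt.Println(thirdPartyModules(strings.NewReader(withDeps)))
}
```

An empty result on real output is the signal that the package pattern matched only the project's own packages and nothing downstream will be audited.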