Readme: Relation to govulncheck

[falco467]

• What are you trying to do? A new tool was released by go developers this month:

https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck

And I'm trying to decide how this tool is different from Nancy and if I should use both of them, or if one fully replaces the other?

• What feature or behavior is this required for? Reduced time and complexity of CI-chain.

• How could we solve this issue? (Not knowing is okay!) Could you include a section in your readme how Nancy differs from the standard-tool govulncheck ? e.g. what does Nancy do more/less/different. So people can easily decide which tool to use, or if both tools solve different problems.

cc @bhamail / @DarthHater

[adamdecaf]

govulncheck looks at the AST (compiled code) to determine call paths which have known vulnerabilities. This involves compiling with a vulnerable Go's standard library or imported libraries. govulncheck uses the Go project's vulnerability database while Nancy uses Sonatype's and the open source index. Nancy inspects dependency files to look at all possible vulnerable library usage.

[kishaningithub]

It would be great if this was documented in the README

[orsenthil]

Explained it in README here https://github.com/sonatype-nexus-community/nancy/pull/277