Open falco467 opened 1 year ago
govulncheck looks at the AST (compiled code) to determine call paths which have known vulnerabilities. This involves compiling with a vulnerable Go's standard library or imported libraries. govulncheck uses the Go project's vulnerability database while Nancy uses Sonatype's and the open source index. Nancy inspects dependency files to look at all possible vulnerable library usage.
It would be great if this was documented in the README
Explained it in README here https://github.com/sonatype-nexus-community/nancy/pull/277
https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
And I'm trying to decide how this tool is different from Nancy and if I should use both of them, or if one fully replaces the other?
What feature or behavior is this required for? Reduced time and complexity of CI-chain.
How could we solve this issue? (Not knowing is okay!) Could you include a section in your readme how Nancy differs from the standard-tool govulncheck ? e.g. what does Nancy do more/less/different. So people can easily decide which tool to use, or if both tools solve different problems.
cc @bhamail / @DarthHater