Nancy

nancy is a tool to check for vulnerabilities in your Golang dependencies. It is powered by Sonatype OSS Index and also works with Nexus IQ Server, giving you a smooth experience as a Golang developer using the best tools in the market!

Usage

nancy currently works for projects that use dep or go mod for dependencies.

 ~ > nancy --help
nancy is a tool to check for vulnerabilities in your Golang dependencies,
powered by the 'Sonatype OSS Index', and as well, works with Nexus IQ Server, allowing you
a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy [flags]
  nancy [command]

Examples:
  Typical usage will pipe the output of 'go list -json -deps' to 'nancy':
  go list -json -deps ./... | nancy sleuth [flags]
  go list -json -deps ./... | nancy iq [flags]

  If using dep typical usage is as follows :
  nancy sleuth -p Gopkg.lock [flags]
  nancy iq -p Gopkg.lock [flags]


Available Commands:
  config      Setup credentials to use when connecting to services
  help        Help about any command
  iq          Check for vulnerabilities in your Golang dependencies using 'Sonatype's Nexus IQ IQServer'
  sleuth      Check for vulnerabilities in your Golang dependencies using Sonatype's OSS Index
  update      Check if there are any updates available

Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -c, --clean-cache            Deletes local cache directory
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Inde, example: /tmp
  -h, --help                   help for nancy
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

Use "nancy [command] --help" for more information about a command.


$ > nancy sleuth --help
'nancy sleuth' is a command to check for vulnerabilities in your Golang dependencies, powered by the 'Sonatype OSS Index'.

Usage:
  nancy sleuth [flags]

Examples:
  go list -json -deps ./... | nancy sleuth --username your_user --token your_token
  nancy sleuth -p Gopkg.lock --username your_user --token your_token

Flags:
  -a, --additional-exclude-vulnerability-files strings   Path to additional files containing newline separated CVEs or OSS Index IDs to be excluded
  -e, --exclude-vulnerability CveListFlag                Comma separated list of CVEs or OSS Index IDs to exclude (default [])
  -x, --exclude-vulnerability-file string                Path to a file containing newline separated CVEs or OSS Index IDs to be excluded (default "./.nancy-ignore")
  -h, --help                                             help for sleuth
  -n, --no-color                                         indicate output should not be colorized
  -o, --output string                                    Styling for output format. json, json-pretty, text, csv (default "text")

Global Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Inde, example: /tmp
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

$ > nancy iq --help
'nancy iq' is a command to check for vulnerabilities in your Golang dependencies, powered by 'Sonatype's Nexus IQ IQServer', allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy iq [flags]

Examples:
  go list -json -deps ./... | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop
  nancy iq -p Gopkg.lock --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop

Flags:
  -h, --help                    help for iq
  -a, --iq-application string   Specify Nexus IQ public application ID for request
  -x, --iq-server-url string    Specify Nexus IQ server url for request (default "http://localhost:8070")
  -s, --iq-stage string         Specify Nexus IQ stage for request (default "develop")
  -k, --iq-token string         Specify Nexus IQ token for request (default "admin123")
  -l, --iq-username string      Specify Nexus IQ username for request (default "admin")

Global Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Inde, example: /tmp
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

What is the best usage of Nancy?

The preferred way to use Nancy is:

  • go list -json -deps ./... | nancy sleuth
  • nancy sleuth -p /path/to/Gopkg.lock

If you would like to scan all dependencies, including those that do not end up in the final binary, you can use go list -json -m all instead:

  • go list -json -m all | nancy sleuth

CI Usage

Here are some additional tools to simplify using Nancy in your CI environment:

Docker usage

nancy now comes in a boat! For ease of use, we've dockerized nancy. To use our Dockerfile:

go list -json -deps ./... | docker run --rm -i sonatypecommunity/nancy:latest sleuth

We publish a few different flavors for convenience:

  • Latest if you want to be on the bleeding edge ex: latest
  • The full tag for those concerned with 100% reliability of underlying Nancy ex: v0.1.1
  • The major version (we respect semver) ex: v0
  • The major/minor version (seriously, we respect semver) ex: v0.1

Want to build them locally?

  1. Install goreleaser or use their provided docker image (https://goreleaser.com/install/)

  2. Run goreleaser with the following options:

     goreleaser release --skip-publish --snapshot --rm-dist

     or the docker version of goreleaser:

     docker run --privileged \
       -v $PWD:/go/src/github.com/user/repo \
       -v /var/run/docker.sock:/var/run/docker.sock \
       -w /go/src/github.com/user/repo \
       goreleaser/goreleaser release --skip-publish --snapshot --rm-dist

  3. Once complete you will have the images built locally. Use docker images to see them:

     > docker images
     REPOSITORY                TAG                           IMAGE ID            CREATED             SIZE
     sonatypecommunity/nancy   alpine                        f966c833c762        52 seconds ago      19.9MB
     sonatypecommunity/nancy   v1-alpine                     f966c833c762        52 seconds ago      19.9MB
     sonatypecommunity/nancy   v1.0-alpine                   f966c833c762        52 seconds ago      19.9MB
     sonatypecommunity/nancy   v1.0.0-alpine                 f966c833c762        52 seconds ago      19.9MB
     sonatypecommunity/nancy   latest                        7cb89e362115        53 seconds ago      14.1MB
     sonatypecommunity/nancy   v1                            7cb89e362115        53 seconds ago      14.1MB
     sonatypecommunity/nancy   v1.0                          7cb89e362115        53 seconds ago      14.1MB
     sonatypecommunity/nancy   v1.0.0                        7cb89e362115        53 seconds ago      14.1MB


OSS Index Options

Rate limiting / Setting OSS Index config

NOTE: New as of Nancy v0.1.17

If you start using Nancy extensively, you might run into Rate Limiting from OSS Index! Don't worry, we've got your back!

If you run into Rate Limiting you should receive an error that will give you instructions on how to register on OSS Index:

You have been rate limited by OSS Index.
If you do not have a OSS Index account, please visit https://ossindex.sonatype.org/user/register to register an account.
After registering and verifying your account, you can retrieve your username (Email Address), and API Token
at https://ossindex.sonatype.org/user/settings. Upon retrieving those, run 'nancy config', set your OSS Index
settings, and rerun Nancy.

After setting this config, you'll be gifted a nice new higher rate limit. If you exceed even this limit, you might take a look at using Nexus IQ Server, or reach out to the friendly people at OSS Index for partnership opportunities.

You can also set the user and token via the command line like so:

nancy sleuth --username [email protected] --token A4@k3@p1T0k3n

This can be handy for testing your account out, or if you want to override your set config with a different user.

As of Nancy v1.0.17, you can also specify configuration values using environment variables:

export OSSI_USERNAME=your_user@example.com
export OSSI_TOKEN=A4@k3@p1T0k3n
go list -json -deps ./... | ./nancy sleuth
...

Loud mode

By default, nancy runs in a "quiet" mode, only displaying a list of vulnerable components. You can run nancy in a loud manner, showing all components by running:

  • nancy sleuth --loud -p /path/to/your/Gopkg.lock
  • go list -json -deps ./... | nancy sleuth --loud

Exclude vulnerabilities

Sometimes you'll run into a vulnerable dependency that, after taking a look, you either aren't affected by or cannot resolve for some reason. Nancy understands, and will let you exclude these vulnerabilities so you can get back to a passing build.

Vulnerabilities excluded will then be silenced and not show up in the output or fail your build.

We support exclusion of vulnerability either by CVE-ID (ex: CVE-2018-20303) or via the OSS Index ID (ex: a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14) as not all vulnerabilities have a CVE-ID.

Via CLI flag

  • nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2 -p /path/to/your/Gopkg.lock
  • go list -json -deps ./... | nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2

Via file

By default, if a file named .nancy-ignore exists in the directory nancy is run from, it will be used automatically; no other options need to be passed.

If you would like to define the path to the file yourself, you can use the following:

  • nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file -p /path/to/your/Gopkg.lock
  • go list -json -deps ./... | nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file

If you would like to split your excludes into multiple files besides your root .nancy-ignore, you can pass them via the -a or --additional-exclude-vulnerability-files flag.

  • nancy sleuth --additional-exclude-vulnerability-files=/path/to/first,/path/to/second
  • nancy sleuth -a /path/to/first -a /path/to/second

You can also combine it with the -x / --exclude-vulnerability-file flag. Nancy merges the additional files on top of the root .nancy-ignore.

  • nancy sleuth -x .nancy-ignore.global -a .nancy-ignore.local

The file format requires each vulnerability that you want to exclude to be on a separate line. Comments are allowed in the file as well to help provide context when needed. See an example file below.

# This vulnerability is coming from package xyz, we are ok with this for now
CVN-111
CVN-123 # Mitigated the risk of this since we only use one method in this package and the affected code doesn't matter
CVN-543

It's also possible to define expiring ignores: if you add a date to a vulnerability ignore, it will be ignored until that date, and once that date has passed nancy will report it again if it's still an issue. The format of an expiring ignore looks as follows. They can also be followed by comments to provide context as to why it's been ignored until that date.

CVN-111 until=2021-01-01
CVN-543 until=2018-02-12 #Waiting on release from third party. Should be out before this date but gives us a little time to fix it.

Output

We support multiple different output formats; examples can be found below for each. This intentionally vulnerable repo was used to generate the example output. The Quiet option is supported in text and csv; json formatting ignores the Quiet option and outputs the same values whether or not it is passed.

text (default)

Nancy version: development
!!!!! WARNING !!!!!
Scanning cannot be completed on the following package(s) since they do not use semver.
[1/1]pkg:golang/github.com/go-gitea/[email protected]

------------------------------------------------------------
[1/10]pkg:golang/github.com/bitly/[email protected]  [Vulnerable]   1 known vulnerabilities affecting installed version

[CVE-2017-1000070]  URL Redirection to Untrusted Site ("Open Redirect")
The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819

ID:9eb9a5bc-8310-4104-bf85-3a820d28ba79
Details:https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79
[2/10]pkg:golang/github.com/cockroachdb/[email protected]   No known vulnerabilities against package/version
------------------------------------------------------------
[3/10]pkg:golang/github.com/ethereum/[email protected]  [Vulnerable]   1 known vulnerabilities affecting installed version

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

...

Audited dependencies:10,Vulnerable:6

json

{"audited":[{"Coordinates":"pkg:golang/github.com/bitly/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]","Vulnerabilities":[{"Id":"9eb9a5bc-8310-4104-bf85-3a820d28ba79","Title":"[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2017-1000070","Reference":"https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/cockroachdb/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/cockroachdb/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ethereum/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]","Vulnerabilities":[{"Id":"4efaed86-e62e-4c0c-b812-36c07e61ede4","Title":"CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')","Description":"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/elastic/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email 
protected]","Vulnerabilities":[{"Id":"8e4d562d-517b-4d00-a845-a7a3e2be41db","Title":"[CVE-2017-11480]  Improper Access Control","Description":"Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"CVE-2017-11480","Reference":"https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/etcd-io/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/etcd-io/[email protected]","Vulnerabilities":[{"Id":"5c876f5e-2814-4822-baf0-1092fc63ec25","Title":"[CVE-2018-1098]  Cross-Site Request Forgery (CSRF)","Description":"A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.","CvssScore":"8.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","Cve":"CVE-2018-1098","Reference":"https://ossindex.sonatype.org/vuln/5c876f5e-2814-4822-baf0-1092fc63ec25","Excluded":false},{"Id":"8a190129-526c-4ee0-b663-92f38139c165","Title":"[CVE-2018-1099]  Improper Input Validation","Description":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. 
An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","CvssScore":"5.5","CvssVector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-1099","Reference":"https://ossindex.sonatype.org/vuln/8a190129-526c-4ee0-b663-92f38139c165","Excluded":false},{"Id":"69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Title":"[CVE-2018-16886]  Improper Authentication","Description":"etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.","CvssScore":"8.1","CvssVector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-16886","Reference":"https://ossindex.sonatype.org/vuln/69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/github/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/github/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gogs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gogs/[email protected]","Vulnerabilities":[{"Id":"a4c682fa-9c9f-4e9e-b218-720d5125b17f","Title":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","Description":"The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream 
component.","CvssScore":"9.9","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/a4c682fa-9c9f-4e9e-b218-720d5125b17f","Excluded":false},{"Id":"304fa9e0-012e-4385-88b2-88c0c5ec3247","Title":"[CVE-2018-15192] An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0....","Description":"An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.","CvssScore":"8.6","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","Cve":"CVE-2018-15192","Reference":"https://ossindex.sonatype.org/vuln/304fa9e0-012e-4385-88b2-88c0c5ec3247","Excluded":false},{"Id":"a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Title":"[CVE-2018-20303]  Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")","Description":"In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-20303","Reference":"https://ossindex.sonatype.org/vuln/a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Excluded":false},{"Id":"bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Title":"[CVE-2018-18925] Gogs 0.11.66 allows remote code execution because it does not properly validate ...","Description":"Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a \"..\" session-file forgery in the file session provider in file.go. 
This is related to session ID handling in the go-macaron/session code for Macaron.","CvssScore":"9.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-18925","Reference":"https://ossindex.sonatype.org/vuln/bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Excluded":false},{"Id":"bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Title":"[CVE-2018-15178]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2018-15178","Reference":"https://ossindex.sonatype.org/vuln/bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Excluded":false},{"Id":"fc70a115-52cc-44ea-a33d-793267f860dd","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/fc70a115-52cc-44ea-a33d-793267f860dd","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/goharbor/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/goharbor/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gophish/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gophish/[email protected]","Vulnerabilities":[{"Id":"0416e202-2705-431d-9915-8ed93334ca58","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/0416e202-2705-431d-9915-8ed93334ca58","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ipfs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ipfs/[email protected]","Vulnerabilities":[],"InvalidSemVer":false}],"exclusions":[],"invalid":[{"Coordinates":"pkg:golang/github.com/go-gitea/[email protected]","Reference":"","Vulnerabilities":null,"InvalidSemVer":true}],"num_audited":10,"num_vulnerable":6,"version":"development","vulnerable":[{"Coordinates":"pkg:golang/github.com/bitly/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]","Vulnerabilities":[{"Id":"9eb9a5bc-8310-4104-bf85-3a820d28ba79","Title":"[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. 
This issue was caused by improper input validation and a violation of RFC-6819","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2017-1000070","Reference":"https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ethereum/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]","Vulnerabilities":[{"Id":"4efaed86-e62e-4c0c-b812-36c07e61ede4","Title":"CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')","Description":"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/elastic/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email protected]","Vulnerabilities":[{"Id":"8e4d562d-517b-4d00-a845-a7a3e2be41db","Title":"[CVE-2017-11480]  Improper Access Control","Description":"Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. 
If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"CVE-2017-11480","Reference":"https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/etcd-io/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/etcd-io/[email protected]","Vulnerabilities":[{"Id":"5c876f5e-2814-4822-baf0-1092fc63ec25","Title":"[CVE-2018-1098]  Cross-Site Request Forgery (CSRF)","Description":"A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.","CvssScore":"8.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","Cve":"CVE-2018-1098","Reference":"https://ossindex.sonatype.org/vuln/5c876f5e-2814-4822-baf0-1092fc63ec25","Excluded":false},{"Id":"8a190129-526c-4ee0-b663-92f38139c165","Title":"[CVE-2018-1099]  Improper Input Validation","Description":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. 
An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","CvssScore":"5.5","CvssVector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-1099","Reference":"https://ossindex.sonatype.org/vuln/8a190129-526c-4ee0-b663-92f38139c165","Excluded":false},{"Id":"69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Title":"[CVE-2018-16886]  Improper Authentication","Description":"etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.","CvssScore":"8.1","CvssVector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-16886","Reference":"https://ossindex.sonatype.org/vuln/69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gogs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gogs/[email protected]","Vulnerabilities":[{"Id":"a4c682fa-9c9f-4e9e-b218-720d5125b17f","Title":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","Description":"The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.","CvssScore":"9.9","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/a4c682fa-9c9f-4e9e-b218-720d5125b17f","Excluded":false},{"Id":"304fa9e0-012e-4385-88b2-88c0c5ec3247","Title":"[CVE-2018-15192] 
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0....","Description":"An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.","CvssScore":"8.6","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","Cve":"CVE-2018-15192","Reference":"https://ossindex.sonatype.org/vuln/304fa9e0-012e-4385-88b2-88c0c5ec3247","Excluded":false},{"Id":"a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Title":"[CVE-2018-20303]  Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")","Description":"In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-20303","Reference":"https://ossindex.sonatype.org/vuln/a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Excluded":false},{"Id":"bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Title":"[CVE-2018-18925] Gogs 0.11.66 allows remote code execution because it does not properly validate ...","Description":"Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a \"..\" session-file forgery in the file session provider in file.go. 
This is related to session ID handling in the go-macaron/session code for Macaron.","CvssScore":"9.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-18925","Reference":"https://ossindex.sonatype.org/vuln/bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Excluded":false},{"Id":"bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Title":"[CVE-2018-15178]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2018-15178","Reference":"https://ossindex.sonatype.org/vuln/bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Excluded":false},{"Id":"fc70a115-52cc-44ea-a33d-793267f860dd","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/fc70a115-52cc-44ea-a33d-793267f860dd","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gophish/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gophish/[email protected]","Vulnerabilities":[{"Id":"0416e202-2705-431d-9915-8ed93334ca58","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other 
users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/0416e202-2705-431d-9915-8ed93334ca58","Excluded":false}],"InvalidSemVer":false}]}

json-pretty

{
  "audited": [
    {
      "Coordinates": "pkg:golang/github.com/bitly/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Title": "[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")",
          "Description": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819",
          "CvssScore": "6.1",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "Cve": "CVE-2017-1000070",
          "Reference": "https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/cockroachdb/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/cockroachdb/[email protected]",
      "Vulnerabilities": [],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/ethereum/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
          "Description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "",
          "Reference": "https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    ...
  ],
  "exclusions": [],
  "invalid": [
    {
      "Coordinates": "pkg:golang/github.com/go-gitea/[email protected]",
      "Reference": "",
      "Vulnerabilities": null,
      "InvalidSemVer": true
    }
  ],
  "num_audited": 10,
  "num_vulnerable": 6,
  "version": "development",
  "vulnerable": [
    {
      "Coordinates": "pkg:golang/github.com/bitly/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Title": "[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")",
          "Description": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819",
          "CvssScore": "6.1",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "Cve": "CVE-2017-1000070",
          "Reference": "https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/ethereum/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
          "Description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "",
          "Reference": "https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/elastic/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "8e4d562d-517b-4d00-a845-a7a3e2be41db",
          "Title": "[CVE-2017-11480]  Improper Access Control",
          "Description": "Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "CVE-2017-11480",
          "Reference": "https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    ...
  ]
}
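
A CI job normally consumes this JSON rather than reading it by eye. The Go program below is an added example, not part of nancy: it parses output of the shape shown above, fails the build when any non-excluded vulnerability reaches a CVSS threshold, and separately reports the packages nancy could not audit, since "no known vulnerabilities" was never established for those. The struct tags follow the field names in the output above (note that CvssScore is emitted as a string, so it is parsed rather than decoded as a number); the embedded report is constructed, with placeholder coordinates and ids, and the 7.0 threshold is the example's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strconv"
)

// Only the fields the gate needs; encoding/json ignores the rest of nancy's
// output (Title, Description, CvssVector, Reference, ...). CvssScore is a JSON
// string in nancy's output, so it is parsed explicitly below.
type vulnerability struct {
	ID        string `json:"Id"`
	CvssScore string `json:"CvssScore"`
	Cve       string `json:"Cve"`
	Excluded  bool   `json:"Excluded"`
}

type pkg struct {
	Coordinates     string          `json:"Coordinates"`
	Vulnerabilities []vulnerability `json:"Vulnerabilities"` // null for invalid packages
}

type report struct {
	Vulnerable []pkg `json:"vulnerable"`
	Invalid    []pkg `json:"invalid"`
}

// finding is one vulnerability that breaches the gate.
type finding struct {
	Coordinates string
	ID          string // CVE when assigned, otherwise the OSS Index id
	Score       float64
}

// Constructed sample in the shape of the json-pretty output above. Coordinates,
// ids and titles are placeholders; the scores reuse values from the README.
const sampleReport = `{
  "audited": [], "exclusions": [], "num_audited": 3, "num_vulnerable": 2, "version": "development",
  "invalid": [{"Coordinates": "pkg:golang/example.com/unversioned@abc1234", "Reference": "", "Vulnerabilities": null, "InvalidSemVer": true}],
  "vulnerable": [
    {"Coordinates": "pkg:golang/example.com/webproxy@v2.1.0", "InvalidSemVer": false, "Vulnerabilities": [
      {"Id": "00000000-0000-0000-0000-000000000001", "Title": "placeholder", "CvssScore": "6.1", "Cve": "", "Excluded": false}]},
    {"Coordinates": "pkg:golang/example.com/rpcnode@v1.9.0", "InvalidSemVer": false, "Vulnerabilities": [
      {"Id": "00000000-0000-0000-0000-000000000002", "Title": "placeholder", "CvssScore": "7.5", "Cve": "", "Excluded": false},
      {"Id": "00000000-0000-0000-0000-000000000003", "Title": "placeholder, excluded via .nancy-ignore", "CvssScore": "9.8", "Cve": "", "Excluded": true}]}
  ]
}`

// gate returns the non-excluded vulnerabilities scoring at or above minScore
// (highest first) and the coordinates nancy could not audit (no SemVer).
// A CI job fails when findings is non-empty.
func gate(data []byte, minScore float64) (findings []finding, unaudited []string, err error) {
	var r report
	if err = json.Unmarshal(data, &r); err != nil {
		return nil, nil, fmt.Errorf("parse nancy output: %w", err)
	}
	for _, p := range r.Vulnerable {
		for _, v := range p.Vulnerabilities {
			if v.Excluded {
				continue
			}
			score, perr := strconv.ParseFloat(v.CvssScore, 64)
			if perr != nil {
				return nil, nil, fmt.Errorf("%s: unparsable CvssScore %q", p.Coordinates, v.CvssScore)
			}
			if score >= minScore {
				id := v.Cve
				if id == "" {
					id = v.ID
				}
				findings = append(findings, finding{p.Coordinates, id, score})
			}
		}
	}
	for _, p := range r.Invalid {
		unaudited = append(unaudited, p.Coordinates)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Score > findings[j].Score })
	return findings, unaudited, nil
}

func main() {
	findings, unaudited, err := gate([]byte(sampleReport), 7.0)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("FAIL %s  %s  CVSS %.1f\n", f.Coordinates, f.ID, f.Score)
	}
	for _, c := range unaudited {
		fmt.Printf("WARN not audited (no SemVer): %s\n", c)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

With the embedded sample the gate reports one failure (the 7.5 finding), skips the excluded 9.8 entry, and warns about the unversioned package; to gate a real run, feed the bytes of nancy's JSON output to gate instead of sampleReport. nancy's own exit code already fails a build on any vulnerability; a threshold like this is for teams that want to treat low-score findings as warnings while still seeing them.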

csv

Summary
Audited Count,Vulnerable Count,Build Version
10,6,development

Invalid Package(s)
Count,Package,Reason
[1/1],pkg:golang/github.com/go-gitea/[email protected],Does not use SemVer

Audited Package(s)
Count,Package,Is Vulnerable,Num Vulnerabilities,Vulnerabilities
[1/10],pkg:golang/github.com/bitly/[email protected],true,1,"[{""Id"":""9eb9a5bc-8310-4104-bf85-3a820d28ba79"",""Title"":""[CVE-2017-1000070]  URL Redirection to Untrusted Site (\""Open Redirect\"")"",""Description"":""The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819"",""CvssScore"":""6.1"",""CvssVector"":""CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"",""Cve"":""CVE-2017-1000070"",""Reference"":""https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79"",""Excluded"":false}]"
[2/10],pkg:golang/github.com/cockroachdb/[email protected],false,0,[]
[3/10],pkg:golang/github.com/ethereum/[email protected],true,1,"[{""Id"":""4efaed86-e62e-4c0c-b812-36c07e61ede4"",""Title"":""CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')"",""Description"":""The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended."",""CvssScore"":""7.5"",""CvssVector"":""CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"",""Cve"":"""",""Reference"":""https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4"",""Excluded"":false}]"
...

Nexus IQ Server Options

By default, assuming you have an out-of-the-box Nexus IQ Server running, you can run nancy like so:

go list -json -deps ./... | nancy iq --iq-application public-application-id

It is STRONGLY suggested that you do not run against the out-of-the-box defaults, and nancy will warn you on output if you do.

A more logical use of nancy against Nexus IQ Server will look like so:

go list -json -deps ./... | nancy iq --iq-application public-application-id --iq-username nondefaultuser --iq-token yourtoken --iq-server-url http://adifferentserverurl:port --iq-stage develop

Options for stage are as follows:

build, develop, stage-release, release

By default --iq-stage will be develop.

Successful submissions to Nexus IQ Server result in an OS exit code of 0, meaning all is clear, and a response akin to:

Wonderbar! No policy violations reported for this audit!
Report URL:  http://reportURL

Failed submissions will either indicate failure because of an issue with processing the request, or a policy violation. Both will exit with a code of 1, allowing you to fail your build in CI. Policy Violation failures will include a report URL where you can learn more about why you encountered a failure.

Policy violations will look like:

Hi, Nancy here, you have some policy violations to clean up!
Report URL:  http://reportURL

Errors processing in Nexus IQ Server will look like:

Uh oh! There was an error with your request to Nexus IQ Server: <error>

Persistent Nexus IQ Server Config

Nancy lets you set the Nexus IQ Server Address, User and Token as persistent config (application and stage are generally per project, so we do not let you set these globally).

To set your Nexus IQ Server config run:

nancy config

Choose iq as an option and run through the rest of the config. Once you are done, Nancy should use this config for communicating with Nexus IQ, simplifying your use of the tool.

As of Nancy v1.0.17, you can also specify configuration values using environment variables:

export [email protected]
export OSSI_TOKEN=A4@k3@p1T0k3n
export IQ_USERNAME=nondefaultuser
export IQ_TOKEN=yourtoken
export IQ_SERVER=http://adifferentserverurl:port
go list -json -deps ./... | ./nancy iq --iq-application public-application-id
...

Usage in CI

You can see an example of using nancy in Travis-CI at this intentionally vulnerable repo we made.

Nancy also runs on itself (delicious dog food!) in CircleCI, in a myriad of fashions. You can see how we do that here in our repo's CircleCI config.

Big CI Note:

Nancy will automatically check for newer releases of Nancy, and will prompt you when updates are detected. The automatic update check will only occur once every 28 hours, and the date stamp of the last update check is stored in the file: ~/.ossindex/.nancy-config/update_check.yml.

If you have a huge CI matrix build, and want to avoid all the builds performing the automatic update check, you may want to configure your CI build to cache the above directory.

DISCLAIMER

A portion of the golang ecosystem doesn't use proper versions, and instead uses a commit hash to resolve your dependency. Dependencies like this will not work with nancy quite yet, as we don't have a mechanism on OSS Index to lookup vulnerabilities in that manner.

Why Nancy?

Nancy Drew was the first female detective used extensively in literature, and gave women across the world a new hero.

This project is called nancy as like the great detective herself, it looks for problems you might not be aware of, and gives you the information to help put them to an end!

Relationship to govulncheck

Starting with Go 1.18, the Go community has used a tool called govulncheck, shipped with the Go distribution, to check for vulnerabilities. Govulncheck reports known vulnerabilities using static analysis of source code or a binary's symbol table. Nancy uses Sonatype's OSS Index, and inspects dependency files to look at all possible vulnerable library usage.

Installation

At the current time you have a few options:

  • Build from source
  • Download release binary from here on GitHub
  • Install via Homebrew (macOS)
  • Install from the AUR (Arch Linux)

Build from source

  • Clone the project: git clone github.com/sonatype-nexus-community/nancy
  • In the root of the project, run make
    • This will execute multiple targets so if you want to short circuit some of that process you can also just run make build to get the binary without running tests, linting, etc
  • Use that binary wherever your heart so desires!

Download release binary

Each tag pushed to this repo creates a new release binary, and if you'd like to skip building from source, you can download a binary similar to:

$ curl -o /path/where/you/want/nancy \
  https://github.com/sonatype-nexus-community/nancy/releases/download/v0.0.44/nancy-darwin.amd64-v0.0.44

Install via Homebrew (macOS)

On macOS, nancy can be installed using brew:

  • brew install sonatype-nexus-community/nancy-tap/nancy

brew formulae are created and published to that tap with each new release, so you can use brew to upgrade, etc... as you wish.

You can see more about the formulae, etc... at this repo.

Install from the AUR (Arch Linux)

On Arch Linux, nancy can be installed using the AUR:

$ yay -S nancy-bin

How to Fix Vulnerabilities

So you've found a vulnerability. Now what? The best case is to upgrade the vulnerable component to a newer/non-vulnerable version. However, it is likely the vulnerable component is not a direct dependency, but instead is a transitive dependency (a dependency of a dependency, of a dependency, wash-rinse-repeat). In such a case, the first step is to figure out which direct dependency (and sub-dependencies) depend on the vulnerable component.

The command go mod graph | grep my/vulnerable will show which module(s) pull in the my/vulnerable package.

As an example, suppose we've learned that component github.com/gogo/protobuf, version 1.2.1 is vulnerable (CVE-2021-3121). Use the following command to determine which components depend on github.com/gogo/protobuf.

$ go mod graph | grep github.com/gogo/protobuf
github.com/gogo/[email protected] github.com/kisielk/[email protected]
github.com/spf13/[email protected] github.com/gogo/[email protected]
github.com/prometheus/[email protected] github.com/gogo/[email protected]
github.com/prometheus/[email protected] github.com/gogo/[email protected]
github.com/spf13/[email protected] github.com/gogo/[email protected]

There are a number of approaches to resolving the vulnerability, but no matter which approach you choose, you should probably make sure all the tests are passing before making any dependency changes.

$ go test ./...
?       github.com/sonatype-nexus-community/nancy       [no test files]
ok      github.com/sonatype-nexus-community/nancy/buildversion  (cached)
ok      github.com/sonatype-nexus-community/nancy/internal/audit        (cached)
ok      github.com/sonatype-nexus-community/nancy/internal/cmd  0.206s
ok      github.com/sonatype-nexus-community/nancy/internal/customerrors (cached)
?       github.com/sonatype-nexus-community/nancy/internal/logger       [no test files]
ok      github.com/sonatype-nexus-community/nancy/packages      (cached)
ok      github.com/sonatype-nexus-community/nancy/parse (cached)
?       github.com/sonatype-nexus-community/nancy/settings      [no test files]
ok      github.com/sonatype-nexus-community/nancy/types (cached)
ok      github.com/sonatype-nexus-community/nancy/update        (cached)

We now know the vulnerable component is pulled in by github.com/spf13/[email protected] (among others). Ideally, we could upgrade the direct dependency (github.com/spf13/viper) to a version that does not depend on a vulnerable version of the transitive dependency (github.com/gogo/protobuf).
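
The grep above lists only the immediate requirers of the vulnerable module; in a deep tree it is the chain back to one of your own direct dependencies that tells you what to upgrade or whom to report to. The following Go program is an added example, not nancy's code: it parses go mod graph output (where only the main module appears without a version), walks the reverse edges, and prints every require chain from the main module down to any version of the target path, followed by the direct dependencies at the top of those chains. The embedded graph is constructed: it reuses the module names from the example above, but every version except github.com/gogo/protobuf@v1.2.1 is made up.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output (not real project data). Each line
// is "<requirer> <required>"; only the main module has no @version. Every version
// except github.com/gogo/protobuf@v1.2.1 is made up for this illustration.
const sampleGraph = `example.com/app github.com/spf13/viper@v1.7.0
example.com/app github.com/prometheus/client_golang@v1.0.0
github.com/spf13/viper@v1.7.0 github.com/gogo/protobuf@v1.2.1
github.com/prometheus/client_golang@v1.0.0 github.com/prometheus/common@v0.4.0
github.com/prometheus/common@v0.4.0 github.com/gogo/protobuf@v1.2.1
github.com/gogo/protobuf@v1.2.1 github.com/kisielk/errcheck@v1.2.0
`

type modGraph struct {
	requiredBy map[string][]string // reverse edges: module@version -> its requirers
	mainModule string              // the only node without an @version
}

func parseModGraph(text string) (*modGraph, error) {
	g := &modGraph{requiredBy: map[string][]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // blank line; go mod graph never emits anything else
		}
		g.requiredBy[f[1]] = append(g.requiredBy[f[1]], f[0])
		if !strings.Contains(f[0], "@") {
			g.mainModule = f[0]
		}
	}
	if g.mainModule == "" {
		return nil, fmt.Errorf("no main module found in graph")
	}
	return g, nil
}

func modulePath(node string) string { return strings.SplitN(node, "@", 2)[0] }

// chainsTo returns every require chain from the main module to any version of
// target, rendered "main > dep@v > ... > target@v". Nodes on the current path
// are tracked because go mod graph can contain cycles.
func (g *modGraph) chainsTo(target string) []string {
	var chains []string
	var climb func(node string, below []string, onPath map[string]bool)
	climb = func(node string, below []string, onPath map[string]bool) {
		if onPath[node] {
			return
		}
		path := append([]string{node}, below...) // fresh slice; node becomes the top
		if node == g.mainModule {
			chains = append(chains, strings.Join(path, " > "))
			return
		}
		onPath[node] = true
		for _, parent := range g.requiredBy[node] {
			climb(parent, path, onPath)
		}
		delete(onPath, node)
	}
	for node := range g.requiredBy {
		if modulePath(node) == target {
			climb(node, nil, map[string]bool{})
		}
	}
	sort.Strings(chains)
	return chains
}

// directDepsPulling reduces the chains to the direct dependencies (the hop just
// below the main module) whose upgrade, or whose maintainers, can drop target.
func (g *modGraph) directDepsPulling(target string) []string {
	seen := map[string]bool{}
	var direct []string
	for _, c := range g.chainsTo(target) {
		hops := strings.Split(c, " > ")
		if len(hops) > 1 && !seen[hops[1]] {
			seen[hops[1]] = true
			direct = append(direct, hops[1])
		}
	}
	sort.Strings(direct)
	return direct
}

func main() {
	g, err := parseModGraph(sampleGraph)
	if err != nil {
		panic(err)
	}
	for _, c := range g.chainsTo("github.com/gogo/protobuf") {
		fmt.Println(c)
	}
	fmt.Println("direct deps to upgrade or report:", g.directDepsPulling("github.com/gogo/protobuf"))
}
```

To run it on a real project, replace sampleGraph with the text of go mod graph (reading it from stdin is the natural choice) and pass the vulnerable module path, without a version, to chainsTo. The output names github.com/spf13/viper and github.com/prometheus/client_golang as the direct dependencies to act on, which is exactly the decision the next paragraphs walk through.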

In some cases, no such upgrade of the direct dependency exists that avoids a dependence on the vulnerable component. In such a case, the next step is to file an issue with the direct dependency project for them to update the vulnerable sub-dependencies. Be sure to read and follow any vulnerability reporting instructions published by the project: Look for a SECURITY.md file, or other instructions on how to report vulnerabilities. Some projects may prefer you not report the vulnerability publicly. Here's an example of such a bug report: Issue #1066

Avoid use of replace command to permit use of new go install command.

  • The section below describing the use of the replace directive is no longer ideal due to changes in how the go install command behaves with projects containing replace directives. See Deprecation of 'go get' for installing executables.

    Here's an example of the issue: cmd/go: go install cmd@version errors out when module with main package has replace directive

  • Instead of replace, you can update the // indirect dependency version to a non-vulnerable version. e.g.: In the second require stanza of go.mod where all the indirect dependencies are listed, update the dependency version:

    require (
        ... <first require stanza - direct dependencies listed here>
    )
    
    require (
        ... <second require stanza - indirect dependencies listed here>
        // fix vulnerability: CVE-2021-38561 in golang.org/x/text v0.3.5
        golang.org/x/text v0.3.7 // indirect
        ...
    )
    

(Deprecated, see above) Until the direct dependency is updated, the next best solution is to use a replace directive in the go.mod file to use a newer version of the transitive dependency. See replace directive.

To avoid semver issues, you probably want to use a newer dependency version that is in the same "major.minor" version as the vulnerable dependency version.

(Deprecated, see above) You can add the following replace directive to your go.mod file to use a newer version of github.com/gogo/protobuf:

// fix vulnerability: CVE-2021-3121 in github.com/gogo/protobuf v1.2.1
replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2

Be aware that even after you add a replace directive, go mod graph will still show the old dependency version. You can verify the new version is actually used via the go list command:

$ go mod tidy -compat=1.17
$ go list -deps | grep github.com/gogo/protobuf
github.com/gogo/protobuf v1.2.1 => github.com/gogo/protobuf v1.3.2

You can see that v1.2.1 is replaced with v1.3.2.

Finally, you may want to submit a PR to the project with the vulnerable dependency (to fix the issues you reported earlier) in a new release of the direct dependency. Even better, also tell them about nancy and maybe they will add nancy to their own CI system.

Yet another resolution, if no other options make sense, is to knowingly ignore the vulnerability. This may be the best option if you know the application does not use the vulnerable code path and no upgraded/non-vulnerable versions are available. See: Exclude vulnerabilities

Development

nancy is written using Golang 1.13, so it is best you start there.

Tests can be run like this: make test

Adding new files? Get the license header correct with:

go get -u github.com/google/addlicense
addlicense -v -f ./header.txt .

Release Process

Follow the steps below to release a new version of Nancy. You need to be part of the deploy from circle ci group for this to work.

  1. Checkout/pull the latest main branch, and create a new tag with the desired semantic version and a helpful note:

    $ git tag -a v1.0.x -m "Helpful message in tag"
  2. Push the tag up:

    $ git push origin v1.0.x
  3. There is no step 3.

Contributing

We care a lot about making the world a safer place, and that's why we created nancy. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

Acknowledgements

The nancy logo was created using a combo of Gopherize.me and good ole Photoshop. Thanks to the creators of Gopherize for an easy way to make a fun Gopher :)

Original Gopher designed by Renee French.

The Fine Print

Remember:

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to bach support in regard to this project
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all - have fun!

Getting help

Looking to contribute to our code but need some help? There are a few ways to get information:

nancy's People

Contributors

adamdecaf, ajbrown, alexandear, bcbarbosa, bhamail, bradcupit, danieljmt, darthhater, deadlysyn, designergod420, fitzoh, flimzy, jmdacruz, ken-duck, kishaningithub, michelkazi, nblair, orsenthil, packrat386, protoworlock69, scherzhaft, tneer, uvegla, zendern

nancy's Issues

How to resolve after a detected vulnerability / Why is go.sum used as the source for nancy?

  • What are you trying to do?

We run nancy as part of our CI pipeline. Today the following issue has been detected:

------------------------------------------------------------
[31/38] golang/golang.org/x/[email protected]  [Vulnerable]    1 known vulnerabilities affecting installed version

[CVE-2019-11841]  Cryptographic Issues
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message
 can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker
 to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an
 attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.

ID: 01142a7e-4766-4863-983b-898ab7f482d3
Details: https://ossindex.sonatype.org/vuln/01142a7e-4766-4863-983b-898ab7f482d3

To resolve the issue, I executed:

GO111MODULE=on go get -u golang.org/x/crypto

which updated go.mod and go.sum in my project.

But with the next run of nancy, the problem was not resolved, the issue is still reported, because the vulnerable version of the package is still mentioned in the go.sum file (as well as the newer version):

------------------------------------------------------------
[29/41] golang/golang.org/x/[email protected]  [Vulnerable]    1 known vulnerabilities affecting installed version

[CVE-2019-11841]  Cryptographic Issues
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message
 can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker
 to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an
 attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.

ID: 01142a7e-4766-4863-983b-898ab7f482d3
Details: https://ossindex.sonatype.org/vuln/01142a7e-4766-4863-983b-898ab7f482d3

...

[38/41] golang/golang.org/x/[email protected]    No known vulnerabilities against package/version...

This did not change even if I execute GO111MODULE=on go mod tidy.

In the go.mod file the referenced version is correct:

golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472 // indirect
  • What feature or behavior is this required for?

A clear way to get back to a proper state after a vulnerability is detected by nancy and there is already an updated version of the dependency available.

  • How could we solve this issue? (Not knowing is okay!)

I edited the go.sum file manually and removed all but the latest references for golang.org/x/crypto so I ended up with a recent enough version, such that nancy is no longer complaining.

  • Anything else?

So my question is, what is the correct way to resolve an issue detected by nancy and get back to a proper state, where the CI pipeline no longer fails.

Why does nancy use the go.sum file as source/reference instead of the go.mod file?

This issue is also related to #16, because this would be the workaround (if there is no updated dependency available yet or to prevent from the need of manually updating go.sum).

cc @bhamail / @DarthHater

Remove go.sum option

  • What are you trying to do?
    Only support the new authoritative way in go to get a list of dependencies. go list -m all should be the way, the path, the truth. So allowing for using go.sum should no longer be needed.

  • What feature or behavior is this required for?
    To not support 2 ways to deal with go mod. go list -m all is the authoritative way to do the thing so lets do that.

  • How could we solve this issue? (Not knowing is okay!)
    Remove some code :)

  • Anything else?
    When we do this its probably a major bump of nancy as we are removing functionality

cc @bhamail / @DarthHater

Missing Gopkg.lock causes crash

In the case that Gopkg.toml exists but Gopkg.lock does not, nancy crashes with a nil pointer dereference:

Nancy version: development
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x935557]

goroutine 1 [running]:
github.com/sonatype-nexus-community/nancy/packages.ExtractPurlsUsingDep(0xc00002a124, 0x2b, 0xc00002b170, 0x2b, 0xc00002a139, 0x16, 0xc0001749a0, 0x0, 0x0, 0xc00002a139, ...)
        /home/jonhall/go/src/github.com/sonatype-nexus-community/nancy/packages/dep.go:23 +0x37
main.doCheckExistenceAndParse()
        /home/jonhall/go/src/github.com/sonatype-nexus-community/nancy/main.go:102 +0x214
main.main()
        /home/jonhall/go/src/github.com/sonatype-nexus-community/nancy/main.go:63 +0x104

To reproduce, create an empty directory containing a Gopkg.toml file, then attempt to run nancy. Example:

$ mkdir asdf
$ cd asdf
asdf$ touch Gopkg.toml
asdf$ nancy Gopkg.lock

Integration/Dogfood test for our docker image

  • What are you trying to do?
    We have really good dogfood tests for nancy on itself for the binary build but we do not have that in place for the Docker image.

  • What feature or behavior is this required for?
    Doing the same dogfood test for the docker image to make sure we dont break it

  • How could we solve this issue? (Not knowing is okay!)
    Probably need to build the Dockerfile at build time (even though it will happen again as part of goreleaser) and then run it and make sure it does what we expect.

  • Anything else?

cc @bhamail / @DarthHater

Allow comments in .nancy-ignore

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?
    Exclude a vulnerability in nancy and make it clear why it was ignored

  • What feature or behavior is this required for?
    Allowing future me to know wtf is going on without having to dig into git history

  • How could we solve this issue? (Not knowing is okay!)
    Add comments to .nancy-ignore

  • Anything else?
    Maybe this sort of works already?
    Would a "comment" just be an ignored vuln?

cc @bhamail / @DarthHater

Implement logging for Nancy

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?
    Nancy could use some logging, for helping people diagnose issues like @fitzoh in #71

  • What feature or behavior is this required for?
    It is just a way we can get some better detail from users when they run into issues

  • How could we solve this issue? (Not knowing is okay!)
    The suggestion is to:

  • Log to ~/.ossindex
  • Provide a mechanism to specify the log location (if someone wants to log to /tmp, etc...
  • Log debug by default to it's own file (all log levels), and then errors to an error file
  • Maybe cycle logs on each request (so people don't end up with a growing log file and have no idea why)
  • DO NOT LOG SENSITIVE INFO
  • Anything else?
    Have fun!?

cc @bhamail / @DarthHater

Inconsistency when stdin is from file [bug]

Steps to reproduce

  1. Try variant 1:

     go list -m all | nancy
    
  2. Try variant 2:

     go list -m all > go-list.txt
     nancy < go-list.txt
    

Actual result

The variant 1 works OK, variant 2 does not work (prints the usage):

C:\nancy>go list -m all | nancy
<...>
2020/03/11 22:45:54 Nancy version: development
Nancy version: development
[1/38]pkg:golang/github.com/AndreasBriese/[email protected]   No known vulnerabilities against package/version
[2/38]pkg:golang/github.com/BurntSushi/[email protected]   No known vulnerabilities against package/version
<...>
[38/38]pkg:golang/github.com/go-yaml/[email protected]   No known vulnerabilities against package/version

Audited dependencies:38,Vulnerable:0

C:\nancy>go list -m all > go-list.txt

C:\nancy>nancy < go-list.txt
<...>
2020/03/11 22:46:14 Nancy version: development
Usage:
        go list -m all | nancy [options]
        go list -m all | nancy iq [options]
        nancy [options] </path/to/Gopkg.lock>
        nancy [options] </path/to/go.sum>

Options:
<...>

Expected result

Both variants work identically.

cc @bhamail / @DarthHater
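
The issue does not say which stdin check nancy was making, but the reported symptom (a pipe works, a file redirect prints the usage) is what you get from testing for a named pipe instead of for "not a terminal". The Go program below is an added example, not nancy's code: it shows the two checks side by side and a reader for go list -m all style input; the embedded module list is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// Constructed sample of `go list -m all` output: the main module alone on the
// first line, then "path version" pairs. Names and versions are placeholders.
const sampleGoList = `example.com/app
example.com/lib/one v1.0.0
example.com/lib/two v0.2.0
`

// stdinIsRedirected reports whether stdin is fed from a pipe or a file rather
// than an interactive terminal. A terminal is a character device; a pipe has
// ModeNamedPipe set; a file redirected with "<" is a regular file with neither
// flag. Testing "not a character device" therefore accepts both
// "go list -m all | tool" and "tool < go-list.txt".
func stdinIsRedirected(fi os.FileInfo) bool {
	return fi.Mode()&os.ModeCharDevice == 0
}

// pipeOnly is the narrower test that accepts the pipe but rejects the file
// redirect, reproducing the asymmetry reported in the issue. It is here only
// for comparison; do not use it as the stdin check.
func pipeOnly(fi os.FileInfo) bool {
	return fi.Mode()&os.ModeNamedPipe != 0
}

// readModulePaths returns the module paths from go list -m all style input,
// skipping blank lines and dropping the version column where present.
func readModulePaths(r io.Reader) ([]string, error) {
	var paths []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) > 0 {
			paths = append(paths, f[0])
		}
	}
	if err := sc.Err(); err != nil {
		return nil, fmt.Errorf("reading module list: %w", err)
	}
	return paths, nil
}

func main() {
	fi, err := os.Stdin.Stat()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if !stdinIsRedirected(fi) {
		// Nothing piped or redirected in: print usage, as nancy does.
		fmt.Fprintln(os.Stderr, "usage: go list -m all | tool\n       tool < go-list.txt")
		os.Exit(2)
	}
	paths, err := readModulePaths(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("read %d module paths\n", len(paths))
}
```

Run it both ways (go list -m all | go run stdin.go and go run stdin.go < go-list.txt) and both print a module count; swap stdinIsRedirected for pipeOnly in main and the second invocation falls back to the usage text, which is the behaviour the issue describes.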

Is there a better way to do this test logic??

  • What are you trying to do?
    Checking for if running in a test in production code is kinda icky..... is there a refactor that can be done here so that this is not necessary??

const TestLogfilename = "nancy.test.log"

nancy/logger/logger.go

Lines 75 to 80 in a76019e

func useTestLogFile(args []string) bool {
	if stringPrefixInSlice("-test.", args) && !stringInSlice("-iq", args) {
		return true
	}
	return false
}

  • What feature or behavior is this required for?
    Nothing really.....just removing a little ickyness

  • How could we solve this issue? (Not knowing is okay!)
    Maybe conversion to a struct or something where the log directory could be passed in easily. Or something else ¯\_(ツ)_/¯

  • Anything else?

cc @bhamail / @DarthHater

Simplify Config

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?

Right now the methods for parsing config (OSS Index and IQ) are largely identical, which is a code smell!

We should endeavor to make these as simple as possible (but no simpler, don't go too wild!)

  • What feature or behavior is this required for?

Long term code maintainability, right now if we add a common config variable we have two places to deal with it. An example is the verbose flags for the logger.

  • How could we solve this issue? (Not knowing is okay!)

Buyer's choice! Don't let me hamper your creativity!

  • Anything else?

AH THE JOYS OF CONFIG!

cc @bhamail / @DarthHater / @zendern / @fitzoh

Building docker image locally

Steps to reproduce

docker build -t nancy:latest .

Actual result

C:\nancy>docker build -t nancy:latest .
Sending build context to Docker daemon  19.07MB
Step 1/8 : FROM alpine:latest as builder
 ---> 11cd0b38bc3c
Step 2/8 : RUN apk update     && apk upgrade     && apk add --no-cache ca-certificates     && update-ca-certificates 2>/dev/null || true     && rm -rf /var/cache/apk/*
 ---> Using cache
 ---> 6b6b2114f9b6
Step 3/8 : COPY nancy /
COPY failed: stat /var/lib/docker/tmp/docker-builder436129135/nancy: no such file or directory

Expected result

No errors.

cc @bhamail / @DarthHater

Ingest Dockerfile into Nancy repo, publish to Dockerhub

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?
    @djschleen wrote this:

https://github.com/sonatype-nexus-community/docker-nancy

I would like to bring that Docker stuff into the nancy main repo, so that when we create new versions of nancy, we can also create docker images and push them to the hub, in a sorta seamless manner.

  • What feature or behavior is this required for?

It's not required for anything per se, but it makes our publishing of things out to the wild a bit easier.

  • How could we solve this issue? (Not knowing is okay!)

WORK! Bring in the Dockerfile, build it as a part of our release step.

One thing that is mandatory is that: Nancy on a boat has to come over to this repo too, that logo is way too cute to be lost!

Another nice thing would be to go update https://github.com/sonatype-nexus-community/nancy-github-action to use an image we publish to the hub

  • Anything else?

Have a blast!

cc @bhamail / @DarthHater

go get failing

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?

go get -u github.com/sonatype-nexus-community/nancy

  • What feature or behavior is this required for?

  • How could we solve this issue? (Not knowing is okay!)

  • Anything else?

go: finding github.com/dgryski/go-farm latest
go: finding github.com/coreos/pkg latest
go: finding github.com/coreos/go-systemd latest
go: finding github.com/google/pprof latest
go: finding github.com/jstemmer/go-junit-report latest
go: finding github.com/tmc/grpc-websocket-proxy latest
go: finding golang.org/x/lint latest
go: finding google.golang.org/genproto latest
go: finding github.com/prometheus/client_model latest
go: finding golang.org/x/net latest
go: finding github.com/modern-go/concurrent latest
go: finding golang.org/x/sync latest
go: finding golang.org/x/oauth2 latest
go: finding golang.org/x/sys latest
go: finding github.com/logrusorgru/aurora latest
go: finding golang.org/x/mobile latest
go: finding golang.org/x/time latest
go: finding golang.org/x/exp latest
go: finding github.com/shopspring/decimal latest
go: finding golang.org/x/tools latest
go: finding github.com/armon/consul-api latest
go: finding golang.org/x/crypto latest
go: finding github.com/golang/glog latest
go: finding github.com/mwitkow/go-conntrack latest
go: finding github.com/kr/logfmt latest
go: finding github.com/xiang90/probing latest
go: finding github.com/BurntSushi/xgb latest
go: finding github.com/AndreasBriese/bbloom latest
go: finding gopkg.in/check.v1 latest
go: finding github.com/golang/groupcache latest
go: finding golang.org/x/image latest
go: finding github.com/alecthomas/units latest
go: finding github.com/alecthomas/template latest
go: finding github.com/dgryski/go-sip13 latest
# github.com/sonatype-nexus-community/nancy/audit
audit/auditlog.go:32:15: not enough arguments in call to aurora.Gray
	have (string)
	want (uint8, interface {})
# github.com/sonatype-nexus-community/nancy/ossindex
ossindex/ossindex.go:62:6: opts.Dir undefined (type func(string) badger.Options has no field or method Dir)
ossindex/ossindex.go:63:6: opts.ValueDir undefined (type func(string) badger.Options has no field or method ValueDir)
ossindex/ossindex.go:64:23: cannot use opts (type func(string) badger.Options) as type badger.Options in argument to badger.Open
ossindex/ossindex.go:161:16: txn.SetWithTTL undefined (type *badger.Txn has no field or method SetWithTTL)

Add exclusions

I would like to add nancy to the build of a Go project and have it fail if a vulnerability is discovered.
To do this I would need an option to exclude certain vulnerabilities from the scan as there might be false positives and vulnerabilities that do not apply in a certain context.
This would be similar to e.g. the ossindex maven plugin: https://sonatype.github.io/ossindex-maven/maven-plugin/excludes.

Make nancy not so exit heavy

  • What are you trying to do?
    As part of #68 @DarthHater was trying to do some testing and the fact that Nancy exits like it's going out of style made it overly difficult.

For now the exits have been put back in place instead of using a panic which made testing easier to do.

General go guidance is as follows, so this is where we should start to move the codebase.

The convention in the Go libraries is that even when a package uses panic internally, its external API still presents explicit error return values.
  • What feature or behavior is this required for?
    No real feature just more of a tech debt/cleanup/make it better type thing.

  • How could we solve this issue? (Not knowing is okay!)
    Stop exiting so much and panic instead but at the same time we still will want to preserve the exit codes and the user friendly messages after this change. No stack trace should be presented to the user.

  • Anything else?
    ¯\_(ツ)_/¯

cc @bhamail / @DarthHater

nancy requires glibc

I'm trying to run nancy as part of my build chain which uses an alpine tag (1.13.0-alpine3.10) of the official golang docker image.

The nancy binary would not run. To reproduce, create the following Dockerfile:

FROM golang:1.13.0-alpine3.10

RUN wget -O- -q "https://github.com/sonatype-nexus-community/nancy/releases/download/v0.0.24/nancy-linux.amd64-v0.0.24" > /usr/bin/nancy\
    && chmod +x /usr/bin/nancy

And build & run it like this: docker run -it --rm $(docker build -q .) /usr/bin/nancy

The result will be standard_init_linux.go:211: exec user process caused "no such file or directory".

This is due to nancy being built with CGO_ENABLED=1 (the default setting) against glibc. Since alpine does not bring a glibc but musl as their libc implementation this doesn't work.

As far as I can see nancy does not need CGO_ENABLED so the fix is simple: disable it. I will open a PR...

/cc @bhamail / @DarthHater

400 bad request when checking Gopkg.lock

Shared on behalf of @Tanner from gophers.slack.com

After installing via go get sonatype-nexus-community/nancy/... , the following error is received when attempting to scan the Gopkg.lock file:

badger 2019/02/13 16:03:11 INFO: All 0 tables opened in 0s
badger 2019/02/13 16:03:12 WARNING: While forcing compaction on level 0: Unable to fill tables
Error auditing packages - error: [400 Bad Request] error accessing OSS Index

Sample file from another user that also fails w/ a 400:
Gopkg.lock.txt

(had to add a .txt extension so GitHub would accept the file upload)

Extra newline printed in quiet mode

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?

Use the quiet mode. When I run it, I see:

image

Where there's an extra odd newline. This newline makes sense when not in quiet mode, as a line will be printed for each dependency, so this helps distinguish the results. But in quiet mode, it just looks weird.

  • What feature or behavior is this required for?

Quiet mode.

  • How could we solve this issue? (Not knowing is okay!)

If in quiet mode, don't print the extra newline before the results.

  • Anything else?

cc @bhamail / @DarthHater

Refactor config to use `config *interface{}`

We've been sneaking up on changing the design of the OSSI / IQ config classes to support better reuse/reduced duplication/DRYness.

This Issue exists to track that, and collect ideas on how to git 'er done.

see: loadConfigFromFile(configLocation string, config *Configuration)

see: https://github.com/sonatype-nexus-community/nancy/pull/108/files

Another idea: refactor the configuration/parse.go -> loadConfigFromFile() and loadIQConfigFromFile() methods to take io.Reader - instead of a path configLocation. The tests could then easily pass in bytes representing the various file contents. This would also allow the tests to avoid pesky disk access.

And in the other direction, similarly use io.Writer instead of ConfigLocation inside configuration/set.go -> marshallAndWriteToDisk.

cc @bhamail / @DarthHater

Exit with non-zero status on Mac OS when there's any vulnerabilities found

nancy doesn't exit with non-zero status code on Mac OS. I'm using the latest binary for Darwin (nancy-darwin.amd64-v0.0.33) in one of my projects which has 1 vulnerability. It goes through all the packages and shows the result correctly:

...
Audited dependencies: 402, Vulnerable: 1

however it seems like exit code was 0:

$ echo $!                                                     1
0

Seems like it's not the case in linux packages that we're using in CI: https://travis-ci.org/sonatype-nexus-community/intentionally-vulnerable-golang-project/builds/490260408

Cleanup error messaging

  • What are you trying to do?
    Cleanup the output of the cli..... steps to reproduce
  1. Install nancy
  2. Execute nancy --version
  3. Notice the no such file or directory error...probably not important to show that error.
nancy --version                                                                                           [4b539b9]
open /Users/zender/.ossindex/.oss-index-config: no such file or directory
0.1.17
build time: 2020-04-10T19:19:52Z
build commit: ddaa880e12e6ce183caa4ff5f55fda1d16b94390
  • What feature or behavior is this required for?
    Nothing really .... just cleaning stuff up.

  • How could we solve this issue? (Not knowing is okay!)
    First thought is to change that to a logLady instead of the println that it probably is.

  • Anything else?

cc @bhamail / @DarthHater

switch to Go Modules

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?

Switch from using dep for dependency management to using Go Modules & a module proxy (i.e. GoNexus)

  • What feature or behavior is this required for?

Building the project

  • How could we solve this issue? (Not knowing is okay!)

Run go mod init to migrate from the dep config files, and then verify that the build still works and tests still pass

  • Anything else?

I'm happy to do this work, if folks are ok with the general idea

Exclude by package

  • What are you trying to do?
    After a conversation on gitter with @islippers a nice to have feature would be to add the ability to exclude a full package. Use case here would be if you know that a package is only used in tests and you don't care about any CVE that pop up for it.

This is really a stop gap until go mod contains a good way to separate the difference between prod and test packages.

  • What feature or behavior is this required for?
    Easily exclude test packages from nancy scanning.

  • How could we solve this issue? (Not knowing is okay!)
    Update exclusion logic to along with CVE, OSS Index ID to support package name/path as well.

  • Anything else?

cc @bhamail / @DarthHater

Introduce go linting to CI process

  • What are you trying to do?

The issue that spurred PR #59 was found via running a go linter. https://github.com/golangci/golangci-lint to be specific. But we should get this or at a dead minimum go vet in place as part of our CI pipeline. This will help our code suck less.

  • What feature or behavior is this required for?
    Doing linting on all PRs and master builds

  • How could we solve this issue? (Not knowing is okay!)
    Introduce golangci-lint or go vet as part of the build process.

  • Anything else?
    golangci-lint has a lot of configurability as well as lots more linters/tools that come with that have the ability to help find and fix issues. Whereas go vet is a do one thing and only that thing. It did point out the same issue fixed as part of #59 but that was it.

golangci-lint does in fact run go vet as part of its process.

The defaults for golangci-lint are as follows :
image

@flimzy mentioned that he likes to configure some others that are not enabled by default so hopefully they will fill us in on those details and we can discuss further.

I currently don't have strong opinions on what we enable at the moment. At this point getting either in place or even a different option is better than the nothing we have today.

cc @bhamail / @DarthHater / @flimzy

Allow Vulnerability Exclusion via a file

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?

It would be neat if someone could check in a file that has the CVE's, vulnerabilities, etc... that they want excluded from Nancy. It would run as if you were running ./nancy -exclude-vulnerability but take a file path or pick one up by default

  • What feature or behavior is this required for?

It's just an improved way of allowing someone to use Nancy on their project

  • How could we solve this issue? (Not knowing is okay!)

You'd likely create a new command line flag for a file, determine a type of file and format (comma separated list or new line separated list come to mind), and either load it by default if present, or allow someone to specify a path for it

  • Anything else?

Have fun! You can look at #28 to get an idea of how to put things together.

cc @bhamail / @DarthHater
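An added example, not nancy's code, that serves the three exclusion requests above (Add exclusions, Exclude by package, exclusion via a file): it parses a newline-separated exclusion file of CVE ids, OSS Index ids and package paths, then applies it to a constructed set of findings so that the vulnerable count a CI gate would act on drops to zero. The file format, the `/` heuristic for package entries, the type names and the placeholder advisory id are all assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// vuln and result are constructed stand-ins for what nancy prints per finding.
type vuln struct {
	CVE string // e.g. "CVE-2019-5736" (empty when the advisory has no CVE)
	ID  string // OSS Index vulnerability id
}

type result struct {
	Purl  string // e.g. "pkg:golang/github.com/opencontainers/runc@v1.0.0-rc6"
	Vulns []vuln
}

// exclusions: vulnerability ids and whole package paths, matched case-insensitively.
type exclusions struct {
	vulnIDs  map[string]bool
	packages map[string]bool
}

// parseExclusions reads one entry per line; "#" starts a comment, blank lines
// are skipped. Assumption, not nancy's format: an entry containing "/" is a
// package path (github.com/foo/bar), anything else is a vulnerability id.
func parseExclusions(r io.Reader) (exclusions, error) {
	ex := exclusions{vulnIDs: map[string]bool{}, packages: map[string]bool{}}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		line = strings.ToLower(strings.TrimSpace(line))
		switch {
		case line == "":
		case strings.Contains(line, "/"):
			ex.packages[line] = true
		default:
			ex.vulnIDs[line] = true
		}
	}
	return ex, sc.Err()
}

// purlPath turns "pkg:golang/github.com/foo/bar@v1.2.3" into "github.com/foo/bar".
func purlPath(purl string) string {
	s := strings.TrimPrefix(purl, "pkg:golang/")
	if i := strings.LastIndexByte(s, '@'); i >= 0 {
		s = s[:i]
	}
	return strings.ToLower(s)
}

// apply drops excluded vulnerabilities and every finding of an excluded package.
// It returns the filtered results and the number of packages still vulnerable,
// which is what the "Vulnerable: N" summary and a CI exit code should use.
func (e exclusions) apply(results []result) ([]result, int) {
	out := make([]result, 0, len(results))
	vulnerable := 0
	for _, r := range results {
		kept := result{Purl: r.Purl}
		if !e.packages[purlPath(r.Purl)] {
			for _, v := range r.Vulns {
				if e.vulnIDs[strings.ToLower(v.CVE)] || e.vulnIDs[strings.ToLower(v.ID)] {
					continue // excluded by CVE or by OSS Index id
				}
				kept.Vulns = append(kept.Vulns, v)
			}
		}
		if len(kept.Vulns) > 0 {
			vulnerable++
		}
		out = append(out, kept)
	}
	return out, vulnerable
}

// sampleResults is constructed input: the runc finding quoted on this page, a
// test-only package with a placeholder advisory id, and one clean package.
func sampleResults() []result {
	return []result{
		{Purl: "pkg:golang/github.com/opencontainers/runc@v1.0.0-rc6", Vulns: []vuln{{CVE: "CVE-2019-5736", ID: "d089f726-f419-4e72-ab60-05be37d02b68"}}},
		{Purl: "pkg:golang/github.com/example/testonly@v0.1.0", Vulns: []vuln{{ID: "PLACEHOLDER-OSSINDEX-ID"}}},
		{Purl: "pkg:golang/github.com/BurntSushi/toml@v0.3.1"},
	}
}

func main() {
	const file = "# constructed exclusion file\nCVE-2019-5736\ngithub.com/example/testonly # tests only\n"
	ex, err := parseExclusions(strings.NewReader(file))
	if err != nil {
		panic(err)
	}
	out, n := ex.apply(sampleResults())
	fmt.Printf("Audited dependencies: %d, Vulnerable: %d\n", len(out), n) // 3, 0
}
```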

panic when passing -q flag

I mistakenly tried to use -q instead of -quiet (forgetting the usage). Instead of being told of the bad flag, nancy instead panicked.

panic: runtime error: slice bounds out of range [:5] with length 2

goroutine 1 [running]:
github.com/sonatype-nexus-community/nancy/logger.init.0()
	/home/jake/go/pkg/mod/github.com/sonatype-nexus-community/[email protected]/logger/logger.go:35 +0x1c5

Forgive my deletion of the template; it seemed like a feature request template whereas this is a bug.

I'm on v0.1.11.

cc @bhamail / @DarthHater

Make nancy scan something vulnerable as part of CI

  • What are you trying to do?
    We have this project here https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project that we created. As part of digging into #107 we found that it was no longer correct and a valid example. We should probably make nancy and it a little more integrated.

  • What feature or behavior is this required for?
    Make sure nancy doesn't break and is actually picking up vulns and keep our test project up to date when we need to.

  • How could we solve this issue? (Not knowing is okay!)
    Initial thought is to wire up nancy to scan this repo at CI time and make sure that vulns are actually being reported.

intentionally-vulnerable-golang-project does have a script already that runs nancy against it.
https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project/blob/master/build.sh
So we could look at modifying that but it living in nancy repo??
Or maybe we move the whole project into nancy repo??
Or maybe we just trigger that build and use latest nancy version after??
Idk .... dealer's choice really.

  • Anything else?
    ¯\_(ツ)_/¯

cc @bhamail / @DarthHater

Nancy does not work with full semver

  • What are you trying to do?

I am trying to resolve a CVE in my go mod:

$  go list -m all | nancy -quiet      
------------------------------------------------------------
[15/26] pkg:golang/github.com/opencontainers/[email protected]  [Vulnerable]    1 known vulnerabilities affecting installed version

[CVE-2019-5736]  Containment Errors (Container Errors)
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

ID:d089f726-f419-4e72-ab60-05be37d02b68
Details:https://ossindex.sonatype.org/vuln/d089f726-f419-4e72-ab60-05be37d02b68
Audited dependencies: 26, Vulnerable: 1

However, the go.mod and go.sum list 1.0.0-rc9 which is not listed as vulnerable in the index:

module github.com/ory/dockertest/v3

go 1.13

require (
	// ...
	github.com/opencontainers/runc v1.0.0-rc9
	// ...
)
github.com/opencontainers/runc v1.0.0-rc9 h1:/k06BMULKF5hidyoZymkoDCzdJzltZpz/UU4LguQVtc=
github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
  • How could we solve this issue? (Not knowing is okay!)

Nancy should be able to differentiate between pre releases such as alpha alpha1 alpha.1 rc, ...

  • Anything else?

cc @bhamail / @DarthHater
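An added example, not nancy's code, of the semver 2.0 precedence rules the report asks for: pre-release identifiers (rc, alpha, alpha.1, ...) are compared identifier by identifier, so v1.0.0-rc9 sorts after 1.0-rc6 and therefore outside a range described as "through 1.0-rc6". The function names are assumptions; the comparison uses only the standard library.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is the parsed form of a module version such as "v1.0.0-rc9".
type version struct {
	nums [3]int   // major, minor, patch
	pre  []string // pre-release identifiers, e.g. ["rc9"] or ["alpha", "1"]
}

// parseVersion accepts "v1.0.0-rc9" or "1.0-rc6" (a missing patch counts as 0)
// and drops build metadata such as "+incompatible", which semver ignores.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	core := s
	if i := strings.IndexByte(s, '-'); i >= 0 {
		core, v.pre = s[:i], strings.Split(s[i+1:], ".")
	}
	for i, p := range strings.Split(core, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || i > 2 {
			return v, fmt.Errorf("bad version %q", s)
		}
		v.nums[i] = n
	}
	return v, nil
}

func cmpInt(a, b int) int {
	if a < b {
		return -1
	} else if a > b {
		return 1
	}
	return 0
}

// compareIdent orders two pre-release identifiers as semver 2.0 does: numeric
// identifiers compare numerically and sort before alphanumeric ones, which
// compare in ASCII order ("rc10" is one alphanumeric identifier and so sorts
// before "rc9"; "rc.10" is the form that compares numerically).
func compareIdent(a, b string) int {
	na, errA := strconv.Atoi(a)
	nb, errB := strconv.Atoi(b)
	switch {
	case errA == nil && errB == nil:
		return cmpInt(na, nb)
	case errA == nil:
		return -1
	case errB == nil:
		return 1
	}
	return strings.Compare(a, b)
}

// compare returns -1, 0 or 1. A pre-release precedes its release (1.0.0-rc9 <
// 1.0.0); two pre-releases with the same core are compared identifier by
// identifier, and the longer list wins when all shared ones are equal.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if c := cmpInt(a.nums[i], b.nums[i]); c != 0 {
			return c
		}
	}
	if len(a.pre) == 0 || len(b.pre) == 0 {
		return cmpInt(len(b.pre), len(a.pre)) // a release outranks its pre-releases
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		if c := compareIdent(a.pre[i], b.pre[i]); c != 0 {
			return c
		}
	}
	return cmpInt(len(a.pre), len(b.pre))
}

// Compare is the string-level entry point: -1 if a < b, 0 if equal, 1 if a > b.
func Compare(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	return compare(va, vb), nil
}

// AffectedThrough reports whether installed lies inside a range described as
// "through <last>", as the CVE text above does, i.e. installed <= last.
func AffectedThrough(installed, last string) (bool, error) {
	c, err := Compare(installed, last)
	return c <= 0, err
}
```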

Allow Nancy to run on go list -m all

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?

Go tooling has a handy command for listing dependencies:

(base) 504 local:nancy (ExclusionList)$ go list -m all
github.com/sonatype-nexus-community/nancy
github.com/AndreasBriese/bbloom v0.0.0-20180913140656-343706a395b7
github.com/BurntSushi/toml v0.3.1
github.com/davecgh/go-spew v1.1.0
github.com/dgraph-io/badger v1.5.5-0.20181004181505-439fd464b155
github.com/dgryski/go-farm v0.0.0-20180109070241-2de33835d102
github.com/dustin/go-humanize v1.0.0
github.com/golang/protobuf v1.2.0
github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e
github.com/pkg/errors v0.8.0
github.com/pmezard/go-difflib v1.0.0
github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24
github.com/stretchr/objx v0.1.0
github.com/stretchr/testify v1.3.0
golang.org/x/net v0.0.0-20181220203305-927f97764cc3
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
golang.org/x/sys v0.0.0-20181228144115-9a3f9b0469bb
  • What feature or behavior is this required for?

This is likely more reliable than using go.sum as that is not a reliable lockfile

  • How could we solve this issue? (Not knowing is okay!)

It is likely we could take some of the work from ahab where we parse StdIn and use it on Nancy, and construct the PURLs from the list output.

  • Anything else?

FUN!

cc @bhamail / @DarthHater

Display nancy version by default

  • What are you trying to do?
    Display the nancy version for easy debugging

  • What feature or behavior is this required for?
    I'm using nancy from jenkins and the github action, where it's not entirely clear what version of nancy is running. I don't have an easy way to run nancy version, which makes it difficult to debug

  • How could we solve this issue? (Not knowing is okay!)
    By displaying the nancy version for a normal run unless quiet mode is enabled.

  • Anything else?

cc @bhamail / @DarthHater

Remove --noColor option

  • What are you trying to do?

We have deprecated the noColor option to make all options consistently lisp case. This issue serves as a reminder to clean it up eventually.

  • What feature or behavior is this required for?

Cleanup an option that is not needed after some period of time to allow for migration away from it.

  • How could we solve this issue? (Not knowing is okay!)

Delete some code and probably make it a major release version bump to follow semver convention of a breaking change.

  • Anything else?
    No code is good code ... That is all 😁

cc @bhamail / @DarthHater

Docker usage produces invalid json [bug]

Steps to reproduce

go list -m all > list.txt
docker run -v "%CD%":/project -i sonatypecommunity/nancy:latest -output=json /project/list.txt > result.json
python -m json.tool < result.json
head result.json

Actual result

C:\project>go list -m all > list.txt

C:\project>docker run -i sonatypecommunity/nancy:latest -output=json list.txt > result.json
2020/03/11 10:30:08 Nancy version: 0.1.6

C:\project>python -m json.tool < result.json
Expecting value: line 1 column 2 (char 1)

C:\project>head result.json
 __  __
/\ \/\ \
\ \ `\\ \      __       ___      ___    __  __
 \ \ , ` \   /'__`\   /' _ `\   /'___\ /\ \/\ \
  \ \ \`\ \ /\ \L\.\_ /\ \/\ \ /\ \__/ \ \ \_\ \
   \ \_\ \_\\ \__/.\_\\ \_\ \_\\ \____\ \/`____ \
	\/_/\/_/ \/__/\/_/ \/_/\/_/ \/____/  `/___/> \
											/\___/
											\/__/
  _        _                           _    _

Expected result

No errors on parsing JSON.

Possible solution

Do not write the pseudo-graphical logo at least when the output format is other than text. Actually it is useless in the text format too.

cc @bhamail / @DarthHater

Badger alternative

  • What are you trying to do?
    Find a caching alternative for our current Badger usage. As part of #77 Badger issues/corruption was brought up and the fact that it's probably more heavyweight than what we really need. On top of that we have other issues currently with later versions of Badger having vulnerabilities itself #54. So removing it would hopefully resolve those issues.

By removing Badger it should hopefully fix this as well #64 .

  • What feature or behavior is this required for?
    Caching of the results from OSS Index. It is rate limited so the reason this is in place is to not overload that service and realistically deps don't change that often so caching the results for 12 hours currently helps with those things.

  • How could we solve this issue? (Not knowing is okay!)
    Does go have a simple http request diskcache??
    Serialize the contents to disk ourselves??
    Find a different caching solution instead of Badger??

  • Anything else?

cc @bhamail / @DarthHater

"intentionally-vulnerable-golang-project" Not showing vulnerabilities

I started testing Nancy v0.1.15 on "intentionally-vulnerable-golang-project" to see what type of vulnerabilities I can expect. But this was the final output "Audited dependencies:31,Vulnerable:0"
Also I might be doing something wrong.

I was expecting some vulnerabilities to be highlighted.

Output

~/awesomeProject/intentionally-vulnerable-golang-project$ ./nancy -vvv go.sum                
 __  __
/\ \/\ \
\ \ `\\ \      __       ___      ___    __  __
 \ \ , ` \   /'__`\   /' _ `\   /'___\ /\ \/\ \
  \ \ \`\ \ /\ \L\.\_ /\ \/\ \ /\ \__/ \ \ \_\ \
   \ \_\ \_\\ \__/.\_\\ \_\ \_\\ \____\ \/`____ \
    \/_/\/_/ \/__/\/_/ \/_/\/_/ \/____/  `/___/> \
                                            /\___/
                                            \/__/
  _        _                           _    _
 /_)      /_` _  _  _ _/_     _  _    (/   /_` _ . _  _   _/  _
/_) /_/  ._/ /_// //_|/  /_/ /_//_'  (_X  /   / / /_'/ //_/ _\
    _/                   _/ /
Nancy version: 0.1.15
[1/31]pkg:golang/github.com/AndreasBriese/[email protected]   No known vulnerabilities against package/version
[2/31]pkg:golang/github.com/BurntSushi/[email protected]   No known vulnerabilities against package/version                                                                                                                                     
[3/31]pkg:golang/github.com/Flaque/[email protected]   No known vulnerabilities against package/version                                                                                                            
[4/31]pkg:golang/github.com/Masterminds/[email protected]   No known vulnerabilities against package/version                                                                                                      
[5/31]pkg:golang/github.com/Masterminds/[email protected]   No known vulnerabilities against package/version                                                                                                                                  
[6/31]pkg:golang/github.com/Masterminds/[email protected]   No known vulnerabilities against package/version                                                                                                                                    
[7/31]pkg:golang/github.com/armon/[email protected]   No known vulnerabilities against package/version                                                                                                                                      
[8/31]pkg:golang/github.com/boltdb/[email protected]   No known vulnerabilities against package/version                                                                                                                                         
[9/31]pkg:golang/github.com/davecgh/[email protected]   No known vulnerabilities against package/version                                                                                                                                     
[10/31]pkg:golang/github.com/davecgh/[email protected]   No known vulnerabilities against package/version                                                                                                                                    
[11/31]pkg:golang/github.com/dgraph-io/[email protected]   No known vulnerabilities against package/version                                                                                                     
[12/31]pkg:golang/github.com/dgryski/[email protected]   No known vulnerabilities against package/version                                                                                                        
[13/31]pkg:golang/github.com/dustin/[email protected]   No known vulnerabilities against package/version                                                                                                                                 
[14/31]pkg:golang/github.com/golang/[email protected]   No known vulnerabilities against package/version                                                                                                                                         
[15/31]pkg:golang/github.com/golang/[email protected]   No known vulnerabilities against package/version                                                                                                                                    
[16/31]pkg:golang/github.com/jmank88/[email protected]   No known vulnerabilities against package/version                                                                                                                                       
[17/31]pkg:golang/github.com/logrusorgru/[email protected]   No known vulnerabilities against package/version                                                                                                     
[18/31]pkg:golang/github.com/nightlyone/[email protected]   No known vulnerabilities against package/version                                                                                                    
[19/31]pkg:golang/github.com/package-url/[email protected]   No known vulnerabilities against package/version                                                                                                                          
[20/31]pkg:golang/github.com/pelletier/[email protected]   No known vulnerabilities against package/version                                                                                                                                  
[21/31]pkg:golang/github.com/pkg/[email protected]   No known vulnerabilities against package/version                                                                                                                                         
[22/31]pkg:golang/github.com/pmezard/[email protected]   No known vulnerabilities against package/version                                                                                                                                 
[23/31]pkg:golang/github.com/sdboyer/[email protected]   No known vulnerabilities against package/version                                                                                                       
[24/31]pkg:golang/github.com/shopspring/[email protected]   No known vulnerabilities against package/version                                                                                                     
[25/31]pkg:golang/github.com/spf13/[email protected]   No known vulnerabilities against package/version                                                                                                                                        
[26/31]pkg:golang/github.com/stretchr/[email protected]   No known vulnerabilities against package/version                                                                                                                                   
[27/31]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version                                                                                                                  
[28/31]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version                                                                                                                 
[29/31]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version                                                                                                                  
[30/31]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version                                                                                                                                             
[31/31]pkg:golang/github.com/coreos/[email protected]%20incompatible   No known vulnerabilities against package/version                                                                                                                        

Audited dependencies:31,Vulnerable:0

*******************************************************************

Output of log cat ~/.ossindex/nancy.combined.log 
{"level":"info","msg":"Starting Nancy","time":"2020-04-02T20:04:32+02:00"}
{"level":"info","msg":"Nancy parsing config for OSS Index","time":"2020-04-02T20:04:32+02:00"}
{"level":"info","msg":"Attempting to print header","time":"2020-04-02T20:04:32+02:00"}
{"level":"info","msg":"Printing Nancy version","time":"2020-04-02T20:04:32+02:00","version":"0.1.15"}
{"level":"info","msg":"Finished printing header","time":"2020-04-02T20:04:32+02:00"}
{"level":"info","msg":"Parsing config for file based scan","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/AndreasBriese/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/BurntSushi/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/Flaque/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/Masterminds/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/Masterminds/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/Masterminds/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/armon/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/boltdb/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/coreos/[email protected]+incompatible","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/davecgh/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/davecgh/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/dgraph-io/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/dgryski/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/dustin/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/golang/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/golang/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/jmank88/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/logrusorgru/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/nightlyone/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/package-url/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/pelletier/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/pkg/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/pmezard/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/sdboyer/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/shopspring/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/spf13/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/github.com/stretchr/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/golang.org/x/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/golang.org/x/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/golang.org/x/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"dep":"pkg:golang/golang.org/x/[email protected]","level":"debug","msg":"Unique dependency, adding it","time":"2020-04-02T20:04:32+02:00"}
{"level":"trace","msg":"Attempting to get database directory","time":"2020-04-02T20:04:32+02:00"}
{"home_dir":"/home/user","level":"trace","msg":"Obtained user directory","time":"2020-04-02T20:04:32+02:00"}
{"level":"debug","msg":"Attempting to open Badger DB","time":"2020-04-02T20:04:32+02:00"}
{"level":"trace","msg":"Attempting to get database directory","time":"2020-04-02T20:04:32+02:00"}
{"home_dir":"/home/user","level":"trace","msg":"Obtained user directory","time":"2020-04-02T20:04:32+02:00"}
{"level":"trace","msg":"Attempting to get database directory","time":"2020-04-02T20:04:32+02:00"}
{"home_dir":"/home/user","level":"trace","msg":"Obtained user directory","time":"2020-04-02T20:04:32+02:00"}
{"badger_opts":{"Dir":"/home/user/.ossindex/golang","ValueDir":"/home/user/.ossindex/golang","SyncWrites":true,"TableLoadingMode":1,"ValueLogLoadingMode":2,"NumVersionsToKeep":1,"MaxTableSize":67108864,"LevelSizeMultiplier":10,"MaxLevels":7,"ValueThreshold":32,"NumMemtables":5,"NumLevelZeroTables":5,"NumLevelZeroTablesStall":10,"LevelOneSize":268435456,"ValueLogFileSize":1073741823,"ValueLogMaxEntries":1000000,"NumCompactors":3,"DoNotCompact":false,"ReadOnly":false,"Truncate":false},"level":"debug","msg":"Set Badger Options","time":"2020-04-02T20:04:32+02:00"}
{"json_string":"{\"coordinates\":[\"pkg:golang/github.com/coreos/[email protected]+incompatible\"]}","level":"debug","msg":"Setting up new POST request to OSS Index","time":"2020-04-02T20:04:32+02:00"}
{"level":"debug","msg":"Obtaining User Agent","time":"2020-04-02T20:04:32+02:00"}
{"level":"trace","msg":"Obtaining parsed User Agent string","time":"2020-04-02T20:04:32+02:00"}
{"level":"trace","msg":"Attempting to obtain user agent and version","time":"2020-04-02T20:04:32+02:00"}
{"level":"trace","msg":"Obtained user agent and version","time":"2020-04-02T20:04:32+02:00","user_agent_base":"nancy-client/0.1.15"}
{"level":"trace","msg":"Obtained parsed User Agent string","time":"2020-04-02T20:04:32+02:00","user_agent_parsed":"nancy-client/0.1.15 (non ci usage; linux amd64; )"}
{"level":"info","msg":"Nancy finished parsing config for OSS Index","time":"2020-04-02T20:04:33+02:00"}

cc @bhamail / @DarthHater

Release on Goreleaser

  • What are you trying to do?

Download a release from GoReleaser.

  • What feature or behavior is this required for?

It's very convenient to download releases from there and I think it would also streamline the process of creating releases.

  • How could we solve this issue? (Not knowing is okay!)

Publish to GoReleaser

  • Anything else?

cc @bhamail / @DarthHater

[Feature request] output option in json format

  • What are you trying to do?
    Trying to figure out how to output in json format

  • What feature or behavior is this required for?
    exporting results in json makes parsing and understanding easy and helpful

  • How could we solve this issue? (Not knowing is okay!)
    have an argument like --json

cc @bhamail / @DarthHater

Explore cleaner text output

  • What are you trying to do?
    Is there anything we can do to cleanup our text output

Current :

 __  __
/\ \/\ \
\ \ `\\ \      __       ___      ___    __  __
 \ \ , ` \   /'__`\   /' _ `\   /'___\ /\ \/\ \
  \ \ \`\ \ /\ \L\.\_ /\ \/\ \ /\ \__/ \ \ \_\ \
   \ \_\ \_\\ \__/.\_\\ \_\ \_\\ \____\ \/`____ \
    \/_/\/_/ \/__/\/_/ \/_/\/_/ \/____/  `/___/> \
                                            /\___/
                                            \/__/
  _        _                           _    _
 /_)      /_` _  _  _ _/_     _  _    (/   /_` _ . _  _   _/  _
/_) /_/  ._/ /_// //_|/  /_/ /_//_'  (_X  /   / / /_'/ //_/ _\
    _/                   _/ /
Nancy version: development
[1/38]pkg:golang/github.com/AndreasBriese/[email protected]   No known vulnerabilities against package/version
[2/38]pkg:golang/github.com/BurntSushi/[email protected]   No known vulnerabilities against package/version
[3/38]pkg:golang/github.com/Flaque/[email protected]   No known vulnerabilities against package/version
[4/38]pkg:golang/github.com/Masterminds/[email protected]   No known vulnerabilities against package/version
[5/38]pkg:golang/github.com/Masterminds/[email protected]   No known vulnerabilities against package/version
[6/38]pkg:golang/github.com/armon/[email protected]   No known vulnerabilities against package/version
[7/38]pkg:golang/github.com/beevik/[email protected]   No known vulnerabilities against package/version
[8/38]pkg:golang/github.com/boltdb/[email protected]   No known vulnerabilities against package/version
[9/38]pkg:golang/github.com/common-nighthawk/[email protected]   No known vulnerabilities against package/version
[10/38]pkg:golang/github.com/davecgh/[email protected]   No known vulnerabilities against package/version
[11/38]pkg:golang/github.com/dgraph-io/[email protected]   No known vulnerabilities against package/version
[12/38]pkg:golang/github.com/dgryski/[email protected]   No known vulnerabilities against package/version
[13/38]pkg:golang/github.com/dustin/[email protected]   No known vulnerabilities against package/version
[14/38]pkg:golang/github.com/golang/[email protected]   No known vulnerabilities against package/version
[15/38]pkg:golang/github.com/golang/[email protected]   No known vulnerabilities against package/version
[16/38]pkg:golang/github.com/google/[email protected]   No known vulnerabilities against package/version
[17/38]pkg:golang/github.com/jarcoal/[email protected]   No known vulnerabilities against package/version
[18/38]pkg:golang/github.com/jmank88/[email protected]   No known vulnerabilities against package/version
[19/38]pkg:golang/github.com/konsorten/[email protected]   No known vulnerabilities against package/version
[20/38]pkg:golang/github.com/logrusorgru/[email protected]   No known vulnerabilities against package/version
[21/38]pkg:golang/github.com/nightlyone/[email protected]   No known vulnerabilities against package/version
[22/38]pkg:golang/github.com/package-url/[email protected]   No known vulnerabilities against package/version
[23/38]pkg:golang/github.com/pelletier/[email protected]   No known vulnerabilities against package/version
[24/38]pkg:golang/github.com/pkg/[email protected]   No known vulnerabilities against package/version
[25/38]pkg:golang/github.com/pmezard/[email protected]   No known vulnerabilities against package/version
[26/38]pkg:golang/github.com/sdboyer/[email protected]   No known vulnerabilities against package/version
[27/38]pkg:golang/github.com/shopspring/[email protected]   No known vulnerabilities against package/version
[28/38]pkg:golang/github.com/sirupsen/[email protected]   No known vulnerabilities against package/version
[29/38]pkg:golang/github.com/spf13/[email protected]   No known vulnerabilities against package/version
[30/38]pkg:golang/github.com/stretchr/[email protected]   No known vulnerabilities against package/version
[31/38]pkg:golang/github.com/stretchr/[email protected]   No known vulnerabilities against package/version
[32/38]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version
[33/38]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version
[34/38]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version
[35/38]pkg:golang/golang.org/x/[email protected]   No known vulnerabilities against package/version
[36/38]pkg:golang/github.com/go-check/[email protected]   No known vulnerabilities against package/version
[37/38]pkg:golang/github.com/go-playground/[email protected]   No known vulnerabilities against package/version
[38/38]pkg:golang/github.com/go-yaml/[email protected]   No known vulnerabilities against package/version

Audited dependencies:38,Vulnerable:0
  • What feature or behavior is this required for?
    Nothing really....just looking at maybe making these easier to parse by human ಠ_ಠ
  • Do the continuous No known vulnerabilities against package/version really help??
  • If they were equally spaced (column like if you will) would that help?? (see below)
[37/38]pkg:golang/github.com/go-playground/[email protected]   No known vulnerabilities against package/version
[38/38]pkg:golang/github.com/go-yaml/[email protected]           No known vulnerabilities against package/version
  • Maybe we remove them altogether and just have a heading??

  • Can we use more/different coloring to make things easier to parse by human eyes??

  • How could we solve this issue? (Not knowing is okay!)
    No idea....but maybe we create a new text-beta for a bit before we remove the current text formatting? Our current formatter setup should make creating this new one pretty simple.

  • Anything else?
    Dont lose that sweet sweet ASCII art at the top :)

cc @bhamail / @DarthHater

JenkinsFile using Makefile

  • What are you trying to do?
    Cleanup a little duplication

  • What feature or behavior is this required for?
    Whats in the .circleci/config.yml and JenkinsFile are pretty similar. And some of it already is in the Makefile.

  • How could we solve this issue? (Not knowing is okay!)
    So to keep everything more in sync switch over parts that are possible and maybe pull more into the Makefile.

  • Anything else?

cc @bhamail / @DarthHater

400 bad request when checking Gopkg.lock (part 2)

Deja vu from #9

$ nancy Gopkg.lock
2020/01/10 22:43:03 Nancy version: v0.0.40
!!!!! WARNING !!!!!
Scanning cannot be completed on the following package(s) since they do not use semver.
[1/52] pkg:golang/github.com/Dieterbe/artisanalhistogram@master
[2/52] pkg:golang/github.com/Dieterbe/profiletrigger@master
[3/52] pkg:golang/github.com/alyu/configparser@master
[4/52] pkg:golang/github.com/armon/go-metrics@06b60999766278efd6d2b5d8418a58c3d5b99e87
[5/52] pkg:golang/github.com/beorn7/perks@master
[6/52] pkg:golang/github.com/dgryski/go-jump@master
[7/52] pkg:golang/github.com/dgryski/go-linlog@master
[8/52] pkg:golang/github.com/eapache/go-resiliency@b86b1ec0dd4209a588dc1285cdd471e73525c0b3
[9/52] pkg:golang/github.com/eapache/go-xerial-snappy@master
[10/52] pkg:golang/github.com/glacjay/goini@master
[11/52] pkg:golang/github.com/go-macaron/inject@master
[12/52] pkg:golang/github.com/gocql/gocql@1982a06ad6b987c24beec15336019914d71b2e31
[13/52] pkg:golang/github.com/golang/snappy@master
[14/52] pkg:golang/github.com/gopherjs/gopherjs@4b53e1bddba0e2f734514aeb6c02db652f4c6fe8
[15/52] pkg:golang/github.com/grafana/globalconf@master
[16/52] pkg:golang/github.com/hailocab/go-hostpool@master
[17/52] pkg:golang/github.com/hashicorp/errwrap@master
[18/52] pkg:golang/github.com/hashicorp/go-msgpack@master
[19/52] pkg:golang/github.com/hashicorp/go-multierror@d30f09973e19c1dfcd120b2d9c4f168e68d6b5d5
[20/52] pkg:golang/github.com/hashicorp/go-sockaddr@master
[21/52] pkg:golang/github.com/hashicorp/memberlist@master
[22/52] pkg:golang/github.com/jtolds/gls@b4936e06046bbecbb94cae9c18127ebe510a2cb9
[23/52] pkg:golang/github.com/kisielk/whisper-go@master
[24/52] pkg:golang/github.com/klauspost/compress@14c9a76e3c95e47f8ccce949bba2c1101a8b85e6
[25/52] pkg:golang/github.com/klauspost/crc32@6834731faf32e62a2dd809d99fb24d1e4ae5a92d
[26/52] pkg:golang/github.com/kr/logfmt@master
[27/52] pkg:golang/github.com/metrics20/go-metrics20@master
[28/52] pkg:golang/github.com/miekg/dns@48c8acaf0c2dc19fbb4f1b2776c1cee4e6f65aa0
[29/52] pkg:golang/github.com/mitchellh/go-homedir@master
[30/52] pkg:golang/github.com/nightlyone/lockfile@master
[31/52] pkg:golang/github.com/philhofer/fwd@92647f2bd94a89b170c19e96e6456dd64ac37e1a
[32/52] pkg:golang/github.com/prometheus/client_golang@master
[33/52] pkg:golang/github.com/prometheus/client_model@master
[34/52] pkg:golang/github.com/prometheus/common@master
[35/52] pkg:golang/github.com/prometheus/procfs@75f2d6163c7a100bed6e971044ea3de30ee3a678
[36/52] pkg:golang/github.com/prometheus/tsdb@master
[37/52] pkg:golang/github.com/raintank/dur@master
[38/52] pkg:golang/github.com/raintank/gziper@master
[39/52] pkg:golang/github.com/raintank/met@master
[40/52] pkg:golang/github.com/rcrowley/go-metrics@master
[41/52] pkg:golang/github.com/rs/[email protected]
[42/52] pkg:golang/github.com/sean-/seed@master
[43/52] pkg:golang/github.com/sirupsen/logrus@08e90462da344fbb3880e8e47a0ddacc37508579
[44/52] pkg:golang/github.com/smartystreets/goconvey@master
[45/52] pkg:golang/golang.org/x/crypto@master
[46/52] pkg:golang/golang.org/x/net@cbe0f9307d0156177f9dd5dc85da1a31abc5f2fb
[47/52] pkg:golang/golang.org/x/oauth2@master
[48/52] pkg:golang/golang.org/x/sync@master
[49/52] pkg:golang/golang.org/x/sys@master
[50/52] pkg:golang/golang.org/x/time@master
[51/52] pkg:golang/google.golang.org/api@master
[52/52] pkg:golang/google.golang.org/genproto@master

Error auditing packages - error: [400 Bad Request] error accessing OSS Index
nancy version: v0.0.40
  • What feature or behavior is this required for?
    Doing that thing that Nancy does

  • How could we solve this issue? (Not knowing is okay!)
    Have Nancy not send an invalid request to OSS Index

  • Anything else?
    Miss you @DarthHater

Also maybe a debug mode that prints OSS Index (and IQ?) payloads/responses?

cc @bhamail / @DarthHater /@nzender
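One way to do what the issue asks for ("not send an invalid request"), as an added example in Go that is not nancy's code and not part of the issue: split the coordinates whose version is a semantic version from those pinned to a branch or commit, report the latter under the existing "do not use semver" warning, and build the {"coordinates":[...]} request body (the shape visible in the debug log earlier on this page) only from the former. The issue does not establish that the non-semver entries listed above are what triggered the 400, so this shows only the partitioning step. The sample purls, the tolerance of a leading "v" on the version, and the function names are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// semverRE is the regular expression published at semver.org. It decides whether
// a purl version names a release rather than a branch ("master") or a commit hash.
var semverRE = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// IsSemver reports whether the version part of a purl (after the last '@') is a
// semantic version. A leading "v", as Go modules use, is tolerated (assumption).
// Build metadata such as "+incompatible" is valid semver and is accepted.
func IsSemver(purl string) bool {
	at := strings.LastIndex(purl, "@")
	if at < 0 {
		return false
	}
	return semverRE.MatchString(strings.TrimPrefix(purl[at+1:], "v"))
}

// Partition splits coordinates into those that can be audited and those that
// should only be listed under the warning instead of being sent to OSS Index.
func Partition(purls []string) (scannable, skipped []string) {
	for _, p := range purls {
		if IsSemver(p) {
			scannable = append(scannable, p)
		} else {
			skipped = append(skipped, p)
		}
	}
	return scannable, skipped
}

// RequestBody builds the JSON body in the shape shown in the debug log on this
// page: {"coordinates":[...]}. An empty list is an error so that no request is
// made when there is nothing scannable.
func RequestBody(scannable []string) ([]byte, error) {
	if len(scannable) == 0 {
		return nil, fmt.Errorf("no semver coordinates to audit")
	}
	return json.Marshal(map[string][]string{"coordinates": scannable})
}

// Constructed sample: two pins of the kind listed in the issue (branch, commit)
// and one tagged release.
var sampleCoordinates = []string{
	"pkg:golang/github.com/beorn7/perks@master",
	"pkg:golang/github.com/miekg/dns@48c8acaf0c2dc19fbb4f1b2776c1cee4e6f65aa0",
	"pkg:golang/github.com/sirupsen/logrus@v1.4.2",
}

func main() {
	ok, skipped := Partition(sampleCoordinates)
	fmt.Println("skipped (no semver):", skipped)
	body, err := RequestBody(ok)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(body))
}
```

The point of the separate RequestBody error is the failure mode in the issue: a lock file made entirely of branch and commit pins should end with the warning and no network call, not with an HTTP error from the service.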

Installing via go get fails

  • What are you trying to do?
$ go get -u github.com/sonatype-nexus-community/nancy
# github.com/sonatype-nexus-community/nancy/audit
../go/src/github.com/sonatype-nexus-community/nancy/audit/auditlog.go:32:15: not enough arguments in call to aurora.Gray
        have (string)
        want (uint8, interface {})
# github.com/sonatype-nexus-community/nancy/ossindex
../go/src/github.com/sonatype-nexus-community/nancy/ossindex/ossindex.go:62:6: opts.Dir undefined (type func(string) badger.Options has no field or method Dir)
../go/src/github.com/sonatype-nexus-community/nancy/ossindex/ossindex.go:63:6: opts.ValueDir undefined (type func(string) badger.Options has no field or method ValueDir)
../go/src/github.com/sonatype-nexus-community/nancy/ossindex/ossindex.go:64:23: cannot use opts (type func(string) badger.Options) as type badger.Options in argument to badger.Open
../go/src/github.com/sonatype-nexus-community/nancy/ossindex/ossindex.go:161:16: txn.SetWithTTL undefined (type *badger.Txn has no field or method SetWithTTL)

fails on both Linux and macOS (using Go 1.13).

  • What feature or behavior is this required for?

To install Nancy

  • How could we solve this issue? (Not knowing is okay!)

Fix the respective dependencies.

  • Anything else?

cc @bhamail / @DarthHater

Temporary vulnerability exclusion

  • What are you trying to do?

Temporarily exclude vulnerability checks.

  • What feature or behavior is this required for?

One of our dependencies has a vulnerability. An upstream fix is forthcoming. We want to temporarily exclude the vulnerability for e.g a month.

  • How could we solve this issue? (Not knowing is okay!)

For .nancy-ignore perhaps something like:

CVE-XYZ # Permanent exclusion
CVE-ABC until=2019-12-01 # Temporary exclusion. On/after 1st December this will be ignored

Not sure how this might look for command line arguments.

  • Anything else?

Happy to work on the code!

cc @bhamail / @DarthHater
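A parser for the .nancy-ignore syntax proposed above, as an added example in Go that is not nancy's code and not part of the issue. It accepts a vulnerability identifier per line, an optional until=YYYY-MM-DD option, and trailing # comments, and it drops an exclusion on or after its date so that the vulnerability is reported again once the grace period lapses. The type and function names, the handling of unknown options as an error, and the sample file contents are assumptions of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
	"time"
)

// Exclusion is one line of the proposed .nancy-ignore format: a vulnerability
// identifier, optionally followed by "until=YYYY-MM-DD".
type Exclusion struct {
	ID    string
	Until time.Time // zero value means a permanent exclusion
}

// Expired reports whether the exclusion has lapsed at the given instant.
// "On/after" the date, as the proposal says, the entry is no longer honoured.
func (e Exclusion) Expired(now time.Time) bool {
	return !e.Until.IsZero() && !now.Before(e.Until)
}

// ParseIgnoreFile reads lines such as
//   CVE-XYZ                    # Permanent exclusion
//   CVE-ABC until=2019-12-01   # Temporary exclusion
// Blank lines and comments are skipped. A malformed date or an unknown option
// is an error rather than being silently treated as permanent.
func ParseIgnoreFile(r io.Reader) ([]Exclusion, error) {
	var out []Exclusion
	sc := bufio.NewScanner(r)
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		ex := Exclusion{ID: fields[0]}
		for _, opt := range fields[1:] {
			kv := strings.SplitN(opt, "=", 2)
			if len(kv) != 2 || kv[0] != "until" {
				return nil, fmt.Errorf("line %d: unknown option %q", lineNo, opt)
			}
			t, err := time.Parse("2006-01-02", kv[1])
			if err != nil {
				return nil, fmt.Errorf("line %d: bad until date %q: %w", lineNo, kv[1], err)
			}
			ex.Until = t
		}
		out = append(out, ex)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return out, nil
}

// ActiveExclusions returns the identifiers that should still be suppressed at
// "now". Expired entries are returned separately so a scan can mention them
// instead of keeping them silently.
func ActiveExclusions(exs []Exclusion, now time.Time) (active map[string]bool, expired []string) {
	active = map[string]bool{}
	for _, e := range exs {
		if e.Expired(now) {
			expired = append(expired, e.ID)
			continue
		}
		active[e.ID] = true
	}
	return active, expired
}

// sampleIgnore is constructed input using the placeholder identifiers from the proposal.
const sampleIgnore = `
CVE-XYZ # Permanent exclusion
CVE-ABC until=2019-12-01 # Temporary exclusion
`

func main() {
	exs, err := ParseIgnoreFile(strings.NewReader(sampleIgnore))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	active, expired := ActiveExclusions(exs, time.Now())
	fmt.Println("active:", active, "expired:", expired)
}
```

Dates parse as UTC midnight, so the cut-over happens at the same instant regardless of the machine's local zone; a CI job and a developer laptop in different zones agree on when the exclusion stops applying.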

Usage when improper command

  • What are you trying to do?
    Nancy should show usage when improper command is passed.

  • What feature or behavior is this required for?

zender [projects/oss/nancy]  master ✔ → nancy thisaintright                                                                                        [a76019e]
open /Users/zender/.ossindex/.oss-index-config: no such file or directory
 __  __
/\ \/\ \
\ \ `\\ \      __       ___      ___    __  __
 \ \ , ` \   /'__`\   /' _ `\   /'___\ /\ \/\ \
  \ \ \`\ \ /\ \L\.\_ /\ \/\ \ /\ \__/ \ \ \_\ \
   \ \_\ \_\\ \__/.\_\\ \_\ \_\\ \____\ \/`____ \
    \/_/\/_/ \/__/\/_/ \/_/\/_/ \/____/  `/___/> \
                                            /\___/
                                            \/__/
  _        _                           _    _
 /_)      /_` _  _  _ _/_     _  _    (/   /_` _ . _  _   _/  _
/_) /_/  ._/ /_// //_|/  /_/ /_//_'  (_X  /   / / /_'/ //_/ _\
    _/                   _/ /
Nancy version: development
zender [projects/oss/nancy]  master ✔ →
  • How could we solve this issue? (Not knowing is okay!)
    I think when we introduced nancy config we only look for that value. We should tell users when they type it in wrong (cause I know i did :) ) what the correct usage is like we do when you type an incorrect flag.
zender [projects/oss/nancy]  master ✔ → nancy --thisaintright                                                                                      [a76019e]
open /Users/zender/.ossindex/.oss-index-config: no such file or directory
flag provided but not defined: -thisaintright
Usage:
	go list -m all | nancy [options]
	go list -m all | nancy iq [options]
	nancy config
	nancy [options] </path/to/Gopkg.lock>
	nancy [options] </path/to/go.sum>

Options:
  -clean-cache
    	Deletes local cache directory
  -exclude-vulnerability value
    	Comma separated list of CVEs to exclude
  -exclude-vulnerability-file string
    	Path to a file containing newline separated CVEs to be excluded (default "./.nancy-ignore")
  -help
    	provides help text on how to use nancy
  -no-color
    	indicate output should not be colorized
  -output string
    	Styling for output format. ["json-pretty" "text" "csv" "json"] (default "text")
  -quiet
    	indicate output should contain only packages with vulnerabilities
  -token string
    	Specify OSS Index API token for request
  -user string
    	Specify OSS Index username for request
  -v	Set log level to Info
  -version
    	prints current nancy version
  -vv
    	Set log level to Debug
  -vvv
    	Set log level to Trace
  • Anything else?

cc @bhamail / @DarthHater

Example CVE?

  • What are you trying to do?

I want to test my CI pipeline with a known vulnerability, to verify that nancy catches it.

  • How could we solve this issue? (Not knowing is okay!)

It would be nice to document a known library, version, and vulnerability that can be used for testing purposes.

cc @bhamail / @DarthHater

Use dep interfaces for parsing Gopkg.toml, etc...

Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.

  • What are you trying to do?
    As pointed out by @sdboyer, there are interfaces that dep exposes that we can use to parse things, rather than parsing it ourselves.

  • What feature or behavior is this required for?
    Nothing explicitly, but may as well use these, they exist and can help us keep on track with dep development in the future

  • How could we solve this issue? (Not knowing is okay!)
    Take a look at dep and find these, and replace the parsing we do with them.

  • Anything else?
    FUN!

Remove version from github release artifact name

  • What are you trying to do?
    Make it even easier to install nancy and stay up to date.

  • What feature or behavior is this required for?
    If i wanted to download nancy as part of a build and not have to build from source it should be easy to do and easy to keep up to date.

Github has an auto redirect if you use the following url that will take you to the latest release.
https://github.com/sonatype-nexus-community/nancy/releases/download/latest/nancy-darwin.amd64-v0.0.31

But it doesn't really do much good for us since we include the version number in the artifact name.

Proposal is to switch it to this. That way we can suggest that people just curl/wget this url and it will give the the latest and greatest nancy binary available.
https://github.com/sonatype-nexus-community/nancy/releases/download/latest/nancy-darwin.amd64

  • How could we solve this issue? (Not knowing is okay!)
    Remove the version number from the release artifact when releasing via travis

cc @bhamail / @DarthHater

Nancy sometimes logs HTTP responses

  • What are you trying to do?

Run Nancy on a project

$ nancy -quiet go.sum
2019/09/26 11:24:03 Response: &{Status:200 OK StatusCode:200 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Length:[664] Content-Type:[application/vnd.ossindex.component-report.v1+json] Date:[Thu, 26 Sep 2019 09:24:03 GMT] Set-Cookie:[AWSALB=BWff6DfuYnR9mHrXBvHS5C/o66uxqRRKutqrdMQ4hSgioBHC5C8jI3tCp4ziVoed
PtWWDGjxg5fUeeaHhfzwttovAlo0WpAwSqd8p++k2MsU7qHKu+WIxSpeSU2F; Expires=Thu, 03 Oct 2019 09:24:03 GMT; Path=/]] Body:{cs:0xc0059a6140} ContentLength:664 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0xc00011a200 TLS:0xc0059940b0}

Audited dependencies: 5, Vulnerable: 0
  • What feature or behavior is this required for?

Running Nancy on a project without obtrusive log statements

  • How could we solve this issue? (Not knowing is okay!)

Disable these log statements if not in development/debugging mode.

  • Anything else?

The go.sum file I was checking was the following: https://github.com/mastertinner/clong/blob/master/go.sum

cc @bhamail / @DarthHater

Research and add all GoPkg formats

  • What are you trying to do?
    Idk man ask @DarthHater .... he added this comment awhile ago ;P

// FIXME: Research the various Gopkg name formats and convert them correctly

  • What feature or behavior is this required for?
    Make sure we are in fact handling all the GoPkg formats that are possible.

  • How could we solve this issue? (Not knowing is okay!)
    Add them and delete that comment once we have the definitive list....and maybe we are good already but this issue if to validate that.

  • Anything else?

cc @bhamail / @DarthHater

Switch CI to use Github Actions

  • What are you trying to do?
    Use the cool new hotness in CI tech :)

  • What feature or behavior is this required for?
    Nothing really .... should be the same output as travis. It might simplify things potentially.

  • How could we solve this issue? (Not knowing is okay!)
    Convert our .travis.yml over to actions. Maybe even use this guy too?? It's not being updated automatically but maybe dogfooding it will make that better at the same time.

https://github.com/sonatype-nexus-community/nancy-github-action

There are also lots of prebuilt actions out in the marketplace that might make our CI lives easier. linters, go build setup, etc. That all we have to do is plug them in ¯\_(ツ)_/¯

cc @bhamail / @DarthHater
