A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index


Nancy

nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index. It also works with Nexus IQ Server, allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage

nancy currently works for projects that use dep or go mod for dependencies.

 ~ > nancy --help
nancy is a tool to check for vulnerabilities in your Golang dependencies,
powered by the 'Sonatype OSS Index', and as well, works with Nexus IQ Server, allowing you
a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy [flags]
  nancy [command]

Examples:
  Typical usage will pipe the output of 'go list -json -m all' to 'nancy':
  go list -json -m all | nancy sleuth [flags]
  go list -json -m all | nancy iq [flags]

  If using dep typical usage is as follows :
  nancy sleuth -p Gopkg.lock [flags]
  nancy iq -p Gopkg.lock [flags]


Available Commands:
  config      Setup credentials to use when connecting to services
  help        Help about any command
  iq          Check for vulnerabilities in your Golang dependencies using 'Sonatype's Nexus IQ IQServer'
  sleuth      Check for vulnerabilities in your Golang dependencies using Sonatype's OSS Index
  update      Check if there are any updates available

Flags:
  -v, -- count              Set log level, multiple v's is more verbose
  -c, --clean-cache         Deletes local cache directory
  -h, --help                help for nancy
      --loud                indicate output should include non-vulnerable packages
  -p, --path string         Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet               indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check   Skip the check for updates.
  -t, --token string        Specify OSS Index API token for request
  -u, --username string     Specify OSS Index username for request
  -V, --version             Get the version

Use "nancy [command] --help" for more information about a command.


$ > nancy sleuth --help
'nancy sleuth' is a command to check for vulnerabilities in your Golang dependencies, powered by the 'Sonatype OSS Index'.

Usage:
  nancy sleuth [flags]

Examples:
  go list -json -m all | nancy sleuth --username your_user --token your_token
  nancy sleuth -p Gopkg.lock --username your_user --token your_token

Flags:
  -e, --exclude-vulnerability CveListFlag   Comma separated list of CVEs or OSS Index IDs to exclude (default [])
  -x, --exclude-vulnerability-file string   Path to a file containing newline separated CVEs or OSS Index IDs to be excluded (default "./.nancy-ignore")
  -h, --help                                help for sleuth
  -n, --no-color                            indicate output should not be colorized
  -o, --output string                       Styling for output format. json, json-pretty, text, csv (default "text")

Global Flags:
  -v, -- count              Set log level, multiple v's is more verbose
      --loud                indicate output should include non-vulnerable packages
  -p, --path string         Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet               indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check   Skip the check for updates.
  -t, --token string        Specify OSS Index API token for request
  -u, --username string     Specify OSS Index username for request
  -V, --version             Get the version

$ > nancy iq --help
'nancy iq' is a command to check for vulnerabilities in your Golang dependencies, powered by 'Sonatype's Nexus IQ IQServer', allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy iq [flags]

Examples:
  go list -json -m all | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop
  nancy iq -p Gopkg.lock --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop

Flags:
  -h, --help                    help for iq
  -a, --iq-application string   Specify Nexus IQ public application ID for request
  -x, --iq-server-url string    Specify Nexus IQ server url for request (default "http://localhost:8070")
  -s, --iq-stage string         Specify Nexus IQ stage for request (default "develop")
  -k, --iq-token string         Specify Nexus IQ token for request (default "admin123")
  -l, --iq-username string      Specify Nexus IQ username for request (default "admin")

Global Flags:
  -v, -- count              Set log level, multiple v's is more verbose
      --loud                indicate output should include non-vulnerable packages
  -p, --path string         Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet               indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check   Skip the check for updates.
  -t, --token string        Specify OSS Index API token for request
  -u, --username string     Specify OSS Index username for request
  -V, --version             Get the version

What is the best usage of Nancy?

The preferred way to use Nancy is:

  • go list -json -m all | nancy sleuth
  • nancy sleuth -p /path/to/Gopkg.lock

CI Usage

Here are some additional tools to simplify using Nancy in your CI environment:

Docker usage


nancy now comes in a boat! For ease of use, we've dockerized nancy. To use our Dockerfile:

go list -json -m all | docker run --rm -i sonatypecommunity/nancy:latest sleuth

We publish a few different flavors for convenience:

  • Latest if you want to be on the bleeding edge ex: latest
  • The full tag for those concerned with 100% reliability of underlying Nancy ex: v0.1.1
  • The major version (we respect semver) ex: v0
  • The major/minor version (seriously, we respect semver) ex: v0.1
Want to build them locally?

  1. Install goreleaser or use their provided docker image (https://goreleaser.com/install/)
  2. Run goreleaser with the following options:

goreleaser release --skip-publish --snapshot --rm-dist

or the docker version of goreleaser:

docker run --privileged \
  -v $PWD:/go/src/github.com/user/repo \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -w /go/src/github.com/user/repo \
  goreleaser/goreleaser release --skip-publish --snapshot --rm-dist

  3. Once complete you will have the images built locally. Use docker images to see them:

> docker images
REPOSITORY                TAG                           IMAGE ID            CREATED             SIZE
sonatypecommunity/nancy   alpine                        f966c833c762        52 seconds ago      19.9MB
sonatypecommunity/nancy   v1-alpine                     f966c833c762        52 seconds ago      19.9MB
sonatypecommunity/nancy   v1.0-alpine                   f966c833c762        52 seconds ago      19.9MB
sonatypecommunity/nancy   v1.0.0-alpine                 f966c833c762        52 seconds ago      19.9MB
sonatypecommunity/nancy   latest                        7cb89e362115        53 seconds ago      14.1MB
sonatypecommunity/nancy   v1                            7cb89e362115        53 seconds ago      14.1MB
sonatypecommunity/nancy   v1.0                          7cb89e362115        53 seconds ago      14.1MB
sonatypecommunity/nancy   v1.0.0                        7cb89e362115        53 seconds ago      14.1MB

OSS Index Options

Rate limiting / Setting OSS Index config

NOTE: New as of Nancy v0.1.17

If you start using Nancy extensively, you might run into Rate Limiting from OSS Index! Don't worry, we've got your back!

If you run into Rate Limiting you should receive an error that will give you instructions on how to register on OSS Index:

You have been rate limited by OSS Index.
If you do not have a OSS Index account, please visit https://ossindex.sonatype.org/user/register to register an account.
After registering and verifying your account, you can retrieve your username (Email Address), and API Token
at https://ossindex.sonatype.org/user/settings. Upon retrieving those, run 'nancy config', set your OSS Index
settings, and rerun Nancy.

After setting this config, you'll be gifted a nice new higher rate limit. If you exceed even this limit, you might take a look at using Nexus IQ Server, or reach out to the friendly people at OSS Index for partnership opportunities.

You can also set the user and token via the command line like so:

nancy sleuth --username [email protected] --token A4@k3@p1T0k3n

This can be handy for testing your account out, or if you want to override your set config with a different user.

As of Nancy v1.0.17, you can also specify configuration values using environment variables:

export [email protected]
export OSSI_TOKEN=A4@k3@p1T0k3n
go list -json -m all | ./nancy sleuth
...

Loud mode

By default, nancy runs in a "quiet" mode, only displaying a list of vulnerable components. You can run nancy in a loud manner, showing all components by running:

  • nancy sleuth --loud -p /path/to/your/Gopkg.lock
  • go list -json -m all | nancy sleuth --loud

Exclude vulnerabilities

Sometimes you'll run into a dependency with a vulnerability that, after taking a look at it, you either aren't affected by or cannot resolve for some reason. Nancy understands, and will let you exclude these vulnerabilities so you can get back to a passing build:

Vulnerabilities excluded will then be silenced and not show up in the output or fail your build.

We support exclusion of vulnerability either by CVE-ID (ex: CVE-2018-20303) or via the OSS Index ID (ex: a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14) as not all vulnerabilities have a CVE-ID.

Via CLI flag

  • nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2 -p /path/to/your/Gopkg.lock
  • go list -json -m all | nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2

Via file

By default, if a file named .nancy-ignore exists in the directory that nancy is run from, it will be used, with no other options needing to be passed.

If you would like to define the path to the file, you can use the following:

  • nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file -p /path/to/your/Gopkg.lock
  • go list -json -m all | nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file

The file format requires each vulnerability that you want to exclude to be on a separate line. Comments are allowed in the file as well to help provide context when needed. See an example file below.

# This vulnerability is coming from package xyz, we are ok with this for now
CVN-111
CVN-123 # Mitigated the risk of this since we only use one method in this package and the affected code doesn't matter
CVN-543

It's also possible to define expiring ignores: if you add a date to a vulnerability ignore, it will be ignored until that date, and once that date has passed nancy will report it again if it's still an issue. The format for an expiring ignore is shown below. Expiring ignores can also be followed by comments to provide context as to why the vulnerability has been ignored until that date.

CVN-111 until=2021-01-01
CVN-543 until=2018-02-12 #Waiting on release from third party. Should be out before this date but gives us a little time to fix it.
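The .nancy-ignore format above is simple enough to validate before it reaches your CI pipeline. The following Go program is an added example (not nancy's own code): it parses the format as described (one ID per line, optional `until=YYYY-MM-DD`, `#` comments) and reports which ignores are still active on a given date; the ignore file content is constructed, and the choice that an ignore lapses at the start of its `until` date is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Exclusion is one parsed line of a .nancy-ignore file.
type Exclusion struct {
	ID      string     // CVE ID or OSS Index ID
	Until   *time.Time // nil when the ignore never expires
	Comment string     // text after '#', if any
}

// ParseIgnoreFile parses the .nancy-ignore format: one vulnerability ID
// per line, an optional "until=YYYY-MM-DD" token, an optional trailing
// "# comment", and whole-line comments. Unknown tokens are an error so a
// typo like "untl=" cannot silently turn into a permanent ignore.
func ParseIgnoreFile(content string) ([]Exclusion, error) {
	var out []Exclusion
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		var comment string
		if i := strings.Index(line, "#"); i >= 0 {
			comment = strings.TrimSpace(line[i+1:])
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank or comment-only line
		}
		ex := Exclusion{ID: fields[0], Comment: comment}
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "until=") {
				return nil, fmt.Errorf("line %d: unexpected token %q", lineNo, f)
			}
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(f, "until="))
			if err != nil {
				return nil, fmt.Errorf("line %d: bad until date: %w", lineNo, err)
			}
			ex.Until = &t
		}
		out = append(out, ex)
	}
	return out, sc.Err()
}

// ActiveExclusions returns the IDs still excluded at time now. An ignore
// whose until date has been reached is no longer active, so the
// vulnerability is reported again (assumption: it lapses at 00:00 UTC of
// the until date).
func ActiveExclusions(exs []Exclusion, now time.Time) map[string]bool {
	active := map[string]bool{}
	for _, ex := range exs {
		if ex.Until == nil || now.Before(*ex.Until) {
			active[ex.ID] = true
		}
	}
	return active
}

// sampleIgnore is a constructed ignore file mixing permanent and expiring
// entries; the IDs are the ones used elsewhere in this README.
const sampleIgnore = `# This vulnerability is coming from package xyz, we are ok with this for now
CVE-2018-20303
a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14 # Mitigated: we only use one method in this package
CVN-111 until=2021-01-01
CVN-543 until=2018-02-12 #Waiting on release from third party.
`

func main() {
	exs, err := ParseIgnoreFile(sampleIgnore)
	if err != nil {
		panic(err)
	}
	// Evaluate against a fixed date so the run is reproducible.
	now := time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, ex := range exs {
		fmt.Printf("%-40s active=%v\n", ex.ID, ActiveExclusions(exs, now)[ex.ID])
	}
}
```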

Output

We support multiple different output formats. Examples can be found below for each. This intentionally vulnerable repo was used to generate the example output. The quiet option is supported in text and csv; json formatting ignores the quiet option and outputs the same values whether or not it's passed.

text (default)

Nancy version: development
!!!!! WARNING !!!!!
Scanning cannot be completed on the following package(s) since they do not use semver.
[1/1]pkg:golang/github.com/go-gitea/[email protected]

------------------------------------------------------------
[1/10]pkg:golang/github.com/bitly/[email protected]  [Vulnerable]   1 known vulnerabilities affecting installed version

[CVE-2017-1000070]  URL Redirection to Untrusted Site ("Open Redirect")
The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819

ID:9eb9a5bc-8310-4104-bf85-3a820d28ba79
Details:https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79
[2/10]pkg:golang/github.com/cockroachdb/[email protected]   No known vulnerabilities against package/version
------------------------------------------------------------
[3/10]pkg:golang/github.com/ethereum/[email protected]  [Vulnerable]   1 known vulnerabilities affecting installed version

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

...

Audited dependencies:10,Vulnerable:6

json

{"audited":[{"Coordinates":"pkg:golang/github.com/bitly/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]","Vulnerabilities":[{"Id":"9eb9a5bc-8310-4104-bf85-3a820d28ba79","Title":"[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2017-1000070","Reference":"https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/cockroachdb/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/cockroachdb/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ethereum/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]","Vulnerabilities":[{"Id":"4efaed86-e62e-4c0c-b812-36c07e61ede4","Title":"CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')","Description":"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/elastic/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email 
protected]","Vulnerabilities":[{"Id":"8e4d562d-517b-4d00-a845-a7a3e2be41db","Title":"[CVE-2017-11480]  Improper Access Control","Description":"Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"CVE-2017-11480","Reference":"https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/etcd-io/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/etcd-io/[email protected]","Vulnerabilities":[{"Id":"5c876f5e-2814-4822-baf0-1092fc63ec25","Title":"[CVE-2018-1098]  Cross-Site Request Forgery (CSRF)","Description":"A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.","CvssScore":"8.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","Cve":"CVE-2018-1098","Reference":"https://ossindex.sonatype.org/vuln/5c876f5e-2814-4822-baf0-1092fc63ec25","Excluded":false},{"Id":"8a190129-526c-4ee0-b663-92f38139c165","Title":"[CVE-2018-1099]  Improper Input Validation","Description":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. 
An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","CvssScore":"5.5","CvssVector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-1099","Reference":"https://ossindex.sonatype.org/vuln/8a190129-526c-4ee0-b663-92f38139c165","Excluded":false},{"Id":"69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Title":"[CVE-2018-16886]  Improper Authentication","Description":"etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.","CvssScore":"8.1","CvssVector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-16886","Reference":"https://ossindex.sonatype.org/vuln/69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/github/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/github/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gogs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gogs/[email protected]","Vulnerabilities":[{"Id":"a4c682fa-9c9f-4e9e-b218-720d5125b17f","Title":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","Description":"The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream 
component.","CvssScore":"9.9","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/a4c682fa-9c9f-4e9e-b218-720d5125b17f","Excluded":false},{"Id":"304fa9e0-012e-4385-88b2-88c0c5ec3247","Title":"[CVE-2018-15192] An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0....","Description":"An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.","CvssScore":"8.6","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","Cve":"CVE-2018-15192","Reference":"https://ossindex.sonatype.org/vuln/304fa9e0-012e-4385-88b2-88c0c5ec3247","Excluded":false},{"Id":"a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Title":"[CVE-2018-20303]  Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")","Description":"In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-20303","Reference":"https://ossindex.sonatype.org/vuln/a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Excluded":false},{"Id":"bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Title":"[CVE-2018-18925] Gogs 0.11.66 allows remote code execution because it does not properly validate ...","Description":"Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a \"..\" session-file forgery in the file session provider in file.go. 
This is related to session ID handling in the go-macaron/session code for Macaron.","CvssScore":"9.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-18925","Reference":"https://ossindex.sonatype.org/vuln/bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Excluded":false},{"Id":"bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Title":"[CVE-2018-15178]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2018-15178","Reference":"https://ossindex.sonatype.org/vuln/bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Excluded":false},{"Id":"fc70a115-52cc-44ea-a33d-793267f860dd","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/fc70a115-52cc-44ea-a33d-793267f860dd","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/goharbor/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/goharbor/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gophish/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gophish/[email protected]","Vulnerabilities":[{"Id":"0416e202-2705-431d-9915-8ed93334ca58","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/0416e202-2705-431d-9915-8ed93334ca58","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ipfs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ipfs/[email protected]","Vulnerabilities":[],"InvalidSemVer":false}],"exclusions":[],"invalid":[{"Coordinates":"pkg:golang/github.com/go-gitea/[email protected]","Reference":"","Vulnerabilities":null,"InvalidSemVer":true}],"num_audited":10,"num_vulnerable":6,"version":"development","vulnerable":[{"Coordinates":"pkg:golang/github.com/bitly/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]","Vulnerabilities":[{"Id":"9eb9a5bc-8310-4104-bf85-3a820d28ba79","Title":"[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. 
This issue was caused by improper input validation and a violation of RFC-6819","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2017-1000070","Reference":"https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ethereum/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]","Vulnerabilities":[{"Id":"4efaed86-e62e-4c0c-b812-36c07e61ede4","Title":"CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')","Description":"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/elastic/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email protected]","Vulnerabilities":[{"Id":"8e4d562d-517b-4d00-a845-a7a3e2be41db","Title":"[CVE-2017-11480]  Improper Access Control","Description":"Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. 
If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"CVE-2017-11480","Reference":"https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/etcd-io/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/etcd-io/[email protected]","Vulnerabilities":[{"Id":"5c876f5e-2814-4822-baf0-1092fc63ec25","Title":"[CVE-2018-1098]  Cross-Site Request Forgery (CSRF)","Description":"A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.","CvssScore":"8.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","Cve":"CVE-2018-1098","Reference":"https://ossindex.sonatype.org/vuln/5c876f5e-2814-4822-baf0-1092fc63ec25","Excluded":false},{"Id":"8a190129-526c-4ee0-b663-92f38139c165","Title":"[CVE-2018-1099]  Improper Input Validation","Description":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. 
An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","CvssScore":"5.5","CvssVector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-1099","Reference":"https://ossindex.sonatype.org/vuln/8a190129-526c-4ee0-b663-92f38139c165","Excluded":false},{"Id":"69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Title":"[CVE-2018-16886]  Improper Authentication","Description":"etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.","CvssScore":"8.1","CvssVector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-16886","Reference":"https://ossindex.sonatype.org/vuln/69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gogs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gogs/[email protected]","Vulnerabilities":[{"Id":"a4c682fa-9c9f-4e9e-b218-720d5125b17f","Title":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","Description":"The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.","CvssScore":"9.9","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/a4c682fa-9c9f-4e9e-b218-720d5125b17f","Excluded":false},{"Id":"304fa9e0-012e-4385-88b2-88c0c5ec3247","Title":"[CVE-2018-15192] 
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0....","Description":"An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.","CvssScore":"8.6","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","Cve":"CVE-2018-15192","Reference":"https://ossindex.sonatype.org/vuln/304fa9e0-012e-4385-88b2-88c0c5ec3247","Excluded":false},{"Id":"a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Title":"[CVE-2018-20303]  Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")","Description":"In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-20303","Reference":"https://ossindex.sonatype.org/vuln/a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Excluded":false},{"Id":"bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Title":"[CVE-2018-18925] Gogs 0.11.66 allows remote code execution because it does not properly validate ...","Description":"Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a \"..\" session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.","CvssScore":"9.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-18925","Reference":"https://ossindex.sonatype.org/vuln/bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Excluded":false},{"Id":"bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Title":"[CVE-2018-15178]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2018-15178","Reference":"https://ossindex.sonatype.org/vuln/bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Excluded":false},{"Id":"fc70a115-52cc-44ea-a33d-793267f860dd","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/fc70a115-52cc-44ea-a33d-793267f860dd","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gophish/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gophish/[email protected]","Vulnerabilities":[{"Id":"0416e202-2705-431d-9915-8ed93334ca58","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/0416e202-2705-431d-9915-8ed93334ca58","Excluded":false}],"InvalidSemVer":false}]}

json-pretty

{
  "audited": [
    {
      "Coordinates": "pkg:golang/github.com/bitly/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Title": "[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")",
          "Description": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819",
          "CvssScore": "6.1",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "Cve": "CVE-2017-1000070",
          "Reference": "https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/cockroachdb/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/cockroachdb/[email protected]",
      "Vulnerabilities": [],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/ethereum/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
          "Description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "",
          "Reference": "https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    ...
  ],
  "exclusions": [],
  "invalid": [
    {
      "Coordinates": "pkg:golang/github.com/go-gitea/[email protected]",
      "Reference": "",
      "Vulnerabilities": null,
      "InvalidSemVer": true
    }
  ],
  "num_audited": 10,
  "num_vulnerable": 6,
  "version": "development",
  "vulnerable": [
    {
      "Coordinates": "pkg:golang/github.com/bitly/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Title": "[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")",
          "Description": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819",
          "CvssScore": "6.1",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "Cve": "CVE-2017-1000070",
          "Reference": "https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/ethereum/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
          "Description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "",
          "Reference": "https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/elastic/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "8e4d562d-517b-4d00-a845-a7a3e2be41db",
          "Title": "[CVE-2017-11480]  Improper Access Control",
          "Description": "Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "CVE-2017-11480",
          "Reference": "https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    ...
  ]
}
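The json and json-pretty formats are the ones a pipeline step would consume. As an added example (this is not code from the nancy project), the Go program below decodes a report with the keys shown above, fails the build on any non-excluded vulnerability at or above a CVSS threshold, and separately surfaces the "invalid" coordinates, which nancy never looked up and which a strict pipeline should treat as unchecked rather than clean. The struct fields mirror the keys in the sample; the embedded sampleReport is constructed (package coordinates are placeholders, the vulnerability ids, scores and vectors are copied from the sample above, and one entry is marked Excluded to show the skip). GateReport and Finding are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
)

// Vulnerability mirrors one element of "Vulnerabilities" in nancy's JSON
// output. CvssScore is a string there, so it stays a string and is parsed
// only when compared.
type Vulnerability struct {
	ID          string `json:"Id"`
	Title       string `json:"Title"`
	Description string `json:"Description"`
	CvssScore   string `json:"CvssScore"`
	CvssVector  string `json:"CvssVector"`
	Cve         string `json:"Cve"`
	Reference   string `json:"Reference"`
	Excluded    bool   `json:"Excluded"`
}

// Coordinate mirrors one element of "audited", "vulnerable" or "invalid".
type Coordinate struct {
	Coordinates     string          `json:"Coordinates"`
	Reference       string          `json:"Reference"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
	InvalidSemVer   bool            `json:"InvalidSemVer"`
}

// Report mirrors the top-level object. The sample only shows "exclusions"
// empty, so its element type is kept raw rather than guessed.
type Report struct {
	Audited       []Coordinate      `json:"audited"`
	Exclusions    []json.RawMessage `json:"exclusions"`
	Invalid       []Coordinate      `json:"invalid"`
	NumAudited    int               `json:"num_audited"`
	NumVulnerable int               `json:"num_vulnerable"`
	Version       string            `json:"version"`
	Vulnerable    []Coordinate      `json:"vulnerable"`
}

// Finding is one package/vulnerability pair that breaches the gate.
type Finding struct {
	Coordinates, ID, Cve string
	Score                float64
}

// GateReport decodes a nancy JSON report and returns every non-excluded
// vulnerability scoring >= minScore, plus the coordinates nancy could not
// audit (non-SemVer pseudo-versions, listed under "invalid").
func GateReport(data []byte, minScore float64) (findings []Finding, unchecked []string, err error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, nil, fmt.Errorf("decoding nancy report: %w", err)
	}
	for _, c := range r.Vulnerable {
		for _, v := range c.Vulnerabilities {
			if v.Excluded {
				continue // already triaged through nancy's exclusion list
			}
			score, perr := strconv.ParseFloat(v.CvssScore, 64)
			if perr != nil {
				return nil, nil, fmt.Errorf("%s: unparseable CvssScore %q", c.Coordinates, v.CvssScore)
			}
			if score >= minScore {
				findings = append(findings, Finding{Coordinates: c.Coordinates, ID: v.ID, Cve: v.Cve, Score: score})
			}
		}
	}
	for _, c := range r.Invalid {
		unchecked = append(unchecked, c.Coordinates)
	}
	return findings, unchecked, nil
}

// sampleReport is a constructed input condensed from the json-pretty sample
// above; coordinates are placeholders.
const sampleReport = `{
 "audited": [], "exclusions": [], "num_audited": 3, "num_vulnerable": 2, "version": "development",
 "invalid": [
  {"Coordinates": "pkg:golang/example.com/pinned@v0.0.0-deadbeef", "Reference": "", "Vulnerabilities": null, "InvalidSemVer": true}
 ],
 "vulnerable": [
  {"Coordinates": "pkg:golang/example.com/proxy@v2.1.0", "InvalidSemVer": false, "Vulnerabilities": [
   {"Id": "9eb9a5bc-8310-4104-bf85-3a820d28ba79", "Cve": "CVE-2017-1000070", "CvssScore": "6.1",
    "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "Excluded": false}]},
  {"Coordinates": "pkg:golang/example.com/node@v1.9.0", "InvalidSemVer": false, "Vulnerabilities": [
   {"Id": "4efaed86-e62e-4c0c-b812-36c07e61ede4", "Cve": "", "CvssScore": "7.5",
    "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "Excluded": false},
   {"Id": "bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2", "Cve": "CVE-2018-18925", "CvssScore": "9.8",
    "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "Excluded": true}]}
 ]
}`

func main() {
	findings, unchecked, err := GateReport([]byte(sampleReport), 7.0)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("FAIL %s %s %s score=%.1f\n", f.Coordinates, f.ID, f.Cve, f.Score)
	}
	for _, u := range unchecked {
		fmt.Printf("UNCHECKED %s (no SemVer version, never looked up)\n", u)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

With the threshold at 7.0 the 6.1 open redirect passes, the 7.5 resource-exhaustion entry fails the build, the excluded 9.8 entry is skipped, and the pinned pseudo-version is reported as unchecked (see the DISCLAIMER below on commit-hash dependencies). To use it on real output, replace sampleReport with the bytes read from nancy's stdout.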

csv

Summary
Audited Count,Vulnerable Count,Build Version
10,6,development

Invalid Package(s)
Count,Package,Reason
[1/1],pkg:golang/github.com/go-gitea/[email protected],Does not use SemVer

Audited Package(s)
Count,Package,Is Vulnerable,Num Vulnerabilities,Vulnerabilities
[1/10],pkg:golang/github.com/bitly/[email protected],true,1,"[{""Id"":""9eb9a5bc-8310-4104-bf85-3a820d28ba79"",""Title"":""[CVE-2017-1000070]  URL Redirection to Untrusted Site (\""Open Redirect\"")"",""Description"":""The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819"",""CvssScore"":""6.1"",""CvssVector"":""CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"",""Cve"":""CVE-2017-1000070"",""Reference"":""https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79"",""Excluded"":false}]"
[2/10],pkg:golang/github.com/cockroachdb/[email protected],false,0,[]
[3/10],pkg:golang/github.com/ethereum/[email protected],true,1,"[{""Id"":""4efaed86-e62e-4c0c-b812-36c07e61ede4"",""Title"":""CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')"",""Description"":""The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended."",""CvssScore"":""7.5"",""CvssVector"":""CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"",""Cve"":"""",""Reference"":""https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4"",""Excluded"":false}]"
...

Nexus IQ Server Options

By default, assuming you have an out of the box Nexus IQ Server running, you can run nancy like so:

go list -json -m all | nancy iq --iq-application public-application-id

It is STRONGLY suggested that you do not run against the out-of-the-box defaults like this, and nancy will warn you in its output if you do.

A more logical use of nancy against Nexus IQ Server will look like so:

go list -json -m all | nancy iq --iq-application public-application-id --iq-username nondefaultuser --iq-token yourtoken --iq-server-url http://adifferentserverurl:port --iq-stage develop

Options for stage are as follows:

build, develop, stage-release, release

By default --iq-stage will be develop.

Successful submissions to Nexus IQ Server will result in an OS exit code of 0, meaning all is clear, and a response akin to:

Wonderbar! No policy violations reported for this audit!
Report URL:  http://reportURL

Failed submissions indicate either an issue with processing the request or a policy violation. Both exit with a code of 1, allowing you to fail your build in CI. Policy violation failures include a report URL where you can learn more about why you encountered the failure.

Policy violations will look like:

Hi, Nancy here, you have some policy violations to clean up!
Report URL:  http://reportURL

Errors processing in Nexus IQ Server will look like:

Uh oh! There was an error with your request to Nexus IQ Server: 

Persistent Nexus IQ Server Config

Nancy lets you set the Nexus IQ Server Address, User and Token as persistent config (application and stage are generally per project so we do not let you set these globally).

To set your Nexus IQ Server config run:

nancy config

Choose iq as an option and run through the rest of the config. Once you are done, Nancy should use this config for communicating with Nexus IQ, simplifying your use of the tool.

As of Nancy v1.0.17, you can also specify configuration values using environment variables:

export [email protected]
export OSSI_TOKEN=A4@k3@p1T0k3n
export IQ_USERNAME=nondefaultuser
export IQ_TOKEN=yourtoken
export IQ_SERVER=http://adifferentserverurl:port
go list -json -m all | ./nancy iq --iq-application public-application-id
...

Usage in CI

You can see an example of using nancy in Travis-CI at this intentionally vulnerable repo we made.

Nancy also runs on itself (delicious dog food!) in CircleCI, in a number of ways. You can see how we do that here in our repo's CircleCI config.

Big CI Note:

Nancy will automatically check for newer releases of Nancy, and will prompt you when updates are detected. The automatic update check will only occur once every 28 hours, and the date stamp of the last update check is stored in the file: ~/.ossindex/.nancy-config/update_check.yml.

If you have a huge CI matrix build, and want to avoid all the builds performing the automatic update check, you may want to configure your CI build to cache the above directory.

DISCLAIMER

A portion of the golang ecosystem doesn't use proper versions, and instead uses a commit hash to resolve your dependency. Dependencies like this will not work with nancy quite yet, as we don't have a mechanism on OSS Index to look up vulnerabilities in that manner.

Why Nancy?

Nancy Drew was the first female detective used extensively in literature, and gave women across the world a new hero.

This project is called nancy because, like the great detective herself, it looks for problems you might not be aware of, and gives you the information to help put them to an end!

Installation

At the current time you have a few options:

  • Build from source
  • Download release binary from here on GitHub
  • Install via Homebrew (macOS)
  • Install from the AUR (Arch Linux)

Build from source

  • Clone the project: git clone github.com/sonatype-nexus-community/nancy
  • In the root of the project run make
    • This executes multiple targets, so if you want to short-circuit some of that process you can also just run make build to get the binary without running tests, linting, etc.
  • Use that binary wherever your heart so desires!

Download release binary

Each tag pushed to this repo creates a new release binary, and if you'd like to skip building from source, you can download a binary similar to:

$ curl -o /path/where/you/want/nancy \
  https://github.com/sonatype-nexus-community/nancy/releases/download/v0.0.44/nancy-darwin.amd64-v0.0.44

Install via Homebrew (macOS)

On macOS, nancy can be installed using brew:

  • brew tap sonatype-nexus-community/homebrew-nancy-tap
  • brew install nancy

brew formulae are created and published to that tap with each new release, so you can use brew to upgrade, etc... as you wish.

You can see more about the formulae, etc... at this repo.

Install from the AUR (Arch Linux)

On Arch Linux, nancy can be installed using the AUR:

$ yay -S nancy-bin

Development

nancy is written using Golang 1.13, so it is best you start there.

Tests can be run with make test

Adding new files? Get the license header correct with:

go get -u github.com/google/addlicense
addlicense -v -f ./header.txt .

Release Process

Follow the steps below to release a new version of Nancy. You need to be part of the deploy from circle ci group for this to work.

  1. Checkout/pull the latest main branch, and create a new tag with the desired semantic version and a helpful note:

    $ git tag -a v1.0.x -m "Helpful message in tag"
  2. Push the tag up:

    $ git push origin v1.0.x
  3. There is no step 3.

Contributing

We care a lot about making the world a safer place, and that's why we created nancy. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

Acknowledgements

The nancy logo was created using a combo of Gopherize.me and good ole Photoshop. Thanks to the creators of Gopherize for an easy way to make a fun Gopher :)

Original Gopher designed by Renee French.

The Fine Print

Remember:

  • If you are a Sonatype customer, you may file Sonatype support tickets related to nancy support in regard to this project
    • We suggest you file issues here on GitHub as well, so that the community can pitch in
  • If you are not a Sonatype customer, Do NOT file Sonatype support tickets related to nancy support in regard to this project, file an issue here on GitHub

Have fun creating and using nancy and the Sonatype OSS Index, we are glad to have you here!

Getting help

Looking to contribute to our code but need some help? There are a few ways to get information:

Comments
  • Nancy does not work with full semver

    Nancy does not work with full semver

    • What are you trying to do?

    I am trying to resolve a CVE in my go mod:

    $  go list -m all | nancy -quiet      
    ------------------------------------------------------------
    [15/26] pkg:golang/github.com/opencontainers/[email protected]  [Vulnerable]    1 known vulnerabilities affecting installed version
    
    [CVE-2019-5736]  Containment Errors (Container Errors)
    runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
    
    ID:d089f726-f419-4e72-ab60-05be37d02b68
    Details:https://ossindex.sonatype.org/vuln/d089f726-f419-4e72-ab60-05be37d02b68
    Audited dependencies: 26, Vulnerable: 1
    

    However, the go.mod and go.sum list 1.0.0-rc9 which is not listed as vulnerable in the index:

    module github.com/ory/dockertest/v3
    
    go 1.13
    
    require (
    	// ...
    	github.com/opencontainers/runc v1.0.0-rc9
    	// ...
    )
    
    github.com/opencontainers/runc v1.0.0-rc9 h1:/k06BMULKF5hidyoZymkoDCzdJzltZpz/UU4LguQVtc=
    github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
    
    • How could we solve this issue? (Not knowing is okay!)

    Nancy should be able to differentiate between pre-releases such as alpha, alpha1, alpha.1, rc, ...

    • Anything else?

    cc @bhamail / @DarthHater
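What the report above asks for is the pre-release precedence rule of SemVer 2.0 (section 11): identifiers are compared dot-separated, numeric ones numerically and before alphanumeric ones, a shorter list sorts below a longer one with the same prefix, and any pre-release sorts below the bare release. As an added illustration (not nancy's code and not the maintainers' fix), the Go snippet below applies that rule so that an advisory bound phrased as "through 1.0-rc6" does not match v1.0.0-rc9. The version strings come from the issue; parseVersion, CompareVersions and AffectedThrough are names chosen here, and the two-component "1.0" core is padded to three parts as an assumption about how such advisory strings should be read.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVersion splits "v1.0.0-rc9" or "1.0-rc6" into a numeric core padded to
// three parts and its dot-separated pre-release identifiers. Build metadata
// after "+" is ignored, as SemVer requires.
func parseVersion(v string) ([3]int, []string, error) {
	var core [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	var pre []string
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre = strings.Split(v[i+1:], ".")
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) > 3 {
		return core, nil, fmt.Errorf("bad version core %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, nil, fmt.Errorf("bad version component %q", p)
		}
		core[i] = n
	}
	return core, pre, nil
}

func cmpInt(a, b int) int {
	switch {
	case a < b:
		return -1
	case a > b:
		return 1
	}
	return 0
}

// compareIdent orders two pre-release identifiers: numeric ones numerically
// and before any alphanumeric one, alphanumeric ones in ASCII order.
func compareIdent(a, b string) int {
	na, errA := strconv.Atoi(a)
	nb, errB := strconv.Atoi(b)
	switch {
	case errA == nil && errB == nil:
		return cmpInt(na, nb)
	case errA == nil:
		return -1
	case errB == nil:
		return 1
	}
	return strings.Compare(a, b)
}

// CompareVersions returns -1, 0 or 1 as a is lower than, equal to or higher
// than b. A pre-release sorts below the same core without one.
func CompareVersions(a, b string) (int, error) {
	ca, pa, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	cb, pb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < 3; i++ {
		if c := cmpInt(ca[i], cb[i]); c != 0 {
			return c, nil
		}
	}
	switch {
	case len(pa) == 0 && len(pb) == 0:
		return 0, nil
	case len(pa) == 0:
		return 1, nil
	case len(pb) == 0:
		return -1, nil
	}
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if c := compareIdent(pa[i], pb[i]); c != 0 {
			return c, nil
		}
	}
	return cmpInt(len(pa), len(pb)), nil
}

// AffectedThrough reports whether installed falls inside an inclusive
// "through X" upper bound as advisories phrase it.
func AffectedThrough(installed, through string) (bool, error) {
	c, err := CompareVersions(installed, through)
	if err != nil {
		return false, err
	}
	return c <= 0, nil
}

func main() {
	affected, err := AffectedThrough("v1.0.0-rc9", "1.0-rc6")
	fmt.Println("runc v1.0.0-rc9 affected by 'through 1.0-rc6':", affected, err)
}
```

One caveat worth knowing before relying on this rule: SemVer compares alphanumeric identifiers byte-wise, so rc10 sorts below rc9 unless the project tags as rc.10. Advisory ranges in a vulnerability index are also not always written as plain "through" bounds, so this shows only the comparison step, not how a given index encodes affected ranges.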

  • Nancy uses Nexus IQ Server, the journey

    Nancy uses Nexus IQ Server, the journey

    This is a quick lil ditty to get Nancy to work with Nexus IQ Server

    This pull request makes the following changes:

    • Adds iq.go that handles communication with Nexus IQ
    • Adds cyclonedx package that will turn a []packageurl.PackageURL of purls into a minimal SBOM string
    • Adds command line config options that shouldn't interfere with current OSS Index usage such that you call ./nancy iq -a application

    Successful output looks like:

    (base) 685 me:nancy (NancyWithIQ *)$ go list -m all | ./nancy iq -application testapp
    2020/01/02 12:09:12 Nancy version: development
    ..........
    Wonderbar! No policy violations reported for this audit!
    Report URL:  http://localhost:8070/ui/links/application/testapp/report/7a9655ecf31c40cb89149378b64e439a
    

    Draft PR for now so people can laugh at my implementation with less shame. I'll add README results after we sort what I did technically.

    cc @bhamail / @zendern / @ken-duck / @ajbrown / @fitzoh

  • Is returning 500 error when accessing OSS Index

    Is returning 500 error when accessing OSS Index

    Running nancy has started returning a 500 error, "Error: An error occurred: [500 Internal Server Error] error accessing OSS Index", when running. https://ossindex.sonatype.org/updates-notice says there were index updates yesterday, and today is the first day I've seen it, so it might be related.

    • What are you trying to do? Run nancy against my go dependencies with
      go list -m all | docker run --env GITHUB_TOKEN=$GITHUB_TOKEN --pull always --rm -i sonatypecommunity/nancy:latest sleuth

    cc @bhamail / @DarthHater

  • go get failing

    go get failing

    Thanks for creating an issue! Please fill out this form so we can be sure to have all the information we need, and to minimize back and forth.

    • What are you trying to do?

    go get -u github.com/sonatype-nexus-community/nancy

    • What feature or behavior is this required for?

    • How could we solve this issue? (Not knowing is okay!)

    • Anything else?

    go: finding github.com/dgryski/go-farm latest
    go: finding github.com/coreos/pkg latest
    go: finding github.com/coreos/go-systemd latest
    go: finding github.com/google/pprof latest
    go: finding github.com/jstemmer/go-junit-report latest
    go: finding github.com/tmc/grpc-websocket-proxy latest
    go: finding golang.org/x/lint latest
    go: finding google.golang.org/genproto latest
    go: finding github.com/prometheus/client_model latest
    go: finding golang.org/x/net latest
    go: finding github.com/modern-go/concurrent latest
    go: finding golang.org/x/sync latest
    go: finding golang.org/x/oauth2 latest
    go: finding golang.org/x/sys latest
    go: finding github.com/logrusorgru/aurora latest
    go: finding golang.org/x/mobile latest
    go: finding golang.org/x/time latest
    go: finding golang.org/x/exp latest
    go: finding github.com/shopspring/decimal latest
    go: finding golang.org/x/tools latest
    go: finding github.com/armon/consul-api latest
    go: finding golang.org/x/crypto latest
    go: finding github.com/golang/glog latest
    go: finding github.com/mwitkow/go-conntrack latest
    go: finding github.com/kr/logfmt latest
    go: finding github.com/xiang90/probing latest
    go: finding github.com/BurntSushi/xgb latest
    go: finding github.com/AndreasBriese/bbloom latest
    go: finding gopkg.in/check.v1 latest
    go: finding github.com/golang/groupcache latest
    go: finding golang.org/x/image latest
    go: finding github.com/alecthomas/units latest
    go: finding github.com/alecthomas/template latest
    go: finding github.com/dgryski/go-sip13 latest
    # github.com/sonatype-nexus-community/nancy/audit
    audit/auditlog.go:32:15: not enough arguments in call to aurora.Gray
    	have (string)
    	want (uint8, interface {})
    # github.com/sonatype-nexus-community/nancy/ossindex
    ossindex/ossindex.go:62:6: opts.Dir undefined (type func(string) badger.Options has no field or method Dir)
    ossindex/ossindex.go:63:6: opts.ValueDir undefined (type func(string) badger.Options has no field or method ValueDir)
    ossindex/ossindex.go:64:23: cannot use opts (type func(string) badger.Options) as type badger.Options in argument to badger.Open
    ossindex/ossindex.go:161:16: txn.SetWithTTL undefined (type *badger.Txn has no field or method SetWithTTL)
    
    
  • Panics with index out of range error

    Panics with index out of range error

    Thanks for creating an issue! Please fill out this form so we can be sure to have all the information we need, and to minimize back and forth.

    • What are you trying to do?
    $ git clone [email protected]:ory/kratos.git
    $ cd kratos
    $ git checkout -b nancy 9ea96120451cf93be42c87146dcb9db02c67631d
    $ go list -m all | nancy sleuth -q
    Error: runtime error: index out of range [4] with length 4
    
    [... rest of help message ...]
    
    • Anything else?

    cc @bhamail / @DarthHater

  • brew install fails on Mac with M1 chip

    brew install fails on Mac with M1 chip

    • What are you trying to do?
    brew tap sonatype-nexus-community/nancy-tap
    
    ==> Tapping sonatype-nexus-community/nancy-tap
    Cloning into '/opt/homebrew/Library/Taps/sonatype-nexus-community/homebrew-nancy-tap'...
    Error: Invalid formula: /opt/homebrew/Library/Taps/sonatype-nexus-community/homebrew-nancy-tap/nancy.rb
    formulae require at least a URL
    Error: Cannot tap sonatype-nexus-community/nancy-tap: invalid syntax in tap!
    Tapping sonatype-nexus-community/nancy-tap has failed!
    
    • What feature or behavior is this required for? MacBook with M1 chip

    • How could we solve this issue? (Not knowing is okay!) Add arm64 in goreleaser

    • Anything else?

    I've faced the same problem in my projects, so simply adding arm64 in goreleaser helps, at least for Homebrew builds.

    cc @bhamail / @DarthHater

  • How to resolve after a detected vulnerability / Why is go.sum used as the source for nancy?

    How to resolve after a detected vulnerability / Why is go.sum used as the source for nancy?

    • What are you trying to do?

    We run nancy as part of our CI pipeline. Today the following issue has been detected:

    ------------------------------------------------------------
    [31/38] golang/golang.org/x/[email protected]  [Vulnerable]    1 known vulnerabilities affecting installed version
    
    [CVE-2019-11841]  Cryptographic Issues
    A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message
     can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker
     to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an
     attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.
    
    ID: 01142a7e-4766-4863-983b-898ab7f482d3
    Details: https://ossindex.sonatype.org/vuln/01142a7e-4766-4863-983b-898ab7f482d3
    

    To resolve the issue, I executed:

    GO111MODULE=on go get -u golang.org/x/crypto
    

    which updated go.mod and go.sum in my project.

    But with the next run of nancy, the problem was not resolved, the issue is still reported, because the vulnerable version of the package is still mentioned in the go.sum file (as well as the newer version):

    ------------------------------------------------------------
    [29/41] golang/golang.org/x/[email protected]  [Vulnerable]    1 known vulnerabilities affecting installed version
    
    [CVE-2019-11841]  Cryptographic Issues
    A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message
     can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker
     to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an
     attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.
    
    ID: 01142a7e-4766-4863-983b-898ab7f482d3
    Details: https://ossindex.sonatype.org/vuln/01142a7e-4766-4863-983b-898ab7f482d3
    
    ...
    
    [38/41] golang/golang.org/x/[email protected]    No known vulnerabilities against package/version...
    

    This did not change even if I execute GO111MODULE=on go mod tidy.

    In the go.mod file the referenced version is correct:

    golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472 // indirect
    
    • What feature or behavior is this required for?

    A clear way to get back to a proper state after a vulnerability is detected by nancy and there is already an updated version of the dependency available.

    • How could we solve this issue? (Not knowing is okay!)

    I edited the go.sum file manually and removed all but the latest references for golang.org/x/crypto, so I ended up with a recent enough version, such that nancy is no longer complaining.

    • Anything else?

    So my question is, what is the correct way to resolve an issue detected by nancy and get back to a proper state, where the CI pipeline no longer fails?

    Why does nancy use the go.sum file as source/reference instead of the go.mod file?

    This issue is also related to #16, because this would be the workaround (if there is no updated dependency available yet or to prevent from the need of manually updating go.sum).

    cc @bhamail / @DarthHater

  • Incorrect reporting for vulnerability for golang.org/x/net for latest updates

    Incorrect reporting for vulnerability for golang.org/x/net for latest updates

    Thanks for creating an issue! Please fill out this form so we can be sure to have all the information we need, and to minimize back and forth.

    • What are you trying to do? Trying to fix a vulnerability report
    [1/1]	pkg:golang/golang.org/x/[email protected]
    6 known vulnerabilities affecting installed version 
    ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
    ┃ [CVE-2018-17075]  Improper Input Validation                                                                                                            ┃
    ┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    ┃ Description        ┃ The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in                                                          ┃
    ┃                    ┃ frameset" insertion mode, leading to a "panic: runtime error" for                                                                 ┃
    ┃                    ┃ html.Parse of <template><object>, <template><applet>, or                                                                          ┃
    ┃                    ┃ <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit.                                                            ┃
    ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    ┃ OSS Index ID       ┃ ae060e1b-dedb-41ac-8e61-235d179157b8                                                                                              ┃
    ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    ┃ CVSS Score         ┃ 7.5/10 (High)                                                                                                                     ┃
    ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    ┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                                                                      ┃
    ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    ┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/ae060e1b-dedb-41ac-8e61-235d179157b8?component-type=golang&component-name=golang.org%2Fx%2Fnet ┃
    ┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
    
    • What feature or behavior is this required for?

    This shouldn't be reported since we have an updated version of this already in our go.mod; in fact, prior to this we were even on

    v0.0.0-20200707034311-ab3426394381
    
    • How could we solve this issue? (Not knowing is okay!) Looks like a false positive

    cc @bhamail / @DarthHater

  • docs: apply copyright header

    docs: apply copyright header

    This pull request uses our internal tooling (based off of the license-maven-plugin) to consistently apply the copyright at the top of source in this repository.

    cc @bhamail / @DarthHater

  • Dependency names are tabbed too far when list of deps hits 3+ digits

    Dependency names are tabbed too far when list of deps hits 3+ digits

    • What are you trying to do? It looks like when the dependency index string is too big we get dependencies tabbed over too far, and it ends up being worse for the UI in terms of consistency

    here's go list -m all | nancy on the hashbrowns repo: image

    • What feature or behavior is this required for?

    • How could we solve this issue? (Not knowing is okay!) I can mess around with whatever I did in tabwriter in my original PR to line these up

    cc @bhamail / @DarthHater

  • GoReleaser

    GoReleaser

    @nrcook is typically a genius, this is a freshened up version of what he did in #20 .

    This pull request makes the following changes:

    • Moves from TravisCI to CircleCI (niceties, and we use CircleCI in most of our newer projects)
      • Adds saving test result artifacts, etc... for showing failures in the CircleCI UI
    • Adds goreleaser config

    This should support Alpine Linux as we disable CGO, so all current cases should be covered.

    We were able to 1:1 it with the current Nancy releases, and tested it out on @allenhsieh's fork of Nancy:

    https://github.com/allenhsieh/nancy/releases/tag/v0.1.7

    We added a few builds as well, while doing that, mostly for 32 bit use.

    cc @bhamail / @DarthHater / @zendern / @fitzoh

  • Readme: Relation to govulncheck

    Readme: Relation to govulncheck

    • What are you trying to do? A new tool was released by go developers this month:

    https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck

    And I'm trying to decide how this tool is different from Nancy and if I should use both of them, or if one fully replaces the other?

    • What feature or behavior is this required for? Reduced time and complexity of CI-chain.

    • How could we solve this issue? (Not knowing is okay!) Could you include a section in your readme on how Nancy differs from the standard tool govulncheck? e.g. what does Nancy do more/less/differently, so people can easily decide which tool to use, or whether both tools solve different problems.

    cc @bhamail / @DarthHater

  • Subpackages with different versions are incorrectly flagged

    Subpackages with different versions are incorrectly flagged

    Thanks for creating an issue! Please fill out this form so we can be sure to have all the information we need, and to minimize back and forth.

    • What are you trying to do? The issue is already reported here https://github.com/sonatype-nexus-community/nancy/issues/157, but this time with the package github.com/hashicorp/vault. Releases are tagged here: https://github.com/hashicorp/vault/releases; the latest version is v1.11.3. The latest version of github.com/hashicorp/vault/api is v1.7.2. The latest version of github.com/hashicorp/vault/sdk is v0.5.3.

    Nancy sees I have used github.com/hashicorp/vault/api@v1.7.2 but reports CVEs as if I was using github.com/hashicorp/vault@v1.7.2; same for github.com/hashicorp/vault/sdk@v0.5.1 - it is recommended to be github.com/hashicorp/vault@1.11.1/1.9.8/1.10.5

    None of these CVEs should apply to github.com/hashicorp/vault/api@v1.7.2 or github.com/hashicorp/vault/sdk@v0.5.1, but it gets confused by the version difference.

    Here is what I get:

    pkg:golang/github.com/hashicorp/vault/sdk@v0.5.1
    #17 3.431 1 known vulnerabilities affecting installed version 
    #17 3.431 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
    #17 3.431 ┃ [CVE-2022-36129] CWE-863: Incorrect Authorization                                                                                                                                                                           ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ Description        ┃ HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters                                                                                                                            ┃
    #17 3.431 ┃                    ┃ using Integrated Storage expose an unauthenticated API endpoint that could                                                                                                                             ┃
    #17 3.431 ┃                    ┃ be abused to override the voter status of a node within a Vault HA cluster,                                                                                                                            ┃
    #17 3.431 ┃                    ┃ introducing potential for future data loss or catastrophic failure. Fixed                                                                                                                              ┃
    #17 3.431 ┃                    ┃ in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.                                                                                                                                                         ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ OSS Index ID       ┃ CVE-2022-36129                                                                                                                                                                                         ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ CVSS Score         ┃ 9.1/10 (Critical)                                                                                                                                                                                      ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ CVSS Vector        ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H                                                                                                                                                           ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2022-36129?component-type=golang&component-name=github.com%2Fhashicorp%2Fvault%2Fsdk&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.39 ┃
    #17 3.431 ┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
    #
    pkg:golang/github.com/hashicorp/vault/api@v1.7.2
    #17 3.431 1 known vulnerabilities affecting installed version 
    #17 3.431 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
    #17 3.431 ┃ [CVE-2022-36129] CWE-863: Incorrect Authorization                                                                                                                                                                           ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ Description        ┃ HashiCorp Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0 clusters                                                                                                                            ┃
    #17 3.431 ┃                    ┃ using Integrated Storage expose an unauthenticated API endpoint that could                                                                                                                             ┃
    #17 3.431 ┃                    ┃ be abused to override the voter status of a node within a Vault HA cluster,                                                                                                                            ┃
    #17 3.431 ┃                    ┃ introducing potential for future data loss or catastrophic failure. Fixed                                                                                                                              ┃
    #17 3.431 ┃                    ┃ in Vault Enterprise 1.9.8, 1.10.5, and 1.11.1.                                                                                                                                                         ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ OSS Index ID       ┃ CVE-2022-36129                                                                                                                                                                                         ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ CVSS Score         ┃ 9.1/10 (Critical)                                                                                                                                                                                      ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ CVSS Vector        ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H                                                                                                                                                           ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
    #17 3.431 ┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2022-36129?component-type=golang&component-name=github.com%2Fhashicorp%2Fvault%2Fapi&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.39 ┃
    #17 3.431 ┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
    #17 3.431 
    #17 3.431 2 Vulnerable Packages
    #17 3.431 
    #17 3.431 ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
    #17 3.431 ┃ Summary                       ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
    #17 3.431 ┃ Audited Dependencies    ┃ 104 ┃
    #17 3.431 ┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
    #17 3.431 ┃ Vulnerable Dependencies ┃ 2   ┃
    #17 3.431 ┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛
    

    Here is the output of go list:

    ➜  go list -m all | grep github.com/hashicorp/vault
    github.com/hashicorp/vault/api v1.7.2
    github.com/hashicorp/vault/sdk v0.5.1
    

    Here is my Nancy version: nancy version 1.0.39

    • What feature or behavior is this required for? Go dependencies vulnerability scan

    • How could we solve this issue? (Not knowing is okay!) I think if a subpackage is versioned differently it should be considered separate and not matched against the parent one?

    • Anything else? No cc @bhamail / @DarthHater
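The false positive described in this issue comes down to how a dependency's module path and version are matched against an advisory filed for the parent module. The Go program below is an added example: it is not nancy's code, and it is not a description of how OSS Index actually matches (the issue does not show that logic). It parses the `go list -json -m all` stream that nancy consumes, derives the same `pkg:golang/<path>@<version>` coordinates nancy prints, and compares a lax path-prefix rule with the exact-module rule the reporter proposes. The `Module` and `Advisory` types, the advisory table and the sample module list are all this example's own constructions; the sample adds a direct dependency on github.com/hashicorp/vault v1.9.0 so a genuine hit sits next to the false one, and the version ranges are copied from the CVE-2022-36129 description quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Module is the subset of a `go list -json -m all` record used here; Advisory
// is this example's own shape (path plus [introduced, fixed) ranges), not
// OSS Index's data model.
type Module struct {
	Path, Version string
	Main          bool
}
type Advisory struct {
	ID, Module string
	Ranges     [][2]string
}

// Constructed input in the shape `go list -json -m all` emits: the main module
// (skipped below), the two modules from the issue, and an added direct
// dependency on the parent module so a genuine hit sits next to the false one.
const sampleGoList = `{"Path": "example.com/app", "Main": true}
{"Path": "github.com/hashicorp/vault", "Version": "v1.9.0"}
{"Path": "github.com/hashicorp/vault/api", "Version": "v1.7.2"}
{"Path": "github.com/hashicorp/vault/sdk", "Version": "v0.5.1"}
`

// Ranges copied from the CVE-2022-36129 description quoted in the issue.
var constructedAdvisories = []Advisory{{
	ID: "CVE-2022-36129", Module: "github.com/hashicorp/vault",
	Ranges: [][2]string{{"v1.7.0", "v1.9.8"}, {"v1.10.4", "v1.10.5"}, {"v1.11.0", "v1.11.1"}},
}}

// parseGoList decodes the concatenated JSON objects and drops the main module.
func parseGoList(r io.Reader) (mods []Module, err error) {
	dec := json.NewDecoder(r)
	for {
		var m Module
		if err = dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		if !m.Main {
			mods = append(mods, m)
		}
	}
}

// semverCmp orders vMAJOR.MINOR.PATCH numerically; anything after '-' or '+'
// (pseudo-version timestamps, pre-release tags, +incompatible) is ignored.
func semverCmp(a, b string) int {
	pa, pb := semverParts(a), semverParts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] - pb[i]
		}
	}
	return 0
}
func semverParts(v string) (p [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		p[i], _ = strconv.Atoi(s)
	}
	return p
}

// prefixRule is the lax rule: anything under the advisory's path is checked
// against the parent's ranges although vault/api has its own release line.
// exactRule is the reporter's proposal: a separately versioned subpackage is
// its own module and matches only advisories filed for its exact path.
func prefixRule(advPath, modPath string) bool {
	return modPath == advPath || strings.HasPrefix(modPath, advPath+"/")
}
func exactRule(advPath, modPath string) bool { return modPath == advPath }

// match returns nancy-style purl -> advisory IDs for every module the rule
// accepts whose version falls inside one of the advisory's ranges.
func match(advs []Advisory, mods []Module, rule func(advPath, modPath string) bool) map[string][]string {
	hits := map[string][]string{}
	for _, m := range mods {
		key := "pkg:golang/" + m.Path + "@" + m.Version
		for _, adv := range advs {
			for _, r := range adv.Ranges {
				if rule(adv.Module, m.Path) && semverCmp(m.Version, r[0]) >= 0 && semverCmp(m.Version, r[1]) < 0 {
					hits[key] = append(hits[key], adv.ID)
				}
			}
		}
	}
	return hits
}

func main() {
	mods, _ := parseGoList(strings.NewReader(sampleGoList))
	fmt.Println("path-prefix match: ", match(constructedAdvisories, mods, prefixRule))
	fmt.Println("exact-module match:", match(constructedAdvisories, mods, exactRule))
}
```

Run it with `go run main.go`. The prefix rule reports vault/api v1.7.2 because 1.7.2 happens to fall inside the parent's affected range, while the exact rule reports only the parent module. Note that a version-range check alone cannot reproduce the sdk v0.5.1 hit shown in the issue (0.5.1 lies outside every range), so whatever OSS Index does when it flags that coordinate is not this simple model.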

  • Task execution failure

    Task execution failure

    We are using Sonatype Nexus OSS as a repository manager and are having issues with a task execution failure for the Maven indexes.

    What: the Maven index task fails because one of the repositories, proxy-maven-jboss-releases, is failing to connect. When the task is set to run, the repo becomes "remote unavailable" (service unavailable). After running the task we get the following error:

    Task Name: Maven - publish indexes
    Stack-trace:
    org.sonatype.goodies.common.MultipleFailures$MultipleFailuresException: Failed to run task 'Publish Maven indexes of *'; 1 failure
        at org.sonatype.goodies.common.MultipleFailures.maybePropagate(MultipleFailures.java:95)
        at org.sonatype.nexus.repository.RepositoryTaskSupport.execute(RepositoryTaskSupport.java:90)
        at org.sonatype.nexus.scheduling.TaskSupport.call(TaskSupport.java:100)
        at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.doExecute(QuartzTaskJob.java:143)
        at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.execute(QuartzTaskJob.java:106)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at org.sonatype.nexus.quartz.internal.QuartzThreadPool.lambda$0(QuartzThreadPool.java:145)
        at org.sonatype.nexus.thread.internal.MDCAwareRunnable.run(MDCAwareRunnable.java:40)
        at org.apache.shiro.subject.support.SubjectRunnable.doRun(SubjectRunnable.java:120)
        at org.apache.shiro.subject.support.SubjectRunnable.run(SubjectRunnable.java:108)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:750)
    Suppressed: org.sonatype.nexus.repository.proxy.ProxyServiceException: HTTP/1.1 503 Service Unavailable
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.mayThrowProxyServiceException(ProxyFacetSupport.java:509)
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:483)
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:417)
        at org.sonatype.nexus.repository.maven.internal.orient.MavenProxyFacet.fetch(MavenProxyFacet.java:117)
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.doGet(ProxyFacetSupport.java:284)
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.lambda$1(ProxyFacetSupport.java:260)
        at org.sonatype.nexus.common.io.CooperatingFuture.performCall(CooperatingFuture.java:122)
        at org.sonatype.nexus.common.io.CooperatingFuture.call(CooperatingFuture.java:64)
        at org.sonatype.nexus.common.io.ScopedCooperationFactorySupport$ScopedCooperation.cooperate(ScopedCooperationFactorySupport.java:99)
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:251)
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:240)
        at org.sonatype.nexus.repository.maven.internal.MavenIndexPublisher.prefetch(MavenIndexPublisher.java:245)
        at org.sonatype.nexus.repository.maven.internal.MavenIndexPublisher.prefetchIndexFiles(MavenIndexPublisher.java:227)
        at org.sonatype.nexus.repository.maven.internal.MavenIndexPublisher.publishProxyIndex(MavenIndexPublisher.java:160)
        at org.sonatype.nexus.repository.maven.internal.orient.OrientMavenProxyIndexFacet.publishIndex(OrientMavenProxyIndexFacet.java:96)
        at org.sonatype.nexus.repository.maven.tasks.PublishMavenIndexTask.execute(PublishMavenIndexTask.java:37)
        at org.sonatype.nexus.repository.RepositoryTaskSupport.execute(RepositoryTaskSupport.java:79)
        ... 13 more

    I want to know why the repository proxy-maven-jboss-releases is failing to come online. Repo details: Maven 2, version policy: Release, layout policy: strict.

    Thanks, Anil

  • Wrong brew tap on gonancy.dev

    Wrong brew tap on gonancy.dev

    • What are you trying to do?

    Install nancy on macOS using brew. To do this I used the documentation on https://gonancy.dev which provides the following commands:

    $ brew tap sonatype-nexus-community/tap
    $ brew install nancy
    

    This causes the following error:

    $ brew tap sonatype-nexus-community/tap
    ==> Tapping sonatype-nexus-community/tap
    Cloning into '/usr/local/Homebrew/Library/Taps/sonatype-nexus-community/homebrew-tap'...
    remote: Enumerating objects: 14, done.
    remote: Total 14 (delta 0), reused 0 (delta 0), pack-reused 14
    Receiving objects: 100% (14/14), done.
    Resolving deltas: 100% (2/2), done.
    Error: Invalid formula: /usr/local/Homebrew/Library/Taps/sonatype-nexus-community/homebrew-tap/Formula/nancy.rb
    nancy: Calling bottle :unneeded is disabled! There is no replacement.
    Please report this issue to the sonatype-nexus-community/tap tap (not Homebrew/brew or Homebrew/core):
      /usr/local/Homebrew/Library/Taps/sonatype-nexus-community/homebrew-tap/Formula/nancy.rb:6
    
    Error: Cannot tap sonatype-nexus-community/tap: invalid syntax in tap!
    

    The reason is that the tap appears to be outdated.

    • What feature or behavior is this required for?

    Installing nancy on macOS using brew.

    • How could we solve this issue? (Not knowing is okay!)

    Update the documentation on https://gonancy.dev

    At the moment the documentation states:

    $ brew tap sonatype-nexus-community/tap
    $ brew install nancy
    

    It should be:

    $ brew tap sonatype-nexus-community/nancy-tap
    $ brew install nancy
    
    • Anything else?

    I'd create a PR myself but was not able to find the repo where https://gonancy.dev is managed.

    cc @bhamail / @DarthHater

  • Q. has any thought been given to scanning for core library vulnerabilities?

    Q. has any thought been given to scanning for core library vulnerabilities?

    • What are you trying to do?

    Detect Go binaries built against a given toolchain version for known vulnerabilities

    • What feature or behavior is this required for?

    For core Go vulnerabilities such as CVE-2021-44716, which is fixed by rebuilding apps with Go 1.17.5 or 1.16.12, it would be useful if we could use nancy to scan pre-built Go binaries to determine what version of Go they were built against and then lookup that version in the OSS index

    • How could we solve this issue? (Not knowing is okay!)

    Using something like rsc.io/goversion as a library to extract the Go version that was used from the debug info of the executable, and then lookup that version in the OSS index for any known vulnerabilities.

    Note: this would rely on the Go toolchain being correctly listed and tracked in the OSS index. Whilst it does partially appear to be indexed here, the versions and vulnerabilities listed there are not accurate.

    Whilst I know currently nancy is more geared towards scanning go.mod pre-compilation to find vulnerabilities, I think it would also be useful if it could be used post-compilation to scan binaries. The obvious advantage is the one mentioned here (scanning for core Go vulns), but it is also worth pointing out that the module / dependency information is also available from the compiled binary and can be parsed (e.g., see mitchellh/golicense/module/module.go)

    cc @bhamail / @DarthHater
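One way to do the post-compilation check proposed in this issue, as an added example that is not nancy's code: instead of rsc.io/goversion it uses the standard library's debug/buildinfo package (Go 1.18 and later) to read the build information the Go linker embeds in every binary, reports the toolchain version and the module list in the `pkg:golang/<path>@<version>` form nancy prints, and checks the toolchain against a small constructed fix table. That table carries only CVE-2021-44716 with the fix versions named in the issue (go1.16.12 and go1.17.5); nothing is looked up in OSS Index, the `Report` type is this example's own, and the `needsRebuild` policy for release lines that have no listed fix is an assumption made here rather than anything the issue states.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// toolchainFixes is a constructed table, not an OSS Index lookup; the fix
// versions for CVE-2021-44716 are the ones named in the issue above.
var toolchainFixes = map[string][]string{
	"CVE-2021-44716": {"go1.16.12", "go1.17.5"},
}

// Report is what can be learned about a binary without running it.
type Report struct {
	Path, GoVersion, MainModule string
	Deps                        []string // pkg:golang/<path>@<version>
	Findings                    []string // toolchain advisories the binary predates
}

// goVersionParts turns "go1.17.4" into [1,17,4] and "go1.18" into [1,18,0].
// ok is false for unrankable strings such as "devel go1.19-..." or "go1.18beta1".
func goVersionParts(v string) (parts [3]int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "go"), " ") // drops " X:boringcrypto"-style suffixes
	fields := strings.SplitN(v, ".", 3)
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, len(fields) >= 2
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// needsRebuild reports whether goVersion predates the fix on its release line.
// Assumption made here: a line with no listed fix is affected if it is older
// than every fixed line and clean if it is newer; unrankable toolchain strings
// are reported as affected so that somebody looks at them.
func needsRebuild(goVersion string, fixed []string) bool {
	cur, ok := goVersionParts(goVersion)
	if !ok {
		return true
	}
	var newest [3]int
	for _, f := range fixed {
		fv, ok := goVersionParts(f)
		if !ok {
			continue
		}
		if fv[0] == cur[0] && fv[1] == cur[1] {
			return less(cur, fv)
		}
		if less(newest, fv) {
			newest = fv
		}
	}
	return less(cur, newest)
}

// inspect reads the build info blob from an ELF, PE or Mach-O Go binary.
// Replaced modules are reported at the replacement's path and version,
// which is what was actually linked in.
func inspect(path string) (*Report, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	r := &Report{Path: path, GoVersion: bi.GoVersion, MainModule: bi.Main.Path}
	for _, d := range bi.Deps {
		if d.Replace != nil {
			d = d.Replace
		}
		r.Deps = append(r.Deps, "pkg:golang/"+d.Path+"@"+d.Version)
	}
	for id, fixed := range toolchainFixes {
		if needsRebuild(bi.GoVersion, fixed) {
			r.Findings = append(r.Findings, id+": built with "+bi.GoVersion+", rebuild with "+strings.Join(fixed, " or "))
		}
	}
	return r, nil
}

func main() {
	for _, path := range os.Args[1:] {
		if r, err := inspect(path); err != nil {
			fmt.Fprintln(os.Stderr, err)
		} else {
			fmt.Printf("%s: %s, main module %s, %d deps, findings: %v\n", r.Path, r.GoVersion, r.MainModule, len(r.Deps), r.Findings)
		}
	}
}
```

Run it as `go run main.go /path/to/binary ...`; `go version -m` on the same binary shows the raw blob the program is reading. The dependency coordinates come out in the same form nancy prints for go.mod input, so the second half of the request, looking up the embedded module list, is a matter of feeding them to the same query nancy already runs.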

  • Running nancy in Azure DevOps requires bash to be present in the image

    Running nancy in Azure DevOps requires bash to be present in the image

    Thanks for creating an issue! Please fill out this form so we can be sure to have all the information we need, and to minimize back and forth.

    • What are you trying to do?

    Run nancy's official docker image in an Azure DevOps pipeline

    • How could we solve this issue? (Not knowing is okay!)

    ADO requires that any container that you run as part of the pipeline have bash installed in the container. Do you want to add bash to be part of the original image? If not, I'll have to extend the image and maintain my own version

    Thank you!

    • Anything else?

    cc @bhamail / @DarthHater
