Nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

README

<!-- Copyright 2018-present Sonatype Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <p align="center"> <img src="https://github.com/sonatype-nexus-community/nancy/blob/main/docs/images/nancy.png?raw=true" width="350" alt="nancy logo"/> </p>

Nancy

[![shield_gh-workflow-test]][link_gh-workflow-test] [![shield_license]][license_file]

nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index. It also works with Nexus IQ Server, so the same Golang workflow covers either service.

Usage

nancy currently works for projects that use dep or go mod for dependencies.

 ~ > nancy --help
nancy is a tool to check for vulnerabilities in your Golang dependencies,
powered by the 'Sonatype OSS Index', and as well, works with Nexus IQ Server, allowing you
a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy [flags]
  nancy [command]

Examples:
  Typical usage will pipe the output of 'go list -json -deps' to 'nancy':
  go list -json -deps ./... | nancy sleuth [flags]
  go list -json -deps ./... | nancy iq [flags]

  If using dep typical usage is as follows :
  nancy sleuth -p Gopkg.lock [flags]
  nancy iq -p Gopkg.lock [flags]


Available Commands:
  config      Setup credentials to use when connecting to services
  help        Help about any command
  iq          Check for vulnerabilities in your Golang dependencies using 'Sonatype's Nexus IQ IQServer'
  sleuth      Check for vulnerabilities in your Golang dependencies using Sonatype's OSS Index
  update      Check if there are any updates available

Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -c, --clean-cache            Deletes local cache directory
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Index, example: /tmp
  -h, --help                   help for nancy
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

Use "nancy [command] --help" for more information about a command.


$ > nancy sleuth --help
'nancy sleuth' is a command to check for vulnerabilities in your Golang dependencies, powered by the 'Sonatype OSS Index'.

Usage:
  nancy sleuth [flags]

Examples:
  go list -json -deps ./... | nancy sleuth --username your_user --token your_token
  nancy sleuth -p Gopkg.lock --username your_user --token your_token

Flags:
  -a, --additional-exclude-vulnerability-files strings   Path to additional files containing newline separated CVEs or OSS Index IDs to be excluded
  -e, --exclude-vulnerability CveListFlag                Comma separated list of CVEs or OSS Index IDs to exclude (default [])
  -x, --exclude-vulnerability-file string                Path to a file containing newline separated CVEs or OSS Index IDs to be excluded (default "./.nancy-ignore")
  -h, --help                                             help for sleuth
  -n, --no-color                                         indicate output should not be colorized
  -o, --output string                                    Styling for output format. json, json-pretty, text, csv (default "text")

Global Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Index, example: /tmp
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

$ > nancy iq --help
'nancy iq' is a command to check for vulnerabilities in your Golang dependencies, powered by 'Sonatype's Nexus IQ IQServer', allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy iq [flags]

Examples:
  go list -json -deps ./... | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop
  nancy iq -p Gopkg.lock --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop

Flags:
  -h, --help                    help for iq
  -a, --iq-application string   Specify Nexus IQ public application ID for request
  -x, --iq-server-url string    Specify Nexus IQ server url for request (default "http://localhost:8070")
  -s, --iq-stage string         Specify Nexus IQ stage for request (default "develop")
  -k, --iq-token string         Specify Nexus IQ token for request (default "admin123")
  -l, --iq-username string      Specify Nexus IQ username for request (default "admin")

Global Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Index, example: /tmp
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

What is the best usage of Nancy?

The preferred way to use Nancy is:

  • go list -json -deps ./... | nancy sleuth
  • nancy sleuth -p /path/to/Gopkg.lock

go list -deps ./... lists only the packages your own packages import, directly or transitively, so this form scans what actually ends up in your binaries. If you would like to scan all dependencies, including those that do not end up in the final binary (for example modules that only your tests import), use go list -json -m all instead:

  • go list -json -m all | nancy sleuth

Credentials can be passed as flags, as in the help text above, but for CI prefer nancy config so that OSS Index tokens and Nexus IQ credentials do not end up in shell history or build logs. The admin/admin123 defaults and the http:// URL shown for nancy iq are local-demo settings; point a real scan at an https URL with its own account.
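To see what the two go list forms actually hand to the scanner, here is an added example in Go; it is not code from the nancy project. It reads either stream (one Package object per entry from -deps ./..., one Module object per entry from -m all) and prints the coordinates a scan would submit. The module names and versions are constructed, and the coordinate shape (pkg:golang/<module>@<version> with the leading v and any +incompatible suffix dropped) is an assumption about what OSS Index accepts rather than something this README states.

```go
package main

// Added example, not part of the nancy project: derives the coordinates a go-mod scan would
// submit to OSS Index from either go list stream the README pipes into nancy sleuth.
// All module names and versions below are constructed.

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// goListItem covers both stream shapes: a Package object from `go list -json -deps ./...`
// (ImportPath, Standard, Module) and a Module object from `go list -json -m all`
// (Path, Version, Main, Replace). Fields go list emits beyond these are ignored.
type goListItem struct {
	ImportPath string
	Standard   bool
	Module     *goListItem
	Path       string
	Version    string
	Main       bool
	Replace    *goListItem
}

// purl builds a coordinate. Assumption (not stated in the README): OSS Index takes
// pkg:golang/<module>@<version> with the leading "v" and any "+incompatible" suffix dropped.
func purl(path, version string) string {
	return "pkg:golang/" + path + "@" + strings.TrimSuffix(strings.TrimPrefix(version, "v"), "+incompatible")
}

// Coordinates decodes the concatenated JSON objects go list writes (one per package or module,
// not a JSON array) and returns the sorted, unique third-party coordinates. The main module and
// the standard library are skipped; a replace directive resolves to the replacement, because that
// is what gets compiled; a directory replacement has no version to look up and is skipped.
func Coordinates(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	seen := map[string]bool{}
	for {
		var it goListItem
		if err := dec.Decode(&it); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		mod := it.Module // Package object
		if it.ImportPath == "" {
			mod = &it // Module object
		}
		if it.Standard || mod == nil || mod.Main {
			continue
		}
		if mod.Replace != nil {
			mod = mod.Replace
		}
		if mod.Version != "" {
			seen[purl(mod.Path, mod.Version)] = true
		}
	}
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out)
	return out, nil
}

// Constructed `go list -json -deps ./...` output: main module, a stdlib package, two packages of one
// module, a replaced module, a directory replacement and a +incompatible version.
const sampleDeps = `{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"fmt","Standard":true}
{"ImportPath":"github.com/example/ws","Module":{"Path":"github.com/example/ws","Version":"v1.4.0"}}
{"ImportPath":"github.com/example/ws/internal","Module":{"Path":"github.com/example/ws","Version":"v1.4.0"}}
{"ImportPath":"github.com/example/old","Module":{"Path":"github.com/example/old","Version":"v0.1.0","Replace":{"Path":"github.com/example/fork","Version":"v0.1.1"}}}
{"ImportPath":"github.com/example/local","Module":{"Path":"github.com/example/local","Version":"v0.0.0","Replace":{"Path":"../local"}}}
{"ImportPath":"github.com/example/legacy","Module":{"Path":"github.com/example/legacy","Version":"v2.0.1+incompatible"}}`

// Constructed `go list -json -m all` output for the same module: it also lists a module that only
// the tests import, which -deps ./... never reaches.
const sampleModules = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/example/ws","Version":"v1.4.0"}
{"Path":"github.com/example/testonly","Version":"v0.3.0"}`

func main() {
	for _, in := range []struct{ flags, stream string }{{"-deps ./...", sampleDeps}, {"-m all", sampleModules}} {
		coords, err := Coordinates(strings.NewReader(in.stream))
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		fmt.Printf("go list -json %-12s -> %v\n", in.flags, coords)
	}
}
```

Run it with go run; to try it on a real module, pass os.Stdin to Coordinates instead of the constants. The output shows two things the bullets above do not spell out: a module imported through several packages is submitted once, and a replace directive is resolved to the replacement because that is what ends up in the binary, while the test-only module appears in the -m all list only.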

CI Usage

Here are some additional tools to simplify using Nancy in your CI environment:

Docker usage

<p align="center"> <img src="https://github.com/sonatype-nexus-community/nancy/blob/main/docs/images/nancy_docker.png" width="350" alt="nancy docker logo"/> </p>

nancy now comes in a boat! For ease of use, we've dockerized nancy. To use our Dockerfile:

go list -json -deps ./... | docker run --rm -i sonatypecommunity/nancy:latest sleuth

We publish a few different flavors for convenience:

  • latest if you want to be on the bleeding edge
  • The full version tag (ex: v0.1.1) for those who need a reproducible scanner; pin this one in CI, since latest can change underneath a build
  • The major version (we respect semver), ex: v0
  • The major/minor version (seriously, we respect semver), ex: v0.1
Want to build them locally?
  1. Install goreleaser or use their provided docker image (https://goreleaser.com/install/)

  2. Run goreleaser with the following options

    goreleaser release --skip-publish --snapshot --rm-dist
    

    or the docker version of goreleaser (note that a --privileged container with the Docker socket mounted has root-equivalent control of the host, so only do this on a machine you own)

    docker run --privileged \
      -v $PWD:/go/src/github.com/user/repo \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -w /go/src/github.com/user/repo \
      goreleaser/goreleaser release --skip-publish --snapshot --rm-dist
    
  3. Once complete you will have the images built locally. Use docker images to see them

    > docker images
    REPOSITORY                TAG                           IMAGE ID            CREATED             SIZE
    sonatypecommunity/nancy   alpine                        f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   v1-alpine                     f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   v1.0-alpine                   f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   v1.0.0-alpine                 f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   latest                        7cb89e362115        53 seconds ago      14.1MB
    sonatypecommunity/nancy   v1                            7cb89e362115        53 seconds ago      14.1MB
    sonatypecommunity/nancy   v1.0                          7cb89e362115        53 seconds ago      14.1MB
    sonatypecommunity/nancy   v1.0.0                        7cb89e362115        53 seconds ago      14.1MB
    

OSS Index Options

Rate limiting / Setti
