A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index

Nancy

nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index. It also works with Nexus IQ Server, allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage

nancy currently works for projects that use dep or go mod for dependencies.

 ~ > nancy --help
nancy is a tool to check for vulnerabilities in your Golang dependencies,
powered by the 'Sonatype OSS Index', and as well, works with Nexus IQ Server, allowing you
a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy [flags]
  nancy [command]

Examples:
  Typical usage will pipe the output of 'go list -json -deps' to 'nancy':
  go list -json -deps ./... | nancy sleuth [flags]
  go list -json -deps ./... | nancy iq [flags]

  If using dep typical usage is as follows :
  nancy sleuth -p Gopkg.lock [flags]
  nancy iq -p Gopkg.lock [flags]


Available Commands:
  config      Setup credentials to use when connecting to services
  help        Help about any command
  iq          Check for vulnerabilities in your Golang dependencies using 'Sonatype's Nexus IQ IQServer'
  sleuth      Check for vulnerabilities in your Golang dependencies using Sonatype's OSS Index
  update      Check if there are any updates available

Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -c, --clean-cache            Deletes local cache directory
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Inde, example: /tmp
  -h, --help                   help for nancy
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

Use "nancy [command] --help" for more information about a command.


$ > nancy sleuth --help
'nancy sleuth' is a command to check for vulnerabilities in your Golang dependencies, powered by the 'Sonatype OSS Index'.

Usage:
  nancy sleuth [flags]

Examples:
  go list -json -deps ./... | nancy sleuth --username your_user --token your_token
  nancy sleuth -p Gopkg.lock --username your_user --token your_token

Flags:
  -a, --additional-exclude-vulnerability-files strings   Path to additional files containing newline separated CVEs or OSS Index IDs to be excluded
  -e, --exclude-vulnerability CveListFlag                Comma separated list of CVEs or OSS Index IDs to exclude (default [])
  -x, --exclude-vulnerability-file string                Path to a file containing newline separated CVEs or OSS Index IDs to be excluded (default "./.nancy-ignore")
  -h, --help                                             help for sleuth
  -n, --no-color                                         indicate output should not be colorized
  -o, --output string                                    Styling for output format. json, json-pretty, text, csv (default "text")

Global Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Inde, example: /tmp
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

$ > nancy iq --help
'nancy iq' is a command to check for vulnerabilities in your Golang dependencies, powered by 'Sonatype's Nexus IQ IQServer', allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage:
  nancy iq [flags]

Examples:
  go list -json -deps ./... | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop
  nancy iq -p Gopkg.lock --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop

Flags:
  -h, --help                    help for iq
  -a, --iq-application string   Specify Nexus IQ public application ID for request
  -x, --iq-server-url string    Specify Nexus IQ server url for request (default "http://localhost:8070")
  -s, --iq-stage string         Specify Nexus IQ stage for request (default "develop")
  -k, --iq-token string         Specify Nexus IQ token for request (default "admin123")
  -l, --iq-username string      Specify Nexus IQ username for request (default "admin")

Global Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Inde, example: /tmp
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

What is the best usage of Nancy?

The preferred way to use Nancy is:

  • go list -json -deps ./... | nancy sleuth
  • nancy sleuth -p /path/to/Gopkg.lock

If you would like to scan all dependencies, including those that do not end up in the final binary, you can use go list -json -m all instead:

  • go list -json -m all | nancy sleuth

CI Usage

Here are some additional tools to simplify using Nancy in your CI environment:

Docker usage

nancy now comes in a boat! For ease of use, we've dockerized nancy. To use our Dockerfile:

go list -json -deps ./... | docker run --rm -i sonatypecommunity/nancy:latest sleuth

We publish a few different flavors for convenience:

  • Latest if you want to be on the bleeding edge ex: latest
  • The full tag for those concerned with 100% reliability of underlying Nancy ex: v0.1.1
  • The major version (we respect semver) ex: v0
  • The major/minor version (seriously, we respect semver) ex: v0.1

Want to build them locally?

  1. Install goreleaser or use their provided docker image (https://goreleaser.com/install/)

  2. Run goreleaser with the following options

    goreleaser release --skip-publish --snapshot --rm-dist
    

    or docker version of goreleaser

    docker run --privileged \
      -v $PWD:/go/src/github.com/user/repo \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -w /go/src/github.com/user/repo \
      goreleaser/goreleaser release --skip-publish --snapshot --rm-dist
    
  3. Once complete, the images will be built locally. Use docker images to see them:

    > docker images                                                                                                                                                                [789c9df]
    REPOSITORY                TAG                           IMAGE ID            CREATED             SIZE
    sonatypecommunity/nancy   alpine                        f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   v1-alpine                     f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   v1.0-alpine                   f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   v1.0.0-alpine                 f966c833c762        52 seconds ago      19.9MB
    sonatypecommunity/nancy   latest                        7cb89e362115        53 seconds ago      14.1MB
    sonatypecommunity/nancy   v1                            7cb89e362115        53 seconds ago      14.1MB
    sonatypecommunity/nancy   v1.0                          7cb89e362115        53 seconds ago      14.1MB
    sonatypecommunity/nancy   v1.0.0                        7cb89e362115        53 seconds ago      14.1MB
    

OSS Index Options

Rate limiting / Setting OSS Index config

NOTE: New as of Nancy v0.1.17

If you start using Nancy extensively, you might run into Rate Limiting from OSS Index! Don't worry, we've got your back!

If you run into Rate Limiting you should receive an error that will give you instructions on how to register on OSS Index:

You have been rate limited by OSS Index.
If you do not have a OSS Index account, please visit https://ossindex.sonatype.org/user/register to register an account.
After registering and verifying your account, you can retrieve your username (Email Address), and API Token
at https://ossindex.sonatype.org/user/settings. Upon retrieving those, run 'nancy config', set your OSS Index
settings, and rerun Nancy.

After setting this config, you'll be gifted a nice new higher rate limit. If you escape this limit, you might take a look at using Nexus IQ Server, or reach out to the friendly people at OSS Index for partnership opportunities.

You can also set the user and token via the command line like so:

nancy sleuth --username your_user@example.com --token A4@k3@p1T0k3n

This can be handy for testing your account out, or if you want to override your set config with a different user.

As of Nancy v1.0.17, you can also specify configuration values using environment variables:

export OSSI_USERNAME=your_user@example.com
export OSSI_TOKEN=A4@k3@p1T0k3n
go list -json -deps ./... | ./nancy sleuth
...

Loud mode

By default, nancy runs in a "quiet" mode, only displaying a list of vulnerable components. You can run nancy in a loud manner, showing all components by running:

  • nancy sleuth --loud -p /path/to/your/Gopkg.lock
  • go list -json -deps ./... | nancy sleuth --loud

Exclude vulnerabilities

Sometimes you'll run into a vulnerability in a dependency that, after taking a look, you either aren't affected by or cannot resolve for some reason. Nancy understands, and will let you exclude these vulnerabilities so you can get back to a passing build.

Vulnerabilities excluded will then be silenced and not show up in the output or fail your build.

We support exclusion of vulnerability either by CVE-ID (ex: CVE-2018-20303) or via the OSS Index ID (ex: a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14) as not all vulnerabilities have a CVE-ID.

Via CLI flag

  • nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2 -p /path/to/your/Gopkg.lock
  • go list -json -deps ./... | nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2

Via file

By default, if a file named .nancy-ignore exists in the directory where nancy is run, nancy will use it; no other options need to be passed.

If you would like to define the path to the file, you can use the following:

  • nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file -p /path/to/your/Gopkg.lock
  • go list -json -deps ./... | nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file

If you would like to split up your excludes into multiple files besides your root .nancy-ignore you can pass them via the -a or --additional-exclude-vulnerability-files flags.

  • nancy sleuth --additional-exclude-vulnerability-files=/path/to/first,/path/to/second
  • nancy sleuth -a /path/to/first -a /path/to/second

You can also combine it with the -x / --exclude-vulnerability-file flag. Nancy merges the additional files on top of the root .nancy-ignore.

  • nancy sleuth -x .nancy-ignore.global -a .nancy-ignore.local

The file format requires each vulnerability that you want to exclude to be on a separate line. Comments are allowed in the file as well to help provide context when needed. See an example file below.

# This vulnerability is coming from package xyz, we are ok with this for now
CVN-111
CVN-123 # Mitigated the risk of this since we only use one method in this package and the affected code doesn't matter
CVN-543

It's also possible to define expiring ignores. If you define a date on a vulnerability ignore, the vulnerability is ignored until that date; once that date has passed, nancy reports it again if it's still an issue. The format for an expiring ignore is shown below. An expiring ignore can also be followed by a comment to provide context as to why it's been ignored until that date.

CVN-111 until=2021-01-01
CVN-543 until=2018-02-12 #Waiting on release from third party. Should be out before this date but gives us a little time to fix it.
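An added example, not part of nancy's own code: a small Go auditor for the ignore-file format described above. It sorts entries into permanent (no until= date), still active, and expired, so stale or never-reviewed suppressions show up in review. The names ParseIgnoreFile and AuditIgnores are hypothetical, the sample file is constructed from the lines above, and treating the until date itself as still ignored is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample, modelled on the example lines shown above.
const sampleIgnore = `# Accepted for now, comes from package xyz
CVN-111
CVN-123 # only one unaffected method is used
CVN-543 until=2018-02-12 #Waiting on release from third party
CVE-2018-20303 until=2021-01-01
`

// IgnoreEntry is one parsed, non-comment line of an ignore file.
type IgnoreEntry struct {
	ID      string    // CVE ID or OSS Index ID
	Until   time.Time // zero value: the ignore has no expiry date
	Comment string    // trailing comment, if any
	Line    int       // 1-based line number, for error reports
}

// ParseIgnoreFile reads one ID per line, an optional until=YYYY-MM-DD
// token, and '#' comments (whole-line or trailing).
func ParseIgnoreFile(content string) ([]IgnoreEntry, error) {
	var entries []IgnoreEntry
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		body, comment := sc.Text(), ""
		if i := strings.IndexByte(body, '#'); i >= 0 {
			body, comment = body[:i], strings.TrimSpace(body[i+1:])
		}
		fields := strings.Fields(body)
		if len(fields) == 0 {
			continue // blank line or comment-only line
		}
		e := IgnoreEntry{ID: fields[0], Comment: comment, Line: n}
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "until=") {
				return nil, fmt.Errorf("line %d: unexpected token %q", n, f)
			}
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(f, "until="))
			if err != nil {
				return nil, fmt.Errorf("line %d: bad until date %q", n, f)
			}
			e.Until = t
		}
		entries = append(entries, e)
	}
	return entries, sc.Err()
}

// Audit groups ignore IDs by how much review attention they need.
type Audit struct {
	Permanent []string // no until= date: never resurfaces on its own
	Active    []string // dated and still suppressing findings
	Expired   []string // date has passed: the finding is reported again
}

// AuditIgnores classifies entries relative to today. Assumption: an
// entry is still ignored on its until date and expires the day after.
func AuditIgnores(entries []IgnoreEntry, today time.Time) Audit {
	day := time.Date(today.Year(), today.Month(), today.Day(), 0, 0, 0, 0, time.UTC)
	var a Audit
	for _, e := range entries {
		switch {
		case e.Until.IsZero():
			a.Permanent = append(a.Permanent, e.ID)
		case day.After(e.Until):
			a.Expired = append(a.Expired, e.ID)
		default:
			a.Active = append(a.Active, e.ID)
		}
	}
	return a
}

func main() {
	entries, err := ParseIgnoreFile(sampleIgnore)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	a := AuditIgnores(entries, time.Now())
	fmt.Println("permanent (review manually):", a.Permanent)
	fmt.Println("active:", a.Active)
	fmt.Println("expired (remove from file):", a.Expired)
}
```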

Output

We support multiple output formats; an example of each can be found below. This intentionally vulnerable repo was used to generate the example output. The quiet option is supported in text and csv. json formatting ignores the quiet option and outputs the same values whether or not it's passed.

text (default)

Nancy version: development
!!!!! WARNING !!!!!
Scanning cannot be completed on the following package(s) since they do not use semver.
[1/1]pkg:golang/github.com/go-gitea/[email protected]

------------------------------------------------------------
[1/10]pkg:golang/github.com/bitly/[email protected]  [Vulnerable]   1 known vulnerabilities affecting installed version

[CVE-2017-1000070]  URL Redirection to Untrusted Site ("Open Redirect")
The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819

ID:9eb9a5bc-8310-4104-bf85-3a820d28ba79
Details:https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79
[2/10]pkg:golang/github.com/cockroachdb/[email protected]   No known vulnerabilities against package/version
------------------------------------------------------------
[3/10]pkg:golang/github.com/ethereum/[email protected]  [Vulnerable]   1 known vulnerabilities affecting installed version

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

...

Audited dependencies:10,Vulnerable:6

json

{"audited":[{"Coordinates":"pkg:golang/github.com/bitly/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]","Vulnerabilities":[{"Id":"9eb9a5bc-8310-4104-bf85-3a820d28ba79","Title":"[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2017-1000070","Reference":"https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/cockroachdb/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/cockroachdb/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ethereum/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]","Vulnerabilities":[{"Id":"4efaed86-e62e-4c0c-b812-36c07e61ede4","Title":"CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')","Description":"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/elastic/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email 
protected]","Vulnerabilities":[{"Id":"8e4d562d-517b-4d00-a845-a7a3e2be41db","Title":"[CVE-2017-11480]  Improper Access Control","Description":"Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"CVE-2017-11480","Reference":"https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/etcd-io/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/etcd-io/[email protected]","Vulnerabilities":[{"Id":"5c876f5e-2814-4822-baf0-1092fc63ec25","Title":"[CVE-2018-1098]  Cross-Site Request Forgery (CSRF)","Description":"A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.","CvssScore":"8.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","Cve":"CVE-2018-1098","Reference":"https://ossindex.sonatype.org/vuln/5c876f5e-2814-4822-baf0-1092fc63ec25","Excluded":false},{"Id":"8a190129-526c-4ee0-b663-92f38139c165","Title":"[CVE-2018-1099]  Improper Input Validation","Description":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. 
An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","CvssScore":"5.5","CvssVector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-1099","Reference":"https://ossindex.sonatype.org/vuln/8a190129-526c-4ee0-b663-92f38139c165","Excluded":false},{"Id":"69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Title":"[CVE-2018-16886]  Improper Authentication","Description":"etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.","CvssScore":"8.1","CvssVector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-16886","Reference":"https://ossindex.sonatype.org/vuln/69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/github/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/github/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gogs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gogs/[email protected]","Vulnerabilities":[{"Id":"a4c682fa-9c9f-4e9e-b218-720d5125b17f","Title":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","Description":"The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream 
component.","CvssScore":"9.9","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/a4c682fa-9c9f-4e9e-b218-720d5125b17f","Excluded":false},{"Id":"304fa9e0-012e-4385-88b2-88c0c5ec3247","Title":"[CVE-2018-15192] An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0....","Description":"An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.","CvssScore":"8.6","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","Cve":"CVE-2018-15192","Reference":"https://ossindex.sonatype.org/vuln/304fa9e0-012e-4385-88b2-88c0c5ec3247","Excluded":false},{"Id":"a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Title":"[CVE-2018-20303]  Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")","Description":"In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-20303","Reference":"https://ossindex.sonatype.org/vuln/a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Excluded":false},{"Id":"bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Title":"[CVE-2018-18925] Gogs 0.11.66 allows remote code execution because it does not properly validate ...","Description":"Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a \"..\" session-file forgery in the file session provider in file.go. 
This is related to session ID handling in the go-macaron/session code for Macaron.","CvssScore":"9.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-18925","Reference":"https://ossindex.sonatype.org/vuln/bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Excluded":false},{"Id":"bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Title":"[CVE-2018-15178]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2018-15178","Reference":"https://ossindex.sonatype.org/vuln/bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Excluded":false},{"Id":"fc70a115-52cc-44ea-a33d-793267f860dd","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/fc70a115-52cc-44ea-a33d-793267f860dd","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/goharbor/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/goharbor/[email protected]","Vulnerabilities":[],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gophish/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gophish/[email protected]","Vulnerabilities":[{"Id":"0416e202-2705-431d-9915-8ed93334ca58","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site 
Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/0416e202-2705-431d-9915-8ed93334ca58","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ipfs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ipfs/[email protected]","Vulnerabilities":[],"InvalidSemVer":false}],"exclusions":[],"invalid":[{"Coordinates":"pkg:golang/github.com/go-gitea/[email protected]","Reference":"","Vulnerabilities":null,"InvalidSemVer":true}],"num_audited":10,"num_vulnerable":6,"version":"development","vulnerable":[{"Coordinates":"pkg:golang/github.com/bitly/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]","Vulnerabilities":[{"Id":"9eb9a5bc-8310-4104-bf85-3a820d28ba79","Title":"[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. 
This issue was caused by improper input validation and a violation of RFC-6819","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2017-1000070","Reference":"https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/ethereum/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]","Vulnerabilities":[{"Id":"4efaed86-e62e-4c0c-b812-36c07e61ede4","Title":"CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')","Description":"The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/elastic/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email protected]","Vulnerabilities":[{"Id":"8e4d562d-517b-4d00-a845-a7a3e2be41db","Title":"[CVE-2017-11480]  Improper Access Control","Description":"Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. 
If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","Cve":"CVE-2017-11480","Reference":"https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/etcd-io/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/etcd-io/[email protected]","Vulnerabilities":[{"Id":"5c876f5e-2814-4822-baf0-1092fc63ec25","Title":"[CVE-2018-1098]  Cross-Site Request Forgery (CSRF)","Description":"A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.","CvssScore":"8.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","Cve":"CVE-2018-1098","Reference":"https://ossindex.sonatype.org/vuln/5c876f5e-2814-4822-baf0-1092fc63ec25","Excluded":false},{"Id":"8a190129-526c-4ee0-b663-92f38139c165","Title":"[CVE-2018-1099]  Improper Input Validation","Description":"DNS rebinding vulnerability found in etcd 3.3.1 and earlier. 
An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).","CvssScore":"5.5","CvssVector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-1099","Reference":"https://ossindex.sonatype.org/vuln/8a190129-526c-4ee0-b663-92f38139c165","Excluded":false},{"Id":"69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Title":"[CVE-2018-16886]  Improper Authentication","Description":"etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.","CvssScore":"8.1","CvssVector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-16886","Reference":"https://ossindex.sonatype.org/vuln/69b9f08b-8eda-4125-8e84-b7d67a7c9ee5","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gogs/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gogs/[email protected]","Vulnerabilities":[{"Id":"a4c682fa-9c9f-4e9e-b218-720d5125b17f","Title":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","Description":"The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.","CvssScore":"9.9","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/a4c682fa-9c9f-4e9e-b218-720d5125b17f","Excluded":false},{"Id":"304fa9e0-012e-4385-88b2-88c0c5ec3247","Title":"[CVE-2018-15192] 
An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0....","Description":"An SSRF vulnerability in webhooks in Gitea through 1.5.0-rc2 and Gogs through 0.11.53 allows remote attackers to access intranet services.","CvssScore":"8.6","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","Cve":"CVE-2018-15192","Reference":"https://ossindex.sonatype.org/vuln/304fa9e0-012e-4385-88b2-88c0c5ec3247","Excluded":false},{"Id":"a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Title":"[CVE-2018-20303]  Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")","Description":"In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to CVE-2018-18925.","CvssScore":"7.5","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","Cve":"CVE-2018-20303","Reference":"https://ossindex.sonatype.org/vuln/a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14","Excluded":false},{"Id":"bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Title":"[CVE-2018-18925] Gogs 0.11.66 allows remote code execution because it does not properly validate ...","Description":"Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a \"..\" session-file forgery in the file session provider in file.go. 
This is related to session ID handling in the go-macaron/session code for Macaron.","CvssScore":"9.8","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","Cve":"CVE-2018-18925","Reference":"https://ossindex.sonatype.org/vuln/bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2","Excluded":false},{"Id":"bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Title":"[CVE-2018-15178]  URL Redirection to Untrusted Site (\"Open Redirect\")","Description":"Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"CVE-2018-15178","Reference":"https://ossindex.sonatype.org/vuln/bbbdbb94-f65a-475c-9e9f-6793778fbd9b","Excluded":false},{"Id":"fc70a115-52cc-44ea-a33d-793267f860dd","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/fc70a115-52cc-44ea-a33d-793267f860dd","Excluded":false}],"InvalidSemVer":false},{"Coordinates":"pkg:golang/github.com/gophish/[email protected]","Reference":"https://ossindex.sonatype.org/component/pkg:golang/github.com/gophish/[email protected]","Vulnerabilities":[{"Id":"0416e202-2705-431d-9915-8ed93334ca58","Title":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Description":"The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other 
users.","CvssScore":"6.1","CvssVector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","Cve":"","Reference":"https://ossindex.sonatype.org/vuln/0416e202-2705-431d-9915-8ed93334ca58","Excluded":false}],"InvalidSemVer":false}]}

json-pretty

{
  "audited": [
    {
      "Coordinates": "pkg:golang/github.com/bitly/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Title": "[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")",
          "Description": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819",
          "CvssScore": "6.1",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "Cve": "CVE-2017-1000070",
          "Reference": "https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/cockroachdb/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/cockroachdb/[email protected]",
      "Vulnerabilities": [],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/ethereum/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
          "Description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "",
          "Reference": "https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    ...
  ],
  "exclusions": [],
  "invalid": [
    {
      "Coordinates": "pkg:golang/github.com/go-gitea/[email protected]",
      "Reference": "",
      "Vulnerabilities": null,
      "InvalidSemVer": true
    }
  ],
  "num_audited": 10,
  "num_vulnerable": 6,
  "version": "development",
  "vulnerable": [
    {
      "Coordinates": "pkg:golang/github.com/bitly/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/bitly/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Title": "[CVE-2017-1000070]  URL Redirection to Untrusted Site (\"Open Redirect\")",
          "Description": "The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819",
          "CvssScore": "6.1",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "Cve": "CVE-2017-1000070",
          "Reference": "https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/ethereum/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/ethereum/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
          "Description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "",
          "Reference": "https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    {
      "Coordinates": "pkg:golang/github.com/elastic/[email protected]",
      "Reference": "https://ossindex.sonatype.org/component/pkg:golang/github.com/elastic/[email protected]",
      "Vulnerabilities": [
        {
          "Id": "8e4d562d-517b-4d00-a845-a7a3e2be41db",
          "Title": "[CVE-2017-11480]  Improper Access Control",
          "Description": "Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.",
          "CvssScore": "7.5",
          "CvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "Cve": "CVE-2017-11480",
          "Reference": "https://ossindex.sonatype.org/vuln/8e4d562d-517b-4d00-a845-a7a3e2be41db",
          "Excluded": false
        }
      ],
      "InvalidSemVer": false
    },
    ...
  ]
}
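As an added example (not part of nancy itself), this Go program reads a report shaped like the json-pretty output above and applies a CVSS threshold, while also surfacing the `invalid` entries that were skipped because they do not use SemVer. The type names, the `triage` function, the 7.0 threshold, the treatment of `Excluded` entries and the sample report are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strconv"
)

// Field names mirror the json-pretty output shown above.
type vulnerability struct {
	ID        string `json:"Id"`
	Cve       string
	CvssScore string // emitted as a JSON string, e.g. "7.5"
	Excluded  bool
}

type component struct {
	Coordinates     string
	Vulnerabilities []vulnerability // null for entries under "invalid"
}

type report struct {
	Vulnerable []component `json:"vulnerable"`
	Invalid    []component `json:"invalid"`
}

// finding is one non-excluded vulnerability at or above the threshold.
type finding struct {
	Coordinates string
	Ref         string // CVE id when present, otherwise the OSS Index Id
	Score       float64
}

// triage returns findings with CVSS >= threshold (highest first) plus the
// "invalid" coordinates that were never audited. A bad score is an error (fail closed).
func triage(data []byte, threshold float64) ([]finding, []string, error) {
	var r report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, nil, fmt.Errorf("decode nancy report: %w", err)
	}
	var blocking []finding
	for _, c := range r.Vulnerable {
		for _, v := range c.Vulnerabilities {
			if v.Excluded {
				continue // assumption: excluded entries are accepted risk
			}
			score, err := strconv.ParseFloat(v.CvssScore, 64)
			if err != nil {
				return nil, nil, fmt.Errorf("%s: bad CvssScore %q", c.Coordinates, v.CvssScore)
			}
			if score < threshold {
				continue
			}
			ref := v.Cve
			if ref == "" {
				ref = v.ID
			}
			blocking = append(blocking, finding{c.Coordinates, ref, score})
		}
	}
	sort.SliceStable(blocking, func(i, j int) bool { return blocking[i].Score > blocking[j].Score })
	var unaudited []string
	for _, c := range r.Invalid {
		unaudited = append(unaudited, c.Coordinates)
	}
	return blocking, unaudited, nil
}

// sampleReport is constructed for this example (coordinates, ids and scores
// are made up); only its shape follows the output above.
const sampleReport = `{
  "invalid": [{"Coordinates": "pkg:golang/example.com/untagged@abc1234", "Vulnerabilities": null, "InvalidSemVer": true}],
  "vulnerable": [
    {"Coordinates": "pkg:golang/example.com/proxy@v2.1.0", "Vulnerabilities": [
      {"Id": "00000000-0000-0000-0000-000000000001", "CvssScore": "6.1", "Cve": "CVE-0000-0001", "Excluded": false}]},
    {"Coordinates": "pkg:golang/example.com/node@v1.8.0", "Vulnerabilities": [
      {"Id": "00000000-0000-0000-0000-000000000002", "CvssScore": "7.5", "Cve": "", "Excluded": false},
      {"Id": "00000000-0000-0000-0000-000000000003", "CvssScore": "9.8", "Cve": "CVE-0000-0003", "Excluded": true}]}
  ]
}`

func main() {
	blocking, unaudited, err := triage([]byte(sampleReport), 7.0)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, u := range unaudited {
		fmt.Printf("NOT AUDITED (no SemVer): %s\n", u)
	}
	for _, f := range blocking {
		fmt.Printf("BLOCK %.1f %s %s\n", f.Score, f.Ref, f.Coordinates)
	}
	if len(blocking) > 0 {
		os.Exit(1)
	}
}
```

Packages listed under `invalid` were not checked at all, so a clean result for the audited set says nothing about them.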

csv

Summary
Audited Count,Vulnerable Count,Build Version
10,6,development

Invalid Package(s)
Count,Package,Reason
[1/1],pkg:golang/github.com/go-gitea/[email protected],Does not use SemVer

Audited Package(s)
Count,Package,Is Vulnerable,Num Vulnerabilities,Vulnerabilities
[1/10],pkg:golang/github.com/bitly/[email protected],true,1,"[{""Id"":""9eb9a5bc-8310-4104-bf85-3a820d28ba79"",""Title"":""[CVE-2017-1000070]  URL Redirection to Untrusted Site (\""Open Redirect\"")"",""Description"":""The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819"",""CvssScore"":""6.1"",""CvssVector"":""CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"",""Cve"":""CVE-2017-1000070"",""Reference"":""https://ossindex.sonatype.org/vuln/9eb9a5bc-8310-4104-bf85-3a820d28ba79"",""Excluded"":false}]"
[2/10],pkg:golang/github.com/cockroachdb/[email protected],false,0,[]
[3/10],pkg:golang/github.com/ethereum/[email protected],true,1,"[{""Id"":""4efaed86-e62e-4c0c-b812-36c07e61ede4"",""Title"":""CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')"",""Description"":""The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended."",""CvssScore"":""7.5"",""CvssVector"":""CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"",""Cve"":"""",""Reference"":""https://ossindex.sonatype.org/vuln/4efaed86-e62e-4c0c-b812-36c07e61ede4"",""Excluded"":false}]"
...

Nexus IQ Server Options

By default, assuming you have an out-of-the-box Nexus IQ Server running, you can run nancy like so:

go list -json -deps ./... | nancy iq --iq-application public-application-id

It is STRONGLY suggested that you do not do this, and we will warn you on output if you are.

A more logical use of nancy against Nexus IQ Server will look like so:

go list -json -deps ./... | nancy iq --iq-application public-application-id --iq-username nondefaultuser --iq-token yourtoken --iq-server-url http://adifferentserverurl:port --iq-stage develop

Options for stage are as follows:

build, develop, stage-release, release

By default --iq-stage will be develop.

Successful submissions to Nexus IQ Server will result in an OS exit code of 0, meaning all is clear, and a response akin to:

Wonderbar! No policy violations reported for this audit!
Report URL:  http://reportURL

Failed submissions will either indicate failure because of an issue with processing the request, or a policy violation. Both will exit with a code of 1, allowing you to fail your build in CI. Policy Violation failures will include a report URL where you can learn more about why you encountered a failure.

Policy violations will look like:

Hi, Nancy here, you have some policy violations to clean up!
Report URL:  http://reportURL

Errors processing in Nexus IQ Server will look like:

Uh oh! There was an error with your request to Nexus IQ Server: <error>

Persistent Nexus IQ Server Config

Nancy lets you set the Nexus IQ Server Address, User and Token as persistent config (application and stage are generally per project, so we do not let you set these globally).

To set your Nexus IQ Server config run:

nancy config

Choose iq as an option and run through the rest of the config. Once you are done, Nancy should use this config for communicating with Nexus IQ, simplifying your use of the tool.

As of Nancy v1.0.17, you can also specify configuration values using environment variables:

export [email protected]
export OSSI_TOKEN=A4@k3@p1T0k3n
export IQ_USERNAME=nondefaultuser
export IQ_TOKEN=yourtoken
export IQ_SERVER=http://adifferentserverurl:port
go list -json -deps ./... | ./nancy iq --iq-application public-application-id
...

Usage in CI

You can see an example of using nancy in Travis-CI at this intentionally vulnerable repo we made.

Nancy as well runs on itself (delicious dog food!) in CircleCI, in a myriad of fashions. You can see how we do that here in our repo's CircleCI config.

Big CI Note:

Nancy will automatically check for newer releases of Nancy, and will prompt you when updates are detected. The automatic update check will only occur once every 28 hours, and the date stamp of the last update check is stored in the file: ~/.ossindex/.nancy-config/update_check.yml.

If you have a huge CI matrix build, and want to avoid all the builds performing the automatic update check, you may want to configure your CI build to cache the above directory.

DISCLAIMER

A portion of the golang ecosystem doesn't use proper versions, and instead uses a commit hash to resolve your dependency. Dependencies like this will not work with nancy quite yet, as we don't have a mechanism on OSS Index to lookup vulnerabilities in that manner.

Why Nancy?

Nancy Drew was the first female detective used extensively in literature, and gave women across the world a new hero.

This project is called nancy as like the great detective herself, it looks for problems you might not be aware of, and gives you the information to help put them to an end!

Installation

At the current time you have a few options:

  • Build from source
  • Download release binary from here on GitHub
  • Install via Homebrew (macOS)
  • Install from the AUR (Arch Linux)

Build from source

  • Clone the project git clone github.com/sonatype-nexus-community/nancy
  • In the root of the project run make
    • This will execute multiple targets so if you want to short circuit some of that process you can also just run make build to get the binary without running tests, linting, etc
  • Use that binary wherever your heart so desires!

Download release binary

Each tag pushed to this repo creates a new release binary, and if you'd like to skip building from source, you can download a binary similar to:

$ curl -L -o /path/where/you/want/nancy \
  https://github.com/sonatype-nexus-community/nancy/releases/download/v0.0.44/nancy-darwin.amd64-v0.0.44

Install via Homebrew (macOS)

On macOS, nancy can be installed using brew:

  • brew install sonatype-nexus-community/nancy-tap/nancy

brew formulae are created and published to that tap with each new release, so you can use brew to upgrade, etc... as you wish.

You can see more about the formulae, etc... at this repo.

Install from the AUR (Arch Linux)

On Arch Linux, nancy can be installed using the AUR:

$ yay -S nancy-bin

How to Fix Vulnerabilities

So you've found a vulnerability. Now what? The best case is to upgrade the vulnerable component to a newer/non-vulnerable version. However, it is likely the vulnerable component is not a direct dependency, but instead is a transitive dependency (a dependency of a dependency, of a dependency, wash-rinse-repeat). In such a case, the first step is to figure out which direct dependency (and sub-dependencies) depend on the vulnerable component.

The command go mod graph | grep my/vulnerable will show which module(s) pulls in the my/vulnerable package.

As an example, suppose we've learned that component github.com/gogo/protobuf, version 1.2.1 is vulnerable (CVE-2021-3121). Use the following command to determine which components depend on github.com/gogo/protobuf.

$ go mod graph | grep github.com/gogo/protobuf
github.com/gogo/[email protected] github.com/kisielk/[email protected]
github.com/spf13/[email protected] github.com/gogo/[email protected]
github.com/prometheus/[email protected] github.com/gogo/[email protected]
github.com/prometheus/[email protected] github.com/gogo/[email protected]
github.com/spf13/[email protected] github.com/gogo/[email protected]

There are a number of approaches to resolving the vulnerability, but no matter which approach you choose, you should probably make sure all the tests are passing before making any dependency changes.

$ go test ./...
?       github.com/sonatype-nexus-community/nancy       [no test files]
ok      github.com/sonatype-nexus-community/nancy/buildversion  (cached)
ok      github.com/sonatype-nexus-community/nancy/internal/audit        (cached)
ok      github.com/sonatype-nexus-community/nancy/internal/cmd  0.206s
ok      github.com/sonatype-nexus-community/nancy/internal/customerrors (cached)
?       github.com/sonatype-nexus-community/nancy/internal/logger       [no test files]
ok      github.com/sonatype-nexus-community/nancy/packages      (cached)
ok      github.com/sonatype-nexus-community/nancy/parse (cached)
?       github.com/sonatype-nexus-community/nancy/settings      [no test files]
ok      github.com/sonatype-nexus-community/nancy/types (cached)
ok      github.com/sonatype-nexus-community/nancy/update        (cached)

We now know the vulnerable component is pulled in by github.com/spf13/[email protected] (among others). Ideally, we could upgrade the direct dependency (github.com/spf13/viper) to a version that does not depend on a vulnerable version of the transitive dependency (github.com/gogo/protobuf).
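The grep above only shows the immediate parents of the vulnerable module. As an added example (not part of nancy or its README), the Go program below walks `go mod graph` output from the main module to github.com/gogo/protobuf@v1.2.1 and prints one chain per top-level requirement that reaches it; the function names and the example.com modules in the sample graph are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// parseGraph reads `go mod graph` output: one "module requirement" edge per
// line. The main module is the only node without an @version suffix.
func parseGraph(out string) (edges map[string][]string, root string) {
	edges = make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // blank or malformed line
		}
		if root == "" && !strings.Contains(f[0], "@") {
			root = f[0]
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	return edges, root
}

// shortest does a breadth-first search from start and returns the shortest
// requirement chain ending at target, or nil when target is unreachable.
func shortest(edges map[string][]string, start, target string) []string {
	prev := map[string]string{start: ""}
	queue := []string{start}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if n == target {
			var chain []string
			for at := n; at != ""; at = prev[at] {
				chain = append([]string{at}, chain...)
			}
			return chain
		}
		for _, next := range edges[n] {
			if _, seen := prev[next]; !seen { // also guards against cycles
				prev[next] = n
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// chainsTo reports, for every requirement of root that reaches target,
// one chain root -> requirement -> ... -> target.
func chainsTo(edges map[string][]string, root, target string) [][]string {
	var chains [][]string
	for _, direct := range edges[root] {
		if chain := shortest(edges, direct, target); chain != nil {
			chains = append(chains, append([]string{root}, chain...))
		}
	}
	return chains
}

// sampleGraph is constructed for this example; only the gogo/protobuf
// module and version come from the text above.
const sampleGraph = `example.com/app example.com/config@v1.4.0
example.com/app example.com/metrics@v0.9.0
example.com/app example.com/cli@v1.1.0
example.com/config@v1.4.0 example.com/kv@v0.3.0
example.com/kv@v0.3.0 github.com/gogo/protobuf@v1.2.1
example.com/kv@v0.3.0 example.com/config@v1.4.0
example.com/metrics@v0.9.0 github.com/gogo/protobuf@v1.2.1
example.com/cli@v1.1.0 example.com/term@v0.2.0
`

func main() {
	edges, root := parseGraph(sampleGraph)
	for _, chain := range chainsTo(edges, root, "github.com/gogo/protobuf@v1.2.1") {
		fmt.Println(strings.Join(chain, " -> "))
	}
}
```

`go mod graph` lists every required version, not only the one the build selects, so a chain can pass through a version that is not actually in use. With Go 1.17 and later the main module's go.mod also lists `// indirect` requirements, so the target may itself appear as an edge from the root.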

In some cases, no such upgrade of the direct dependency exists that avoids a dependence on the vulnerable component. In such a case, the next step is to file an issue with the direct dependency project for them to update the vulnerable sub-dependencies. Be sure to read and follow any vulnerability reporting instructions published by the project: Look for a SECURITY.md file, or other instructions on how to report vulnerabilities. Some projects may prefer you not report the vulnerability publicly. Here's an example of such a bug report: Issue #1066

Avoid use of replace command to permit use of new go install command.

  • The section below describing the use of the replace directive is no longer ideal due to changes in how the go install command behaves with projects containing replace directives. See Deprecation of 'go get' for installing executables.

    Here's an example of the issue: cmd/go: go install cmd@version errors out when module with main package has replace directive

  • Instead of replace, you can update the // indirect dependency version to a non-vulnerable version. e.g.: In the second require stanza of go.mod where all the indirect dependencies are listed, update the dependency version:

    require (
        ... <first require stanza - direct dependencies listed here>
    )
    
    require (
        ... <second require stanza - indirect dependencies listed here>
        // fix vulnerability: CVE-2021-38561 in golang.org/x/text v0.3.5
        golang.org/x/text v0.3.7 // indirect
        ...
    )
    

(Deprecated, see above) Until the direct dependency is updated, the next best solution is to use a replace directive in the go.mod file to use a newer version of the transitive dependency. See replace directive.

To avoid semver issues, you probably want to use a newer dependency version that is in the same "major.minor" version as the vulnerable dependency version.

(Deprecated, see above) You can add the following replace directive to your go.mod file to use a newer version of github.com/gogo/protobuf:

// fix vulnerability: CVE-2021-3121 in github.com/gogo/protobuf v1.2.1
replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2

Be aware that even after you add a replace directive, go mod graph will still show the old dependency version. You can verify the new version is actually used via the go list command:

$ go mod tidy -compat=1.17
$ go list -m all | grep github.com/gogo/protobuf
github.com/gogo/protobuf v1.2.1 => github.com/gogo/protobuf v1.3.2

You can see the v1.2.1 is replaced with v1.3.2.

Finally, you may want to submit a PR to the project with the vulnerable dependency (to fix the issues you reported earlier) in a new release of the direct dependency. Even better, also tell them about nancy and maybe they will add nancy to their own CI system.

Yet another resolution, if no other options make sense, is to knowingly ignore the vulnerability. This may be the best option if you know the application does not use the vulnerable code path and no upgraded/non-vulnerable versions are available. See: Exclude vulnerabilities

Development

nancy is written using Golang 1.13, so it is best you start there.

Tests can be run like this: make test

Adding new files? Get the license header correct with:

go get -u github.com/google/addlicense
addlicense -v -f ./header.txt .

Release Process

Follow the steps below to release a new version of Nancy. You need to be part of the deploy from circle ci group for this to work.

  1. Checkout/pull the latest main branch, and create a new tag with the desired semantic version and a helpful note:

    $ git tag -a v1.0.x -m "Helpful message in tag"
  2. Push the tag up:

    $ git push origin v1.0.x
  3. There is no step 3.

Contributing

We care a lot about making the world a safer place, and that's why we created nancy. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

Acknowledgements

The nancy logo was created using a combo of Gopherize.me and good ole Photoshop. Thanks to the creators of Gopherize for an easy way to make a fun Gopher :)

Original Gopher designed by Renee French.

The Fine Print

Remember:

  • If you are a Sonatype customer, you may file Sonatype support tickets related to nancy support in regard to this project
    • We suggest you file issues here on GitHub as well, so that the community can pitch in
  • If you are not a Sonatype customer, Do NOT file Sonatype support tickets related to nancy support in regard to this project, file an issue here on GitHub

Have fun creating and using nancy and the Sonatype OSS Index, we are glad to have you here!

Getting help

Looking to contribute to our code but need some help? There's a few ways to get information:
