    islippers
    @islippers
    Hey Nancy people (tried a pun there, not sure if it worked). Soooo. I have found some vulnerabilities in our projects! Shocking! I know! Most of them I could fix by just updating the dependencies to a higher version, except this one: Consul is required by go-kit, which is required by godror, which is required by my unit tests. And I am stuck with this: pkg:golang/github.com/hashicorp/consul/api@1.3.0 [Vulnerable]. My humble question is, since this is not used in the build (unit tests only), I would like to exclude this. I have tried various combinations of this: go list -m all | nancy -exclude-vulnerability=golang/github.com/hashicorp/consul/api@1.3.0
    But it still reports the vulnerabilities.
    I am guessing the package must be listed slightly differently or something.
    I am planning on using a file to exclude false positives like this one.
    Nathan Zender
    @zendern
    @islippers You exclude by CVE or OSS Index ID.
    We support exclusion of vulnerability either by CVE-ID (ex: CVE-2018-20303) or via the OSS Index ID (ex: a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14) as not all vulnerabilities have a CVE-ID.
    Jeffry Hesse
    @DarthHater
    Yep, just gotta use the CVE title or the OSS Index ID
    Jeffry Hesse
    @DarthHater
    You do raise a bit of a good point though: ignoring a CVE is a bit nuclear at the moment. It might be cool to allow someone to only ignore it if it's in a certain package? I've never been clear myself whether a CVE is 1:1 with a library or if it can be applied to multiple libraries.
    Go mod also doesn't give incredible insight into whether something is a dev dependency at the moment (I think it would be neat if it did).
    Nathan Zender
    @zendern
    Might be a decent thought to add to Nancy. A shortcut of "I know this is a test dep only, so exclude everything forever".
    Go mod will probably give us a way eventually to only scan prod deps, but until then...
    islippers
    @islippers
    Thanks for the quick response, guys. Ahh, monkey see... But then ALL my external dependencies would be excluded for that particular CVE-ID?
    Jeffry Hesse
    @DarthHater
    Yeah, that's the caveat @islippers
    Which I think is more or less ok?
    We have paid tooling that lets you get more granular (Nexus IQ Server),
    where you wouldn't exclude by CVE, you'd get a waiver for a specific library/version.
    Jeffry Hesse
    @DarthHater
    @fitzoh 386 happens to the best of us
    Andrew Fitzgerald
    @fitzoh
    /giphy shame
    Nathan Zender
    @zendern
    :wink:
    Andrew Fitzgerald
    @fitzoh
    :point_up:
    So I've got a WIP version that replaces badger with SQLite
    Biggest question mark is cross-compilation, not sure if the C stuff makes that any trickier: http://mattn.github.io/go-sqlite3/
    (see FAQ on cross-compilation)
    Jeffry Hesse
    @DarthHater
    @fitzoh that rules
    Jeffry Hesse
    @DarthHater
    @zendern this went live today, props to @bhamail https://dev.to/sonatype/secure-your-golang-projects-using-nancy-5fk5
    Nathan Zender
    @zendern
    ❤️❤️❤️
    Andrew Fitzgerald
    @fitzoh
    So what are y'all's preferences regarding check granularity?
    For instance, @DarthHater's license check PR is failing with this message: ci/circleci: build — Your tests failed on CircleCI
    Nathan Zender
    @zendern
    @fitzoh eh.... I'd ask how easy it is to do in CircleCI first. Like, if we wanted lint, test, license, integration test, etc., are we just talking individual jobs, unlike our one big one now?
    Jeffry Hesse
    @DarthHater
    It would be nice if it gave more useful feedback, for sure
    Jeffry Hesse
    @DarthHater
    Also welcome @protoworlock69 to Gitter! This is one of my interns I'm teaching Golang to. @zendern thanks for getting Dahlia the approval on that PR!
    Dahlia (and a slew of others) are learning to code from me right now (big mistake, right?) so if any of you want to help out, I figured I'd intro them as they join
    @zendern @fitzoh , I've been talking with @nblair and when I looked deeper at Google's Addlicense, it actually doesn't have a pattern google/addlicense#38
    Which means, dun dun dun, we could go implement it!
    It's funny that it's in the docs
    Jeffry Hesse
    @DarthHater
    @fitzoh @zendern I'm gonna kill badger today
    Or attempt to
    I seem to remember @fitzoh saying he had a branch in motion to do that?
    Jeffry Hesse
    @DarthHater
    LOL I kinda wanna use this:
    Just because it says this in the README
    Author of project don't work at Google or Facebook and his name not Howard Chu or Brad Fitzpatrick. But I'm open for issue or contributions.
    Nathan Zender
    @zendern
    lol...but that's in the Disadvantages :laughing: :laughing:
    Andrew Fitzgerald
    @fitzoh
    nice
    Nathan Zender
    @zendern
    I'm fine with whatever, but if @fitzoh is already deep into SQLite... I'd say it's kinda up to him.
    I'm not attached to anything
    Jeffry Hesse
    @DarthHater
    Lemme see if I can latch on to what you did
    Andrew Fitzgerald
    @fitzoh
    there are still open questions on how the cgo stuff looks w/ multi-platform