Readme: Relation to govulncheck #271
Comments
|
govulncheck looks at the AST (compiled code) to determine call paths which have known vulnerabilities. This involves compiling with a vulnerable Go's standard library or imported libraries. govulncheck uses the Go project's vulnerability database while Nancy uses Sonatype's and the open source index. Nancy inspects dependency files to look at all possible vulnerable library usage. |
|
It would be great if this was documented in the README |
adamdecaf
added a commit
to moov-io/infra
that referenced
this issue
Jul 27, 2023
|
Explained it in README here #277 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A new tool was released by go developers this month:
https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
And I'm trying to decide how this tool is different from Nancy and if I should use both of them, or if one fully replaces the other?
What feature or behavior is this required for?
Reduced time and complexity of CI-chain.
How could we solve this issue? (Not knowing is okay!)
Could you include a section in your readme how Nancy differs from the standard-tool govulncheck ? e.g. what does Nancy do more/less/different. So people can easily decide which tool to use, or if both tools solve different problems.
cc @bhamail / @DarthHater
The text was updated successfully, but these errors were encountered: