False positive due to circular dependency

Question

False positive due to circular dependency

harishkumarbalaji opened this issue 3 years ago · 4 comments

What are you trying to do?
I am using prometheus/client_golang library in my project and nancy found a critical vulnerability due to circular dependency. For more information please check the issue that I raised there prometheus/client_golang/issues/916#issue-1009583963.
What feature or behaviour is this required for?
This false positive means we simply have to exclude a CVE, but I suspect that this situation might arise with other repositories and result in nancy yielding incorrect results.
Anything else?
Issue link : prometheus/client_golang/issues/916#issue-1009583963

Answer 1 · 2021-10-01T19:04:34.000Z

@harishkumarbalaji have you tried scanning using go list -json -deps | nancy sleuth, we just released that about a week ago and MIGHT remove this situation, since it's using the deps that go is actually using for your end binary. If you can give it a try and let me know that would be helpful, I'd sort of assume it would do better than go list -m all (which is still useful, since you are scanning the breadth of dependencies that you might encounter, testing, etc...)

Answer 2 · 2021-10-01T19:14:01.000Z

It's in this release, if you want to take a gander, I noticed you are using 1.0.22 in the linked issue: https://github.com/sonatype-nexus-community/nancy/releases/tag/v1.0.23

Answer 3 · 2021-11-01T19:36:26.000Z

@harishkumarbalaji ok if we close this?

Answer 4 · 2021-11-18T16:28:29.000Z

closing due to no response. feel free to reopen if needed.