Have you seen: https://github.com/sonatype-nexus-community/nancy
"A tool to check for vulnerabilities in your Golang dependencies, powered
by Sonatype OSS Index"

On Wednesday, August 14, 2019 at 1:02:03 AM UTC-4, Eric Johnson wrote:
>
> And then, it also occurs to me that perhaps I can answer m

And then, it also occurs to me that perhaps I can answer my own question,
taking advantage of three aspects of the ecosystem:
#1) Most open source Go libraries are on GitHub
#2) Many (most?) CVEs for open source projects will include a reference
back to the project, and these references can be e

It would be great to hear of an answer to this question. I suspect there
isn't one, though.
The trouble is, one of the first hurdles is to identify Go libraries that
have CVEs against them. It is very easy to find CVEs for the Go standard
library, but I cannot see any easy way to scan the vulne