Golangci-lint: Addition of nancy for checking vulnerable dependencies

Created on 27 Jun 2020 · 2 Comments · Source: golangci/golangci-lint

I would like to have nancy integrated as part of golangci-lint. Nancy is a tool to check for vulnerabilities in Golang dependencies, powered by Sonatype OSS Index.

blocked enhancement no decision

All 2 comments

This tool doesn't seem to implement go analysis, so it will be hard to integrate into golangci-lint. Moreover, I just had a quick look at the nancy repo, and I don't think it's designed to be used as a library either.

I could be wrong though; let's wait for a response from @golangci/core-team.

I think it's not a good idea, because Nancy does a lot of HTTP requests, and it will be a very, very slow process. Of course the cache will reduce the wait time, but anyway it requires internet connectivity, when all other linters work locally.

✅ I think it's a good idea to integrate the nancy tool into the PR workflow for the golangci-lint development process, but not as a linter.
