docs: update readme example (#262)
* docs: update readme example

* use wildcard pattern suggested by #262 in all places where we call/document 'go list -json -deps'

Co-authored-by: Dan Rollo <danrollo@gmail.com>
adamdecaf and bhamail authored Sep 7, 2022
1 parent 6712987 commit 847ab73
Showing 6 changed files with 42 additions and 40 deletions.
6 changes: 4 additions & 2 deletions Makefile
Expand Up @@ -53,9 +53,11 @@ test: build
integration-test: build
mkdir -p dist
cd packages/testdata && GOPATH=. ../../$(BINARY_NAME) sleuth -p Gopkg.lock && cd -
go list -json -deps ./... | ./$(BINARY_NAME) sleuth
go list -json -deps | ./$(BINARY_NAME) sleuth
go list -json -m all | ./$(BINARY_NAME) sleuth --exclude-vulnerability $(IT_EXCLUDED_VULNS)
go list -m all | ./$(BINARY_NAME) sleuth --exclude-vulnerability $(IT_EXCLUDED_VULNS)
go list -json -deps ./... > dist/deps.out && ./$(BINARY_NAME) sleuth < dist/deps.out
go list -json -deps > dist/deps.out && ./$(BINARY_NAME) sleuth < dist/deps.out
go list -json -m all > dist/deps.out && ./$(BINARY_NAME) sleuth --exclude-vulnerability $(IT_EXCLUDED_VULNS) < dist/deps.out
go list -m all > dist/deps.out && ./$(BINARY_NAME) sleuth --exclude-vulnerability $(IT_EXCLUDED_VULNS) < dist/deps.out
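Review bot: the commit message describes only adding the `./...` pattern, but this hunk is a pure two-line addition (9 to 11 lines, and the file total of 4 additions and 2 deletions leaves no deletion for it once the two one-for-one hunks below are counted), so the integration-test target now exercises extra `go list` input forms (`-json -deps` both with and without `./...`, and `-json -m all` alongside `-m all`) that the message does not explain; please state which forms were added and why, ideally as a comment above the target. The `./...` form itself is the right default for a scanner: with no argument `go list -deps` resolves only the package in the current directory, so dependencies pulled in solely by other packages in the module never reached `nancy sleuth`.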
Expand All @@ -72,7 +74,7 @@ docker-alpine-integration-test: build-linux
# 2. passes it to the next step that is using this container that only has nancy in it
# 3. runs nancy using the contents of the exported file with the deps in it. Also assumes that
# in ci its likely you have the codebase (thus .nancy-ignore) in the same location you run nancy sleuth
go list -json -deps > dist/deps.out
go list -json -deps ./... > dist/deps.out
echo "cd /tmp && cat /tmp/dist/deps.out | nancy sleuth" > dist/ci.sh
echo "cd /tmp && cat /tmp/dist/deps.out | nancy sleuth --output=json && > nancy-result.json && cat nancy-result.json | jq '.'" > dist/ci-json.sh
chmod +x dist/ci.sh
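Review bot: unrelated to the `./...` change but visible in the context here, `dist/ci-json.sh` chains `nancy sleuth --output=json && > nancy-result.json && cat nancy-result.json | jq '.'`: the `&&` means the redirect and the `jq` step are skipped whenever `nancy` exits non-zero on findings, and a bare `> nancy-result.json` only truncates the file, so when it does run `jq` reads an empty file rather than nancy's JSON report. Suggest `nancy sleuth --output=json > nancy-result.json; jq '.' nancy-result.json` so the report is captured regardless of exit status.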
Expand All @@ -92,7 +94,7 @@ docker-goreleaser-integration-test: build-linux
# NANCY_IGNORE is more tomfoolery b/c circleci cant do volume mounts. Use the non-file ignore version but with the contents of
# the .nancy-ignore. If you were to do this for real you would likely volume mount to your local and it
# would just use whatever file you actually had.
go list -json -deps | $(DOCKER_CMD) run --rm -i sonatypecommunity/nancy:goreleaser-integration-test sleuth -e $(NANCY_IGNORE)
go list -json -deps ./... | $(DOCKER_CMD) run --rm -i sonatypecommunity/nancy:goreleaser-integration-test sleuth -e $(NANCY_IGNORE)

docker-integration-tests: docker-alpine-integration-test docker-goreleaser-integration-test

58 changes: 29 additions & 29 deletions README.md
Expand Up @@ -44,8 +44,8 @@ Usage:
Examples:
Typical usage will pipe the output of 'go list -json -deps' to 'nancy':
go list -json -deps | nancy sleuth [flags]
go list -json -deps | nancy iq [flags]
go list -json -deps ./... | nancy sleuth [flags]
go list -json -deps ./... | nancy iq [flags]
If using dep typical usage is as follows :
nancy sleuth -p Gopkg.lock [flags]
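Review bot: the sentence directly above the changed lines, `Typical usage will pipe the output of 'go list -json -deps' to 'nancy':`, still quotes the command without `./...`, so this hunk leaves the prose and the example disagreeing; since this block mirrors the `Example` string in `internal/cmd/root.go`, update the wording there as well so the README stays consistent with `nancy --help`.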
Expand All @@ -62,7 +62,7 @@ Available Commands:
Flags:
-v, -- count Set log level, multiple v's is more verbose
-c, --clean-cache Deletes local cache directory
-d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: '/tmp'
-d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: /tmp
-h, --help help for nancy
--loud indicate output should include non-vulnerable packages
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
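Review bot: the only change here is dropping the quotes around `/tmp`, yet the same line still reads `OSS Inde` (truncated `OSS Index`) and the `-v, -- count` entry has a stray space; if this block is pasted from `nancy --help`, fix the flag description where the flag is defined in Go so that regenerating the help text does not reintroduce them.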
Expand All @@ -82,7 +82,7 @@ Usage:
nancy sleuth [flags]
Examples:
go list -json -deps | nancy sleuth --username your_user --token your_token
go list -json -deps ./... | nancy sleuth --username your_user --token your_token
nancy sleuth -p Gopkg.lock --username your_user --token your_token
Flags:
Expand All @@ -95,7 +95,7 @@ Flags:
Global Flags:
-v, -- count Set log level, multiple v's is more verbose
-d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: '/tmp'
-d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: /tmp
--loud indicate output should include non-vulnerable packages
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
Expand All @@ -111,7 +111,7 @@ Usage:
nancy iq [flags]
Examples:
go list -json -deps | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop
go list -json -deps ./... | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop
nancy iq -p Gopkg.lock --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop
Flags:
Expand All @@ -124,7 +124,7 @@ Flags:
Global Flags:
-v, -- count Set log level, multiple v's is more verbose
-d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: '/tmp'
-d, --db-cache-path string Specify an alternate path for caching responses from OSS Inde, example: /tmp
--loud indicate output should include non-vulnerable packages
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
Expand All @@ -138,7 +138,7 @@ Global Flags:

The preferred way to use Nancy is:

- `go list -json -deps | nancy sleuth`
- `go list -json -deps ./... | nancy sleuth`
- `nancy sleuth -p /path/to/Gopkg.lock`

If you would like to scan all dependencies, including those that do not end up in the final binary, you can use
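Review bot: now that the preferred command is `go list -json -deps ./...`, the sentence that follows (`If you would like to scan all dependencies, including those that do not end up in the final binary, you can use`) is the place to say what `./...` does and does not cover: it lists the dependencies of every package in the module rather than only the package in the current directory, but `go list -deps` still omits test-only dependencies unless `-test` is also passed. A one-line note would stop readers assuming `./...` on its own gives full module coverage.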
Expand All @@ -161,7 +161,7 @@ Here are some additional tools to simplify using Nancy in your CI environment:

`nancy` now comes in a boat! For ease of use, we've dockerized `nancy`. To use our Dockerfile:

`go list -json -deps | docker run --rm -i sonatypecommunity/nancy:latest sleuth`
`go list -json -deps ./... | docker run --rm -i sonatypecommunity/nancy:latest sleuth`

We publish a few different flavors for convenience:

Expand Down Expand Up @@ -235,7 +235,7 @@ As of Nancy v1.0.17, you can also specify configuration values using environment
```shell
export OSSI_USERNAME=auser@anemailaddress.com
export OSSI_TOKEN=A4@k3@p1T0k3n
go list -json -deps | ./nancy sleuth
go list -json -deps ./... | ./nancy sleuth
...
```

Expand All @@ -245,7 +245,7 @@ By default, `nancy` runs in a "quiet" mode, only displaying a list of vulnerable
You can run `nancy` in a loud manner, showing all components by running:

- `nancy sleuth --loud -p /path/to/your/Gopkg.lock`
- `go list -json -deps | nancy sleuth --loud`
- `go list -json -deps ./... | nancy sleuth --loud`

#### Exclude vulnerabilities

Expand All @@ -259,7 +259,7 @@ We support exclusion of vulnerability either by CVE-ID (ex: `CVE-2018-20303`) or
##### Via CLI flag

- `nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2 -p /path/to/your/Gopkg.lock`
- `go list -json -deps | nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2`
- `go list -json -deps ./... | nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2`

##### Via file

Expand All @@ -268,7 +268,7 @@ By default, if a file named `.nancy-ignore` exists in the same directory that na
If you would like to define the path to the file you can use the following

- `nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file -p /path/to/your/Gopkg.lock`
- `go list -json -deps | nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file`
- `go list -json -deps ./... | nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file`

If you would like to split up your excludes into multiple files besides your root `.nancy-ignore` you can pass them via the `-a` or `--additional-exclude-vulnerability-files` flags.

Expand Down Expand Up @@ -475,13 +475,13 @@ Count,Package,Is Vulnerable,Num Vulnerabilities,Vulnerabilities

By default, assuming you have an out of the box Nexus IQ Server running, you can run `nancy` like so:

`go list -json -deps | nancy iq --iq-application public-application-id`
`go list -json -deps ./... | nancy iq --iq-application public-application-id`

It is STRONGLY suggested that you do not do this, and we will warn you on output if you are.

A more logical use of `nancy` against Nexus IQ Server will look like so:

`go list -json -deps | nancy iq --iq-application public-application-id --iq-username nondefaultuser --iq-token yourtoken --iq-server-url http://adifferentserverurl:port --iq-stage develop`
`go list -json -deps ./... | nancy iq --iq-application public-application-id --iq-username nondefaultuser --iq-token yourtoken --iq-server-url http://adifferentserverurl:port --iq-stage develop`

Options for stage are as follows:

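Review bot: the recommended example still passes `--iq-token yourtoken` on the command line, where it lands in shell history and is visible to other local users through the process list; since the README documents `IQ_USERNAME`/`IQ_TOKEN` environment variables for exactly this (see the `export IQ_TOKEN=yourtoken` example further down), consider pointing readers to that form from here.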
Expand Down Expand Up @@ -529,7 +529,7 @@ export OSSI_TOKEN=A4@k3@p1T0k3n
export IQ_USERNAME=nondefaultuser
export IQ_TOKEN=yourtoken
export IQ_SERVER=http://adifferentserverurl:port
go list -json -deps | ./nancy iq --iq-application public-application-id
go list -json -deps ./... | ./nancy iq --iq-application public-application-id
...
```

Expand Down Expand Up @@ -628,7 +628,7 @@ probably make sure all the tests are passing before making any dependency change
<summary>Click to expand output of command:

```shell
$ go test ./...
$ go test ./...
```
</summary>

Expand All @@ -649,7 +649,7 @@ ok github.com/sonatype-nexus-community/nancy/update (cached)
</details>

We now know the vulnerable component is pulled in by `github.com/spf13/viper@v1.7.1` (among others). Ideally, we could
upgrade the direct dependency (`github.com/spf13/viper`) to a version that does not depend on a vulnerable version of
upgrade the direct dependency (`github.com/spf13/viper`) to a version that does not depend on a vulnerable version of
the transitive dependency (`github.com/gogo/protobuf`).

In some cases, no such upgrade of the direct dependency exists that avoids a dependence on the vulnerable component.
Expand All @@ -659,16 +659,16 @@ a `SECURITY.md` file, or other instructions on how to report vulnerabilities. So
the vulnerability publicly. Here's an example of such a bug report: [Issue #1066](https://github.com/spf13/viper/pull/1066)

#### Avoid use of `replace` command to permit use of new `go install` command.
* The section below describing the use of the `replace` directive is no longer ideal due to changes in how the
`go install` command behaves with projects containing `replace` directives.

* The section below describing the use of the `replace` directive is no longer ideal due to changes in how the
`go install` command behaves with projects containing `replace` directives.
See [Deprecation of 'go get' for installing executables](https://go.dev/doc/go-get-install-deprecation).

Here's an example of the issue:
Here's an example of the issue:
[cmd/go: go install cmd@version errors out when module with main package has replace directive](https://github.com/golang/go/issues/44840)
* Instead of `replace`, you can update the `// indirect` dependency version to a non-vulnerable version. e.g.: In the second


* Instead of `replace`, you can update the `// indirect` dependency version to a non-vulnerable version. e.g.: In the second
`require` stanza of `go.mod` where all the `indirect` dependencies are listed, update the dependency version:

require (
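Review bot: the heading `#### Avoid use of `replace` command to permit use of new `go install` command.` keeps a trailing period and calls `replace` a command, while the bullets being reflowed beneath it correctly call it a directive; drop the period and say `replace` directive while touching this block. Also, the unchanged line just above labels the link `Issue #1066` but the URL points at `/pull/1066`, so either call it a pull request or link the issue.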
Expand All @@ -689,15 +689,15 @@ See [replace directive](https://golang.org/ref/mod#go-mod-file-replace).
To avoid semver issues, you probably want to use a newer dependency version that is in the same "major.minor" version
as the vulnerable dependency version.

(*Deprecated* see above) You can add the following `replace` directive to your `go.mod` file to us a newer version of
(*Deprecated* see above) You can add the following `replace` directive to your `go.mod` file to us a newer version of
`github.com/gogo/protobuf`:

```
// fix vulnerability: CVE-2021-3121 in github.com/gogo/protobuf v1.2.1
replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
```

Be aware that even after you add a `replace` directive, `go mod graph` will still show the old dependency version.
Be aware that even after you add a `replace` directive, `go mod graph` will still show the old dependency version.
You can verify the new version is actually used via the `go list` command:
```shell
$ go mod tidy
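Review bot: the line being re-indented still says `to us a newer version of` (should be `use`); fix the typo since the line is already part of this change.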
Expand All @@ -707,10 +707,10 @@ github.com/gogo/protobuf v1.2.1 => github.com/gogo/protobuf v1.3.2
You can see the v1.2.1 is replaced with v1.3.2.

Finally, you may want to submit a PR to the project with the vulnerable dependency (to fix the issues you reported
earlier) in a new release of the direct dependency. Even better, also tell them about `nancy` and maybe they will add
earlier) in a new release of the direct dependency. Even better, also tell them about `nancy` and maybe they will add
`nancy` to their own CI system.

Yet another resolution, if no other options make sense, is to knowingly ignore the vulnerability. This may be the best
Yet another resolution, if no other options make sense, is to knowingly ignore the vulnerability. This may be the best
option if you know the application does not use the vulnerable code path and no upgraded/non-vulnerable versions are
available. See: [Exclude vulnerabilities](#exclude-vulnerabilities)

Expand Down
4 changes: 2 additions & 2 deletions internal/cmd/iq.go
Expand Up @@ -83,15 +83,15 @@ var (

var iqCmd = &cobra.Command{
Use: "iq",
Example: ` go list -json -deps | nancy iq --` + flagNameIqApplication + ` your_public_application_id --` + flagNameIqServerUrl + ` http://your_iq_server_url:port --` + flagNameIqUsername + ` your_user --` + flagNameIqToken + ` your_token --` + flagNameIqStage + ` develop
Example: ` go list -json -deps ./... | nancy iq --` + flagNameIqApplication + ` your_public_application_id --` + flagNameIqServerUrl + ` http://your_iq_server_url:port --` + flagNameIqUsername + ` your_user --` + flagNameIqToken + ` your_token --` + flagNameIqStage + ` develop
nancy iq -p Gopkg.lock --` + flagNameIqApplication + ` your_public_application_id --` + flagNameIqServerUrl + ` http://your_iq_server_url:port --` + flagNameIqUsername + ` your_user --` + flagNameIqToken + ` your_token --` + flagNameIqStage + ` develop`,
Short: "Check for vulnerabilities in your Golang dependencies using 'Sonatype's Nexus IQ IQServer'",
Long: `'nancy iq' is a command to check for vulnerabilities in your Golang dependencies, powered by 'Sonatype's Nexus IQ IQServer', allowing you a smooth experience as a Golang developer, using the best tools in the market!`,
PreRun: func(cmd *cobra.Command, args []string) { bindViperIq(cmd) },
RunE: doIQ,
}

//noinspection GoUnusedParameter
// noinspection GoUnusedParameter
func doIQ(cmd *cobra.Command, args []string) (err error) {
defer func() {
if r := recover(); r != nil {
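Review bot: the `//noinspection` to `// noinspection` edit is a gofmt-style comment reformat unrelated to the README example and is not mentioned in the commit message; either note it there or keep it out of a docs-only commit so `git blame` on that line points at the real reason for the change.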
6 changes: 3 additions & 3 deletions internal/cmd/iq_test.go
Expand Up @@ -47,7 +47,7 @@ func TestIqApplicationFlagMissing(t *testing.T) {

func TestIqHelp(t *testing.T) {
output, err := executeCommand(rootCmd, iqCmd.Use, "--help")
assert.Contains(t, output, "go list -json -deps | nancy iq --"+flagNameIqApplication+" your_public_application_id --"+flagNameIqServerUrl+" ")
assert.Contains(t, output, "go list -json -deps ./... | nancy iq --"+flagNameIqApplication+" your_public_application_id --"+flagNameIqServerUrl+" ")
assert.Nil(t, err)
}

Expand Down Expand Up @@ -182,12 +182,12 @@ type mockIqServer struct {
auditPackagesErr error
}

//noinspection GoUnusedParameter
// noinspection GoUnusedParameter
func (s mockIqServer) AuditPackages(purls []string) (iq.StatusURLResult, error) {
return s.auditPackagesStatusURLResult, s.auditPackagesErr
}

//noinspection GoUnusedParameter
// noinspection GoUnusedParameter
func (s mockIqServer) AuditWithSbom(sbom string) (iq.StatusURLResult, error) {
return iq.StatusURLResult{}, fmt.Errorf("mock AuditWithSbom not implemented")
}
4 changes: 2 additions & 2 deletions internal/cmd/root.go
Expand Up @@ -122,8 +122,8 @@ var rootCmd = &cobra.Command{
Version: buildversion.BuildVersion,
Use: "nancy",
Example: ` Typical usage will pipe the output of 'go list -json -deps' to 'nancy':
go list -json -deps | nancy sleuth [flags]
go list -json -deps | nancy iq [flags]
go list -json -deps ./... | nancy sleuth [flags]
go list -json -deps ./... | nancy iq [flags]
If using dep typical usage is as follows :
nancy sleuth -p Gopkg.lock [flags]
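Review bot: the lead-in of this `Example` string, `Typical usage will pipe the output of 'go list -json -deps' to 'nancy':`, is left without `./...` while both command lines below it gain the pattern; since the README copies this text verbatim, update the sentence here as well so the prose matches the examples everywhere it is rendered.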
4 changes: 2 additions & 2 deletions internal/cmd/sleuth.go
Expand Up @@ -37,15 +37,15 @@ func init() {

var sleuthCmd = &cobra.Command{
Use: "sleuth",
Example: ` go list -json -deps | nancy sleuth --` + flagNameOssiUsername + ` your_user --` + flagNameOssiToken + ` your_token
Example: ` go list -json -deps ./... | nancy sleuth --` + flagNameOssiUsername + ` your_user --` + flagNameOssiToken + ` your_token
nancy sleuth -p Gopkg.lock --` + flagNameOssiUsername + ` your_user --` + flagNameOssiToken + ` your_token`,
Short: "Check for vulnerabilities in your Golang dependencies using Sonatype's OSS Index",
Long: `'nancy sleuth' is a command to check for vulnerabilities in your Golang dependencies, powered by the 'Sonatype OSS Index'.`,
PreRun: func(cmd *cobra.Command, args []string) { bindViperRootCmd() },
RunE: doOSSI,
}

//noinspection GoUnusedParameter
// noinspection GoUnusedParameter
func doOSSI(cmd *cobra.Command, args []string) (err error) {
defer func() {
if r := recover(); r != nil {
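Review bot: `iq_test.go` gains an assertion that `--help` output contains `go list -json -deps ./... | nancy iq`, but no equivalent assertion is added for the updated `sleuth` `Example`; add a test along the lines of `TestIqHelp` for `sleuthCmd` so a future regression in the sleuth example is caught the same way.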
