docs: update readme example

[adamdecaf]

The example in the readme doesn't work. It skips over all dependencies.

$ go list -json -deps | nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                     ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━┫
┃ Audited Dependencies    ┃ 0 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━┛

However, this command works. It's not pretty, but works for us.

$ go list -deps -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' ./... | ./bin/nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 50 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛

These are both ran over moov-io/watchman
Example: https://github.com/moov-io/infra/blob/master/go/lint-project.sh#L124

cc @bhamail / @DarthHater

[bhamail]

@adamdecaf Thanks for the PR. I'd like to know more about why you say the command "skips deps". It used to work, so I'm wondering if this is something new. e.g., running nancy on the nancy project itself shows deps being audited:

$ go list -json -deps | ./nancy sleuth
Checking for updates...
You are running 0.0.0-dev
A new release is available (1.0.33)
You can visit the Github releases page for the CLI to manually download and install:
https://github.com/sonatype-nexus-community/nancy/releases


┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 49 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛

$ go version
go version go1.18.1 darwin/amd64

What version of go are you using? Any other info about the "why" of this would be great.

[adamdecaf]

It might be the fact that nancy's repository has a main.go which imports the rest of the codebase. Watchman's main method is in ./cmd/server.

Here's what go list -json -deps produces from the root of moov-io/watchman:

√ moov-io/watchman %  go list -json -deps                     
{
	"Dir": "/Users/adam/code/src/github.com/moov-io/watchman",
	"ImportPath": "github.com/moov-io/watchman",
	"Name": "watchman",
	"Target": "/Users/adam/code/pkg/darwin_amd64/github.com/moov-io/watchman.a",
	"Root": "/Users/adam/code/src/github.com/moov-io/watchman",
	"Module": {
		"Path": "github.com/moov-io/watchman",
		"Main": true,
		"Dir": "/Users/adam/code/src/github.com/moov-io/watchman",
		"GoMod": "/Users/adam/code/src/github.com/moov-io/watchman/go.mod",
		"GoVersion": "1.18"
	},
	"Match": [
		"."
	],
	"Stale": true,
	"StaleReason": "not installed but available in build cache",
	"GoFiles": [
		"version.go"
	]
}

[adamdecaf]

$ go list -json -deps ./cmd/server | ./bin/nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 48 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛

[adamdecaf]

Adding ./... to the example commands works in both repositories. I've updated the docs to reflect that.

I think the format requirements (of go list) was required with an older version of nancy, but it's not required anymore.

[bhamail]

I don't see any reason not to include your fix everywhere. I plan to push a few additional changes that include the wildcard pattern momentarily.

[bhamail]

Thanks again @adamdecaf !

[adamdecaf]

Thank you!