Nancy is a command line application, written in Golang by the Golang community and sponsored by Sonatype. It uses Sonatype’s OSS Index to check your dependencies for publicly filed vulnerabilities.
You can get more information about Nancy by going to the GitHub repository for it at:
https://github.com/sonatype-nexus-community/nancy or on https://pkg.go.dev/github.com/sonatype-nexus-community/nancy?tab=doc
Nancy can take dependency results from your go mod-powered or dep-powered projects and scan them for vulnerabilities. This is quite handy, since vulnerabilities do pop up in widely used libraries, like golang.org/x/crypto.
Vulnerabilities in these third party or even standard lib libraries (x/crypto is a part of Golang itself!) can sneak up on you if, for example, you are using a framework that depends on them, or using them directly yourself. It’s never a good feeling getting pwned because of someone else’s code, and Nancy is here to help you!
Nancy is quite easy to use, and the Community/Sonatype have gone to great lengths to make it as easy as possible.
Nancy is distributed as an executable built with Golang, and each executable is available on its release from multiple repositories:
For ease of use a Docker image has been created, as well as a homebrew tap for OS X users that love brew!
To run it with Docker one need only follow the instructions available here: https://github.com/sonatype-nexus-community/nancy#docker-usage or for ease of use in this post:
go list -m all | docker run -i sonatypecommunity/nancy:latest
To install with homebrew, instructions are available here: https://github.com/sonatype-nexus-community/nancy#homebrew-usage, and for ease of use, here you go:
brew tap sonatype-nexus-community/homebrew-nancy-tap
brew install nancy
For a go mod powered project, one need only do:
go list -m all | nancy
For a dep powered project:
The beauty of Nancy is Nancy tries to meet you where you are. It cares about securing all projects. If you use a package manager that it doesn’t support, it is Open Source and the community is more than willing to help you change that!
If no vulnerabilities are found, Nancy exits with a zero code, and all is good in the world!
If Nancy finds a vulnerability in one of your dependencies, it will exit with a non-zero code, allowing you to use Nancy as a tool in your CI/CD process and fail builds if you’d like.
You are given the information on what the vulnerability is, and how to get more info on the OSS Index site about it!
Since Nancy is checking the dependencies for vulnerabilities, sometimes you’ll run into one where you are not using the affected code path. The community has built functionality to let you exclude the vulnerability from being reported.
The information on how to do this is available here: https://github.com/sonatype-nexus-community/nancy#exclude-vulnerabilities and for ease of use:
nancy -exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2
You can also use an exclusion file to keep better track of them and avoid passing in long lists via the command line. The default file name, if you check this in to your repo, would be .nancy-ignore, and an example looks like this:
# This vulnerability is coming from package xyz, we are ok with this for now
CVN-111
CVN-123
# Mitigated the risk of this since we only use one method in this package and the affected code doesn't matter
CVN-543
If you want to temporarily exclude a vulnerability, the community has provided functionality for that as well:
CVN-111 until=2021-01-01
CVN-543 until=2018-02-12 #Waiting on release from third party. Should be out before this date but gives us a little time to fix it.
This can be handy if you are waiting for the upstream library to get fixed, and want to just exclude the vulnerability until a new version has been released, or just a specific time frame to remind yourself.
We got you, fam!
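To make the .nancy-ignore semantics concrete, here is an added Go example (my own hypothetical re-implementation of the format, not Nancy’s parser) that reads a constructed ignore file, rejects malformed entries, and drops exclusions whose until= date has arrived so those findings surface again:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// sampleIgnore is a constructed .nancy-ignore mirroring the post's examples.
const sampleIgnore = "# coming from package xyz, ok for now\nCVN-111 until=2021-01-01\nCVN-123\nCVN-543 until=2018-02-12 # waiting on an upstream release\n"

// parseIgnore maps each id to its until date (zero time = never expires).
// '#' starts a comment, blank lines are skipped, and "until=YYYY-MM-DD" after
// the id makes the entry temporary. Hypothetical re-implementation, not Nancy's.
func parseIgnore(text string) (map[string]time.Time, error) {
	out := map[string]time.Time{}
	for n, line := range strings.Split(text, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i] // drop a full-line or trailing comment
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		var until time.Time
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "until=") {
				return nil, fmt.Errorf("line %d: unexpected token %q", n+1, f)
			}
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(f, "until="))
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", n+1, err)
			}
			until = t
		}
		out[fields[0]] = until
	}
	return out, nil
}

// activeExclusions keeps ids whose until= date has not yet arrived; expired entries are reported again.
func activeExclusions(exs map[string]time.Time, now time.Time) map[string]bool {
	active := map[string]bool{}
	for id, until := range exs {
		if until.IsZero() || now.Before(until) {
			active[id] = true
		}
	}
	return active
}
```

Evaluate the active set against a date after 2021-01-01 and CVN-111 drops out as well, which is exactly the reminder the until= form is meant to give you.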
You can take a look at how we have used Nancy in CI/CD at the following repo: https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project
There are examples for TravisCI and CircleCI.
Nancy works with Sonatype’s OSS Index by default, but also will work with Nexus Lifecycle, for improved policy driven auditing. You can get information on that here: https://github.com/sonatype-nexus-community/nancy#nexus-iq-server-options
A couple notes:
OSS Index usage is prone to rate limiting, but the community has gone out of its way to make sure you won’t run into it: Nancy caches results from OSS Index for a period of 12 hours, so you only run checks against dependencies whose version you have changed, or whose results have expired from its cache.
If you register for Sonatype’s OSS Index, your rate limiting gets substantially upgraded which can be very nice if you are using Nancy in a CI/CD pipeline.
You can register for a free OSS Index account here: https://ossindex.sonatype.org/user/register
To see how to use your new registered user with Nancy, check out this portion of Nancy’s documentation. If you are reading along in this post, it’s pretty easy:
From there decide on if you are setting OSS Index or Nexus IQ Server config, and Nancy will save it for you.
NOTE: A good portion of the OSS Index tools (jake, AuditJS, chelsea, etc…) will pick up this config if you set it once, allowing all of the tools you use to benefit from this!
If you end up using Nancy, the community and Sonatype would love to hear your feedback, we actively work on this project, and we love to help the Golang community shift security further left!
If you run into an issue with Nancy, go ahead and file an issue on the GitHub repo, here: https://github.com/sonatype-nexus-community/nancy/issues
If you’d like to give us just general feedback, reach out to me! You can leave a comment on this article or reach out otherwise.
Nancy is open source, and we love getting new contributors. Interested in working on Nancy with the community? Pop in to their gitter: https://gitter.im/sonatype-nexus-community/nancy or just send us a PR. Nancy is powered by community contributors, and we are all very proud of their contributions that make this tool even better!
Thanks for reading this article, and we hope you get a ton of value out of using Nancy!