go/lint: remove nancy since it's too unstable, run govulncheck instead

Issue: sonatype-nexus-community/nancy#263 Issue: sonatype-nexus-community/nancy#271
moov-io · Jul 27, 2023 · d324466 · d324466
1 parent 5b7da88
commit d324466
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 53 deletions.
diff --git a/go/README.md b/go/README.md
@@ -1,9 +1,5 @@
 ## Golang Linter Script
 
-### Dependency CVE Checking
-
-- `IGNORED_CVES`: List of [CVEs to ignore in dependencies](https://github.com/sonatype-nexus-community/nancy#via-file). (Example: `CVE-2020-26160,CVE-2022-0001`)
-
 ### Experiments
 
 - `EXPERIMENTAL`: List of additional checks to perform. (Example: `gitleaks,...`)
@@ -14,7 +10,6 @@
 - `DISABLED_GOLANGCI_LINTERS`: Linters to disable in golangci-lint
 - `GOLANGCI_LINTERS`: List of additional [Go linters to run with golangci-lint](https://golangci-lint.run/usage/linters/). (Example: `gosec`)
 - `SKIP_GOLANGCI`: Don't run the golangci-lint checks
-- `SKIP_NANCY`: Don't run the nancy checks
 - `STRICT_GOLANGCI_LINTERS`: Enable more linters packaged with golangci-lint
 
 ### Testing

diff --git a/go/lint-project.sh b/go/lint-project.sh
@@ -3,7 +3,6 @@ set -e
 
 gitleaks_version=8.17.0
 golangci_version=v1.53.3
-nancy_version=v1.0.42
 sqlvet_version=v1.1.5
 
 # Set these to any non-blank value to disable the linter
@@ -12,11 +11,6 @@ if [[ "$SKIP_GOLANGCI" != "" ]];
 then
     disable_golangci="$SKIP_GOLANGCI"
 fi
-disable_nancy=""
-if [[ "$SKIP_NANCY" != "" ]];
-then
-    disable_nancy="$SKIP_NANCY"
-fi
 
 mkdir -p ./bin/
 
@@ -127,48 +121,6 @@ if [[ "$run_gitleaks" == "true" ]]; then
     echo "FINISHED gitleaks check"
 fi
 
-# nancy (vulnerable dependencies)
-if [[ "$disable_nancy" != "" ]];
-then
-    echo "SKIPPING nancy check"
-else
-    # Download nancy
-    if [[ "$OS_NAME" == "linux" ]]; then wget -q -O ./bin/nancy https://github.com/sonatype-nexus-community/nancy/releases/download/"$nancy_version"/nancy-"$nancy_version"-linux-amd64; fi
-    if [[ "$OS_NAME" == "osx" ]]; then wget -q -O ./bin/nancy https://github.com/sonatype-nexus-community/nancy/releases/download/"$nancy_version"/nancy-"$nancy_version"-darwin-amd64; fi
-    if [[ "$OS_NAME" != "windows" ]]; then
-        chmod +x ./bin/nancy
-        echo "STARTING nancy check"
-        ./bin/nancy --version
-
-        ignored_deps=(
-            # hashicorp/vault enterprise issues
-            CVE-2022-36129
-            CVE-2022-36129
-            # CWE-190: Integer Overflow or Wraparound
-            sonatype-2021-3619
-            # CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
-            sonatype-2022-1745
-        )
-        ignored=$(printf ",%s" "${ignored_deps[@]}")
-        ignored=${ignored:1}
-
-        # Append additional CVEs
-        if [ -n "$IGNORED_CVES" ];
-        then
-            ignored="$ignored"",""$IGNORED_CVES"
-        fi
-
-        # Clean nancy cache
-        ./bin/nancy --clean-cache
-
-        # Ignore Consul and Vault Enterprise, they need a gocloud.dev release
-        go list -deps -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' ./... | ./bin/nancy --skip-update-check --loud sleuth --exclude-vulnerability "$ignored"
-
-        echo "" # newline
-        echo "FINISHED nancy check"
-    fi
-fi
-
 ## Run govulncheck which parses the compiled/used code for known vulnerabilities.
 run_govulncheck=false
 if [[ "$org" == "moov-io" ]]; then