loading...
Sonatype

Secure Your Golang Projects Using Nancy

bhamail profile image Dan Rollo ・5 min read

nancy

Who is Nancy?

Nancy is a command line application, written in Golang by the Golang community and sponsored by Sonatype. It uses Sonatype’s OSS Index to check your dependencies for publicly filed vulnerabilities.

You can get more information about Nancy by going to the GitHub repository for it at:
https://github.com/sonatype-nexus-community/nancy or on https://pkg.go.dev/github.com/sonatype-nexus-community/nancy?tab=doc

Why would I use Nancy?

Nancy can take dependency results from your go mod powered or dep powered projects and scan them for vulnerabilities. This is quite handy, as you’ll see that vulnerabilities pop up in libraries, like golang/x/crypto:

https://ossindex.sonatype.org/component/pkg:golang/golang.org/x/crypto@v0.0.0-20190227175134-215aa809caaf

Vulnerabilities in these third party or even standard lib libraries (x/crypto is a part of Golang itself!) can sneak up on you, if, for example, you are using a framework that uses them, or using them directly yourself. It’s never a good feeling getting pwned because of someone else’s code, and Nancy is here to help you!

How do I use Nancy?

Nancy is quite easy to use, and the Community/Sonatype have gone to great lengths to make it as easy as possible.

Installing Nancy

Nancy is distributed as an executable built with Golang and each executable is available on it’s release from multiple repositories:
GitHub

https://github.com/sonatype-nexus-community/nancy/releases

Docker

nancy-docker

For ease of use a Docker image has been created, as well as a homebrew tap for OS X users that love brew!

To run it with Docker one need only follow the instructions available here: https://github.com/sonatype-nexus-community/nancy#docker-usage or for ease of use in this post:

go list -m all | docker run -i sonatypecommunity/nancy:latest

Homebrew

homebrew
To install with homebrew, instructions are available here: https://github.com/sonatype-nexus-community/nancy#homebrew-usage, and for ease of use, here you go:

brew tap sonatype-nexus-community/homebrew-nancy-tap
brew install nancy

Ok I installed it, now what!?

For a go mod powered project, one need only do:

go list -m all | nancy

For a dep powered project:

nancy /path/to/your/Gopkg.lock

The beauty of Nancy is Nancy tries to meet you where you are. It cares about securing all projects. If you use a package manager that it doesn’t support, it is Open Source and the community is more than willing to help you change that!

What do results look like?

If you run Nancy and find nothing wrong with your dependencies you’ll see something akin to the following:
results-novuln

Nancy will exit with a zero code in this case, and all is good in the world!

If Nancy finds a vulnerability in one of your dependencies it will exit with a non zero code, allowing you to use Nancy as a tool in your CI/CD process, and fail builds, if you’d like.

Output when it finds a vulnerability looks like:
results-vuln

You are given the information on what the vulnerability is, and how to get more info on the OSS Index site about it!

What do I do if the vulnerability doesn’t apply to me?

Since Nancy is checking the dependencies for vulnerabilities, sometimes you’ll run into one where you are not using the affected code path. The community has built functionality to let you exclude the vulnerability from being reported.

The information on how to do this is available here: https://github.com/sonatype-nexus-community/nancy#exclude-vulnerabilities and for ease of use:

nancy -exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2

You can also use an exclusion file to keep better track of them and avoid passing in long lists via the command line. The default file name, if you check this in to your repo, would be: .nancy-ignore and an example looks like this:

# This vulnerability is coming from package xyz, we are ok with this for now
CVN-111 
CVN-123 # Mitigated the risk of this since we only use one method in this package and the affected code doesn't matter
CVN-543

If you want to temporarily exclude a vulnerability, the community has provided functionality for that as well:

CVN-111 until=2021-01-01
CVN-543 until=2018-02-12 #Waiting on release from third party. Should be out before this date but gives us a little time to fix it.

This can be handy if you are waiting for the upstream library to get fixed, and want to just exclude the vulnerability until a new version has been released, or just a specific time frame to remind yourself.

I love this! How do I use Nancy in CI/CD so that it runs for everything on my repo?

We got you, fam!

You can take a look at how we have used Nancy in CI/CD at the following repo: https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project

There are examples for TravisCI and CircleCI.

There are also BitBucket pipes for Nancy, and community willing GitHub actions :)

What else?

Nancy works with Sonatype’s OSS Index by default, but also will work with Nexus Lifecycle, for improved policy driven auditing. You can get information on that here: https://github.com/sonatype-nexus-community/nancy#nexus-iq-server-options

A couple notes:

OSS Index usage is prone to rate limiting, the community goes out of their way to make sure you won’t run into this however, Nancy caches results from OSS Index for a period of 12 hours, ensuring that you only run checks against dependencies you change the version for, or results that have expired from it’s cache.

OSS Index account registration

If you register for Sonatype’s OSS Index, your rate limiting gets substantially upgraded which can be very nice if you are using Nancy in a CI/CD pipeline.

You can register for a free OSS Index account here: https://ossindex.sonatype.org/user/register

To see how to use your new registered user with Nancy, check out this portion of Nancy’s documentation. If you are reading along in this post, it’s pretty easy:

nancy config

From there decide on if you are setting OSS Index or Nexus IQ Server config, and Nancy will save it for you.

NOTE: A good portion of the OSS Index tools (jake, AuditJS, chelsea, etc…) will pick up this config if you set it once, allowing all of the tools you use to benefit from this!

Feedback

If you end up using Nancy, the community and Sonatype would love to hear your feedback, we actively work on this project, and we love to help the Golang community shift security further left!

If you run into an issue with Nancy, go ahead and file an issue on the GitHub repo, here: https://github.com/sonatype-nexus-community/nancy/issues

If you’d like to give us just general feedback, reach out to me! You can leave a comment on this article or reach out otherwise.

I want to work on this too!

Nancy is open source, and we love getting new contributors. Interested in working on Nancy with the community? Pop in to their gitter: https://gitter.im/sonatype-nexus-community/nancy or just send us a PR. Nancy is powered by community contributors, and we are all very proud of their contributions that make this tool even better!

Thanks for reading this article, and we hope you get a ton of value out of using Nancy!

Posted on by:

Sonatype

We believe developers should spend time innovating—not jumping through security hoops. That’s why we designed Nexus to work the way you do. Intelligent open source security integrated with preferred dev tools to easily find and fix vulnerabilities.

Discussion

markdown guide