Community Updates: Nancy Has a New Ship, and Found oysteRs

March 16, 2020 By DJ Schleen

3 minute read time

The community team at Sonatype has been working hard on upgrading docker-nancy from a Post Panamax cargo ship to a new and improved Triple E vessel. (See the diagram below). As a result, the docker-nancy project on github that we announced earlier is being archived. Now, docker-nancy has moved to the main repository.

biggest-container-ship-evolution

The Triple E is the largest container ship to-date. (Image Source)

Who is Nancy?

Nancy is a tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index. docker-nancy wraps the nancy executable in a Docker image.

Nancy checks for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index and Nexus IQ Server. This gives you a smooth sailing experience as a Golang developer, using the best tools in the market!

Nancy currently works for projects that use dep or go mod for dependencies.

To see how Nancy will output when finding vulnerabilities, use our intentionally vulnerable repo. Check out this build on Travis-CI or this build on CircleCI.

Bon Voyage, docker-nancy!

Ahoy! oysteR

Also new to the community is the ability to create purls from the filtered sands of your dependencies, powered by Sonatype OSS Index.

If this project is run independently, one can run:

Rscript R/main.R

main.R has a call to audit_deps_with_oss_index() by default, as a convenience.

If installed, you can do:

library(oysteR)
oysteR::audit_deps_with_oss_index()

This will accomplish the same behavior as running main.R.


Reminder: Neither Are Officially Supported by Sonatype (And More Contributions Are Available)

It is worth noting that oysteR and Nancy are NOT SUPPORTED by Sonatype. Both are contributions to the open source community (read: you!).

Remember:

  • Use these contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to oysteR or docker-nancy
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all:

Have fun creating and using this extension and the Sonatype OSS Index, we are glad to have you here! Find more community contributions at my.sonatype.com/exchange.

Tags: Docker, Everything Open Source, nexus exchange, Nexus Repository OSS, Post developers/devops, Nancy

Written by DJ Schleen

DJ is a DevSecOps Advocate