Use nancy on actually included dependencies (#9046)

* Use nancy on actually included dependencies

Signed-off-by: Marcel Müller <marcel.mueller1@rwth-aachen.de>

* Update nancy-ignore to only match true dependencies

Signed-off-by: Marcel Müller <marcel.mueller1@rwth-aachen.de>

---------

Signed-off-by: Marcel Müller <marcel.mueller1@rwth-aachen.de>

.github/workflows/nancy.yaml

@@ -30,6 +30,6 @@ jobs:
         uses: ./.github/actions/setup-build-env
         timeout-minutes: 10
       - name: WriteGoList
-        run: go list -json -m all > go.list
+        run: go list -json -deps ./... > go.list
       - name: Nancy SAST Scan
         uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3

.nancy-ignore

@@ -1,28 +1,2 @@
-# golang/github.com/hashicorp/consul/api@v1.20.0
-# golang/github.com/hashicorp/consul/sdk@v0.3.0
-CVE-2022-29153 until=2023-11-30
-# golang/github.com/nats-io/jwt@v0.3.2
-# golang/github.com/nats-io/nats-server/v2@v2.1.2
-# golang/github.com/nats-io/nkeys@v0.4.5
-CVE-2020-26892 until=2023-11-30
-CVE-2021-3127 until=2023-11-30
-CVE-2022-24450 until=2023-11-30
-CVE-2020-26521 until=2023-11-30
-CVE-2020-28466 until=2023-11-30
-CVE-2022-29946 until=2023-11-30
-CVE-2022-42709 until=2023-11-30
-CVE-2022-42708 until=2023-11-30
-CVE-2021-32026 until=2023-11-30
-CVE-2023-46129 until=2023-11-30
-# golang/github.com/tektoncd/pipeline@v0.49.0
-CVE-2023-37264 until=2023-11-30
 # golang/k8s.io/apiserver@v0.28.1
-CVE-2020-8561 until=2023-11-30
-# golang/go.etcd.io/etcd/v3@v3.5.8
-CVE-2023-0296 until=2023-11-30
-CVE-2023-32082 until=2023-11-30
-CVE-2022-34038 until=2023-11-30
-# golang/github.com/jinzhu/gorm@v1.9.1
-CVE-2019-15562 until=2023-11-30
-# golang/github.com/gofiber/fiber/v2@v2.43.0
-CVE-2023-41338 until=2023-11-30
+CVE-2020-8561 until=2023-11-30