
chelsea's Issues

[FEATURE] Implement a Summary table of good and bad dependency counts

  • What are you trying to do?

Based on user testing, we saw a need for a quick lil table that shows you how many dependencies were scanned and how many are vulnerable

  • What feature or behavior is this required for?

This just gives someone a bit more digestible information given we'd like to quiet the output of the tool quite a bit

  • How could we solve this issue? (Not knowing is okay!)

It looks like @TheCodinator19 has this more or less working in #28 , so that!

  • Anything else?

Have a blast!

cc @bhamail / @DarthHater / @brittanybelle / @gmohre

Create Ruby OSS Index client MVP

Create a Ruby OSS Index client, with the following features:

  • Command line tool
  • Written in Ruby

Basic Features

  • Reads package dependencies from the appropriate Ruby package file(s)
    • Preferably determines transitive dependencies
  • Request known vulnerabilities for the dependencies from OSS Index.
    • Use the POST API at OSS Index
    • Note the maximum of 128 packages per request
  • Report to console the packages scanned and detected vulnerabilities, in the style of other OSS Index command line auditing tools

[FEATURE] Show only vulnerable dependencies by default

  • What are you trying to do?

From user testing, we heard that it would be nice to only show vulnerable dependencies found, which is similar to how bundler-audit and other tools function.

  • What feature or behavior is this required for?

This just makes the tool more like other unix tooling, giving only actionable information to someone

  • How could we solve this issue? (Not knowing is okay!)

It still makes sense to have a mode that outputs the non vulnerable dependencies, I would introduce a flag like --loud where you can get the full output!

In the other tools, we also grouped the dependencies such that it was:

Non Vulnerable Dependencies

....list

Vulnerable Dependencies

....list

SUMMARY TABLE

I think it makes sense to do the same thing here!

  • Anything else?

Have a blast! Hit me up if you need any questions answered!

cc @bhamail / @DarthHater / @brittanybelle / @gmohre

Hook up Chelsea to Nexus IQ Server

Building off of #12 , the next logical step would be to take that SBOM and send it to Nexus IQ Server.

The API we would use is:

https://help.sonatype.com/iqserver/automating/rest-apis/third-party-scan-rest-api---v2

Generally the flow is:

  • You need to provide a valid application ID, server URL, username, and auth token
  • Provided these are ok, then get the SBOM
  • Ask IQ Server for an internal application ID based on the public ID provided
  • If we get a valid ID back, then send the SBOM to Nexus IQ Server
  • If we get a valid response from Nexus IQ Server with a status URL, then we would poll that status URL for a period of time (poll interval of 1 second, for likely a default of 300 tries)
  • Once we receive a response, indicate to the user if the scan passes (the response will have an indicator of whether policy failed or not); if policy fails, exit with a non-zero code so someone can fail a build, and provide the report URL for them to go check the results; if it passes, exit with zero, and also provide the URL because there still could be things they could clean up, they just didn't fail their org's policy

Voila!
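The hand-off flow listed above, written out as an added example (not chelsea's own code) with an injected HTTP client so the polling and exit-code logic can be run offline. The IQ endpoint paths, the 202/404 status convention and the JSON keys (applications, statusUrl, policyAction, reportHtmlUrl) are assumptions about the third-party scan API, not taken from the issue.

```ruby
require 'json'

# Added example (not chelsea's code); IQ endpoint paths and JSON keys are assumed.
module IqFlow
  POLL_INTERVAL = 1    # seconds between status polls
  MAX_TRIES     = 300  # default number of polls before giving up
  EXIT_OK, EXIT_POLICY_FAIL, EXIT_ERROR = 0, 1, 2

  # http.call(method, path, body) -> [http_status, body_string]; sleeper is
  # injectable so the polling loop can be exercised without waiting.
  # Returns [exit_code, message_for_the_user].
  def self.run(http:, public_id:, sbom:, max_tries: MAX_TRIES, sleeper: ->(s) { sleep(s) })
    if public_id.to_s.empty?
      return [EXIT_ERROR, "You need to provide a public application ID using the '--application' flag"]
    end

    # 1. Resolve the public application ID to IQ's internal ID; an empty list means unknown app.
    status, body = http.call(:get, "/api/v2/applications?publicId=#{public_id}", nil)
    apps = status == 200 ? (JSON.parse(body)['applications'] || []) : []
    return [EXIT_ERROR, "No application with public ID '#{public_id}' found in Nexus IQ Server"] if apps.empty?
    internal_id = apps.first['id']

    # 2. Submit the SBOM to the third-party scan API; a 202 carries the status URL to poll.
    status, body = http.call(:post, "/api/v2/scan/applications/#{internal_id}/sources/chelsea", sbom)
    return [EXIT_ERROR, "Nexus IQ Server rejected the SBOM (HTTP #{status})"] unless status == 202
    status_url = JSON.parse(body)['statusUrl']

    # 3. Poll once a second; anything but 200 means the evaluation is still running.
    max_tries.times do
      status, body = http.call(:get, status_url, nil)
      unless status == 200
        sleeper.call(POLL_INTERVAL)
        next
      end
      result = JSON.parse(body)
      report = result['reportHtmlUrl']
      # Policy failure -> non-zero exit so a build can fail; a pass still shows the report URL.
      return [EXIT_POLICY_FAIL, "Policy failed; see #{report}"] if result['policyAction'] == 'Failure'
      return [EXIT_OK, "Policy passed; remaining findings are at #{report}"]
    end
    [EXIT_ERROR, "Gave up waiting for Nexus IQ Server after #{max_tries} tries"]
  end
end
```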

[FEATURE] Allow chelsea to set config for Nexus IQ Server

So that someone can provide their server url, username and token for communicating with Nexus IQ Server, we could create a way for someone to set a more persistent config.

In the other tools we have worked on we created an interactive experience on the command line for setting config.

We ask for:

  • Server URL
  • Username
  • Token (and we emphasize token, not password)

We save this by default to:
~/.iqserver/.iq-config

As yaml, with the keys: Server, Username and Token, as this config can be shared amongst all the tools.

This work could also add command line flags for server, username and token for Nexus IQ Server.

[BUG] Unsupported Pastel color of "orange" in use in Text Formatter.

Describe the bug
When running version 0.0.18 of Chelsea, I get a Pastel-related error triggered by _color_based_on_cvss_score which uses a pastel color of orange that doesn't seem to exist in Pastel (v0.7.2 as specified in Chelsea gemspec, v0.7.4, or latest at time of writing).

To Reproduce
Steps to reproduce the behavior:

  1. Run 'bundle exec chelsea --file Gemfile.lock'
  2. See error "bundler: failed to load command: chelsea ([REDACTED]/bin/chelsea)"

Expected behavior
Would expect Pastel colors of cyan, yellow, red, etc. to be used, but not yellow.

Error Trace

# bundle exec chelsea  --file Gemfile.lock
 _____  _            _
/  __ \| |          | |
| /  \/| |__    ___ | | ___   ___   __ _
| |    | '_ \  / _ \| |/ __| / _ \ / _` |
| \__/\| | | ||  __/| |\__ \|  __/| (_| |
 \____/|_| |_| \___||_||___/ \___| \__,_|


Version: 0.0.18
[+] Parsing dependencies ...done.
[+] Parsing Versions ...done.
[+] Making request to OSS Index server ...done.
bundler: failed to load command: chelsea ([REDACTED]/gems/ruby-2.5.5/bin/chelsea)
Pastel::InvalidAttributeNameError: Bad style or unintialized constant,  valid styles are: clear, reset, bold, dark, dim, italic, underline, underscore, inverse, hidden, strikethrough, black, red, green, yellow, blue, magenta, cyan, white, on_black, on_red, on_green, on_yellow, on_blue, on_magenta, on_cyan, on_white, bright_black, bright_red, bright_green, bright_yellow, bright_blue, bright_magenta, bright_cyan, bright_white, on_bright_black, on_bright_red, on_bright_green, on_bright_yellow, on_bright_blue, on_bright_magenta, on_bright_cyan, on_bright_white.
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:237:in `validate'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:158:in `block in code'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:153:in `each'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:153:in `code'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:141:in `block in lookup'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:140:in `fetch'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:140:in `lookup'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:60:in `decorate'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color_resolver.rb:32:in `resolve'
  [REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/delegator.rb:76:in `method_missing'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:88:in `_color_based_on_cvss_score'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:71:in `_format_vuln'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:51:in `block (2 levels) in get_results'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:50:in `each'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:50:in `block in get_results'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:39:in `each'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:39:in `get_results'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/gems.rb:64:in `execute'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/cli.rb:84:in `_process_file'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/cli.rb:48:in `process!'
  [REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/bin/chelsea:55:in `<top (required)>'
  [REDACTED]/gems/ruby-2.5.5/bin/chelsea:23:in `load'
  [REDACTED]/gems/ruby-2.5.5/bin/chelsea:23:in `<top (required)>'

Desktop (please complete the following information):

  • OS: OS X 10.15.7
  • Ruby Version: 2.5.5
  • Bundler Version: 2.1.4
  • chelsea Version 0.0.18

Additional context
I'm assuming this Pastel gem, and the colors defined in this file. There's no mention of orange in the repo.

I'll happily do a PR, but wanted to sanity check I'm not missing something (as I can't see how it could work for anyone, so maybe I have the wrong Pastel gem or version or something). It would also require discussion around what to use (to differentiate scoring of 4-5 and 6-7 in _color_based_on_cvss_score).

[FEATURE] Allow a user to exclude specific vulnerabilities from OSS Index

Much as we've done in the other tools, allow a user to exclude specific vulnerabilities so that they can be ignored from OSS Index.

Suggestions are to allow someone to have a .chelsea.json or .chelsea.yaml file in their repo, which would have a list of vulnerabilities they want ignored by chelsea.

This functionality could ignore off of:

  • The OSS Index ID for the vuln
  • The CVE title for the vuln
  • The CWE title for the vuln

As well, as an extra mile type of step, you could allow someone to ignore the vuln for only a specific period of time. We did that on Nancy, so that people could exclude something if there was no way to upgrade that dependency, and then have it fail at a later date to remind them to check back in on it.

By default you'd check the repository for the file, but also allow someone to pass in a file via the command line from an alternative location.

If someone has ignored a vuln, it should not show up in the audit results, or specifically say it was ignored, and also not cause the application to exit with a non zero code (if it's the only vulnerability found).

Do not use the term whitelist related to this code.
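An added example (not chelsea's own code) of the ignore file this issue proposes: a .chelsea.yaml with an ignore list matched on OSS Index ID, CVE title or CWE title, an optional until date after which the exclusion lapses and the finding fails the build again, and the resulting exit code. The key names (ignore, id, cve, cwe, until, reason) are assumed, and the vulnerability hashes use lower-case keys of my own choosing rather than OSS Index's response shape.

```ruby
require 'yaml'
require 'date'

# Added example (not chelsea's code); file layout and key names are assumed.
class IgnoreList
  Entry = Struct.new(:id, :cve, :cwe, :until_date, :reason)

  # Looks in the repository by default, or at a path given on the command line.
  def self.load(path = nil, default: '.chelsea.yaml')
    file = path || default
    return new([]) unless File.exist?(file)
    new(parse(File.read(file)))
  end

  def self.parse(yaml_text)
    doc = YAML.safe_load(yaml_text, permitted_classes: [Date]) || {}
    (doc['ignore'] || []).map do |e|
      expiry = e['until'] && Date.parse(e['until'].to_s)
      Entry.new(e['id'], e['cve'], e['cwe'], expiry, e['reason'])
    end
  end

  def initialize(entries)
    @entries = entries
  end

  # vuln is a hash with 'id', 'cve', 'cwe' keys (constructed shape for this example).
  def ignored?(vuln, today: Date.today)
    @entries.any? do |e|
      next false if e.until_date && today > e.until_date   # expired: report it again
      (e.id && e.id == vuln['id']) ||
        (e.cve && e.cve.casecmp?(vuln['cve'].to_s)) ||
        (e.cwe && e.cwe.casecmp?(vuln['cwe'].to_s))
    end
  end

  # Splits findings into reported and ignored; the exit code is non-zero only
  # when something is still reported, so an ignored-only result passes.
  def apply(vulns, today: Date.today)
    reported, ignored = vulns.partition { |v| !ignored?(v, today: today) }
    { reported: reported, ignored: ignored, exit_code: reported.empty? ? 0 : 1 }
  end
end
```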

Extend Ruby client to add caching and authentication

Add a couple of features to the MVP client

Caching

  • Cache results to disk for 12 hours, so if the same package is scanned more than once it does not check OSS Index
  • Before requesting results from OSS Index for a package, see if the cached results are valid
  • If a plug-and-play caching algorithm cannot be found, do not implement caching

Rate limits

  • Reads an optional username/token from a configuration file on disk which is passed via the OSS Index API to allow use of an authenticated request which has a less restrictive rate limit
  • Gracefully handles a rate limit by informing the user that it has been exceeded
    • If the user is unauthenticated, mention that authenticated users have a higher rate limit
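An added example (not chelsea's own code) covering this issue together with the MVP issue above: coordinates are sent in batches of at most 128 per POST, repeat lookups are served from a 12-hour on-disk cache, and an HTTP 429 becomes the rate-limit message described here, with the authenticated-users hint only when no username/token was configured. The HTTP call is injected (a lambda returning [status, body]) and the cache layout is my own choice; neither comes from the issue.

```ruby
require 'json'
require 'digest'
require 'fileutils'

# Added example (not chelsea's code); cache layout and HTTP shape are assumed.
class OssIndexClient
  BATCH_SIZE = 128            # OSS Index accepts at most 128 coordinates per POST
  CACHE_TTL  = 12 * 60 * 60   # cached results stay valid for 12 hours (seconds)
  RateLimited = Class.new(StandardError)

  # post.call(coordinates, auth) -> [http_status, body]; auth is [user, token] or nil.
  def initialize(post:, cache_dir:, username: nil, token: nil, now: -> { Time.now })
    @post, @cache_dir, @now = post, cache_dir, now
    @auth = username && token ? [username, token] : nil
    FileUtils.mkdir_p(@cache_dir)
  end

  # Returns { coordinate => report_hash }; cache hits never reach OSS Index.
  def report(purls)
    results, misses = {}, []
    purls.each do |p|
      hit = cached(p)
      hit ? (results[p] = hit) : (misses << p)
    end
    misses.each_slice(BATCH_SIZE) do |batch|
      status, body = @post.call(batch, @auth)
      raise RateLimited, rate_limit_message if status == 429
      raise "OSS Index returned HTTP #{status}" unless status == 200
      JSON.parse(body).each do |entry|
        results[entry['coordinates']] = entry
        store(entry['coordinates'], entry)
      end
    end
    results
  end

  def rate_limit_message
    msg = 'OSS Index rate limit exceeded; try again later.'
    msg += ' Authenticated requests have a higher rate limit; configure a username and token.' unless @auth
    msg
  end

  private

  def cache_path(purl)
    File.join(@cache_dir, "#{Digest::SHA256.hexdigest(purl)}.json")
  end

  def cached(purl)
    path = cache_path(purl)
    return nil unless File.exist?(path)
    record = JSON.parse(File.read(path))
    return nil if @now.call.to_i - record['stored_at'] > CACHE_TTL   # stale: refetch
    record['report']
  end

  def store(purl, report)
    File.write(cache_path(purl), JSON.generate('stored_at' => @now.call.to_i, 'report' => report))
  end
end
```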

[FEATURE] Add a logger to Chelsea!

  • What are you trying to do?

Right now Chelsea does not have a logger! It could use one!

  • What feature or behavior is this required for?

Basically, if something breaks in Chelsea, we don't have a way to ask users for more information without some painful steps, adding a logger will help us avoid this.

  • How could we solve this issue? (Not knowing is okay!)

Solving this technically, more or less find a good Ruby logger library (whatever is standard may work, more or less, but if you find something cool that makes sense, go for it)

The only hard requirements are:

  • Write logs to ~/.ossindex/chelsea.combined.log
  • Logging by default should be at ERROR level
  • Introduce a command line flag ( -v -vv -vvv is more or less what we use in the other tools) that will bump the logging from ERROR -> INFO -> DEBUG -> TRACE
  • Introduce some amount of logging (that we can continue to add to) that logs:
    • ERRORS as ERROR
    • INFO (stuff like I'm about to do this thing!)
    • DEBUG (stuff like I'm doing this thing and I sent this/received this)
    • TRACE (very fine grained, maybe I'm in a loop and I'm doing x with y type things)

As well, make the logger single use, as in rewrite it on each use (truncate existing file, start writing to it again). Otherwise, you will need to think about log rotation, and potentially create large amounts of logs that need to be cleaned up. Single use I believe makes sense since these tools are largely single use tools, rather than services.

  • Anything else?

This will be super helpful! Have fun!

cc @bhamail / @DarthHater / @brittanybelle / @gmohre

[BUG] Doesn't load or run under Ruby 2.7.8

Describe the bug
Trying to follow the README ends in a failed include error.

To Reproduce
Steps to reproduce the behavior:

  1. Run chelsea --file ./Gemfile.lock
  2. See error: cannot load such file -- ox/ox (LoadError)

Expected behavior
I was hoping to see a report, as documented in the README.

Desktop (please complete the following information):

  • OS: Mac OS 13.3 (22E252)
  • Ruby Version: 2.7.8
  • Bundler Version: 2.4.10
  • chelsea Version 0.0.35

Additional context
This happens whether the ox and chelsea gems are in the bundle, and chelsea is invoked with bundle exec or not.

Here is a trace of the error:

waldavis@PMACS-DEV-134 mannequin % chelsea --file ./Gemfile.lock
Traceback (most recent call last):
	19: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/ruby_executable_hooks:22:in `<main>'
	18: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/ruby_executable_hooks:22:in `eval'
	17: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/chelsea:25:in `<main>'
	16: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/chelsea:25:in `load'
	15: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/bin/chelsea:20:in `<top (required)>'
	14: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/bin/chelsea:20:in `require_relative'
	13: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea.rb:20:in `<top (required)>'
	12: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea.rb:20:in `require_relative'
	11: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/cli.rb:24:in `<top (required)>'
	10: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/cli.rb:24:in `require_relative'
	 9: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/gems.rb:26:in `<top (required)>'
	 8: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/gems.rb:26:in `require_relative'
	 7: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/formatters/factory.rb:20:in `<top (required)>'
	 6: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/formatters/factory.rb:20:in `require_relative'
	 5: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/formatters/xml.rb:19:in `<top (required)>'
	 4: from /Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
	 3: from /Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
	 2: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/ox-2.13.4/lib/ox.rb:79:in `<top (required)>'
	 1: from /Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
/Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require': cannot load such file -- ox/ox (LoadError)
waldavis@PMACS-DEV-134 mannequin % gem info ox

*** LOCAL GEMS ***

ox (2.13.4)
    Author: Peter Ohler
    Homepage: http://www.ohler.com/ox
    License: MIT
    Installed at: /Users/waldavis/.rvm/gems/ruby-2.7.8

    A fast XML parser and object serializer.
waldavis@PMACS-DEV-134 mannequin % gem info chelsea

*** LOCAL GEMS ***

chelsea (0.0.35)
    Author: Allister Beharry
    Homepage: https://github.com/sonatype-nexus-community/chelsea
    License: Apache-2.0
    Installed at: /Users/waldavis/.rvm/gems/ruby-2.7.8

    Audit Ruby package dependencies for security vulnerabilities.

[BUG] Don't set IQ default public application ID to testapp

Describe the bug
Currently the IQ default public application ID is being set to testapp; we shouldn't default this at all, and instead, if someone hasn't provided an application ID (and is using the --iq flag), give them a friendly error message that they need to set the public application ID

To Reproduce
chelsea --iq --file Gemfile.lock will work, but it shouldn't (and it will only work if you have a testapp application setup in Nexus IQ)

Should be:

chelsea --iq --file Gemfile.lock --application whatever_your_public_application_id_is

Expected behavior
chelsea --iq --file Gemfile.lock --application whatever_your_public_application_id_is

If an application doesn't exist in Nexus IQ Server, give a friendly error message that no public application ID was found (an empty response will be given back I believe from Nexus IQ Server)

chelsea --iq --file Gemfile.lock --application whatever_your_public_application_id_is

If an application does exist, then the scan should occur

chelsea --iq --file Gemfile.lock

A message akin to You need to provide a public application ID using the '--application' flag to run a Nexus IQ Server scan, you can likely show the user the chelsea usage as well

Create an SBOM from Gemfile.lock

In order to allow chelsea to ultimately work with Nexus IQ Server, we would need to output an SBOM that we can send to the Nexus IQ Third Party API.

Steps in this work are largely to see if we could use this library:

https://github.com/CycloneDX/cyclonedx-ruby-gem

If we can't, then we can take what we need and craft our own, but we should definitely take a look at this lib first.

From there, we'd likely want a new method off of deps.rb called "craftSBOM" or something akin, that would give us the XML to send to IQ Server.

Allow chelsea to set config for OSS Index

So that someone can provide their username and token for communicating with OSS Index (so that they can get a higher rate limit), we could create a way for someone to set a more persistent config.

In the other tools we have worked on we created an interactive experience on the command line for setting config.

We ask for:

  • Username
  • Token (and we emphasize token, not password)

We save this by default to:
~/.ossindex/.oss-index-config

As yaml, with the keys: Username and Token, as this config can be shared amongst all the tools.

This work could also add command line flags for a username and token for OSS Index, and implement the POST request to use those as basic auth, as well as if someone has provided config, command line flags should override it.
