sonatype-nexus-community / chelsea
Dependency vulnerability auditor for Ruby
License: Apache License 2.0
Based on user testing, we saw a need for a quick lil table that shows you how many dependencies were scanned and how many are vulnerable
This just gives someone a bit more digestible information given we'd like to quiet the output of the tool quite a bit
It looks like @TheCodinator19 has this more or less working in #28, so that!
Have a blast!
cc @bhamail / @DarthHater / @brittanybelle / @gmohre
Lettuce sort the output by CVSS score.
Create a Ruby OSS Index client, with the following features:
From user testing, we heard that it would be nice to only show vulnerable dependencies found, which is similar to how bundler-audit and other tools function.
This just makes the tool more like other unix tooling, giving only actionable information to someone
It still makes sense to have a mode that outputs the non vulnerable dependencies, I would introduce a flag like --loud where you can get the full output!
In the other tools, we also grouped the dependencies such that it was:
Non Vulnerable Dependencies
....list
Vulnerable Dependencies
....list
SUMMARY TABLE
I think it makes sense to do the same thing here!
Have a blast! Hit me up if you need any questions answered!
cc @bhamail / @DarthHater / @brittanybelle / @gmohre
Building off of #12, the next logical step would be to take that SBOM and send it to Nexus IQ Server.
The API we would use is:
https://help.sonatype.com/iqserver/automating/rest-apis/third-party-scan-rest-api---v2
Generally the flow is:
Voila!
So that someone can provide their server url, username and token for communicating with Nexus IQ Server, we could create a way for someone to set a more persistent config.
In the other tools we have worked on we created an interactive experience on the command line for setting config.
We ask for:
We save this by default to:
~/.iqserver/.iq-config
As yaml, with the keys: Server, Username and Token, as this config can be shared amongst all the tools.
This work could also add command line flags for server, username and token for Nexus IQ Server.
Describe the bug
When running version 0.0.18 of Chelsea, I get a Pastel-related error triggered by _color_based_on_cvss_score which uses a pastel color of orange that doesn't seem to exist in Pastel (v0.7.2 as specified in Chelsea gemspec, v0.7.4, or latest at time of writing).
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Would expect Pastel colors of cyan, yellow, red, etc. to be used, but not yellow.
Error Trace
# bundle exec chelsea --file Gemfile.lock
_____ _ _
/ __ \| | | |
| / \/| |__ ___ | | ___ ___ __ _
| | | '_ \ / _ \| |/ __| / _ \ / _` |
| \__/\| | | || __/| |\__ \| __/| (_| |
\____/|_| |_| \___||_||___/ \___| \__,_|
Version: 0.0.18
[+] Parsing dependencies ...done.
[+] Parsing Versions ...done.
[+] Making request to OSS Index server ...done.
bundler: failed to load command: chelsea ([REDACTED]/gems/ruby-2.5.5/bin/chelsea)
Pastel::InvalidAttributeNameError: Bad style or unintialized constant, valid styles are: clear, reset, bold, dark, dim, italic, underline, underscore, inverse, hidden, strikethrough, black, red, green, yellow, blue, magenta, cyan, white, on_black, on_red, on_green, on_yellow, on_blue, on_magenta, on_cyan, on_white, bright_black, bright_red, bright_green, bright_yellow, bright_blue, bright_magenta, bright_cyan, bright_white, on_bright_black, on_bright_red, on_bright_green, on_bright_yellow, on_bright_blue, on_bright_magenta, on_bright_cyan, on_bright_white.
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:237:in `validate'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:158:in `block in code'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:153:in `each'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:153:in `code'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:141:in `block in lookup'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:140:in `fetch'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:140:in `lookup'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color.rb:60:in `decorate'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/color_resolver.rb:32:in `resolve'
[REDACTED]/gems/ruby-2.5.5/gems/pastel-0.7.4/lib/pastel/delegator.rb:76:in `method_missing'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:88:in `_color_based_on_cvss_score'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:71:in `_format_vuln'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:51:in `block (2 levels) in get_results'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:50:in `each'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:50:in `block in get_results'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:39:in `each'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/formatters/text.rb:39:in `get_results'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/gems.rb:64:in `execute'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/cli.rb:84:in `_process_file'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/lib/chelsea/cli.rb:48:in `process!'
[REDACTED]/gems/ruby-2.5.5/gems/chelsea-0.0.18/bin/chelsea:55:in `<top (required)>'
[REDACTED]/gems/ruby-2.5.5/bin/chelsea:23:in `load'
[REDACTED]/gems/ruby-2.5.5/bin/chelsea:23:in `<top (required)>'
Desktop (please complete the following information):
Additional context
I'm assuming this Pastel gem, and the colors defined in this file. There's no mention of orange in the repo.
I'll happily do a PR, but wanted to sanity check I'm not missing something (as I can't see how it could work for anyone, so maybe I have the wrong Pastel gem or version or something). It would also require discussion around what to use (to differentiate scoring of 4-5 and 6-7 in _color_based_on_cvss_score).
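An added example, not Chelsea's own code, that covers two of the requests on this page at once: the output-grouping issue above (non vulnerable list, vulnerable list sorted by CVSS score, a summary table, a --loud flag) and the Pastel bug in this report. The colour picker below chooses only from the style names printed in the Pastel::InvalidAttributeNameError message, and checks that at runtime, so a severity band can never name a style Pastel lacks. The result-hash shape, the CVSS band cut-offs and all function names are assumptions made for the example:

```ruby
# Added example (not Chelsea's code): group dependencies, sort by CVSS, pick
# a colour only from Pastel's documented style list, and print a summary.
# Result shape (coordinates => list of vulns) is an assumption.

# Style names copied from the Pastel::InvalidAttributeNameError message in the
# bug report; anything outside this list raises at runtime, which is the bug.
PASTEL_STYLES = %w[
  clear reset bold dark dim italic underline underscore inverse hidden strikethrough
  black red green yellow blue magenta cyan white
  on_black on_red on_green on_yellow on_blue on_magenta on_cyan on_white
  bright_black bright_red bright_green bright_yellow bright_blue bright_magenta bright_cyan bright_white
  on_bright_black on_bright_red on_bright_green on_bright_yellow on_bright_blue on_bright_magenta
  on_bright_cyan on_bright_white
].freeze

# CVSS v3 bands (0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, 9.0-10 critical)
# mapped onto styles that exist in Pastel. "orange" is not one of them.
def color_for_cvss(score)
  style = case score.to_f
          when 9.0..10.0 then :bright_red
          when 7.0...9.0 then :red
          when 4.0...7.0 then :yellow
          when 0.1...4.0 then :cyan
          else :white
          end
  # Guard: fail loudly here, with the band that is wrong, not deep inside Pastel.
  raise ArgumentError, "#{style} is not a Pastel style" unless PASTEL_STYLES.include?(style.to_s)
  style
end

# Split into clean / vulnerable; vulns sorted high-to-low inside each package,
# packages ordered by their worst vulnerability.
def group_results(results)
  vulnerable, clean = results.partition { |_coord, vulns| !vulns.empty? }
  vulnerable = vulnerable.map { |coord, vulns| [coord, vulns.sort_by { |v| -v["cvssScore"].to_f }] }
  {
    clean: clean.map(&:first).sort,
    vulnerable: vulnerable.sort_by { |_coord, vulns| -vulns.first["cvssScore"].to_f }
  }
end

def summary_table(results)
  grouped = group_results(results)
  rows = [
    ["Audited", results.size],
    ["Vulnerable", grouped[:vulnerable].size],
    ["Vulnerabilities", grouped[:vulnerable].sum { |_coord, vulns| vulns.size }]
  ]
  width = rows.map { |label, _| label.size }.max
  rows.map { |label, value| "#{label.ljust(width)} : #{value}" }.join("\n")
end

# Quiet by default: only vulnerable dependencies plus the summary. --loud adds
# the non vulnerable list first, in the order the other Sonatype tools use.
def render(results, loud: false)
  grouped = group_results(results)
  out = []
  if loud
    out << "Non Vulnerable Dependencies"
    grouped[:clean].each { |coord| out << "  #{coord}" }
  end
  out << "Vulnerable Dependencies"
  grouped[:vulnerable].each do |coord, vulns|
    out << "  #{coord}"
    vulns.each { |v| out << "    [#{color_for_cvss(v['cvssScore'])}] #{v['cvssScore']} #{v['title']}" }
  end
  out << summary_table(results)
  out.join("\n")
end

# Non-zero exit when anything vulnerable remains, so CI can fail the build.
def exit_code(results)
  group_results(results)[:vulnerable].empty? ? 0 : 1
end

# Constructed sample, shaped like OSS Index coordinates => vulnerabilities.
SAMPLE_RESULTS = {
  "pkg:gem/rake@13.0.1" => [],
  "pkg:gem/example-a@1.0.0" => [
    { "cvssScore" => 5.3, "title" => "sample medium" },
    { "cvssScore" => 9.8, "title" => "sample critical" }
  ],
  "pkg:gem/example-b@2.0.0" => [{ "cvssScore" => 7.5, "title" => "sample high" }]
}.freeze

puts render(SAMPLE_RESULTS, loud: ARGV.include?("--loud")) if $PROGRAM_NAME == __FILE__
```

The style list is checked on every call rather than once at load so that a future band edit that introduces a bad name fails in the formatter's own test, not in a user's terminal after the network round trip has already happened.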
Much as we've done in the other tools, allow a user to exclude specific vulnerabilities so that they can be ignored from OSS Index.
Suggestions are to allow someone to have a .chelsea.json or .chelsea.yaml file in their repo, which would have a list of vulnerabilities they want ignored by chelsea.
This functionality could ignore off of:
As well, as an extra mile type of step, you could allow someone to ignore the vuln for only a specific period of time. We did that on Nancy, so that people could exclude something if there was no way to upgrade that dependency, and then have it fail at a later date to remind them to check back in on it.
By default you'd check the repository for the file, but also allow someone to pass in a file via the command line from an alternative location.
If someone has ignored a vuln, it should not show up in the audit results, or specifically say it was ignored, and also not cause the application to exit with a non zero code (if it's the only vulnerability found).
Do not use the term whitelist related to this code.
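An added example of the ignore-file behaviour described in this issue; it is not Chelsea's own code. It reads a .chelsea.yaml from the repo (or an explicit path passed on the command line), honours an optional expiry date per entry so an ignore can re-surface later, drops the ignored findings from the results, and computes the exit code so a run whose only findings are ignored exits zero. The file layout, the key names (ignore, id, reason, until) and the function names are assumptions:

```ruby
# Added example (not Chelsea's code): time-limited vulnerability ignore list.
# File layout and key names are assumptions for this example.
require "yaml"
require "date"

# Constructed example of the proposed .chelsea.yaml. "until" is optional and
# is the last day the ignore applies (the Nancy-style reminder mechanism).
SAMPLE_IGNORE_YAML = <<~YAML
  ignore:
    - id: "sample-vuln-1"
      reason: "no upgrade path yet"
      until: "2030-01-01"
    - id: "sample-vuln-2"
      reason: "expired ignore, should resurface"
      until: "2000-01-01"
    - id: "sample-vuln-3"
      reason: "permanent ignore"
YAML

IgnoreRule = Struct.new(:id, :reason, :until_date) do
  def active?(today)
    until_date.nil? || today <= until_date
  end
end

# safe_load: a repo-controlled file must not be able to instantiate arbitrary
# Ruby objects. Only Date is permitted, for unquoted YAML dates.
def load_ignore_rules(yaml_text, today: Date.today)
  doc = YAML.safe_load(yaml_text, permitted_classes: [Date]) || {}
  Array(doc["ignore"]).map do |entry|
    until_date = entry["until"]
    until_date = Date.parse(until_date.to_s) unless until_date.nil? || until_date.is_a?(Date)
    IgnoreRule.new(entry.fetch("id").to_s, entry["reason"], until_date)
  end
end

# Explicit --ignore-file path wins; otherwise look for .chelsea.yaml in the repo.
def ignore_rules_for(repo_dir, explicit_path: nil, today: Date.today)
  path = explicit_path || File.join(repo_dir, ".chelsea.yaml")
  return [] unless File.file?(path)
  load_ignore_rules(File.read(path), today: today)
end

# results: coordinates => list of vulns carrying an "id" key.
# Returns [kept_results, ignored_vulns]; expired rules behave as if absent,
# so the finding shows up again once the date passes.
def apply_ignores(results, rules, today: Date.today)
  active_ids = rules.select { |r| r.active?(today) }.map(&:id)
  ignored = []
  kept = results.transform_values do |vulns|
    keep, drop = vulns.partition { |v| !active_ids.include?(v["id"].to_s) }
    ignored.concat(drop)
    keep
  end
  [kept, ignored]
end

# Zero only when nothing un-ignored remains, per the issue's last requirement.
def audit_exit_code(kept_results)
  kept_results.values.all?(&:empty?) ? 0 : 1
end

# Constructed sample results.
SAMPLE_RESULTS = {
  "pkg:gem/example@1.0.0" => [
    { "id" => "sample-vuln-1", "cvssScore" => 7.5 },
    { "id" => "sample-vuln-2", "cvssScore" => 5.0 },
    { "id" => "sample-vuln-3", "cvssScore" => 9.8 }
  ]
}.freeze

if $PROGRAM_NAME == __FILE__
  rules = load_ignore_rules(SAMPLE_IGNORE_YAML)
  kept, ignored = apply_ignores(SAMPLE_RESULTS, rules)
  ignored.each { |v| puts "ignored #{v['id']}" }
  puts "exit #{audit_exit_code(kept)}"
end
```

Printing the ignored findings, rather than silently dropping them, keeps the audit log honest: a reviewer can see what was suppressed and why, and the expiry date turns a permanent exception into a dated one.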
Add a couple of features to the MVP client
What are you trying to do?
I want to use a stage different from the default IQ stage of build.
What feature or behavior is this required for?
Using policy defined for other stages (valid stages: develop, build, stage-release, release, and operate).
How could we solve this issue? (Not knowing is okay!)
Add new flag, -s, --stage perhaps
Anything else?
Nope
cc @bhamail / @DarthHater / @brittanybelle / @gmohre
Right now Chelsea does not have a logger! It could use one!
Basically, if something breaks in Chelsea, we don't have a way to ask users for more information without some painful steps, adding a logger will help us avoid this.
Solving this technically, more or less find a good Ruby logger library (whatever is standard may work, more or less, but if you find something cool that makes sense, go for it)
The only hard requirements are:
~/.ossindex/chelsea.combined.log
-v -vv -vvv (is more or less what we use in the other tools) that will bump the logging from ERROR -> INFO -> DEBUG -> TRACE
As well, make the logger single use, as in rewrite it on each use (truncate existing file, start writing to it again). Otherwise, you will need to think about log rotation, and potentially create large amounts of logs that need to be cleaned up. Single use I believe makes sense since these tools are largely single use tools, rather than services.
This will be super helpful! Have fun!
cc @bhamail / @DarthHater / @brittanybelle / @gmohre
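An added example of the logger requested in this issue, using only Ruby's stdlib Logger; it is not Chelsea's code. It counts -v/-vv/-vvv to pick the level, truncates ~/.ossindex/chelsea.combined.log on every run so rotation is never needed, and creates the file owner-readable only because DEBUG output from an auditor can include request and response bodies. Ruby's Logger has no TRACE level, so -vvv maps to DEBUG here; that and the helper names are assumptions:

```ruby
# Added example (not Chelsea's code): single-use file logger driven by -v flags.
# Assumption: -vvv maps to DEBUG because stdlib Logger has no TRACE level.
require "logger"
require "fileutils"
require "time"
require "tmpdir"

LOG_PATH = File.join(Dir.home, ".ossindex", "chelsea.combined.log")

# Count -v, -vv, -vvv (or repeated -v) and clamp to the three supported steps.
def verbosity_from_args(args)
  args.sum { |a| a.match?(/\A-v+\z/) ? a.count("v") : 0 }.clamp(0, 3)
end

# ERROR -> INFO -> DEBUG -> (TRACE, approximated by DEBUG)
LEVELS = [Logger::ERROR, Logger::INFO, Logger::DEBUG, Logger::DEBUG].freeze

def level_for_verbosity(n)
  LEVELS.fetch(n.clamp(0, 3))
end

# Mode "w" truncates the previous run's log, so the file only ever holds the
# last invocation and never grows unbounded. 0o600 keeps it private to the user.
def build_logger(path: LOG_PATH, verbosity: 0)
  FileUtils.mkdir_p(File.dirname(path))
  file = File.open(path, "w", 0o600)
  file.sync = true # flush each line so a crash still leaves the log readable
  logger = Logger.new(file)
  logger.level = level_for_verbosity(verbosity)
  logger.formatter = proc { |severity, time, _prog, msg| "#{time.utc.iso8601} #{severity} #{msg}\n" }
  logger
end

# Write one line at each level, close, and return what the file contains.
def write_sample(verbosity, path:)
  logger = build_logger(path: path, verbosity: verbosity)
  logger.debug("debug line")
  logger.info("info line")
  logger.error("error line")
  logger.close
  File.read(path)
end

if $PROGRAM_NAME == __FILE__
  demo_path = File.join(Dir.mktmpdir("chelsea-log"), "chelsea.combined.log")
  puts write_sample(verbosity_from_args(ARGV), path: demo_path)
end
```

Because the CLI reads its verbosity before building the logger, startup failures (a bad Gemfile.lock path, a DNS error on the first request) are still captured at ERROR even on a plain run, which is the situation the issue is trying to make diagnosable.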
Test verbose option.
Test JSON Formatter output option.
Describe the bug
Trying to follow the README ends in a failed include error.
To Reproduce
Steps to reproduce the behavior:
chelsea --file ./Gemfile.lock
cannot load such file -- ox/ox (LoadError)
Expected behavior
I was hoping to see a report, as documented in the README.
Desktop (please complete the following information):
Additional context
This happens whether the ox and chelsea gems are in the bundle, and chelsea is invoked with bundle exec, or not.
Here is a trace of the error:
waldavis@PMACS-DEV-134 mannequin % chelsea --file ./Gemfile.lock
Traceback (most recent call last):
19: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/ruby_executable_hooks:22:in `<main>'
18: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/ruby_executable_hooks:22:in `eval'
17: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/chelsea:25:in `<main>'
16: from /Users/waldavis/.rvm/gems/ruby-2.7.8/bin/chelsea:25:in `load'
15: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/bin/chelsea:20:in `<top (required)>'
14: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/bin/chelsea:20:in `require_relative'
13: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea.rb:20:in `<top (required)>'
12: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea.rb:20:in `require_relative'
11: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/cli.rb:24:in `<top (required)>'
10: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/cli.rb:24:in `require_relative'
9: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/gems.rb:26:in `<top (required)>'
8: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/gems.rb:26:in `require_relative'
7: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/formatters/factory.rb:20:in `<top (required)>'
6: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/formatters/factory.rb:20:in `require_relative'
5: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/chelsea-0.0.35/lib/chelsea/formatters/xml.rb:19:in `<top (required)>'
4: from /Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
3: from /Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
2: from /Users/waldavis/.rvm/gems/ruby-2.7.8/gems/ox-2.13.4/lib/ox.rb:79:in `<top (required)>'
1: from /Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require'
/Users/waldavis/.rvm/rubies/ruby-2.7.8/lib/ruby/site_ruby/2.7.0/rubygems/core_ext/kernel_require.rb:85:in `require': cannot load such file -- ox/ox (LoadError)
waldavis@PMACS-DEV-134 mannequin % gem info ox
*** LOCAL GEMS ***
ox (2.13.4)
Author: Peter Ohler
Homepage: http://www.ohler.com/ox
License: MIT
Installed at: /Users/waldavis/.rvm/gems/ruby-2.7.8
A fast XML parser and object serializer.
waldavis@PMACS-DEV-134 mannequin % gem info chelsea
*** LOCAL GEMS ***
chelsea (0.0.35)
Author: Allister Beharry
Homepage: https://github.com/sonatype-nexus-community/chelsea
License: Apache-2.0
Installed at: /Users/waldavis/.rvm/gems/ruby-2.7.8
Audit Ruby package dependencies for security vulnerabilities.
Describe the bug
Currently right now the IQ default public application ID is being set to testapp, we shouldn't default this at all, and just if someone hasn't provided an application ID (and is using the --iq flag), give them a friendly error message that they need to set the public application ID
To Reproduce
chelsea --iq --file Gemfile.lock
will work, but it shouldn't (and it will only work if you have a testapp application setup in Nexus IQ)
Should be:
chelsea --iq --file Gemfile.lock --application whatever_your_public_application_id_is
Expected behavior
chelsea --iq --file Gemfile.lock --application whatever_your_public_application_id_is
If an application doesn't exist in Nexus IQ Server, give a friendly error message that no public application ID was found (an empty response will be given back I believe from Nexus IQ Server)
chelsea --iq --file Gemfile.lock --application whatever_your_public_application_id_is
If an application does exist, then the scan should occur
chelsea --iq --file Gemfile.lock
A message akin to You need to provide a public application ID using the '--application' flag to run a Nexus IQ Server scan
, you can likely show the user the chelsea usage as well
In order to allow chelsea to ultimately work with Nexus IQ Server, we would need to output an SBOM that we can send to the Nexus IQ Third Party API.
Steps in this work are largely to see if we could use this library:
https://github.com/CycloneDX/cyclonedx-ruby-gem
If we can't, then we can take what we need and craft our own, but we should definitely take a look at this lib first.
From there, we'd want likely a new method off of deps.rb to "craftSBOM" or something akin, that would give us the XML to send to IQ Server.
So that someone can provide their username and token for communicating with OSS Index (so that they can get a higher rate limit), we could create a way for someone to set a more persistent config.
In the other tools we have worked on we created an interactive experience on the command line for setting config.
We ask for:
We save this by default to:
~/.ossindex/.oss-index-config
As yaml, with the keys: Username and Token, as this config can be shared amongst all the tools.
This work could also add command line flags for a username and token for OSS Index, and implement the POST request to use those as basic auth, as well as if someone has provided config, command line flags should override it.
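An added example, not Chelsea's code, that ties together three issues on this page: the persistent OSS Index config described here (~/.ossindex/.oss-index-config with Username and Token), the Nexus IQ config issue earlier (~/.iqserver/.iq-config with Server, Username and Token), and the bug about defaulting the IQ application ID. It reads the YAML file, lets command-line flags override it, builds the HTTP Basic auth value OSS Index expects, and refuses an --iq run with no --application rather than silently defaulting one. The flag names, the helper names and the 0600/0700 file modes are assumptions:

```ruby
# Added example (not Chelsea's code): shared YAML config, CLI overrides,
# Basic auth header, and the --application guard. Flag names are assumptions.
require "yaml"
require "fileutils"
require "optparse"
require "tmpdir"

OSS_INDEX_CONFIG = File.join(Dir.home, ".ossindex", ".oss-index-config")
IQ_CONFIG        = File.join(Dir.home, ".iqserver", ".iq-config")
CONFIG_KEYS      = %w[Server Username Token].freeze

# Missing file => empty config; unknown keys are dropped so a stray key cannot
# leak into a request. safe_load because the file is user-editable YAML.
def read_config(path)
  return {} unless File.file?(path)
  doc = YAML.safe_load(File.read(path)) || {}
  doc.select { |k, _| CONFIG_KEYS.include?(k) }
end

# The token is a credential: directory 0700, file 0600.
def write_config(path, username:, token:, server: nil)
  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  data = {}
  data["Server"] = server if server
  data["Username"] = username
  data["Token"] = token
  File.open(path, "w", 0o600) { |f| f.write(data.to_yaml) }
  path
end

# Command-line flags win over anything in the file; nil flags fall back.
def effective_credentials(config, user: nil, token: nil, server: nil)
  {
    server: server || config["Server"],
    username: user || config["Username"],
    token: token || config["Token"]
  }
end

# OSS Index takes HTTP Basic auth (username:token) for the higher rate limit.
# pack("m0") is strict base64 with no line breaks. Returns nil when
# unauthenticated so the caller simply omits the Authorization header.
def basic_auth_header(username, token)
  return nil if username.nil? || token.nil?
  "Basic " + ["#{username}:#{token}"].pack("m0")
end

class MissingApplicationId < StandardError; end

# No hidden default such as "testapp": an IQ scan without an explicit public
# application ID is an error the user can act on.
def require_application_id!(iq:, application:)
  return application unless iq
  if application.nil? || application.strip.empty?
    raise MissingApplicationId,
          "You need to provide a public application ID using the '--application' flag to run a Nexus IQ Server scan"
  end
  application
end

def parse_cli(argv)
  opts = { iq: false }
  OptionParser.new do |o|
    o.on("--file PATH") { |v| opts[:file] = v }
    o.on("--iq") { opts[:iq] = true }
    o.on("--application ID") { |v| opts[:application] = v }
    o.on("--user USER") { |v| opts[:user] = v }
    o.on("--token TOKEN") { |v| opts[:token] = v }
    o.on("--server URL") { |v| opts[:server] = v }
  end.parse!(argv.dup)
  opts
end

if $PROGRAM_NAME == __FILE__
  opts = parse_cli(ARGV)
  cfg = read_config(opts[:iq] ? IQ_CONFIG : OSS_INDEX_CONFIG)
  creds = effective_credentials(cfg, user: opts[:user], token: opts[:token], server: opts[:server])
  require_application_id!(iq: opts[:iq], application: opts[:application])
  puts "auth header present: #{!basic_auth_header(creds[:username], creds[:token]).nil?}"
end
```

Keeping the override order in one function (flag, then file, then nil) makes the precedence testable and stops the common mistake where a config-file token silently wins over the one a CI job injected on the command line.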