chelsea 0.0.11 → 0.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c64fc1b71e170403212d48a6882293c42c80b4d034e06fe4968736ec5256e84
-  data.tar.gz: a65ca2fbfb43e9f9e82b0c3e0c6ffcd42d220dee77642078c49de18a2c71e0bf
+  metadata.gz: 51aa180ab06d876ef21c119a2127745fb903c219c812e314cb526cc686b765fd
+  data.tar.gz: 279d57c44b27fefb84815357e31db7b0ff2cbdbb0a65ffcd8c1332dc8bacd60e
 SHA512:
-  metadata.gz: acaeebea469ad89aae49bdbf0cb3c89f34e2c8b83b0fbdd184d90997459c8a94a35e6575d072ec5b6eacecede3a5ebffeccee4b710d2751c6d16d17c9acdc67f
-  data.tar.gz: 85123d9942b78903df70fba3bb51288b0dc40a24e2cba7c83c43c027bc00c4948a906568b17b9ec24edbf17d27627d381b6f64e1127bdc861ac5236d29d5274b
+  metadata.gz: 4839db5a475789889a93a0e0f7e3e9ef79800dbdfee4b04001e0054607fa85127ebec6eadbb23d8870b217437559cc2c756c764a0f4993eb62831619c71002f2
+  data.tar.gz: 8905197d67b7909227c64fb943425e1493287bf60568a78aa4a0124c0e05e7bb1433744defde88934608e6476c781669567bb84166c558a59f38e67c95def91b

data/.circleci/config.yml

@@ -36,6 +36,9 @@ jobs:
       - run:
           name: Install gem
           command: gem install ./chelsea-*.gem
+      - run:
+          name: Clear cache
+          command: chelsea --clear
       - run:
           name: Dogfood
           command: chelsea --file Gemfile.lock

data/.gitignore

@@ -10,3 +10,4 @@
 
 # rspec failure tracking
 .rspec_status
+.byebug_history

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    chelsea (0.0.10)
+    chelsea (0.0.11)
       bundler (>= 1.2.0, < 3)
       ox (~> 2.13.2)
       pastel (~> 0.7.2)
@@ -15,6 +15,7 @@ GEM
   specs:
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
+    byebug (11.1.2)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
     diff-lcs (1.3)
@@ -33,7 +34,7 @@ GEM
       equatable (~> 0.6)
       tty-color (~> 0.5)
     public_suffix (4.0.3)
-    rake (10.5.0)
+    rake (12.3.3)
     rest-client (2.0.2)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
@@ -72,8 +73,9 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  byebug (~> 11.1.2)
   chelsea!
-  rake (~> 10.0)
+  rake (~> 12.3)
   rspec (~> 3.0)
   rspec_junit_formatter (~> 0.4.1)
   webmock (~> 3.8.3)

data/bin/chelsea

@@ -6,6 +6,7 @@ opts =
   begin
     Slop.parse do |o|
       o.string '-f', '--file', 'Path to your Gemfile.lock'
+      o.bool '-x', '--clear', 'Clear OSS Index cache'
       o.bool '-c', '--config', 'Set persistent config for OSS Index'
       o.string '-u', '--user', 'Specify OSS Index Username'
       o.string '-p', '--token', 'Specify OSS Index API Token'

data/chelsea.gemspec

@@ -43,8 +43,9 @@ Gem::Specification.new do |spec|
   spec.add_dependency "bundler", ">= 1.2.0", "< 3"
   spec.add_dependency "ox", "~> 2.13.2"
 
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", "~> 12.3"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "rspec_junit_formatter", "~> 0.4.1"
   spec.add_development_dependency "webmock", "~> 3.8.3"
+  spec.add_development_dependency "byebug", "~> 11.1.2"
 end

data/lib/chelsea/bom.rb

@@ -4,16 +4,23 @@ require 'securerandom'
 require 'ox'
 
 module Chelsea
-  # Class to convext dependencies to BOM xml
+  # Class to convert dependencies to SBOM xml
   class Bom
-    attr_accessor :xml
     def initialize(dependencies)
       @dependencies = dependencies
-      @xml = _get_xml
+    end
+
+    def collect
+      xml
+      to_s
+    end
+
+    def xml
+      @xml ||= _get_xml
     end
 
     def to_s
-      Ox.dump(@xml).to_s
+      Ox.dump(@xml)
     end
 
     def random_urn_uuid

data/lib/chelsea/cli.rb

@@ -21,9 +21,15 @@ module Chelsea
     def process!
       if @opts.config?
         _set_config # move to init
-      elsif @opts.file? # don't process unless there was a file
-        gems = _process_file
-        _submit_sbom(gems) if @opts.sbom?
+      elsif @opts.clear?
+        require_relative 'db'
+        Chelsea::DB.new().clear_cache
+        puts "OSS Index cache cleared"
+      elsif @opts.file? && @opts.iq?
+        dependencies = _process_file_iq
+        _submit_sbom(dependencies)
+      elsif @opts.file?
+        _process_file
       elsif @opts.help? # quit on opts.help earlier
         puts _cli_flags # this doesn't exist
       end
@@ -44,8 +50,13 @@ module Chelsea
           auth_token: @opts[:iqpass]
         }
       )
-      bom = Chelsea::Bom.new(gems.deps.dependencies)
-      iq.submit_sbom(bom)
+      bom = Chelsea::Bom.new(gems.deps.dependencies).collect
+
+      status_url = iq.post_sbom(bom)
+      
+      return unless status_url
+
+      iq.poll_status(status_url)
     end
 
     def _process_file
@@ -54,7 +65,16 @@ module Chelsea
         quiet: @opts[:quiet],
         options: @opts
       )
-      gems.execute # should be more like collect
+      gems.execute ? (exit 1) : (exit 0)
+    end
+
+    def _process_file_iq
+      gems = Chelsea::Gems.new(
+        file: @opts[:file],
+        quiet: @opts[:quiet],
+        options: @opts
+      )
+      gems.collect_iq
       gems
     end
 

data/lib/chelsea/config.rb

@@ -12,11 +12,13 @@ module Chelsea
   def self.config(options = {})
     if !options[:user].nil? && !options[:token].nil?
       Chelsea::OSSIndex.new(
-        oss_index_user_name: options[:user],
-        oss_index_user_token: options[:token]
+        options: {
+          oss_index_user_name: options[:user],
+          oss_index_user_token: options[:token]
+        }
       )
     else
-      Chelsea::OSSIndex.new(oss_index_config)
+      Chelsea::OSSIndex.new(options: oss_index_config)
     end
   end
 

data/lib/chelsea/db.rb

@@ -20,6 +20,15 @@ module Chelsea
       end
     end
 
+    # This method will delete all values in the pstore db
+    def clear_cache
+      @store.transaction do
+        @store.roots.each do |root|
+          @store.delete(root)
+        end
+      end
+    end
+
     def _get_db_store_location()
       initial_path = File.join(Dir.home.to_s, '.ossindex')
       Dir.mkdir(initial_path) unless File.exist? initial_path

data/lib/chelsea/deps.rb

@@ -5,9 +5,6 @@ require 'rubygems/commands/dependency_command'
 require 'json'
 require 'rest-client'
 
-require_relative 'dependency_exception'
-require_relative 'oss_index'
-
 module Chelsea
   class Deps
     def initialize(path:, quiet: false)
@@ -38,11 +35,17 @@ module Chelsea
       reverse = Gem::Commands::DependencyCommand.new
       reverse.options[:reverse_dependencies] = true
       # We want to filter the reverses dependencies by specs in lockfile
-      spec_names = @lockfile.specs.map { |i| i.to_s.split }.map { |n, _| "#{n}" }
-      reverse.reverse_dependencies(@lockfile.specs).to_h.transform_values do |reverse_dep|
-        # Add filtering if version meets range
-        reverse_dep.select { |name, dep, req, _| spec_names.include?(name.split("-")[0]) }
+      spec_names = @lockfile.specs.map { |i| i.to_s.split }.map do |n, _v|
+        n.to_s
       end
+      reverse
+        .reverse_dependencies(@lockfile.specs)
+        .to_h
+        .transform_values do |reverse_dep|
+          reverse_dep.select do |name, _dep, _req, _|
+            spec_names.include?(name.split('-')[0])
+          end
+        end
     end
 
     # Iterates over all dependencies and stores them

data/lib/chelsea/formatters/text.rb

@@ -18,6 +18,8 @@ module Chelsea
 
       i = 0
       count = server_response.count()
+      server_response.sort! {|x| x['vulnerabilities'].count}
+
       server_response.each do |r|
         i += 1
         package = r['coordinates']
@@ -29,8 +31,8 @@ module Chelsea
         if vulnerable
           response += @pastel.red("[#{i}/#{count}] - #{package} ") + @pastel.red.bold("Vulnerable.\n")
           response += _get_reverse_deps(reverse_deps, name) if reverse_deps
-          r['vulnerabilities'].each do |k, v|
-            response += _format_vuln(v)
+          r['vulnerabilities'].each do |k, _|
+            response += _format_vuln(k)
           end
         else
           if !@quiet
@@ -48,7 +50,29 @@ module Chelsea
     end
 
     def _format_vuln(vuln)
-      @pastel.red.bold("\n#{vuln}\n")
+      cvssScore = vuln['cvssScore']
+      vuln_response = "\n\tVulnerability Details:\n"
+      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tID: #{vuln['id']}\n")
+      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tTitle: #{vuln['title']}\n")
+      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tDescription: #{vuln['description']}\n")
+      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tCVSS Score: #{vuln['cvssScore']}\n")
+      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tCVSS Vector: #{vuln['cvssVector']}\n")
+      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tCVE: #{vuln['cve']}\n")
+      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tReference: #{vuln['reference']}\n\n")
+      vuln_response
+    end
+
+    def _color_based_on_cvss_score(cvssScore, text)
+      case cvssScore
+      when 0..3
+        @pastel.cyan.bold(text)    
+      when 4..5
+        @pastel.yellow.bold(text)
+      when 6..7
+        @pastel.orange.bold(text)
+      else
+        @pastel.red.bold(text)
+      end
     end
 
     def _get_reverse_deps(coords, name)

data/lib/chelsea/gems.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 require 'pastel'
-require 'tty-spinner'
 require 'bundler'
 require 'bundler/lockfile_parser'
 require 'rubygems'
@@ -10,21 +9,27 @@ require_relative 'version'
 require_relative 'formatters/factory'
 require_relative 'deps'
 require_relative 'bom'
+require_relative 'spinner'
 
 module Chelsea
+  # Class to collect and audit packages from a Gemfile.lock
   class Gems
     attr_accessor :deps
-    def initialize(file:, quiet: false, options: {'format': 'text'})
+    def initialize(file:, quiet: false, options: { 'format': 'text' })
       @quiet = quiet
       unless File.file?(file) || file.nil?
         raise 'Gemfile.lock not found, check --file path'
       end
+
       _silence_stderr if @quiet
 
       @pastel = Pastel.new
-      @formatter = FormatterFactory.new.get_formatter(format: options[:format], quiet: @quiet)
+      @formatter = FormatterFactory.new.get_formatter(
+        format: options[:format],
+        quiet: @quiet)
       @client = Chelsea.client(options)
       @deps = Chelsea::Deps.new(path: Pathname.new(file))
+      @spinner = Chelsea::Spinner.new
     end
 
     # Audits depenencies using deps library and prints results
@@ -42,6 +47,13 @@ module Chelsea
       end
       results = @formatter.get_results(server_response, reverse_dependencies)
       @formatter.do_print(results)
+
+      server_response.map { |r| r['vulnerabilities'].length.positive? }.any?
+    end
+
+    def collect_iq
+      dependencies = @deps.dependencies
+      dependencies
     end
 
     # Runs through auditing algorithm, raising exceptions
@@ -50,40 +62,40 @@ module Chelsea
       # This spinner management is out of control
       # we should wrap a block with start and stop messages,
       # or use a stack to ensure all spinners stop.
-      spinner = _spin_msg 'Parsing dependencies'
+      spin = @spinner.spin_msg 'Parsing dependencies'
 
       begin
         dependencies = @deps.dependencies
-        spinner.success('...done.')
+        spin.success('...done.')
       rescue StandardError => e
-        spinner.stop
+        spin.stop
         _print_err "Parsing dependency line #{gem} failed."
       end
 
       reverse_dependencies = @deps.reverse_dependencies
 
-      spinner = _spin_msg 'Parsing Versions'
+      spin = @spinner.spin_msg 'Parsing Versions'
       coordinates = @deps.coordinates
-      spinner.success('...done.')
-      spinner = _spin_msg 'Making request to OSS Index server'
+      spin.success('...done.')
+      spin = @spinner.spin_msg 'Making request to OSS Index server'
 
       begin
         server_response = @client.get_vulns(coordinates)
-        spinner.success('...done.')
+        spin.success('...done.')
       rescue SocketError => e
-        spinner.stop('...request failed.')
+        spin.stop('...request failed.')
         _print_err 'Socket error getting data from OSS Index server.'
       rescue RestClient::RequestFailed => e
-        spinner.stop('...request failed.')
+        spin.stop('...request failed.')
         _print_err "Error getting data from OSS Index server:#{e.response}."
       rescue RestClient::ResourceNotFound => e
-        spinner.stop('...request failed.')
+        spin.stop('...request failed.')
         _print_err 'Error getting data from OSS Index server. Resource not found.'
       rescue Errno::ECONNREFUSED => e
-        spinner.stop('...request failed.')
+        spin.stop('...request failed.')
         _print_err 'Error getting data from OSS Index server. Connection refused.'
       rescue StandardError => e
-        spinner.stop('...request failed.')
+        spin.stop('...request failed.')
         _print_err 'UNKNOWN Error getting data from OSS Index server.'
       end
       [server_response, dependencies, reverse_dependencies]
@@ -95,17 +107,6 @@ module Chelsea
       $stderr.reopen('/dev/null', 'w')
     end
 
-    def _spin_msg(msg)
-      format = "[#{@pastel.green(':spinner')}] " + @pastel.white(msg)
-      spinner = TTY::Spinner.new(
-        format,
-        success_mark: @pastel.green('+'),
-        hide_cursor: true
-      )
-      spinner.auto_spin
-      spinner
-    end
-
     def _print_err(s)
       puts @pastel.red.bold(s)
     end

data/lib/chelsea/iq_client.rb

@@ -1,8 +1,12 @@
 require 'rest-client'
 require 'json'
+require 'pastel'
+
+require_relative 'spinner'
 
 module Chelsea
   class IQClient
+
     DEFAULT_OPTIONS = {
       public_application_id: 'testapp',
       server_url: 'http://localhost:8070',
@@ -12,17 +16,26 @@ module Chelsea
     }
     def initialize(options: DEFAULT_OPTIONS)
       @options = options
+      @pastel = Pastel.new
+      @spinner = Chelsea::Spinner.new
     end
 
-    def submit_sbom(sbom)
-      @internal_application_id = _get_internal_application_id()
+    def post_sbom(sbom)
+      spin = @spinner.spin_msg "Submitting sbom to Nexus IQ Server"
+      @internal_application_id = _get_internal_application_id
       resource = RestClient::Resource.new(
         _api_url,
         user: @options[:username],
         password: @options[:auth_token]
       )
-      _headers['Content-Type'] = 'application/xml'
-      resource.post sbom.to_s, _headers
+      res = resource.post sbom.to_s, _headers.merge(content_type: 'application/xml')
+      unless res.code != 202
+        spin.success("...done.")
+        status_url(res)
+      else
+        spin.stop('...request failed.')
+        nil
+      end
     end
 
     def status_url(res)
@@ -30,16 +43,89 @@ module Chelsea
       res['statusUrl']
     end
 
+    def poll_status(url)
+      spin = @spinner.spin_msg "Polling Nexus IQ Server for results"
+      loop do
+        begin
+          res = _poll_iq_server(url)
+          if res.code == 200
+            spin.success("...done.")
+            _handle_response(res)
+            break
+          end
+        rescue
+          sleep(1)
+        end
+      end
+    end
+
     private
 
+    def _handle_response(res)
+      res = JSON.parse(res.body)
+      unless res['policyAction'] == 'Failure'
+        puts @pastel.white.bold("Hi! Chelsea here, no policy violations for this audit!")
+        puts @pastel.white.bold("Report URL: #{res['reportHtmlUrl']}")
+        exit 0
+      else
+        puts @pastel.red.bold("Hi! Chelsea here, you have some policy violations to clean up!")
+        puts @pastel.red.bold("Report URL: #{res['reportHtmlUrl']}")
+        exit 1
+      end
+    end
+
+    def _poll_iq_server(status_url)
+      resource = RestClient::Resource.new(
+        "#{@options[:server_url]}/#{status_url}",
+        user: @options[:username],
+        password: @options[:auth_token]
+      )
+
+      resource.get _headers
+    end
+
+    def status(status_url)
+      resource = RestClient::Resource.new(
+        "#{@options[:server_url]}/#{status_url}",
+        user: @options[:username],
+        password: @options[:auth_token]
+      )
+      resource.get _headers
+    end
+
+    def _status_url(res)
+      res = JSON.parse(res.body)
+      res['statusUrl']
+    end
+
+    private
+
+    def _poll_status
+      return unless @status_url
+
+      loop do
+        begin
+          res = check_status(@status_url)
+          if res.code == 200
+            puts JSON.parse(res.body)
+            break
+          end
+        rescue RestClient::ResourceNotFound => _e
+          print '.'
+          sleep(1)
+        end
+      end
+    end
+
     def _get_internal_application_id
       resource = RestClient::Resource.new(
         _internal_application_id_api_url,
-        user: @username,
-        password: @auth_token
+        user: @options[:username],
+        password: @options[:auth_token]
       )
-      res = JSON.parse(resource.get(_headers))
-      res['applications'][0]['id']
+      res = resource.get _headers
+      body = JSON.parse(res)
+      body['applications'][0]['id']
     end
 
     def _headers
@@ -47,7 +133,7 @@ module Chelsea
     end
 
     def _api_url
-      "#{@options[:server_url]}/api/v2/scan/applications/#{@@internal_application_id}/sources/chelsea"
+      "#{@options[:server_url]}/api/v2/scan/applications/#{@internal_application_id}/sources/chelsea"
     end
 
     def _internal_application_id_api_url

data/lib/chelsea/oss_index.rb

@@ -6,9 +6,13 @@ require_relative 'db'
 
 module Chelsea
   class OSSIndex
-    def initialize(oss_index_user_name: '', oss_index_user_token: '')
-      @oss_index_user_name = oss_index_user_name
-      @oss_index_user_token = oss_index_user_token
+    DEFAULT_OPTIONS = {
+      oss_index_username: '',
+      oss_index_user_token: ''
+    }
+    def initialize(options: DEFAULT_OPTIONS)
+      @oss_index_user_name = options[:oss_index_user_name]
+      @oss_index_user_token = options[:oss_index_user_token]
       @db = DB.new
     end
 
@@ -26,6 +30,7 @@ module Chelsea
         cached_server_response = cached_server_response.concat(res_json)
         @db.save_values_to_db(res_json)
       end
+
       cached_server_response
     end
 

data/lib/chelsea/spinner.rb

@@ -0,0 +1,21 @@
+require 'tty-spinner'
+require 'pastel'
+
+module Chelsea
+  class Spinner
+    def initialize()
+      @pastel = Pastel.new
+    end
+
+    def spin_msg(msg)
+      format = "[#{@pastel.green(':spinner')}] " + @pastel.white(msg)
+      spinner = TTY::Spinner.new(
+        format,
+        success_mark: @pastel.green('+'),
+        hide_cursor: true
+      )
+      spinner.auto_spin
+      spinner
+    end
+  end
+end

data/lib/chelsea/version.rb

@@ -1,3 +1,3 @@
 module Chelsea
-  VERSION = '0.0.11'.freeze
+  VERSION = '0.0.12'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.11
+  version: 0.0.12
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-17 00:00:00.000000000 Z
+date: 2020-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font
@@ -120,14 +120,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -170,6 +170,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 3.8.3
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 11.1.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 11.1.2
 description: 
 email:
 - allister.beharry@gmail.com
@@ -217,6 +231,7 @@ files:
 - lib/chelsea/gems.rb
 - lib/chelsea/iq_client.rb
 - lib/chelsea/oss_index.rb
+- lib/chelsea/spinner.rb
 - lib/chelsea/version.rb
 homepage: https://github.com/sonatype-nexus-community/chelsea
 licenses: