chelsea 0.0.14 → 0.0.19

data/lib/chelsea/formatters/text.rb

@@ -1,47 +1,68 @@
+#
+# Copyright 2019-Present Sonatype Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 require 'pastel'
+require 'tty-table'
 require_relative 'formatter'
 
 module Chelsea
   class TextFormatter < Formatter
-    def initialize(quiet: false)
-      @quiet = quiet
+    def initialize(options)
+      @options = options
       @pastel = Pastel.new
     end
 
     def get_results(server_response, reverse_dependencies)
-      response = String.new
-      if !@quiet
+      response = ''
+      if @options[:verbose]
         response += "\n"\
         "Audit Results\n"\
         "=============\n"
       end
 
-      i = 0
-      count = server_response.count()
-      server_response.sort! {|x| x['vulnerabilities'].count}
-
-      server_response.each do |r|
-        i += 1
-        package = r['coordinates']
-        vulnerable = r['vulnerabilities'].length.positive?
-        coord = r['coordinates'].sub('pkg:gem/', '')
-        name = coord.split('@')[0]
-        version = coord.split('@')[1]
+      vuln_count = server_response.count do |vuln|
+        vuln['vulnerabilities'].length.positive?
+      end
+      server_response.sort! { |x| x['vulnerabilities'].count }
+      server_response.each.with_index do |r, idx|
+        name, version = r['coordinates'].sub('pkg:gem/', '').split('@')
         reverse_deps = reverse_dependencies["#{name}-#{version}"]
-        if vulnerable
-          response += @pastel.red("[#{i}/#{count}] - #{package} ") + @pastel.red.bold("Vulnerable.\n")
+        if r['vulnerabilities'].length.positive?
+          response += @pastel.red(
+            "[#{idx}/#{server_response.count}] - #{r['coordinates']} "
+          )
+          response += @pastel.red.bold("Vulnerable.\n")
           response += _get_reverse_deps(reverse_deps, name) if reverse_deps
           r['vulnerabilities'].each do |k, _|
             response += _format_vuln(k)
           end
-        else
-          if !@quiet
-            response += @pastel.white("[#{i}/#{count}] - #{package} ") + @pastel.green.bold("No vulnerabilities found!\n")
-            response += _get_reverse_deps(reverse_deps, name) if reverse_deps
-          end
+        elsif @options[:verbose]
+          response += @pastel.white(
+            "[#{idx}/#{server_response.count}] - #{r['coordinates']} "
+          )
+          response += @pastel.green.bold("No vulnerabilities found!\n")
+          response += _get_reverse_deps(reverse_deps, name) if reverse_deps
         end
       end
 
+      table = TTY::Table.new(
+        ['Dependencies Audited', 'Vulnerable Dependencies'],
+        [[server_response.count, vuln_count]]
+      )
+      response += table.render(:unicode)
       response
     end
 
@@ -49,34 +70,44 @@ module Chelsea
       puts results
     end
 
+    private
+
     def _format_vuln(vuln)
-      cvssScore = vuln['cvssScore']
       vuln_response = "\n\tVulnerability Details:\n"
-      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tID: #{vuln['id']}\n")
-      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tTitle: #{vuln['title']}\n")
-      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tDescription: #{vuln['description']}\n")
-      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tCVSS Score: #{vuln['cvssScore']}\n")
-      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tCVSS Vector: #{vuln['cvssVector']}\n")
-      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tCVE: #{vuln['cve']}\n")
-      vuln_response += _color_based_on_cvss_score(cvssScore, "\n\tReference: #{vuln['reference']}\n\n")
+      _color_method = _color_based_on_cvss_score(vuln['cvssScore'])
+      _report_lines(vuln).each do |line|
+        vuln_response += _color_method(line)
+      end
       vuln_response
     end
 
-    def _color_based_on_cvss_score(cvssScore, text)
-      case cvssScore
+    def _report_lines(vuln)
+      [
+        "\n\tID: #{vuln['id']}\n",
+        "\n\tTitle: #{vuln['title']}\n",
+        "\n\tDescription: #{vuln['description']}\n",
+        "\n\tCVSS Score: #{vuln['cvssScore']}\n",
+        "\n\tCVSS Vector: #{vuln['cvssVector']}\n",
+        "\n\tCVE: #{vuln['cve']}\n",
+        "\n\tReference: #{vuln['reference']}\n\n"
+      ]
+    end
+
+    def _color_based_on_cvss_score(cvss_score)
+      case cvss_score
       when 0..3
-        @pastel.cyan.bold(text)    
+        @pastel.cyan.bold
       when 4..5
-        @pastel.yellow.bold(text)
+        @pastel.yellow.bold
       when 6..7
-        @pastel.orange.bold(text)
+        @pastel.orange.bold
       else
-        @pastel.red.bold(text)
+        @pastel.red.bold
       end
     end
 
     def _get_reverse_deps(coords, name)
-      coords.each_with_object(String.new) do |dep, s|
+      coords.each_with_object('') do |dep, s|
         dep.each do |gran|
           if gran.class == String && !gran.include?(name)
             s << "\tRequired by: #{gran}\n"

data/lib/chelsea/formatters/xml.rb

@@ -1,3 +1,19 @@
+#
+# Copyright 2019-Present Sonatype Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 require 'ox'
 require_relative 'formatter'
 module Chelsea
@@ -15,8 +31,8 @@ module Chelsea
       doc << instruct
 
       testsuite = Ox::Element.new('testsuite')
-      testsuite[:name] = "purl"
-      testsuite[:tests] = server_response.count()
+      testsuite[:name] = 'purl'
+      testsuite[:tests] = server_response.count
       doc << testsuite
 
       server_response.each do |coord|
@@ -24,14 +40,15 @@ module Chelsea
         testcase[:classname] = coord["coordinates"]
         testcase[:name] = coord["coordinates"]
 
-        if coord["vulnerabilities"].length() > 0
+        if coord['vulnerabilities'].length.positive?
           failure = Ox::Element.new('failure')
           failure[:type] = "Vulnerable Dependency"
           failure << get_vulnerability_block(coord["vulnerabilities"])
           testcase << failure
+          testsuite << testcase
+        elsif @options[:verbose]
+          testsuite << testcase
         end
-
-        testsuite << testcase
       end
 
       doc

data/lib/chelsea/gems.rb

@@ -1,3 +1,19 @@
+#
+# Copyright 2019-Present Sonatype Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 # frozen_string_literal: true
 require 'pastel'
 require 'bundler'
@@ -15,18 +31,19 @@ module Chelsea
   # Class to collect and audit packages from a Gemfile.lock
   class Gems
     attr_accessor :deps
-    def initialize(file:, quiet: false, options: { 'format': 'text' })
-      @quiet = quiet
+    def initialize(file:, verbose:, options: { 'format': 'text' })
+      @verbose = verbose
       unless File.file?(file) || file.nil?
         raise 'Gemfile.lock not found, check --file path'
       end
 
-      _silence_stderr if @quiet
+      _silence_stderr unless @verbose
 
       @pastel = Pastel.new
       @formatter = FormatterFactory.new.get_formatter(
         format: options[:format],
-        quiet: @quiet)
+        verbose: verbose
+      )
       @client = Chelsea.client(options)
       @deps = Chelsea::Deps.new(path: Pathname.new(file))
       @spinner = Chelsea::Spinner.new
@@ -42,7 +59,7 @@ module Chelsea
         return
       end
       if server_response.nil?
-        _print_err 'No vulnerability data retrieved from server. Exiting.'
+        _print_success 'No vulnerability data retrieved from server. Exiting.'
         return
       end
       results = @formatter.get_results(server_response, reverse_dependencies)
@@ -78,6 +95,7 @@ module Chelsea
       coordinates = @deps.coordinates
       spin.success('...done.')
       spin = @spinner.spin_msg 'Making request to OSS Index server'
+      spin.stop
 
       begin
         server_response = @client.get_vulns(coordinates)
@@ -94,9 +112,6 @@ module Chelsea
       rescue Errno::ECONNREFUSED => e
         spin.stop('...request failed.')
         _print_err 'Error getting data from OSS Index server. Connection refused.'
-      rescue StandardError => e
-        spin.stop('...request failed.')
-        _print_err 'UNKNOWN Error getting data from OSS Index server.'
       end
       [server_response, dependencies, reverse_dependencies]
     end

data/lib/chelsea/iq_client.rb

@@ -1,3 +1,19 @@
+#
+# Copyright 2019-Present Sonatype Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 require 'rest-client'
 require 'json'
 require 'pastel'

data/lib/chelsea/oss_index.rb

@@ -1,3 +1,19 @@
+#
+# Copyright 2019-Present Sonatype Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 # frozen_string_literal: true
 
 require_relative 'config'
@@ -26,7 +42,7 @@ module Chelsea
       end
 
       remaining_coordinates['coordinates'].each_slice(128).to_a.each do |coords|
-        res_json = call_oss_index({ 'coordinates' => coords })
+        res_json = JSON.parse(call_oss_index({ 'coordinates' => coords }))
         cached_server_response = cached_server_response.concat(res_json)
         @db.save_values_to_db(res_json)
       end
@@ -36,7 +52,7 @@ module Chelsea
 
     def call_oss_index(coords)
       r = _resource.post coords.to_json, _headers
-      r.code == 200 ? JSON.parse(r.body) : {}
+      r.code == 200 ? r.body : {}
     end
 
     private
@@ -67,7 +83,7 @@ module Chelsea
           password: @oss_index_user_token
         )
       else
-        RestClient::Resource.new _api_url
+        RestClient::Resource.new(_api_url)
       end
     end
 

data/lib/chelsea/spinner.rb

@@ -1,3 +1,19 @@
+#
+# Copyright 2019-Present Sonatype Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 require 'tty-spinner'
 require 'pastel'
 

data/lib/chelsea/version.rb

@@ -1,3 +1,19 @@
+#
+# Copyright 2019-Present Sonatype Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
 module Chelsea
-  VERSION = '0.0.14'.freeze
+  VERSION = '0.0.19'.freeze
 end

data/license-excludes.xml

@@ -0,0 +1,12 @@
+<excludes>
+  <exclude>src/.circleci/circleci-readme.md</exclude>
+  <exclude>src/.github/**</exclude>
+  <exclude>src/.vscode/**</exclude>
+  <exclude>src/Gemfile</exclude>
+  <exclude>src/Gemfile.lock</exclude>
+  <exclude>src/.rspec</exclude>
+  <exclude>src/spec/testdata/**</exclude>
+  <exclude>src/chelsea.gemspec</exclude>
+  <exclude>src/CODE_OF_CONDUCT.md</exclude>
+  <exclude>src/CONTRIBUTORS.md</exclude>
+</excludes>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.14
+  version: 0.0.19
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-22 00:00:00.000000000 Z
+date: 2020-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font
@@ -114,6 +114,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.13.2
+- !ruby/object:Gem::Dependency
+  name: tty-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.11.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -184,6 +198,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 11.1.2
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: 
 email:
 - allister.beharry@gmail.com
@@ -206,9 +234,11 @@ files:
 - ".vscode/launch.json"
 - CODE_OF_CONDUCT.md
 - CONTRIBUTORS.md
+- Dockerfile
 - Gemfile
 - Gemfile.lock
-- LICENSE.txt
+- Jenkinsfile
+- LICENSE
 - README.md
 - Rakefile
 - bin/chelsea
@@ -217,6 +247,7 @@ files:
 - chelsea
 - chelsea.gemspec
 - docs/images/chelsea.png
+- header.txt
 - lib/chelsea.rb
 - lib/chelsea/bom.rb
 - lib/chelsea/cli.rb
@@ -234,9 +265,10 @@ files:
 - lib/chelsea/oss_index.rb
 - lib/chelsea/spinner.rb
 - lib/chelsea/version.rb
+- license-excludes.xml
 homepage: https://github.com/sonatype-nexus-community/chelsea
 licenses:
-- MIT
+- Apache-2.0
 metadata:
   homepage_uri: https://github.com/sonatype-nexus-community/chelsea
   source_code_uri: https://github.com/sonatype-nexus-community/chelsea