chelsea 0.0.19 → 0.0.24

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a44baa47f70b877e0f6b8051962bf0c66eae508bb0fa148d47056b7d5dfdf6bb
-  data.tar.gz: 5565acd13beccaab790612682ae19d50a8b9c4427f83692476ffcbe6ddd5425c
+  metadata.gz: 1f51bc9ebee4f9d00b5c0ddda4c45c692864946b5adde386871f1d5bdbd90782
+  data.tar.gz: ed391b804442208428439d285009b0344215d71789bc71d6e55685c08356bb5a
 SHA512:
-  metadata.gz: 50c1634dae11bd146bbf734706abc60b3c06bb6cab1bb177cbf5e98c528c4d1dd25a0a9fd4d47719b3887dc4aaf9ce7a5f42126d7973b1008eac4c87c99cdd7b
-  data.tar.gz: f8db897e7a16e5f87b8a3f3f0f7a8ae98541d058922c54d4d580fbe36763e128f3b30f9f8cde5f138b410af172208d3948025ee9342858113ab31ea1fe1ac51c
+  metadata.gz: e1bbc05ec99c96ed359aa98a704338f7351780d170f74f09a8e1d4a3b61fb68fc7ba217534ebd8fc56ee05e194820add3601d13eed74cc42f2b6d4c90ba70cb7
+  data.tar.gz: c0c8025f8cc54425e31ff9cd703c743f8b4a7b3c10c023a3da04ad4d6d7b3b38092cf061dd8239e49410ba10ea8707bf28151ae9d52e23459146821838edc054

data/.circleci/circleci-readme.md

@@ -0,0 +1,28 @@
+CI Debug Notes
+================
+To validate some circleci stuff, I was able to run a “build locally” using the steps below.
+The local build runs in a docker container.
+
+  * (Once) Install circleci client (`brew install circleci`)
+
+  * Convert the “real” config.yml into a self contained (non-workspace) config via:
+
+        circleci config process .circleci/config.yml > .circleci/local-config.yml
+
+  * Run a local build with the following command:
+          
+        circleci local execute -c .circleci/local-config.yml --job 'build'
+
+    Typically both commands are run together:
+    
+        circleci config process .circleci/config.yml > .circleci/local-config.yml && circleci local execute -c .circleci/local-config.yml --job 'build'
+    
+    With the above command, operations that cannot occur during a local build will show an error like this:
+     
+      ```
+      ... Error: FAILED with error not supported
+      ```
+    
+      However, the build will proceed and can complete “successfully”, which allows you to verify scripts in your config, etc.
+      
+      If the build does complete successfully, you should see a happy yellow `Success!` message.

data/.gitignore

@@ -12,3 +12,6 @@
 .rspec_status
 .byebug_history
 .ruby-version
+
+# ci config for local ci build
+.circleci/local-config.yml

data/Jenkinsfile

@@ -32,12 +32,12 @@ dockerizedBuildPipeline(
         sh '''
         gem build chelsea.gemspec
         gem install ./chelsea-*.gem
-        chelsea --file Gemfile.lock -b -a chelsea -iu $IQ_USERNAME -it $IQ_PASSWORD -i https://policy.ci.sonatype.dev
+        chelsea --file Gemfile.lock -b -a chelsea -iu $IQ_USERNAME -it $IQ_PASSWORD -i https://policy.ci.sonatype.dev --stage stage-release
         '''
       }
     })
   },
-  testResults: [ 'test-results/rspec.xml' ],
+  testResults: [ 'test_results/rspec.xml' ],
   onSuccess: {
     githubStatusUpdate('success')
   },

data/README.md

@@ -38,21 +38,10 @@ $ gem install chelsea
 ```
 
 ```
-$ chelsea 
- _____  _            _                   
-/  __ \| |          | |                  
-| /  \/| |__    ___ | | ___   ___   __ _ 
-| |    | '_ \  / _ \| |/ __| / _ \ / _` |
-| \__/\| | | ||  __/| |\__ \|  __/| (_| |
- \____/|_| |_| \___||_||___/ \___| \__,_|
-                                         
-                                         
-Version: 0.0.11
-
-usage: chelsea [options] ...
-
-Options:
+$ chelsea --help
+usage: /usr/local/bin/chelsea [options]
     -f, --file         Path to your Gemfile.lock
+    -x, --clear        Clear OSS Index cache
     -c, --config       Set persistent config for OSS Index
     -u, --user         Specify OSS Index Username
     -p, --token        Specify OSS Index API Token
@@ -61,9 +50,10 @@ Options:
     -iu, --iquser      Specify the IQ username
     -it, --iqpass      Specify the IQ auth token
     -w, --whitelist    Set path to vulnerability whitelist file
-    -q, --quiet        Make chelsea only output vulnerable third party dependencies for text output (default: false)
+    -v, --verbose      For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)
     -t, --format       Choose what type of format you want your report in (default: text) (options: text, json, xml)
     -b, --iq           Use Nexus IQ Server to audit your project
+    -s, --stage        Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)
     --version          Print the version
     -h, --help         Show usage
 ```
@@ -96,35 +86,6 @@ Audit Results
 
 Audit Results will show a list of your third party dependencies, their reverse dependencies (so what brought them in to your project), and if they are vulnerable or not.
 
-### Quiet usage
-
-Running with `--quiet` will only output any vulnerable dependencies found, similar to:
-
-```
- _____  _            _                   
-/  __ \| |          | |                  
-| /  \/| |__    ___ | | ___   ___   __ _ 
-| |    | '_ \  / _ \| |/ __| / _ \ / _` |
-| \__/\| | | ||  __/| |\__ \|  __/| (_| |
- \____/|_| |_| \___||_||___/ \___| \__,_|
-                                         
-                                         
-Version: 0.0.11
-[15/31] - pkg:gem/rake@10.5.0 Vulnerable.
-        Required by: domain_name-0.5.20190701
-        Required by: equatable-0.6.1
-        Required by: pastel-0.7.3
-        Required by: public_suffix-4.0.3
-        Required by: rspec_junit_formatter-0.4.1
-        Required by: slop-4.8.1
-        Required by: slop-4.8.0
-        Required by: unf-0.1.4
-        Required by: unf_ext-0.0.7.7
-        Required by: unf_ext-0.0.7.6
-```
-
-This can be useful if you are only interested in seeing your vulnerable dependencies, and not the whole list.
-
 ### Usage with Formatters
 
 Chelsea can be run with a number of different formatters:
@@ -174,7 +135,37 @@ Report URL: http://localhost:8070/ui/links/application/testapp/report/0e0f469269
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+We suggest using [rbenv](https://github.com/rbenv/rbenv) to setup a reliable ruby development environment.
+
+Follow the [installation steps](https://github.com/rbenv/rbenv#installation). 
+For macos (10.15.7), there was a problem with step 2, with: `$ rbenv init`. The command 
+printed suggested editing `~/.bashrc`; however, this did not work in our case (even after an OS reboot),
+and we had to instead edit `~/bash_profile`. To sanity check your installation, you should see the 
+`.rbenv` directory early in your PATH, e.g.:
+```
+$ echo $PATH
+/Users/<username>/.rbenv/shims:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:...
+``` 
+ 
+We are using ruby version 2.6.6, but newer versions should also work.
+```
+rbenv install 2.6.6
+``` 
+
+Install `bundler`:
+```
+gem install bundler
+```
+
+Install dependencies:
+```
+bundle install
+```
+
+Run tests:
+```
+bundle exec rspec
+```
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 

data/bin/chelsea

@@ -31,9 +31,10 @@ opts =
       o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
       o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
       o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
-      o.bool '-v', '--verbose', 'Make chelsea only output vulnerable third party dependencies for text output (default: true)', default: false 
+      o.bool '-v', '--verbose', 'For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)', default: false
       o.string '-t', '--format', 'Choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
       o.bool '-b', '--iq', 'Use Nexus IQ Server to audit your project'
+      o.string '-s', '--stage', 'Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)', default: 'build'
       o.on '--version', 'Print the version' do
           puts Chelsea::VERSION
           exit

data/lib/chelsea/cli.rb

@@ -63,7 +63,8 @@ module Chelsea
           public_application_id: @opts[:application],
           server_url: @opts[:server],
           username: @opts[:iquser],
-          auth_token: @opts[:iqpass]
+          auth_token: @opts[:iqpass],
+          stage: @opts[:stage]
         }
       )
       bom = Chelsea::Bom.new(gems.deps.dependencies).collect

data/lib/chelsea/iq_client.rb

@@ -28,7 +28,8 @@ module Chelsea
       server_url: 'http://localhost:8070',
       username: 'admin',
       auth_token: 'admin123',
-      internal_application_id: ''
+      internal_application_id: '',
+      stage: 'build'
     }
     def initialize(options: DEFAULT_OPTIONS)
       @options = options
@@ -149,7 +150,7 @@ module Chelsea
     end
 
     def _api_url
-      "#{@options[:server_url]}/api/v2/scan/applications/#{@internal_application_id}/sources/chelsea"
+      "#{@options[:server_url]}/api/v2/scan/applications/#{@internal_application_id}/sources/chelsea?stageId=#{@options[:stage]}"
     end
 
     def _internal_application_id_api_url

data/lib/chelsea/version.rb

@@ -15,5 +15,5 @@
 #
 
 module Chelsea
-  VERSION = '0.0.19'.freeze
+  VERSION = '0.0.24'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.19
+  version: 0.0.24
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-11 00:00:00.000000000 Z
+date: 2020-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font
@@ -218,10 +218,10 @@ email:
 executables:
 - chelsea
 - console
-- setup
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/circleci-readme.md"
 - ".circleci/config.yml"
 - ".circleci/setup-rubygems.sh"
 - ".github/CONTRIBUTING.md"
@@ -243,7 +243,6 @@ files:
 - Rakefile
 - bin/chelsea
 - bin/console
-- bin/setup
 - chelsea
 - chelsea.gemspec
 - docs/images/chelsea.png

data/bin/setup

@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright 2019-Present Sonatype Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here