chelsea 0.0.20 → 0.0.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64783b583be55563a644a1c8eec06c6b07265bb88db9b171caa01a1329c359b9
-  data.tar.gz: 20adbf427970a872053481b3420fddb7b13fb338e2ba2b683f26258d52eaa6a4
+  metadata.gz: d0cad312125f51e22e8e68644fec85a33a065fcf95fbf38539d65d0bddf0bd9f
+  data.tar.gz: 49565480567c9cd6b52224fdf1597deaf606f3caaf22cb4a4fd4c783d466d045
 SHA512:
-  metadata.gz: d457980c0f7462d7db67847dfecb744e35e7376fd5776af50fb57aa28f4af32adaf215ff5be7ba99af75f17586641d4a2f39415899c114b88318fe7bf57ba8c4
-  data.tar.gz: 7867281a4549324ae3093f177f6caf473132bd272af8d323dc93ad88df35462fa93bb4bf3a090e1772bf078b3b50b43ad69453235ad451ed4075f8e60e81fa48
+  metadata.gz: 2a10c30b4962c7e6f62409427659638db4a2d1388f8bd208534212228b4468fd9d5d6647cab681c30441fcd20ef398b49d3ee2aa80495d09acf06d22bcad504f
+  data.tar.gz: 7c3744d4c0a04c8ad6bccd85b5c33f65c6417bf9d1510ceed83f274e452129c6e56abef7e921c6d36034601d06f7bb31c2ebd2d1e8d19271cd914ad8e621b4fe

data/.circleci/circleci-readme.md

@@ -0,0 +1,28 @@
+CI Debug Notes
+================
+To validate some circleci stuff, I was able to run a “build locally” using the steps below.
+The local build runs in a docker container.
+
+  * (Once) Install circleci client (`brew install circleci`)
+
+  * Convert the “real” config.yml into a self contained (non-workspace) config via:
+
+        circleci config process .circleci/config.yml > .circleci/local-config.yml
+
+  * Run a local build with the following command:
+          
+        circleci local execute -c .circleci/local-config.yml --job 'build'
+
+    Typically both commands are run together:
+    
+        circleci config process .circleci/config.yml > .circleci/local-config.yml && circleci local execute -c .circleci/local-config.yml --job 'build'
+    
+    With the above command, operations that cannot occur during a local build will show an error like this:
+     
+      ```
+      ... Error: FAILED with error not supported
+      ```
+    
+      However, the build will proceed and can complete “successfully”, which allows you to verify scripts in your config, etc.
+      
+      If the build does complete successfully, you should see a happy yellow `Success!` message.

data/.gitignore

@@ -12,3 +12,6 @@
 .rspec_status
 .byebug_history
 .ruby-version
+
+# ci config for local ci build
+.circleci/local-config.yml

data/Jenkinsfile

@@ -32,7 +32,7 @@ dockerizedBuildPipeline(
         sh '''
         gem build chelsea.gemspec
         gem install ./chelsea-*.gem
-        chelsea --file Gemfile.lock -b -a chelsea -iu $IQ_USERNAME -it $IQ_PASSWORD -i https://policy.ci.sonatype.dev
+        chelsea --file Gemfile.lock -b -a chelsea -iu $IQ_USERNAME -it $IQ_PASSWORD -i https://policy.ci.sonatype.dev --stage stage-release
         '''
       }
     })

data/README.md

@@ -38,21 +38,10 @@ $ gem install chelsea
 ```
 
 ```
-$ chelsea 
- _____  _            _                   
-/  __ \| |          | |                  
-| /  \/| |__    ___ | | ___   ___   __ _ 
-| |    | '_ \  / _ \| |/ __| / _ \ / _` |
-| \__/\| | | ||  __/| |\__ \|  __/| (_| |
- \____/|_| |_| \___||_||___/ \___| \__,_|
-                                         
-                                         
-Version: 0.0.11
-
-usage: chelsea [options] ...
-
-Options:
+$ chelsea --help
+usage: /usr/local/bin/chelsea [options]
     -f, --file         Path to your Gemfile.lock
+    -x, --clear        Clear OSS Index cache
     -c, --config       Set persistent config for OSS Index
     -u, --user         Specify OSS Index Username
     -p, --token        Specify OSS Index API Token
@@ -61,9 +50,10 @@ Options:
     -iu, --iquser      Specify the IQ username
     -it, --iqpass      Specify the IQ auth token
     -w, --whitelist    Set path to vulnerability whitelist file
-    -q, --quiet        Make chelsea only output vulnerable third party dependencies for text output (default: false)
+    -v, --verbose      For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)
     -t, --format       Choose what type of format you want your report in (default: text) (options: text, json, xml)
     -b, --iq           Use Nexus IQ Server to audit your project
+    -s, --stage        Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)
     --version          Print the version
     -h, --help         Show usage
 ```
@@ -96,35 +86,6 @@ Audit Results
 
 Audit Results will show a list of your third party dependencies, their reverse dependencies (so what brought them in to your project), and if they are vulnerable or not.
 
-### Quiet usage
-
-Running with `--quiet` will only output any vulnerable dependencies found, similar to:
-
-```
- _____  _            _                   
-/  __ \| |          | |                  
-| /  \/| |__    ___ | | ___   ___   __ _ 
-| |    | '_ \  / _ \| |/ __| / _ \ / _` |
-| \__/\| | | ||  __/| |\__ \|  __/| (_| |
- \____/|_| |_| \___||_||___/ \___| \__,_|
-                                         
-                                         
-Version: 0.0.11
-[15/31] - pkg:gem/rake@10.5.0 Vulnerable.
-        Required by: domain_name-0.5.20190701
-        Required by: equatable-0.6.1
-        Required by: pastel-0.7.3
-        Required by: public_suffix-4.0.3
-        Required by: rspec_junit_formatter-0.4.1
-        Required by: slop-4.8.1
-        Required by: slop-4.8.0
-        Required by: unf-0.1.4
-        Required by: unf_ext-0.0.7.7
-        Required by: unf_ext-0.0.7.6
-```
-
-This can be useful if you are only interested in seeing your vulnerable dependencies, and not the whole list.
-
 ### Usage with Formatters
 
 Chelsea can be run with a number of different formatters:
@@ -174,7 +135,37 @@ Report URL: http://localhost:8070/ui/links/application/testapp/report/0e0f469269
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+We suggest using [rbenv](https://github.com/rbenv/rbenv) to setup a reliable ruby development environment.
+
+Follow the [installation steps](https://github.com/rbenv/rbenv#installation). 
+For macos (10.15.7), there was a problem with step 2, with: `$ rbenv init`. The command 
+printed suggested editing `~/.bashrc`; however, this did not work in our case (even after an OS reboot),
+and we had to instead edit `~/bash_profile`. To sanity check your installation, you should see the 
+`.rbenv` directory early in your PATH, e.g.:
+```
+$ echo $PATH
+/Users/<username>/.rbenv/shims:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:...
+``` 
+ 
+We are using ruby version 2.6.6, but newer versions should also work.
+```
+rbenv install 2.6.6
+``` 
+
+Install `bundler`:
+```
+gem install bundler
+```
+
+Install dependencies:
+```
+bundle install
+```
+
+Run tests:
+```
+bundle exec rspec
+```
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 

data/SECURITY.md

@@ -0,0 +1,79 @@
+<!--
+
+    Copyright (c) 2011-present Sonatype, Inc. All rights reserved.
+    Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
+    "Sonatype" is a trademark of Sonatype, Inc.
+
+-->
+
+# Reporting Security Vulnerabilities
+
+## When to report
+
+First check
+[Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories)
+to see if this has been previously reported.
+
+## How to report
+
+Please email reports regarding security related issues you find to [mailto:security@sonatype.com](security@sonatype.com).
+
+Use our public key below to keep your message safe.
+
+## What to include
+
+Please use a descriptive subject line in your email report.
+
+Your name and/or affiliation.
+
+A detailed technical description of the vulnerability, attack scenario and where
+possible, how we can reproduce your findings.
+
+Provide us with a secure way to respond.
+
+## What to expect
+
+Your email will be acknowledged within 1 - 2 business days, and you'll receive a
+more detailed response to your email within 7 business days.
+
+We ask that everyone please follow responsible disclosure practices and allow
+time for us to release a fix prior to public release.
+
+Once an issue is reported, Sonatype uses the following disclosure process:
+
+When a report is received, we confirm the issue and determine its severity.
+
+If third-party services or software require mitigation before publication, those
+projects will be notified.
+
+## Our public key
+
+```console
+-----BEGIN PUBLIC KEY BLOCK-----
+mQENBFF+a9ABCADQWSAAU7w9i71Zn3TQ6k7lT9x57cRdtX7V709oeN/c/1it+gCw
+onmmCyf4ypor6XcPSOasp/x0s3hVuf6YfMbI0tSwJUWWihrmoPGIXtmiSOotQE0Q
+Sav41xs3YyI9LzQB4ngZR/nhp4YhioD1dVorD6LGXk08rvl2ikoqHwTagbEXZJY7
+3VYhW6JHbZTLwCsfyg6uaSYF1qXfUxHPOiHYKNbhK/tM3giX+9ld/7xi+9f4zEFQ
+eX9wcRTdgdDOAqDOK7MV30KXagSqvW0MgEYtKX6q4KjjRzBYjkiTdFW/yMXub/Bs
+5UckxHTCuAmvpr5J0HIUeLtXi1QCkijyn8HJABEBAAG0KVNvbmF0eXBlIFNlY3Vy
+aXR5IDxzZWN1cml0eUBzb25hdHlwZS5jb20+iQE4BBMBAgAiBQJRfmvQAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAgkmxsNtgwfUzbCACLtCgieq1kJOqo
+2i136ND5ZOj31zIzNENLn8dhSg5zQwTHOcntWAtS8uCNq4fSlslwvlbPYWTLD7fE
+iJn1z7BCU8gBk+pkAJJFWEPweMVt+9bYQ4HfKceGbJeuwBBhS34SK9ZIp9gfxxfA
+oTm0aGYwKR5wH3sqL/mrhwKhPt9wXR4qwlE635STEX8wzJ5SBqf3ArJUtCp1rzgR
+Dx+DiZed5HE1pOI2Kyb6O80bm485WThPXxpvp3bfzTNYoGzeLi/F7WkmgggkXxsT
+Pyd0sSx0B/MO4lJtQvEBlIHDFno9mXa30fKl+rzp2geG5UxNHJUjaC5JhfWLEXEX
+wV0ErBsmuQENBFF+a9ABCADXj04+GLIz8VCaZH554nUHEhaKoiIXH3Tj7UiMZDqy
+o4WIw2RFaCQNA8T0R5Q0yxINU146JQMbA2SN59AGcGYZcajyEvTR7tLG0meMO6S0
+JWpkX7s3xaC0s+5SJ/ba00oHGzW0aotgzG9BWA5OniNHK7zZKMVu7M80M/wB1RvK
+x775hAeJ+8F9MDJ+ijydBtaOfDdkbg+0kU1xR6Io+vVLPk38ghlWU8QFP4/B0oWi
+jK4xiDqK6cG7kyH9kC9nau+ckH8MrJ/RzEpsc4GRwqS4IEnvHWe7XbgydWS1bCp6
+8uP5ma3d02elQmSEa+PABIPKnZcAf1YKLr9O/+IzEdOhABEBAAGJAR8EGAECAAkF
+AlF+a9ACGwwACgkQIJJsbDbYMH3WzAf/XOm4YQZFOgG2h9d03m8me8d1vrYico+0
+pBYU9iCozLgamM4er9Efb+XzfLvNVKuqyR0cgvGszukIPQYeX58DMrZ07C+E0wDZ
+bG+ZAYXT5GqsHkSVnMCVIfyJNLjR4sbVzykyVtnccBL6bP3jxbCP1jJdT7bwiKre
+1jQjvyoL0yIegdiN/oEdmx52Fqjt4NkQsp4sk625UBFTVISr22bnf60ZIGgrRbAP
+DU1XMdIrmqmhEEQcXMp4CeflDMksOmaIeAUkZY7eddnXMwQDJTnz5ziCal+1r0R3
+dh0XISRG0NkiLEXeGkrs7Sn7BAAsTsaH/1zU6YbvoWlMlHYT6EarFQ== =sFGt
+-----END PUBLIC KEY BLOCK-----
+```

data/bin/chelsea

@@ -31,9 +31,10 @@ opts =
       o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
       o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
       o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
-      o.bool '-v', '--verbose', 'Make chelsea only output vulnerable third party dependencies for text output (default: true)', default: false 
+      o.bool '-v', '--verbose', 'For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)', default: false
       o.string '-t', '--format', 'Choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
       o.bool '-b', '--iq', 'Use Nexus IQ Server to audit your project'
+      o.string '-s', '--stage', 'Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)', default: 'build'
       o.on '--version', 'Print the version' do
           puts Chelsea::VERSION
           exit

data/lib/chelsea/cli.rb

@@ -63,7 +63,8 @@ module Chelsea
           public_application_id: @opts[:application],
           server_url: @opts[:server],
           username: @opts[:iquser],
-          auth_token: @opts[:iqpass]
+          auth_token: @opts[:iqpass],
+          stage: @opts[:stage]
         }
       )
       bom = Chelsea::Bom.new(gems.deps.dependencies).collect

data/lib/chelsea/iq_client.rb

@@ -28,7 +28,8 @@ module Chelsea
       server_url: 'http://localhost:8070',
       username: 'admin',
       auth_token: 'admin123',
-      internal_application_id: ''
+      internal_application_id: '',
+      stage: 'build'
     }
     def initialize(options: DEFAULT_OPTIONS)
       @options = options
@@ -149,7 +150,7 @@ module Chelsea
     end
 
     def _api_url
-      "#{@options[:server_url]}/api/v2/scan/applications/#{@internal_application_id}/sources/chelsea"
+      "#{@options[:server_url]}/api/v2/scan/applications/#{@internal_application_id}/sources/chelsea?stageId=#{@options[:stage]}"
     end
 
     def _internal_application_id_api_url

data/lib/chelsea/version.rb

@@ -15,5 +15,5 @@
 #
 
 module Chelsea
-  VERSION = '0.0.20'.freeze
+  VERSION = '0.0.25'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.20
+  version: 0.0.25
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-11 00:00:00.000000000 Z
+date: 2020-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font
@@ -218,10 +218,10 @@ email:
 executables:
 - chelsea
 - console
-- setup
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/circleci-readme.md"
 - ".circleci/config.yml"
 - ".circleci/setup-rubygems.sh"
 - ".github/CONTRIBUTING.md"
@@ -241,9 +241,9 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - bin/chelsea
 - bin/console
-- bin/setup
 - chelsea
 - chelsea.gemspec
 - docs/images/chelsea.png

data/bin/setup

@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright 2019-Present Sonatype Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here