chelsea 0.0.20 → 0.0.25
- checksums.yaml +4 -4
- data/.circleci/circleci-readme.md +28 -0
- data/.gitignore +3 -0
- data/Jenkinsfile +1 -1
- data/README.md +36 -45
- data/SECURITY.md +79 -0
- data/bin/chelsea +2 -1
- data/lib/chelsea/cli.rb +2 -1
- data/lib/chelsea/iq_client.rb +3 -2
- data/lib/chelsea/version.rb +1 -1
- metadata +4 -4
- data/bin/setup +0 -24
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d0cad312125f51e22e8e68644fec85a33a065fcf95fbf38539d65d0bddf0bd9f
|
4
|
+
data.tar.gz: 49565480567c9cd6b52224fdf1597deaf606f3caaf22cb4a4fd4c783d466d045
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2a10c30b4962c7e6f62409427659638db4a2d1388f8bd208534212228b4468fd9d5d6647cab681c30441fcd20ef398b49d3ee2aa80495d09acf06d22bcad504f
|
7
|
+
data.tar.gz: 7c3744d4c0a04c8ad6bccd85b5c33f65c6417bf9d1510ceed83f274e452129c6e56abef7e921c6d36034601d06f7bb31c2ebd2d1e8d19271cd914ad8e621b4fe
|
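Review bot: the new SHA256 and SHA512 values at +3/+4 and +6/+7 are the only integrity anchor this release has, because the metadata hunk further down still shows `cert_chain: []`, i.e. the gem is unsigned. Before consuming 0.0.25, compare these digests with the ones rubygems.org serves for the same version rather than trusting the values in this diff; a checksums.yaml produced from the same archive it describes proves nothing about where the archive came from.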
data/.circleci/circleci-readme.md
ADDED
@@ -0,0 +1,28 @@
|
|
1
|
+
CI Debug Notes
|
2
|
+
================
|
3
|
+
To validate some circleci stuff, I was able to run a “build locally” using the steps below.
|
4
|
+
The local build runs in a docker container.
|
5
|
+
|
6
|
+
* (Once) Install circleci client (`brew install circleci`)
|
7
|
+
|
8
|
+
* Convert the “real” config.yml into a self contained (non-workspace) config via:
|
9
|
+
|
10
|
+
circleci config process .circleci/config.yml > .circleci/local-config.yml
|
11
|
+
|
12
|
+
* Run a local build with the following command:
|
13
|
+
|
14
|
+
circleci local execute -c .circleci/local-config.yml --job 'build'
|
15
|
+
|
16
|
+
Typically both commands are run together:
|
17
|
+
|
18
|
+
circleci config process .circleci/config.yml > .circleci/local-config.yml && circleci local execute -c .circleci/local-config.yml --job 'build'
|
19
|
+
|
20
|
+
With the above command, operations that cannot occur during a local build will show an error like this:
|
21
|
+
|
22
|
+
```
|
23
|
+
... Error: FAILED with error not supported
|
24
|
+
```
|
25
|
+
|
26
|
+
However, the build will proceed and can complete “successfully”, which allows you to verify scripts in your config, etc.
|
27
|
+
|
28
|
+
If the build does complete successfully, you should see a happy yellow `Success!` message.
|
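Review bot: the shell commands at +10, +14 and +18 are bare lines, unlike the error message at +22 to +24, so they render as ordinary paragraphs; put each in a fenced block. More important, `circleci config process` at +10 writes `.circleci/local-config.yml` into the checkout, and the expanded file can carry anything the real config references; the page summary shows three lines added to `.gitignore` but does not display them, so confirm that `local-config.yml` is one of them and cannot be committed by accident. Minor wording: "self contained" at +8 should be hyphenated ("self-contained").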
data/.gitignore
CHANGED
data/Jenkinsfile
CHANGED
@@ -32,7 +32,7 @@ dockerizedBuildPipeline(
|
|
32
32
|
sh '''
|
33
33
|
gem build chelsea.gemspec
|
34
34
|
gem install ./chelsea-*.gem
|
35
|
-
chelsea --file Gemfile.lock -b -a chelsea -iu $IQ_USERNAME -it $IQ_PASSWORD -i https://policy.ci.sonatype.dev
|
35
|
+
chelsea --file Gemfile.lock -b -a chelsea -iu $IQ_USERNAME -it $IQ_PASSWORD -i https://policy.ci.sonatype.dev --stage stage-release
|
36
36
|
'''
|
37
37
|
}
|
38
38
|
})
|
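Review bot: at +35 `$IQ_USERNAME` and `$IQ_PASSWORD` are unquoted inside the `sh '''...'''` block. The triple single quotes are the right choice (Groovy does not interpolate them, so the secret is never inlined into the script text), but the shell still word-splits the unquoted expansions, so a token containing whitespace or glob characters breaks the invocation; write them as "$IQ_USERNAME" and "$IQ_PASSWORD". The new `--stage stage-release` is hard-coded for every run of this pipeline; if the same Jenkinsfile also builds branches, take the stage from a pipeline parameter instead. Separately, `gem install ./chelsea-*.gem` on line 34 installs every matching file, so a stale artifact left in the workspace would be installed next to the freshly built one.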
data/README.md
CHANGED
@@ -38,21 +38,10 @@ $ gem install chelsea
|
|
38
38
|
```
|
39
39
|
|
40
40
|
```
|
41
|
-
$ chelsea
|
42
|
-
|
43
|
-
/ __ \| | | |
|
44
|
-
| / \/| |__ ___ | | ___ ___ __ _
|
45
|
-
| | | '_ \ / _ \| |/ __| / _ \ / _` |
|
46
|
-
| \__/\| | | || __/| |\__ \| __/| (_| |
|
47
|
-
\____/|_| |_| \___||_||___/ \___| \__,_|
|
48
|
-
|
49
|
-
|
50
|
-
Version: 0.0.11
|
51
|
-
|
52
|
-
usage: chelsea [options] ...
|
53
|
-
|
54
|
-
Options:
|
41
|
+
$ chelsea --help
|
42
|
+
usage: /usr/local/bin/chelsea [options]
|
55
43
|
-f, --file Path to your Gemfile.lock
|
44
|
+
-x, --clear Clear OSS Index cache
|
56
45
|
-c, --config Set persistent config for OSS Index
|
57
46
|
-u, --user Specify OSS Index Username
|
58
47
|
-p, --token Specify OSS Index API Token
|
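Review bot: the pasted help output at +42 begins with `usage: /usr/local/bin/chelsea [options]`, which is the absolute path of whoever captured it, whereas the removed text showed `usage: chelsea [options] ...`, the form readers should copy. Either trim the path in the README or note that it is simply what `$0` resolved to. The `-x, --clear` line at +44 is new in this listing; if it is a newly added flag, the changelog should mention it, and if it already existed, the previous help text was incomplete.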
@@ -61,9 +50,10 @@ Options:
|
|
61
50
|
-iu, --iquser Specify the IQ username
|
62
51
|
-it, --iqpass Specify the IQ auth token
|
63
52
|
-w, --whitelist Set path to vulnerability whitelist file
|
64
|
-
-
|
53
|
+
-v, --verbose For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)
|
65
54
|
-t, --format Choose what type of format you want your report in (default: text) (options: text, json, xml)
|
66
55
|
-b, --iq Use Nexus IQ Server to audit your project
|
56
|
+
-s, --stage Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)
|
67
57
|
--version Print the version
|
68
58
|
-h, --help Show usage
|
69
59
|
```
|
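Review bot: the `-s, --stage` line at +56 spells out the five accepted values, which is good, but the unchanged `-iu` and `-it` lines at 50-51 still read "Specify the IQ username" / "Specify the IQ auth token" without mentioning that bin/chelsea gives them defaults of `admin` and `admin123` (visible in that file's hunk on this page). Document the defaults here, or better, drop them, so a run that omits the flags does not quietly authenticate with the IQ server's initial credentials.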
@@ -96,35 +86,6 @@ Audit Results
|
|
96
86
|
|
97
87
|
Audit Results will show a list of your third party dependencies, their reverse dependencies (so what brought them in to your project), and if they are vulnerable or not.
|
98
88
|
|
99
|
-
### Quiet usage
|
100
|
-
|
101
|
-
Running with `--quiet` will only output any vulnerable dependencies found, similar to:
|
102
|
-
|
103
|
-
```
|
104
|
-
_____ _ _
|
105
|
-
/ __ \| | | |
|
106
|
-
| / \/| |__ ___ | | ___ ___ __ _
|
107
|
-
| | | '_ \ / _ \| |/ __| / _ \ / _` |
|
108
|
-
| \__/\| | | || __/| |\__ \| __/| (_| |
|
109
|
-
\____/|_| |_| \___||_||___/ \___| \__,_|
|
110
|
-
|
111
|
-
|
112
|
-
Version: 0.0.11
|
113
|
-
[15/31] - pkg:gem/rake@10.5.0 Vulnerable.
|
114
|
-
Required by: domain_name-0.5.20190701
|
115
|
-
Required by: equatable-0.6.1
|
116
|
-
Required by: pastel-0.7.3
|
117
|
-
Required by: public_suffix-4.0.3
|
118
|
-
Required by: rspec_junit_formatter-0.4.1
|
119
|
-
Required by: slop-4.8.1
|
120
|
-
Required by: slop-4.8.0
|
121
|
-
Required by: unf-0.1.4
|
122
|
-
Required by: unf_ext-0.0.7.7
|
123
|
-
Required by: unf_ext-0.0.7.6
|
124
|
-
```
|
125
|
-
|
126
|
-
This can be useful if you are only interested in seeing your vulnerable dependencies, and not the whole list.
|
127
|
-
|
128
89
|
### Usage with Formatters
|
129
90
|
|
130
91
|
Chelsea can be run with a number of different formatters:
|
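Review bot: removing the "Quiet usage" section at -99 to -127 takes `--quiet` out of the documentation, yet no hunk on this page removes a `-q`/`--quiet` option from bin/chelsea, and the flag does not appear in the new help text either. If the option still exists it is now undocumented; if it was removed in an earlier release, say so in the changelog so that users with `--quiet` in CI scripts understand why their invocation fails.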
@@ -174,7 +135,37 @@ Report URL: http://localhost:8070/ui/links/application/testapp/report/0e0f469269
|
|
174
135
|
|
175
136
|
## Development
|
176
137
|
|
177
|
-
|
138
|
+
We suggest using [rbenv](https://github.com/rbenv/rbenv) to setup a reliable ruby development environment.
|
139
|
+
|
140
|
+
Follow the [installation steps](https://github.com/rbenv/rbenv#installation).
|
141
|
+
For macos (10.15.7), there was a problem with step 2, with: `$ rbenv init`. The command
|
142
|
+
printed suggested editing `~/.bashrc`; however, this did not work in our case (even after an OS reboot),
|
143
|
+
and we had to instead edit `~/bash_profile`. To sanity check your installation, you should see the
|
144
|
+
`.rbenv` directory early in your PATH, e.g.:
|
145
|
+
```
|
146
|
+
$ echo $PATH
|
147
|
+
/Users/<username>/.rbenv/shims:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:...
|
148
|
+
```
|
149
|
+
|
150
|
+
We are using ruby version 2.6.6, but newer versions should also work.
|
151
|
+
```
|
152
|
+
rbenv install 2.6.6
|
153
|
+
```
|
154
|
+
|
155
|
+
Install `bundler`:
|
156
|
+
```
|
157
|
+
gem install bundler
|
158
|
+
```
|
159
|
+
|
160
|
+
Install dependencies:
|
161
|
+
```
|
162
|
+
bundle install
|
163
|
+
```
|
164
|
+
|
165
|
+
Run tests:
|
166
|
+
```
|
167
|
+
bundle exec rspec
|
168
|
+
```
|
178
169
|
|
179
170
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
180
171
|
|
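Review bot: `~/bash_profile` at +143 is missing its leading dot; the file rbenv's instructions refer to is `~/.bash_profile`, and a reader who creates `~/bash_profile` literally will hit exactly the failure the paragraph describes. Smaller wording points: "setup" at +138 is the noun, the verb is "set up"; "macos" at +141 is "macOS"; "printed suggested editing" at +142 reads better as "output suggested editing". The placeholder `/Users/<username>` at +147 is fine, but the trailing `:...` should be explained as elided output so nobody expects it in their own PATH.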
data/SECURITY.md
ADDED
@@ -0,0 +1,79 @@
|
|
1
|
+
<!--
|
2
|
+
|
3
|
+
Copyright (c) 2011-present Sonatype, Inc. All rights reserved.
|
4
|
+
Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
|
5
|
+
"Sonatype" is a trademark of Sonatype, Inc.
|
6
|
+
|
7
|
+
-->
|
8
|
+
|
9
|
+
# Reporting Security Vulnerabilities
|
10
|
+
|
11
|
+
## When to report
|
12
|
+
|
13
|
+
First check
|
14
|
+
[Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories)
|
15
|
+
to see if this has been previously reported.
|
16
|
+
|
17
|
+
## How to report
|
18
|
+
|
19
|
+
Please email reports regarding security related issues you find to [mailto:security@sonatype.com](security@sonatype.com).
|
20
|
+
|
21
|
+
Use our public key below to keep your message safe.
|
22
|
+
|
23
|
+
## What to include
|
24
|
+
|
25
|
+
Please use a descriptive subject line in your email report.
|
26
|
+
|
27
|
+
Your name and/or affiliation.
|
28
|
+
|
29
|
+
A detailed technical description of the vulnerability, attack scenario and where
|
30
|
+
possible, how we can reproduce your findings.
|
31
|
+
|
32
|
+
Provide us with a secure way to respond.
|
33
|
+
|
34
|
+
## What to expect
|
35
|
+
|
36
|
+
Your email will be acknowledged within 1 - 2 business days, and you'll receive a
|
37
|
+
more detailed response to your email within 7 business days.
|
38
|
+
|
39
|
+
We ask that everyone please follow responsible disclosure practices and allow
|
40
|
+
time for us to release a fix prior to public release.
|
41
|
+
|
42
|
+
Once an issue is reported, Sonatype uses the following disclosure process:
|
43
|
+
|
44
|
+
When a report is received, we confirm the issue and determine its severity.
|
45
|
+
|
46
|
+
If third-party services or software require mitigation before publication, those
|
47
|
+
projects will be notified.
|
48
|
+
|
49
|
+
## Our public key
|
50
|
+
|
51
|
+
```console
|
52
|
+
-----BEGIN PUBLIC KEY BLOCK-----
|
53
|
+
mQENBFF+a9ABCADQWSAAU7w9i71Zn3TQ6k7lT9x57cRdtX7V709oeN/c/1it+gCw
|
54
|
+
onmmCyf4ypor6XcPSOasp/x0s3hVuf6YfMbI0tSwJUWWihrmoPGIXtmiSOotQE0Q
|
55
|
+
Sav41xs3YyI9LzQB4ngZR/nhp4YhioD1dVorD6LGXk08rvl2ikoqHwTagbEXZJY7
|
56
|
+
3VYhW6JHbZTLwCsfyg6uaSYF1qXfUxHPOiHYKNbhK/tM3giX+9ld/7xi+9f4zEFQ
|
57
|
+
eX9wcRTdgdDOAqDOK7MV30KXagSqvW0MgEYtKX6q4KjjRzBYjkiTdFW/yMXub/Bs
|
58
|
+
5UckxHTCuAmvpr5J0HIUeLtXi1QCkijyn8HJABEBAAG0KVNvbmF0eXBlIFNlY3Vy
|
59
|
+
aXR5IDxzZWN1cml0eUBzb25hdHlwZS5jb20+iQE4BBMBAgAiBQJRfmvQAhsDBgsJ
|
60
|
+
CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAgkmxsNtgwfUzbCACLtCgieq1kJOqo
|
61
|
+
2i136ND5ZOj31zIzNENLn8dhSg5zQwTHOcntWAtS8uCNq4fSlslwvlbPYWTLD7fE
|
62
|
+
iJn1z7BCU8gBk+pkAJJFWEPweMVt+9bYQ4HfKceGbJeuwBBhS34SK9ZIp9gfxxfA
|
63
|
+
oTm0aGYwKR5wH3sqL/mrhwKhPt9wXR4qwlE635STEX8wzJ5SBqf3ArJUtCp1rzgR
|
64
|
+
Dx+DiZed5HE1pOI2Kyb6O80bm485WThPXxpvp3bfzTNYoGzeLi/F7WkmgggkXxsT
|
65
|
+
Pyd0sSx0B/MO4lJtQvEBlIHDFno9mXa30fKl+rzp2geG5UxNHJUjaC5JhfWLEXEX
|
66
|
+
wV0ErBsmuQENBFF+a9ABCADXj04+GLIz8VCaZH554nUHEhaKoiIXH3Tj7UiMZDqy
|
67
|
+
o4WIw2RFaCQNA8T0R5Q0yxINU146JQMbA2SN59AGcGYZcajyEvTR7tLG0meMO6S0
|
68
|
+
JWpkX7s3xaC0s+5SJ/ba00oHGzW0aotgzG9BWA5OniNHK7zZKMVu7M80M/wB1RvK
|
69
|
+
x775hAeJ+8F9MDJ+ijydBtaOfDdkbg+0kU1xR6Io+vVLPk38ghlWU8QFP4/B0oWi
|
70
|
+
jK4xiDqK6cG7kyH9kC9nau+ckH8MrJ/RzEpsc4GRwqS4IEnvHWe7XbgydWS1bCp6
|
71
|
+
8uP5ma3d02elQmSEa+PABIPKnZcAf1YKLr9O/+IzEdOhABEBAAGJAR8EGAECAAkF
|
72
|
+
AlF+a9ACGwwACgkQIJJsbDbYMH3WzAf/XOm4YQZFOgG2h9d03m8me8d1vrYico+0
|
73
|
+
pBYU9iCozLgamM4er9Efb+XzfLvNVKuqyR0cgvGszukIPQYeX58DMrZ07C+E0wDZ
|
74
|
+
bG+ZAYXT5GqsHkSVnMCVIfyJNLjR4sbVzykyVtnccBL6bP3jxbCP1jJdT7bwiKre
|
75
|
+
1jQjvyoL0yIegdiN/oEdmx52Fqjt4NkQsp4sk625UBFTVISr22bnf60ZIGgrRbAP
|
76
|
+
DU1XMdIrmqmhEEQcXMp4CeflDMksOmaIeAUkZY7eddnXMwQDJTnz5ziCal+1r0R3
|
77
|
+
dh0XISRG0NkiLEXeGkrs7Sn7BAAsTsaH/1zU6YbvoWlMlHYT6EarFQ== =sFGt
|
78
|
+
-----END PUBLIC KEY BLOCK-----
|
79
|
+
```
|
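Review bot: the mailto link at +19 has its two parts swapped: `[mailto:security@sonatype.com](security@sonatype.com)` renders the literal "mailto:..." as text and links to a relative URL; it should be `[security@sonatype.com](mailto:security@sonatype.com)`. The armored key at +52 to +78 also departs from the RFC 4880 armor format in three places, so `gpg --import` may reject it: the header should read `-----BEGIN PGP PUBLIC KEY BLOCK-----` (the word PGP is missing from both BEGIN and END), a blank line is required between the header and the base64 body, and the armor checksum `=sFGt` at +77 must sit on its own line rather than be appended to the last data line. Publishing the key's fingerprint in the prose would let reporters verify what they imported, and ` ```console ` is the wrong fence language for a key block; a plain fence is enough.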
data/bin/chelsea
CHANGED
@@ -31,9 +31,10 @@ opts =
|
|
31
31
|
o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
|
32
32
|
o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
|
33
33
|
o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
|
34
|
-
o.bool '-v', '--verbose', '
|
34
|
+
o.bool '-v', '--verbose', 'For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)', default: false
|
35
35
|
o.string '-t', '--format', 'Choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
|
36
36
|
o.bool '-b', '--iq', 'Use Nexus IQ Server to audit your project'
|
37
|
+
o.string '-s', '--stage', 'Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)', default: 'build'
|
37
38
|
o.on '--version', 'Print the version' do
|
38
39
|
puts Chelsea::VERSION
|
39
40
|
exit
|
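Review bot: the new `-s, --stage` option at +37 advertises five accepted values, but nothing constrains the parsed value to that set; it is passed through to the IQ request URL (see the iq_client.rb hunk), so a typo such as `-s relaese` is only discovered server-side. Checking `opts[:stage]` against the listed values after parsing and failing with a clear message would be cheap. Worth flagging in the surrounding context as well: `-iu` and `-it` at lines 31-32 default to `admin` / `admin123`, the IQ server's initial credentials, and `-it` takes the token as a command-line argument, where it is visible in process listings and shell history. Prefer no default and an environment-variable fallback; the Jenkinsfile already has `$IQ_PASSWORD` available for that.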
data/lib/chelsea/cli.rb
CHANGED
@@ -63,7 +63,8 @@ module Chelsea
|
|
63
63
|
public_application_id: @opts[:application],
|
64
64
|
server_url: @opts[:server],
|
65
65
|
username: @opts[:iquser],
|
66
|
-
auth_token: @opts[:iqpass]
|
66
|
+
auth_token: @opts[:iqpass],
|
67
|
+
stage: @opts[:stage]
|
67
68
|
}
|
68
69
|
)
|
69
70
|
bom = Chelsea::Bom.new(gems.deps.dependencies).collect
|
data/lib/chelsea/iq_client.rb
CHANGED
@@ -28,7 +28,8 @@ module Chelsea
|
|
28
28
|
server_url: 'http://localhost:8070',
|
29
29
|
username: 'admin',
|
30
30
|
auth_token: 'admin123',
|
31
|
-
internal_application_id: ''
|
31
|
+
internal_application_id: '',
|
32
|
+
stage: 'build'
|
32
33
|
}
|
33
34
|
def initialize(options: DEFAULT_OPTIONS)
|
34
35
|
@options = options
|
@@ -149,7 +150,7 @@ module Chelsea
|
|
149
150
|
end
|
150
151
|
|
151
152
|
def _api_url
|
152
|
-
"#{@options[:server_url]}/api/v2/scan/applications/#{@internal_application_id}/sources/chelsea"
|
153
|
+
"#{@options[:server_url]}/api/v2/scan/applications/#{@internal_application_id}/sources/chelsea?stageId=#{@options[:stage]}"
|
153
154
|
end
|
154
155
|
|
155
156
|
def _internal_application_id_api_url
|
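Review bot: `stageId=#{@options[:stage]}` at +153 interpolates the stage value into the query string unencoded and unvalidated. Characters such as `&`, `#`, `?` or whitespace in the value change the meaning of the request, and the earlier hunk in this file stores the same string unchecked in `DEFAULT_OPTIONS`. Either verify the value against the five stages the CLI help lists (develop, build, stage-release, release, operate) before building the URL, or at minimum pass it through `URI.encode_www_form_component`. `@internal_application_id` is interpolated into the path the same way on the unchanged part of the line; encoding both would be consistent.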
data/lib/chelsea/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chelsea
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.25
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Allister Beharry
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-12-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: tty-font
|
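Review bot: `cert_chain: []` at context line 10 means 0.0.25 is still published unsigned, so consumers can verify nothing beyond the checksums.yaml digests, which are generated from the very archive they describe. If the project holds a signing key, setting `spec.cert_chain` and `spec.signing_key` in the gemspec would let users install with `gem install -P HighSecurity` and actually verify the release.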
@@ -218,10 +218,10 @@ email:
|
|
218
218
|
executables:
|
219
219
|
- chelsea
|
220
220
|
- console
|
221
|
-
- setup
|
222
221
|
extensions: []
|
223
222
|
extra_rdoc_files: []
|
224
223
|
files:
|
224
|
+
- ".circleci/circleci-readme.md"
|
225
225
|
- ".circleci/config.yml"
|
226
226
|
- ".circleci/setup-rubygems.sh"
|
227
227
|
- ".github/CONTRIBUTING.md"
|
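Review bot: the files list now packages `.circleci/circleci-readme.md` at +224 alongside the already-included `.circleci/config.yml` and `.circleci/setup-rubygems.sh` (context 225-226). CI configuration and a script whose name says it prepares RubyGems publishing have no use inside an installed gem; check that `setup-rubygems.sh` contains nothing credential-related that should stay out of the artifact, and consider excluding `.circleci/` from the gemspec's file list rather than adding to it.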
@@ -241,9 +241,9 @@ files:
|
|
241
241
|
- LICENSE
|
242
242
|
- README.md
|
243
243
|
- Rakefile
|
244
|
+
- SECURITY.md
|
244
245
|
- bin/chelsea
|
245
246
|
- bin/console
|
246
|
-
- bin/setup
|
247
247
|
- chelsea
|
248
248
|
- chelsea.gemspec
|
249
249
|
- docs/images/chelsea.png
|
data/bin/setup
DELETED
@@ -1,24 +0,0 @@
|
|
1
|
-
#!/usr/bin/env bash
|
2
|
-
#
|
3
|
-
# Copyright 2019-Present Sonatype Inc.
|
4
|
-
#
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
#
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
#
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
#
|
17
|
-
|
18
|
-
set -euo pipefail
|
19
|
-
IFS=$'\n\t'
|
20
|
-
set -vx
|
21
|
-
|
22
|
-
bundle install
|
23
|
-
|
24
|
-
# Do any other automated setup that you need to do here
|