chelsea 0.0.22 → 0.0.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e8f55973cc277e40b428bd4024d57ee8faeb9497a9533c5325c4992f347e497
-  data.tar.gz: 4e131ffd1c73531aaa2e03ada3a7e0c580fae8ffc3c98c5e3db4bc91ee55f899
+  metadata.gz: 0f179d743f4810498f2e0edbe787038e2caed8e43af7279c39bf309860a568ae
+  data.tar.gz: b20643fbaa0bbc56073a53575b4d3d5ba2d1b4f5b8b1e996dcdc373e2a2bd997
 SHA512:
-  metadata.gz: 68126c4c9fa51ffb7e74402eb6649fe4bca546959d03c28e0c3a028fd36e6912d4ceabe87b6ad7688e2a68a200df05cecc188e4f512fca1b31f823b5ff20f977
-  data.tar.gz: 02e554ba6e20ecea0f5027abf8c72feefa272f1336e458997bbae14000fceacefc14f0237ac78c956328d573f27466455a926c57b351f718de8011d03b3bcab3
+  metadata.gz: b44c830f8e38ba6693babade3cb1da853baf545a6839aa79bea41a5821712cf055737e8af349c1c9aa9653bb09c5faa1cad0660ec3806f0add68418dadd36f54
+  data.tar.gz: ec6ebcd7e0ac9fb7ebb30349c824187cfc06390fabd40a76a39c4c622a6801c513c5446f89dc3422f703e15cab214a3b1fb72ff7acd4f7ef6e249a27c8331b6e

data/.circleci/config.yml

@@ -35,7 +35,9 @@ jobs:
             - chelsea-bundle-v2-
       - run:
           name: Bundle Install
-          command: bundle check --path vendor/bundle || bundle install
+          command: |
+            bundle config set --local path 'vendor/bundle'
+            bundle check || bundle install
       - save_cache:
           key: chelsea-bundle-v2-{{ checksum "Gemfile.lock" }}
           paths:

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    chelsea (0.0.17)
+    chelsea (0.0.26)
       bundler (>= 1.2.0, < 3)
       ox (~> 2.13.2)
       pastel (~> 0.7.2)
@@ -31,7 +31,7 @@ GEM
     mime-types-data (3.2020.0512)
     necromancer (0.6.0)
     netrc (0.11.0)
-    ox (2.13.2)
+    ox (2.13.4)
     pastel (0.7.4)
       equatable (~> 0.6)
       tty-color (~> 0.5)
@@ -57,16 +57,16 @@ GEM
     rspec_junit_formatter (0.4.1)
       rspec-core (>= 2, < 4, != 2.12.0)
     safe_yaml (1.0.5)
-    slop (4.8.1)
+    slop (4.8.2)
     strings (0.1.8)
       strings-ansi (~> 0.1)
       unicode-display_width (~> 1.5)
       unicode_utils (~> 1.4)
     strings-ansi (0.2.0)
-    tty-color (0.5.1)
+    tty-color (0.5.2)
     tty-cursor (0.7.1)
     tty-font (0.5.0)
-    tty-screen (0.8.0)
+    tty-screen (0.8.1)
     tty-spinner (0.9.3)
       tty-cursor (~> 0.7)
     tty-table (0.11.0)

data/README.md

@@ -50,7 +50,7 @@ usage: /usr/local/bin/chelsea [options]
     -iu, --iquser      Specify the IQ username
     -it, --iqpass      Specify the IQ auth token
     -w, --whitelist    Set path to vulnerability whitelist file
-    -v, --verbose      Make chelsea only output vulnerable third party dependencies for text output (default: true)
+    -v, --verbose      For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)
     -t, --format       Choose what type of format you want your report in (default: text) (options: text, json, xml)
     -b, --iq           Use Nexus IQ Server to audit your project
     -s, --stage        Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)
@@ -135,9 +135,45 @@ Report URL: http://localhost:8070/ui/links/application/testapp/report/0e0f469269
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+We suggest using [rbenv](https://github.com/rbenv/rbenv) to setup a reliable ruby development environment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+Follow the [installation steps](https://github.com/rbenv/rbenv#installation). 
+For macos (10.15.7), there was a problem with step 2, with: `$ rbenv init`. The command 
+printed suggested editing `~/.bashrc`; however, this did not work in our case (even after an OS reboot),
+and we had to instead edit `~/bash_profile`. To sanity check your installation, you should see the 
+`.rbenv` directory early in your PATH, e.g.:
+```
+$ echo $PATH
+/Users/<username>/.rbenv/shims:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:...
+``` 
+ 
+We are using ruby version 2.6.6, but newer versions should also work.
+```
+rbenv install 2.6.6
+``` 
+
+Install `bundler`:
+```
+gem install bundler
+```
+
+Install dependencies:
+```
+bundle install
+```
+
+Run tests:
+```
+bundle exec rspec
+```
+
+To install this gem onto your local machine, run `bundle exec rake install`. To manually release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+### Release Process
+
+Chelsea is automatically released after a commit to the `master` branch.
+
+To avoid performing a release after a commit to the `master` branch, be sure your commit message includes `[skip ci] `.
 
 ## Why Chelsea?
 

data/SECURITY.md

@@ -0,0 +1,79 @@
+<!--
+
+    Copyright (c) 2011-present Sonatype, Inc. All rights reserved.
+    Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions.
+    "Sonatype" is a trademark of Sonatype, Inc.
+
+-->
+
+# Reporting Security Vulnerabilities
+
+## When to report
+
+First check
+[Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories)
+to see if this has been previously reported.
+
+## How to report
+
+Please email reports regarding security related issues you find to [mailto:security@sonatype.com](security@sonatype.com).
+
+Use our public key below to keep your message safe.
+
+## What to include
+
+Please use a descriptive subject line in your email report.
+
+Your name and/or affiliation.
+
+A detailed technical description of the vulnerability, attack scenario and where
+possible, how we can reproduce your findings.
+
+Provide us with a secure way to respond.
+
+## What to expect
+
+Your email will be acknowledged within 1 - 2 business days, and you'll receive a
+more detailed response to your email within 7 business days.
+
+We ask that everyone please follow responsible disclosure practices and allow
+time for us to release a fix prior to public release.
+
+Once an issue is reported, Sonatype uses the following disclosure process:
+
+When a report is received, we confirm the issue and determine its severity.
+
+If third-party services or software require mitigation before publication, those
+projects will be notified.
+
+## Our public key
+
+```console
+-----BEGIN PUBLIC KEY BLOCK-----
+mQENBFF+a9ABCADQWSAAU7w9i71Zn3TQ6k7lT9x57cRdtX7V709oeN/c/1it+gCw
+onmmCyf4ypor6XcPSOasp/x0s3hVuf6YfMbI0tSwJUWWihrmoPGIXtmiSOotQE0Q
+Sav41xs3YyI9LzQB4ngZR/nhp4YhioD1dVorD6LGXk08rvl2ikoqHwTagbEXZJY7
+3VYhW6JHbZTLwCsfyg6uaSYF1qXfUxHPOiHYKNbhK/tM3giX+9ld/7xi+9f4zEFQ
+eX9wcRTdgdDOAqDOK7MV30KXagSqvW0MgEYtKX6q4KjjRzBYjkiTdFW/yMXub/Bs
+5UckxHTCuAmvpr5J0HIUeLtXi1QCkijyn8HJABEBAAG0KVNvbmF0eXBlIFNlY3Vy
+aXR5IDxzZWN1cml0eUBzb25hdHlwZS5jb20+iQE4BBMBAgAiBQJRfmvQAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAgkmxsNtgwfUzbCACLtCgieq1kJOqo
+2i136ND5ZOj31zIzNENLn8dhSg5zQwTHOcntWAtS8uCNq4fSlslwvlbPYWTLD7fE
+iJn1z7BCU8gBk+pkAJJFWEPweMVt+9bYQ4HfKceGbJeuwBBhS34SK9ZIp9gfxxfA
+oTm0aGYwKR5wH3sqL/mrhwKhPt9wXR4qwlE635STEX8wzJ5SBqf3ArJUtCp1rzgR
+Dx+DiZed5HE1pOI2Kyb6O80bm485WThPXxpvp3bfzTNYoGzeLi/F7WkmgggkXxsT
+Pyd0sSx0B/MO4lJtQvEBlIHDFno9mXa30fKl+rzp2geG5UxNHJUjaC5JhfWLEXEX
+wV0ErBsmuQENBFF+a9ABCADXj04+GLIz8VCaZH554nUHEhaKoiIXH3Tj7UiMZDqy
+o4WIw2RFaCQNA8T0R5Q0yxINU146JQMbA2SN59AGcGYZcajyEvTR7tLG0meMO6S0
+JWpkX7s3xaC0s+5SJ/ba00oHGzW0aotgzG9BWA5OniNHK7zZKMVu7M80M/wB1RvK
+x775hAeJ+8F9MDJ+ijydBtaOfDdkbg+0kU1xR6Io+vVLPk38ghlWU8QFP4/B0oWi
+jK4xiDqK6cG7kyH9kC9nau+ckH8MrJ/RzEpsc4GRwqS4IEnvHWe7XbgydWS1bCp6
+8uP5ma3d02elQmSEa+PABIPKnZcAf1YKLr9O/+IzEdOhABEBAAGJAR8EGAECAAkF
+AlF+a9ACGwwACgkQIJJsbDbYMH3WzAf/XOm4YQZFOgG2h9d03m8me8d1vrYico+0
+pBYU9iCozLgamM4er9Efb+XzfLvNVKuqyR0cgvGszukIPQYeX58DMrZ07C+E0wDZ
+bG+ZAYXT5GqsHkSVnMCVIfyJNLjR4sbVzykyVtnccBL6bP3jxbCP1jJdT7bwiKre
+1jQjvyoL0yIegdiN/oEdmx52Fqjt4NkQsp4sk625UBFTVISr22bnf60ZIGgrRbAP
+DU1XMdIrmqmhEEQcXMp4CeflDMksOmaIeAUkZY7eddnXMwQDJTnz5ziCal+1r0R3
+dh0XISRG0NkiLEXeGkrs7Sn7BAAsTsaH/1zU6YbvoWlMlHYT6EarFQ== =sFGt
+-----END PUBLIC KEY BLOCK-----
+```

data/bin/chelsea

@@ -31,7 +31,7 @@ opts =
       o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
       o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
       o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
-      o.bool '-v', '--verbose', 'Make chelsea only output vulnerable third party dependencies for text output (default: true)', default: false 
+      o.bool '-v', '--verbose', 'For text format, list dependencies, their reverse dependencies (what brought them in to your project), and if they are vulnerable. (default: false)', default: false
       o.string '-t', '--format', 'Choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
       o.bool '-b', '--iq', 'Use Nexus IQ Server to audit your project'
       o.string '-s', '--stage', 'Specify Nexus IQ Stage (default: build) (options: develop, build, stage-release, release, operate)', default: 'build'

data/chelsea.gemspec

@@ -38,5 +38,4 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rspec_junit_formatter", "~> 0.4.1"
   spec.add_development_dependency "webmock", "~> 3.8.3"
   spec.add_development_dependency "byebug", "~> 11.1.2"
-  spec.add_development_dependency 'pry'
 end

data/lib/chelsea/cli.rb

@@ -39,15 +39,19 @@ module Chelsea
         _set_config # move to init
       elsif @opts.clear?
         require_relative 'db'
-        Chelsea::DB.new().clear_cache
+        Chelsea::DB.new.clear_cache
         puts "OSS Index cache cleared"
       elsif @opts.file? && @opts.iq?
         dependencies = _process_file_iq
         _submit_sbom(dependencies)
+      elsif !@opts.file? && @opts.iq?
+        abort "Missing the --file argument. It is required with the --iq argument."
       elsif @opts.file?
         _process_file
       elsif @opts.help? # quit on opts.help earlier
         puts _cli_flags # this doesn't exist
+      else
+        abort "Missing arguments! Chelsea did nothing. Try providing the --file <Gemfile.lock> argument."
       end
     end
 
@@ -73,7 +77,26 @@ module Chelsea
       
       return unless status_url
 
-      iq.poll_status(status_url)
+      msg, color, exit_code = iq.poll_status(status_url)
+      show_status(msg, color)
+      # this may not be very ruby-esque, but `return exit_code` and `exit_code` didn't result in the desired exit status
+      exit exit_code
+    end
+
+    def show_status(msg, color)
+      case color
+      when Chelsea::IQClient::COLOR_FAILURE
+        puts @pastel.red.bold(msg)
+      when Chelsea::IQClient::COLOR_WARNING
+        # want yellow, but that doesn't print
+        # puts @pastel.color.bold(msg, color)
+        puts @pastel.blue.blue(msg)
+      when Chelsea::IQClient::COLOR_NONE
+        # want yellow, but that doesn't print
+        puts @pastel.green.bold(msg)
+      else
+        puts @pastel.bold(msg)
+      end
     end
 
     def _process_file

data/lib/chelsea/iq_client.rb

@@ -17,6 +17,7 @@
 require 'rest-client'
 require 'json'
 require 'pastel'
+require 'uri'
 
 require_relative 'spinner'
 
@@ -31,6 +32,7 @@ module Chelsea
       internal_application_id: '',
       stage: 'build'
     }
+
     def initialize(options: DEFAULT_OPTIONS)
       @options = options
       @pastel = Pastel.new
@@ -46,12 +48,12 @@ module Chelsea
         password: @options[:auth_token]
       )
       res = resource.post sbom.to_s, _headers.merge(content_type: 'application/xml')
-      unless res.code != 202
-        spin.success("...done.")
-        status_url(res)
-      else
+      if res.code != 202
         spin.stop('...request failed.')
         nil
+      else
+        spin.success("...done.")
+        status_url(res)
       end
     end
 
@@ -67,8 +69,7 @@ module Chelsea
           res = _poll_iq_server(url)
           if res.code == 200
             spin.success("...done.")
-            _handle_response(res)
-            break
+            return _handle_response(res)
           end
         rescue
           sleep(1)
@@ -76,18 +77,39 @@ module Chelsea
       end
     end
 
+    # colors to use when printing message
+    COLOR_FAILURE = 31
+    COLOR_WARNING = 33 # want yellow, but doesn't appear to print
+    COLOR_NONE = 32
+    # Known policy actions
+    POLICY_ACTION_FAILURE = 'Failure'
+    POLICY_ACTION_WARNING = 'Warning'
+    POLICY_ACTION_NONE = 'None'
+
     private
 
     def _handle_response(res)
       res = JSON.parse(res.body)
-      unless res['policyAction'] == 'Failure'
-        puts @pastel.white.bold("Hi! Chelsea here, no policy violations for this audit!")
-        puts @pastel.white.bold("Report URL: #{res['reportHtmlUrl']}")
-        exit 0
+      # get absolute report url
+      absolute_report_html_url = URI.join(@options[:server_url], res['reportHtmlUrl'])
+
+      case res['policyAction']
+      when POLICY_ACTION_FAILURE
+        return "Hi! Chelsea here, you have some policy violations to clean up!"\
+          "\nReport URL: #{absolute_report_html_url}",
+          COLOR_FAILURE, 1
+      when POLICY_ACTION_WARNING
+        return "Hi! Chelsea here, you have some policy warnings to peck at!"\
+        "\nReport URL: #{absolute_report_html_url}",
+          COLOR_WARNING, 0
+      when POLICY_ACTION_NONE
+        return "Hi! Chelsea here, no policy violations for this audit!"\
+        "\nReport URL: #{absolute_report_html_url}",
+          COLOR_NONE, 0
       else
-        puts @pastel.red.bold("Hi! Chelsea here, you have some policy violations to clean up!")
-        puts @pastel.red.bold("Report URL: #{res['reportHtmlUrl']}")
-        exit 1
+        return "Hi! Chelsea here, no policy violations for this audit, but unknown policy action!"\
+        "\nReport URL: #{absolute_report_html_url}",
+          COLOR_FAILURE, 1
       end
     end
 
@@ -141,7 +163,15 @@ module Chelsea
         password: @options[:auth_token]
       )
       res = resource.get _headers
+      if res.code != 200
+        puts "failed to get internal application id for IQ application id: #{@options[:public_application_id]}. response status: #{res.code}"
+        return
+      end
       body = JSON.parse(res)
+      if body['applications'].empty?
+        puts "failed to get internal application id for IQ application id: #{@options[:public_application_id]}"
+        return
+      end
       body['applications'][0]['id']
     end
 

data/lib/chelsea/spinner.rb

@@ -19,7 +19,7 @@ require 'pastel'
 
 module Chelsea
   class Spinner
-    def initialize()
+    def initialize
       @pastel = Pastel.new
     end
 

data/lib/chelsea/version.rb

@@ -15,5 +15,5 @@
 #
 
 module Chelsea
-  VERSION = '0.0.22'.freeze
+  VERSION = '0.0.27'.freeze
 end

data/license-excludes.xml

@@ -9,4 +9,5 @@
   <exclude>src/chelsea.gemspec</exclude>
   <exclude>src/CODE_OF_CONDUCT.md</exclude>
   <exclude>src/CONTRIBUTORS.md</exclude>
+  <exclude>src/SECURITY.md</exclude>
 </excludes>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.22
+  version: 0.0.27
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-06 00:00:00.000000000 Z
+date: 2021-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font
@@ -198,27 +198,12 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 11.1.2
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 description: 
 email:
 - allister.beharry@gmail.com
 executables:
 - chelsea
 - console
-- setup
 extensions: []
 extra_rdoc_files: []
 files:
@@ -242,9 +227,9 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - bin/chelsea
 - bin/console
-- bin/setup
 - chelsea
 - chelsea.gemspec
 - docs/images/chelsea.png

data/bin/setup

@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright 2019-Present Sonatype Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here