chelsea 0.0.7 → 0.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 52f656dfb244ce9739b9dff4ae38959a211bd38d5849a3c97bea14b43f2f5a3a
-  data.tar.gz: 06443dcea17e77700763020b47d899179c062dcfb8003c944628b1bf8bb8491b
+  metadata.gz: eee37ec30bb7ddc5a3817c2d966bce9b7cd3ab35cd711c5e2ab79a82bee3f8bd
+  data.tar.gz: 31b9f377cf841c8c4e07580e6bc3a5a957baeac1ef6ddf0e019910c27c3213ee
 SHA512:
-  metadata.gz: 90bba2fec2be99b5168ba80366fffdff8774f3120bdfa50aa87720c6348b16628a1784ef1cb40cc20bfd31a7c1e50aa20eca9d5fb426e100421d568cc33eeae4
-  data.tar.gz: 4dfbbf3db3529e7ef257c71c4f30f9ecfb00adae8c7cd59dea98fe27380dc33b0724b5d34d078d6b740892b51eebc640bad1500045487fb77963baa66e6dd256
+  metadata.gz: aa2e1cde68d722b3d4adbaff36e8b25fe0175b208b20ca18a9a592259dd6445e3481401f2de7c5708c74c2bbf80b5c945f4f9f046c7f6b688e424404428cb246
+  data.tar.gz: '019a53c49865e117967e9cbed7711e5b0b2d339bf5b3457e99440b118f7775a07505f2311fae4bb3ce9fa8c00e3c4187cc01cf1dd1a5718a3c74acda9b9a3fda'

data/bin/chelsea

@@ -7,11 +7,16 @@ opts =
     Slop.parse do |o|
       o.string '-f', '--file', 'path to your Gemfile.lock'
       o.bool '-c', '--config', 'Set persistent config for OSS Index'
-      o.string '-u', '--user', 'Specify OSS Index Username', default: ""
-      o.string '-p', '--token', 'Specify OSS Index API Token', default: ""
+      o.string '-u', '--user', 'Specify OSS Index Username'
+      o.string '-p', '--token', 'Specify OSS Index API Token'
+      o.string '-a', '--application', 'Specify the IQ application id', default: 'testapp'
+      o.string '-i', '--server', 'Specific the IQ server url', default: 'http://localhost:8070'
+      o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
+      o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
       o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
       o.bool '-q', '--quiet', 'make chelsea only output vulnerable third party dependencies for text output (default: false)', default: false 
       o.string '-t', '--format', 'choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
+      o.bool '-b', '--sbom', 'generate an sbom'
       o.on '--version', 'print the version' do
           puts Chelsea::VERSION
           exit

data/lib/chelsea.rb

@@ -1 +1,19 @@
-require_relative "./chelsea/cli"
+# frozen_string_literal: true
+
+# Lazy loading
+require_relative 'chelsea/cli'
+require_relative 'chelsea/deps'
+require_relative 'chelsea/bom'
+require_relative 'chelsea/iq_client'
+require_relative 'chelsea/oss_index'
+require_relative 'chelsea/config'
+require_relative 'chelsea/version'
+# module Chelsea
+#   autoload :CLI,          'chelsea/cli'
+#   autoload :Deps,         'chelsea/deps'
+#   autoload :Bom,          'chelsea/bom'
+#   autoload :IQClient,     'chelsea/iq_client'
+#   autoload :OSSIndex,     'chelsea/oss_index'
+#   autoload :Config,       'chelsea/config'
+#   autoload :Version,      'chelsea/version'
+# end

data/lib/chelsea/bom.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+require 'ox'
+
+module Chelsea
+  # Class to convext dependencies to BOM xml
+  class Bom
+    attr_accessor :xml
+    def initialize(dependencies)
+      @dependencies = dependencies
+      @xml = _get_xml
+    end
+
+    def to_s
+      Ox.dump(@xml).to_s
+    end
+
+    def random_urn_uuid
+      'urn:uuid:' + SecureRandom.uuid
+    end
+
+    private
+
+    def _get_xml
+      doc = Ox::Document.new
+      doc << _root_xml
+      bom = _bom_xml
+      doc << bom
+      components = Ox::Element.new('components')
+      @dependencies.each do |_, (name, version)|
+        components << _component_xml(name, version)
+      end
+      bom << components
+      doc
+    end
+
+    def _bom_xml
+      bom = Ox::Element.new('bom')
+      bom[:xmlns] = 'http://cyclonedx.org/schema/bom/1.1'
+      bom[:version] = '1'
+      bom[:serialNumber] = random_urn_uuid
+      bom
+    end
+
+    def _root_xml
+      instruct = Ox::Instruct.new(:xml)
+      instruct[:version] = '1.0'
+      instruct[:encoding] = 'UTF-8'
+      instruct[:standalone] = 'yes'
+      instruct
+    end
+
+    def _component_xml(name, version)
+      component = Ox::Element.new('component')
+      component[:type] = 'library'
+      n = Ox::Element.new('name')
+      n << name
+      v = Ox::Element.new('version')
+      v << version.version
+      purl = Ox::Element.new('purl')
+      purl << Chelsea.to_purl(name, version.version)
+      component << n << v << purl
+      component
+    end
+
+    def _show_logo
+      logo = %Q(
+                          -o/
+                      -+hNmNN-
+    .:+osyhddddyso/-``ody+-  .NN.
+  /mMMdhssooooooosyhdmhs/.    /Mm-
+  oMs`                `.-:.    oMNs.                     .
+  `N.           `.              .+hNh+`                 +N.
+   yo -m`  -d` `dm.                `:smd+.            `yMM.
+   -m`mM/ -mN/`ddMs                    -sNh/         .dy-M-
+    dmdsd/m--dmo Nh   `o:      /o`       `+md-      :m/  N:
+    /y `Nd`  do  my   .dMy.  .hMy`         `oN+    om-   m:
+        +    .  `No     +NN+oNm:             .d+ `hd`    d:
+                `Mo      .dMMy     SBOM       `d+ms`     d:
+        `.      -M+     `yMhmNo`    BABY      `hN/-      d/
+    /:  yd  /o  -M/    /NN/  +Nm:            +Nd.-mo     m+
+    dm`/mmo-NMo /M-  .dMs`    `o/          /mN+   `hh.   N+
+   -MMdN//NNhhMysm    /-                `+mMs`      +mo  N+
+  sN/Ny  hd``yMMh                    :yNNs.         `sm+M+
+  dd.``  ``   /d-   oy.          `/yNNh/`             .yM+
+   `yNy/`            oMm`     `/sdMdo-                   ..
+     `/ymmys+///++shN+/Nm.   /NMNo.
+         `-/+ooo+/:.`  :NN- /MMo`
+                        -NNoNM+
+                         :MMM+
+                          :d/
+  )
+      puts logo
+    end
+  end
+end

data/lib/chelsea/cli.rb

@@ -4,50 +4,66 @@ require 'tty-font'
 
 require_relative 'version'
 require_relative 'gems'
+require_relative 'iq_client'
 require_relative 'config'
 
 module Chelsea
   ##
   # This class provides an interface to the oss index, gems and deps
   class CLI
-
     def initialize(opts)
       @opts = opts
       @pastel = Pastel.new
       _validate_arguments
-      _show_logo
+      _show_logo # Move to formatter
     end
 
     def process!
       if @opts.config?
-        _try_set_config()
-      end
-      if @opts.file?
-        @gems = Chelsea::Gems.new(file: @opts[:file], quiet: false, options: @opts)
-        @gems.execute
+        _set_config # move to init
+      elsif @opts.file? # don't process unless there was a file
+        _process_file
+        _submit_sbom if @opts.sbom?
+      elsif @opts.help? # quit on opts.help earlier
+        puts _cli_flags # this doesn't exist
       end
     end
 
-    # this is how you do static methods in ruby, because in a test we want to 
-    # check for version without opts, and heck, we don't even want a dang object!
     def self.version
       Chelsea::VERSION
     end
 
-  protected
+    private
 
-    def _flags_error
-      # should be custom exception! 
-      switches = _flags.collect {|f| "--#{f}"}
+    def _submit_sbom
+      iq = Chelsea::IQClient.new(
+        @opts[:application],
+        @opts[:server],
+        @opts[:iquser],
+        @opts[:iqpass]
+      )
+      bom = Chelsea::Bom.new(@gems.deps)
+      iq.submit_sbom(bom)
+    end
+
+    def _process_file
+      gems = Chelsea::Gems.new(
+        file: @opts[:file],
+        quiet: @opts[:quiet],
+        options: @opts
+      )
+      gems.execute # should be more like collect
+    end
 
+    def _flags_error
+      switches = _flags.collect { |f| "--#{f}" }
       abort "please set one of #{switches}"
     end
 
     def _validate_arguments
-      if !_flags_set? && !@opts.file?
-        ## require at least one argument
-        _flags_error
-      end
+      return unless !_flags_set? && !@opts.file?
+
+      _flags_error
     end
 
     def _flags_set?
@@ -58,23 +74,22 @@ module Chelsea
 
     def _flags
       # Seems wrong, should all be handled by bin
-      [:file, :help, :config]
+      %i[file help config]
     end
 
-    def _show_logo()
+    def _show_logo
       font = TTY::Font.new(:doom)
-      puts @pastel.green(font.write("Chelsea"))
-      puts @pastel.green("Version: " + CLI::version)
+      puts @pastel.green(font.write('Chelsea'))
+      puts @pastel.green('Version: ' + CLI.version)
     end
 
-    def _try_load_config()
+    def _load_config
       config = Chelsea::Config.new
-      oss_index_config = config.get_oss_index_config()
+      config.oss_index_config
     end
 
-    def _try_set_config()
-      config = Chelsea::Config.new
-      config.get_oss_index_config_from_command_line()
+    def _set_config
+      Chelsea.oss_index_config_from_command_line
     end
   end
 end

data/lib/chelsea/config.rb

@@ -1,53 +1,72 @@
 require 'yaml'
+require_relative 'oss_index'
 
 module Chelsea
-  class Config
-    def initialize(opts = {})
-      @oss_index_config_location = File.join("#{Dir.home}", ".ossindex")
-      @oss_index_config_filename = ".oss-index-config"
-    end
+  @oss_index_config_location = File.join(Dir.home.to_s, '.ossindex')
+  @oss_index_config_filename = '.oss-index-config'
 
-    def get_oss_index_config()
-      if !File.exist? File.join(@oss_index_config_location, @oss_index_config_filename)
-        return {}
-      else
-        oss_index_config = YAML.load(File.read(File.join(@oss_index_config_location, @oss_index_config_filename)))
+  def self.to_purl(name, version)
+    "pkg:gem/#{name}@#{version}"
+  end
 
-        oss_index_config
-      end
+  def self.config(options = {})
+    if !options[:user].nil? && !options[:token].nil?
+      Chelsea::OSSIndex.new(
+        oss_index_user_name: options[:user],
+        oss_index_user_token: options[:token]
+      )
+    else
+      Chelsea::OSSIndex.new(oss_index_config)
     end
+  end
 
-    def get_white_list_vuln_config(white_list_config_path)
-      if white_list_config_path.nil?
-        white_list_vuln_config = YAML.load(File.read(File.join(Dir.pwd, "chelsea-ignore.yaml")))
-      else
-        white_list_vuln_config = YAML.load(File.read(white_list_config_path))
-      end
+  def self.client(options = {})
+    @client ||= config(options)
+    @client
+  end
 
-      white_list_vuln_config
+  def self.oss_index_config
+    if !File.exist? File.join(@oss_index_config_location, @oss_index_config_filename)
+      { oss_index_user_name: '', oss_index_user_token: '' }
+    else
+      conf_hash = YAML.safe_load(
+        File.read(
+          File.join(@@oss_index_config_location, @@oss_index_config_filename)
+        )
+      )
+      {
+        oss_index_user_name: conf_hash['Username'],
+        oss_index_user_token: conf_hash['Token']
+      }
     end
+  end
 
-    def get_oss_index_config_from_command_line()
-      config = {}
-
-      puts "What username do you want to authenticate as (ex: your email address)? "
-      config["Username"] = STDIN.gets.chomp
-
-      puts "What token do you want to use? "
-      config["Token"] = STDIN.gets.chomp
-
-      _set_oss_index_config(config)
+  def get_white_list_vuln_config(white_list_config_path)
+    if white_list_config_path.nil?
+      YAML.safe_load(File.read(File.join(Dir.pwd, 'chelsea-ignore.yaml')))
+    else
+      YAML.safe_load(File.read(white_list_config_path))
     end
+  end
+
+  def self.read_oss_index_config_from_command_line
+    config = {}
 
-    private
+    puts 'What username do you want to authenticate as (ex: your email address)? '
+    config['Username'] = STDIN.gets.chomp
 
-      def _set_oss_index_config(config)
-        Dir.mkdir(@oss_index_config_location) unless File.exists? @oss_index_config_location
+    puts 'What token do you want to use? '
+    config['Token'] = STDIN.gets.chomp
 
-        File.open(File.join(@oss_index_config_location, @oss_index_config_filename), "w") do |file|
-          file.write config.to_yaml
-        end
-      end
+    _write_oss_index_config_file(config)
+  end
 
+  def self._write_oss_index_config_file(config)
+    unless File.exist? @oss_index_config_location
+      Dir.mkdir(@oss_index_config_location)
+    end
+    File.open(File.join(@oss_index_config_location, @oss_index_config_filename), "w") do |file|
+      file.write config.to_yaml
+    end
   end
-end
+end

data/lib/chelsea/db.rb

@@ -0,0 +1,39 @@
+require 'pstore'
+
+module Chelsea
+  class DB
+    def initialize
+      @store = PStore.new(_get_db_store_location)
+    end
+
+    # This method will take an array of values, and save them to a pstore database
+    # and as well set a TTL of Time.now to be checked later
+    def save_values_to_db(values)
+      values.each do |val|
+        next unless get_cached_value_from_db(val['coordinates']).nil?
+
+        new_val = val.dup
+        new_val['ttl'] = Time.now
+        @store.transaction do
+          @store[new_val['coordinates']] = new_val
+        end
+      end
+    end
+
+    def _get_db_store_location()
+      initial_path = File.join(Dir.home.to_s, '.ossindex')
+      Dir.mkdir(initial_path) unless File.exist? initial_path
+      File.join(initial_path, 'chelsea.pstore')
+    end
+
+    # Checks pstore to see if a coordinate exists, and if it does also
+    # checks to see if it's ttl has expired. Returns nil unless a record
+    # is valid in the cache (ttl has not expired) and found
+    def get_cached_value_from_db(val)
+      record = @store.transaction { @store[val] }
+      return if record.nil?
+
+      (Time.now - record['ttl']) / 3600 > 12 ? nil : record
+    end
+  end
+end

data/lib/chelsea/deps.rb

@@ -4,34 +4,16 @@ require 'rubygems'
 require 'rubygems/commands/dependency_command'
 require 'json'
 require 'rest-client'
-require 'pstore'
 
 require_relative 'dependency_exception'
 require_relative 'oss_index'
 
 module Chelsea
   class Deps
-    attr_reader :server_response, :reverse_dependencies, :coordinates, :dependencies
-
-    def initialize(path: , oss_index_client: , quiet: false)
-      @oss_index_client = oss_index_client
-      @path, @quiet = path, quiet
-      ENV['BUNDLE_GEMFILE'] = File.expand_path(path).chomp(".lock")
-
-      begin
-        @lockfile = Bundler::LockfileParser.new(
-          File.read(@path)
-        )
-      rescue
-        raise "Gemfile.lock not parseable, please check file or that it's path is valid"
-      end
-
-      @dependencies = {}
-      @reverse_dependencies = {}
-      @dependencies_versions = {}
-      @coordinates = { 'coordinates' => [] }
-      @server_response = []
-      @store = PStore.new(_get_db_store_location())
+    def initialize(path:, quiet: false)
+      @quiet = quiet
+      ENV['BUNDLE_GEMFILE'] = File.expand_path(path).chomp('.lock')
+      @lockfile = Bundler::LockfileParser.new(File.read(path))
     end
 
     def nil?
@@ -39,119 +21,36 @@ module Chelsea
     end
 
     def self.to_purl(name, version)
-      return "pkg:gem/#{name}@#{version}"
+      "pkg:gem/#{name}@#{version}"
     end
 
-    # Parses specs from lockfile instanct var and inserts into dependenices instance var
-    def get_dependencies
-      @lockfile.specs.each do |gem|\
-        begin
-          @dependencies[gem.name] = [gem.name, gem.version]
-        rescue StandardError => e
-          raise Chelsea::DependencyException e, "Parsing dependency line #{gem} failed."
-        end
+    # Parses specs from lockfile instanct var and
+    # inserts into dependenices instance var
+    def dependencies
+      @lockfile.specs.each_with_object({}) do |gem, h|
+        h[gem.name] = [gem.name, gem.version]
       end
     end
 
     # Collects all reverse dependencies in reverse_dependencies instance var
-    def get_reverse_dependencies
-      begin
-        reverse = Gem::Commands::DependencyCommand.new
-        reverse.options[:reverse_dependencies] = true
-        @reverse_dependencies = reverse.reverse_dependencies(@lockfile.specs).to_h
-      rescue => e
-        raise Chelsea::DependencyException e, "ReverseDependencyException"
+    # this rescue block honks
+    def reverse_dependencies
+      reverse = Gem::Commands::DependencyCommand.new
+      reverse.options[:reverse_dependencies] = true
+      # We want to filter the reverses dependencies by specs in lockfile
+      spec_names = @lockfile.specs.map { |i| i.to_s.split }.map { |n, _| "#{n}" }
+      reverse.reverse_dependencies(@lockfile.specs).to_h.transform_values do |reverse_dep|
+        # Add filtering if version meets range
+        reverse_dep.select { |name, dep, req, _| spec_names.include?(name.split("-")[0]) }
       end
     end
 
     # Iterates over all dependencies and stores them
     # in dependencies_versions and coordinates instance vars
-    def get_dependencies_versions_as_coordinates
-      @dependencies.each do |p, r|
-        o =  r[0]
-        v = r[1].to_s
-        if v.split('.').length == 1 then
-          v = v + ".0.0"
-        elsif v.split('.').length == 2 then
-            v = v + ".0"
-        end
-        @dependencies_versions[p] = v
-      end
-
-      @dependencies_versions.each do |p, v|
-        @coordinates["coordinates"] << self.class.to_purl(p,v);
-      end
-    end
-
-    # Makes REST calls to OSS for vulnerabilities 128 coordinates at a time
-    # Checks cache and stores results in cache
-    def get_vulns()
-      _check_db_for_cached_values()
-
-      if @coordinates["coordinates"].count() > 0
-        chunked = Hash.new()
-        @coordinates["coordinates"].each_slice(128).to_a.each do |coords|
-          chunked["coordinates"] = coords
-          res_json = @oss_index_client.call_oss_index(chunked)
-          @server_response = @server_response.concat(res_json)
-          _save_values_to_db(res_json)
-        end
-      end
-    end
-
-    protected
-    # This method will take an array of values, and save them to a pstore database
-    # and as well set a TTL of Time.now to be checked later
-    def _save_values_to_db(values)
-      values.each do |val|
-        if _get_cached_value_from_db(val["coordinates"]).nil?
-          new_val = val.dup
-          new_val["ttl"] = Time.now
-          @store.transaction do
-            @store[new_val["coordinates"]] = new_val
-          end
-        end
-      end
-    end
-
-    def _get_db_store_location()
-      initial_path = File.join("#{Dir.home}", ".ossindex")
-      Dir.mkdir(initial_path) unless File.exists? initial_path
-      path = File.join(initial_path, "chelsea.pstore")
-    end
-
-    # Checks pstore to see if a coordinate exists, and if it does also
-    # checks to see if it's ttl has expired. Returns nil unless a record
-    # is valid in the cache (ttl has not expired) and found
-    def _get_cached_value_from_db(coordinate)
-      record = @store.transaction { @store[coordinate] }
-      if !record.nil?
-        diff = (Time.now - record['ttl']) / 3600
-        if diff > 12
-          return nil
-        else
-          return record
-        end
-      else
-        return nil
-      end
-    end
-
-    # Goes through the list of @coordinates and checks pstore for them, if it finds a valid coord
-    # it will add it to the server response. If it does not, it will append the coord to a new hash
-    # and eventually set @coordinates to the new hash, so we query OSS Index on only coords not in cache
-    def _check_db_for_cached_values()
-      new_coords = Hash.new
-      new_coords["coordinates"] = Array.new
-      @coordinates["coordinates"].each do |coord|
-        record = _get_cached_value_from_db(coord)
-        if !record.nil?
-          @server_response << record
-        else
-          new_coords["coordinates"].push(coord)
-        end
+    def coordinates
+      dependencies.each_with_object({ 'coordinates' => [] }) do |(name, v), coords|
+        coords['coordinates'] << self.class.to_purl(name, v[1]);
       end
-      @coordinates = new_coords
     end
   end
 end

data/lib/chelsea/formatters/factory.rb

@@ -2,15 +2,18 @@ require_relative 'json'
 require_relative 'xml'
 require_relative 'text'
 
+# Factory for formatting dependencies
 class FormatterFactory
-    def get_formatter(format: 'text', options: {})
-        case format
-        when 'text'
-          Chelsea::TextFormatter.new()
-        when 'json'
-          Chelsea::JsonFormatter.new()
-        when 'xml'
-          Chelsea::XMLFormatter.new()
-        end
+  def get_formatter(format: 'text', quiet: false)
+    case format
+    when 'text'
+      Chelsea::TextFormatter.new quiet: quiet
+    when 'json'
+      Chelsea::JsonFormatter.new quiet: quiet
+    when 'xml'
+      Chelsea::XMLFormatter.new quiet: quiet
+    else
+      Chelsea::TextFormatter.new quiet: quiet
+    end
   end
-end
+end

data/lib/chelsea/formatters/text.rb

@@ -8,7 +8,7 @@ module Chelsea
       @pastel = Pastel.new
     end
 
-    def get_results(dependencies)
+    def get_results(server_response, reverse_dependencies)
       response = String.new
       if !@quiet
         response += "\n"\
@@ -17,25 +17,25 @@ module Chelsea
       end
 
       i = 0
-      count = dependencies.server_response.count()
-      dependencies.server_response.each do |r|
+      count = server_response.count()
+      server_response.each do |r|
         i += 1
-        package = r["coordinates"]
-        vulnerable = r["vulnerabilities"].length() > 0
-        coord = r["coordinates"].sub("pkg:gem/", "")
+        package = r['coordinates']
+        vulnerable = r['vulnerabilities'].length.positive?
+        coord = r['coordinates'].sub('pkg:gem/', '')
         name = coord.split('@')[0]
         version = coord.split('@')[1]
-        reverse_deps = dependencies.reverse_dependencies["#{name}-#{version}"]
+        reverse_deps = reverse_dependencies["#{name}-#{version}"]
         if vulnerable
-          response += @pastel.red("[#{i}/#{count}] - #{package} ") +  @pastel.red.bold("Vulnerable.\n")
-          response += _get_reverse_deps(reverse_deps, name)
-          r["vulnerabilities"].each do |k, v|
-            response += @pastel.red.bold("    #{k}:#{v}\n")
+          response += @pastel.red("[#{i}/#{count}] - #{package} ") + @pastel.red.bold("Vulnerable.\n")
+          response += _get_reverse_deps(reverse_deps, name) if reverse_deps
+          r['vulnerabilities'].each do |k, v|
+            response += _format_vuln(v)
           end
         else
           if !@quiet
             response += @pastel.white("[#{i}/#{count}] - #{package} ") + @pastel.green.bold("No vulnerabilities found!\n")
-            response += _get_reverse_deps(reverse_deps, name)
+            response += _get_reverse_deps(reverse_deps, name) if reverse_deps
           end
         end
       end
@@ -47,17 +47,18 @@ module Chelsea
       puts results
     end
 
-    # Right now this looks at all Ruby deps, so it might find some in your Library, but that don't belong to your project
-    def _get_reverse_deps(coord, name)
-      response = String.new
-      coord.each do |dep|
+    def _format_vuln(vuln)
+      @pastel.red.bold("\n#{vuln}\n")
+    end
+
+    def _get_reverse_deps(coords, name)
+      coords.each_with_object(String.new) do |dep, s|
         dep.each do |gran|
           if gran.class == String && !gran.include?(name)
-            response += "\tRequired by: #{gran}\n"
+            s << "\tRequired by: #{gran}\n"
           end
         end
       end
-      response
     end
   end
 end

data/lib/chelsea/gems.rb

@@ -1,118 +1,107 @@
 # frozen_string_literal: true
-
 require 'pastel'
 require 'tty-spinner'
 require 'bundler'
 require 'bundler/lockfile_parser'
 require 'rubygems'
 require 'rubygems/commands/dependency_command'
+
 require_relative 'version'
 require_relative 'formatters/factory'
 require_relative 'deps'
-
+require_relative 'bom'
 
 module Chelsea
   class Gems
     def initialize(file:, quiet: false, options: {})
-      @file, @quiet, @options = file, quiet, options
-
-      if not _gemfile_lock_file_exists? or file.nil?
-        raise "Gemfile.lock not found, check --file path"
+      @quiet = quiet
+      unless File.file?(file) || file.nil?
+        raise 'Gemfile.lock not found, check --file path'
       end
+      _silence_stderr if @quiet
+
       @pastel = Pastel.new
-      @formatter = FormatterFactory.new.get_formatter(format: @options[:format], options: @options)
-      @deps = Chelsea::Deps.new({path: Pathname.new(@file), oss_index_client: Chelsea::OSSIndex.new(oss_index_user_name: @options[:user], oss_index_user_token: @options[:token])})
+      @formatter = FormatterFactory.new.get_formatter(format: options[:format], quiet: @quiet)
+      @client = Chelsea.client(options)
+      @deps = Chelsea::Deps.new(path: Pathname.new(file))
     end
 
     # Audits depenencies using deps library and prints results
     # using formatter library
-    def execute(input: $stdin, output: $stdout)
-      audit
-      if @deps.nil?
-        _print_err "No dependencies retrieved. Exiting."
+
+    def execute
+      server_response, dependencies, reverse_dependencies = audit
+      if dependencies.nil?
+        _print_err 'No dependencies retrieved. Exiting.'
         return
       end
-      if !@deps.server_response.count
-        _print_err "No vulnerability data retrieved from server. Exiting."
+      if server_response.nil?
+        _print_err 'No vulnerability data retrieved from server. Exiting.'
         return
       end
-      # if !@options[:whitelist]
-
-      # end
-      @formatter.do_print(@formatter.get_results(@deps))
+      results = @formatter.get_results(server_response, reverse_dependencies)
+      @formatter.do_print(results)
     end
 
     # Runs through auditing algorithm, raising exceptions
     # on REST calls made by @deps.get_vulns
     def audit
-      unless @quiet
-        spinner = _spin_msg "Parsing dependencies"
-      end
+      # This spinner management is out of control
+      # we should wrap a block with start and stop messages,
+      # or use a stack to ensure all spinners stop.
+      spinner = _spin_msg 'Parsing dependencies'
 
       begin
-        @deps.get_dependencies
-        unless @quiet
-          spinner.success("...done.")
-        end
+        dependencies = @deps.dependencies
+        spinner.success('...done.')
       rescue StandardError => e
-        unless @quiet
-          spinner.stop
-        end
+        spinner.stop
         _print_err "Parsing dependency line #{gem} failed."
       end
 
-      @deps.get_reverse_dependencies
+      reverse_dependencies = @deps.reverse_dependencies
 
-      unless @quiet
-        spinner = _spin_msg "Parsing Versions"
-      end
-      @deps.get_dependencies_versions_as_coordinates
-      unless @quiet
-        spinner.success("...done.")
-      end
-
-      unless @quiet
-        spinner = _spin_msg "Making request to OSS Index server"
-      end
+      spinner = _spin_msg 'Parsing Versions'
+      coordinates = @deps.coordinates
+      spinner.success('...done.')
+      spinner = _spin_msg 'Making request to OSS Index server'
 
       begin
-        @deps.get_vulns
-        unless @quiet
-          spinner.success("...done.")
-        end
+        server_response = @client.get_vulns(coordinates)
+        spinner.success('...done.')
       rescue SocketError => e
-        unless @quiet
-          spinner.stop("...request failed.")
-        end
-        _print_err "Socket error getting data from OSS Index server."
+        spinner.stop('...request failed.')
+        _print_err 'Socket error getting data from OSS Index server.'
       rescue RestClient::RequestFailed => e
-        unless @quiet
-          spinner.stop("...request failed.")
-        end
+        spinner.stop('...request failed.')
         _print_err "Error getting data from OSS Index server:#{e.response}."
-      rescue RestClient::ResourceNotfound => e
-        unless @quiet
-          spinner.stop("...request failed.")
-        end
-        _print_err "Error getting data from OSS Index server. Resource not found."
+      rescue RestClient::ResourceNotFound => e
+        spinner.stop('...request failed.')
+        _print_err 'Error getting data from OSS Index server. Resource not found.'
       rescue Errno::ECONNREFUSED => e
-        unless @quiet
-          spinner.stop("...request failed.")
-        end
-        _print_err "Error getting data from OSS Index server. Connection refused."
+        spinner.stop('...request failed.')
+        _print_err 'Error getting data from OSS Index server. Connection refused.'
       rescue StandardError => e
-        unless @quiet
-          spinner.stop("...request failed.")
-        end
-        _print_err "UNKNOWN Error getting data from OSS Index server."
+        spinner.stop('...request failed.')
+        _print_err 'UNKNOWN Error getting data from OSS Index server.'
       end
+      [server_response, dependencies, reverse_dependencies]
     end
 
     protected
+
+    def _silence_stderr
+      $stderr.reopen('/dev/null', 'w')
+    end
+
     def _spin_msg(msg)
       format = "[#{@pastel.green(':spinner')}] " + @pastel.white(msg)
-      spinner = TTY::Spinner.new(format, success_mark: @pastel.green('+'), hide_cursor: true)
-      spinner.auto_spin()
+      spinner = TTY::Spinner.new(
+        format,
+        success_mark: @pastel.green('+'),
+        hide_cursor: true
+      )
+      spinner.auto_spin
       spinner
     end
 
@@ -123,9 +112,5 @@ module Chelsea
     def _print_success(s)
       puts @pastel.green.bold(s)
     end
-
-    def _gemfile_lock_file_exists?
-      ::File.file? @file
-    end
   end
-end
+end

data/lib/chelsea/iq_client.rb

@@ -0,0 +1,61 @@
+require 'rest-client'
+require 'json'
+
+module Chelsea
+  class IQClient
+    DEFAULT_OPTIONS = {
+      public_application_id: 'testapp',
+      server_url: 'http://localhost:8070',
+      username: 'admin',
+      auth_token: 'admin123',
+      internal_application_id: ''
+    }
+    def initialize(options: DEFAULT_OPTIONS)
+      @options = options
+    end
+
+    def submit_sbom(sbom)
+      @internal_application_id = _get_internal_application_id()
+      resource = RestClient::Resource.new(
+        _api_url,
+        user: @options[:username],
+        password: @options[:auth_token]
+      )
+      _headers['Content-Type'] = 'application/xml'
+      resource.post sbom.to_s, _headers
+    end
+
+    def status_url(res)
+      res = JSON.parse(res.body)
+      res['statusUrl']
+    end
+
+    private
+
+    def _get_internal_application_id
+      resource = RestClient::Resource.new(
+        _internal_application_id_api_url,
+        user: @username,
+        password: @auth_token
+      )
+      res = JSON.parse(resource.get(headers))
+      res['applications'][0]['id']
+    end
+
+    def _headers
+      { 'User-Agent' => _user_agent }
+    end
+
+    def _api_url
+      "#{@options[:server_url]}/api/v2/scan/applications/#{@@internal_application_id}/sources/chelsea"
+    end
+
+    def _internal_application_id_api_url
+      "#{@options[:server_url]}/api/v2/applications?publicId=#{@options[:public_application_id]}"
+    end
+
+    def _user_agent
+      "chelsea/#{Chelsea::VERSION}"
+    end
+  end
+end

data/lib/chelsea/oss_index.rb

@@ -1,50 +1,77 @@
+# frozen_string_literal: true
+
 require_relative 'config'
 require 'rest-client'
+require_relative 'db'
 
 module Chelsea
   class OSSIndex
+    def initialize(oss_index_user_name: '', oss_index_user_token: '')
+      @oss_index_user_name = oss_index_user_name
+      @oss_index_user_token = oss_index_user_token
+      @db = DB.new
+    end
 
-    def initialize(oss_index_user_name: "", oss_index_user_token: "")
-      if oss_index_user_name.empty? || oss_index_user_token.empty?
-        config = Chelsea::Config.new().get_oss_index_config()
-        if config != {}
-          @oss_index_user_name, @oss_index_user_token = config["Username"], config["Token"]
-        else
-          @oss_index_user_name, @oss_index_user_token = oss_index_user_name, oss_index_user_token
-        end
-      else
-        @oss_index_user_name, @oss_index_user_token = oss_index_user_name, oss_index_user_token
+    # Makes REST calls to OSS for vulnerabilities 128 coordinates at a time
+    # Checks cache and stores results in cache
+
+    def get_vulns(coordinates)
+      remaining_coordinates, cached_server_response = _cache(coordinates)
+      unless remaining_coordinates['coordinates'].count.positive?
+        return cached_server_response
+      end
+
+      remaining_coordinates['coordinates'].each_slice(128).to_a.each do |coords|
+        res_json = call_oss_index({ 'coordinates' => coords })
+        cached_server_response = cached_server_response.concat(res_json)
+        @db.save_values_to_db(res_json)
       end
+      cached_server_response
     end
 
     def call_oss_index(coords)
       r = _resource.post coords.to_json, _headers
-      if r.code == 200
-        JSON.parse(r.body)
-      end
+      r.code == 200 ? JSON.parse(r.body) : {}
     end
 
     private
 
+    def _cache(coordinates)
+      new_coords = { 'coordinates' => [] }
+      cached_server_response = []
+      coordinates['coordinates'].each do |coord|
+        record = @db.get_cached_value_from_db(coord)
+        if !record.nil?
+          cached_server_response << record
+        else
+          new_coords['coordinates'].push(coord)
+        end
+      end
+      [new_coords, cached_server_response]
+    end
+
     def _headers
       { :content_type => :json, :accept => :json, 'User-Agent' => _user_agent }
     end
 
     def _resource
       if !@oss_index_user_name.empty? && !@oss_index_user_token.empty?
-        RestClient::Resource.new _api_url, :user => @oss_index_user_name, :password => @oss_index_user_token
+        RestClient::Resource.new(
+          _api_url,
+          user: @oss_index_user_name,
+          password: @oss_index_user_token
+        )
       else
         RestClient::Resource.new _api_url
       end
     end
 
     def _api_url
-      "https://ossindex.sonatype.org/api/v3/component-report"
+      'https://ossindex.sonatype.org/api/v3/component-report'
     end
 
     def _user_agent
       "chelsea/#{Chelsea::VERSION}"
     end
-
   end
-end
+end

data/lib/chelsea/version.rb

@@ -1,3 +1,3 @@
 module Chelsea
-  VERSION = "0.0.7"
+  VERSION = '0.0.8'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.8
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-07 00:00:00.000000000 Z
+date: 2020-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font
@@ -198,8 +198,10 @@ files:
 - chelsea
 - chelsea.gemspec
 - lib/chelsea.rb
+- lib/chelsea/bom.rb
 - lib/chelsea/cli.rb
 - lib/chelsea/config.rb
+- lib/chelsea/db.rb
 - lib/chelsea/dependency_exception.rb
 - lib/chelsea/deps.rb
 - lib/chelsea/formatters/factory.rb
@@ -208,6 +210,7 @@ files:
 - lib/chelsea/formatters/text.rb
 - lib/chelsea/formatters/xml.rb
 - lib/chelsea/gems.rb
+- lib/chelsea/iq_client.rb
 - lib/chelsea/oss_index.rb
 - lib/chelsea/version.rb
 homepage: https://github.com/sonatype-nexus-community/chelsea