chelsea 0.0.10 → 0.0.11
- checksums.yaml +4 -4
- data/.github/CONTRIBUTING.md +18 -0
- data/.github/ISSUE_TEMPLATE/bug_report.md +31 -0
- data/.github/ISSUE_TEMPLATE/config.yml +1 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +18 -0
- data/.github/pull_request_template.md +14 -0
- data/CONTRIBUTORS.md +14 -0
- data/Gemfile.lock +2 -2
- data/README.md +125 -22
- data/bin/chelsea +7 -7
- data/lib/chelsea/version.rb +1 -1
- metadata +8 -3
- data/LICENSE +0 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2c64fc1b71e170403212d48a6882293c42c80b4d034e06fe4968736ec5256e84
|
4
|
+
data.tar.gz: a65ca2fbfb43e9f9e82b0c3e0c6ffcd42d220dee77642078c49de18a2c71e0bf
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: acaeebea469ad89aae49bdbf0cb3c89f34e2c8b83b0fbdd184d90997459c8a94a35e6575d072ec5b6eacecede3a5ebffeccee4b710d2751c6d16d17c9acdc67f
|
7
|
+
data.tar.gz: 85123d9942b78903df70fba3bb51288b0dc40a24e2cba7c83c43c027bc00c4948a906568b17b9ec24edbf17d27627d381b6f64e1127bdc861ac5236d29d5274b
|
@@ -0,0 +1,18 @@
|
|
1
|
+
## How to be a contributor to this project
|
2
|
+
|
3
|
+
### Are you submitting a pull request?
|
4
|
+
|
5
|
+
* Make sure to fill out an issue for your PR, so that we have traceability as to what you are trying to fix,
|
6
|
+
versus how you fixed it.
|
7
|
+
* Spaces (not tabs), and 2 of them, that's what we like. Set your code style :)
|
8
|
+
* Sign the [Sonatype CLA](https://sonatypecla.herokuapp.com/sign-cla)
|
9
|
+
* Try to fix one thing per pull request! Many people work on this code, so the more focused your changes are, the less
|
10
|
+
of a headache other people will have when they merge their work in.
|
11
|
+
* Ensure your Pull Request passes tests either locally or via CircleCI (it will run automatically on your PR)
|
12
|
+
* Make sure to add yourself or your organization to CONTRIBUTORS.md as a part of your PR, if you are new to the project!
|
13
|
+
* If you're stuck, ask our [gitter channel](https://gitter.im/sonatype-nexus-community/chelsea)! There are a number of experienced programmers who are happy to help with learning and troubleshooting.
|
14
|
+
|
15
|
+
### Are you new and looking to dive in?
|
16
|
+
|
17
|
+
* Check our issues to see if there is something you can dive in to.
|
18
|
+
* Come hang out with us at our [gitter channel](https://gitter.im/sonatype-nexus-community/chelsea).
|
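Review bot: the style rule `* Spaces (not tabs), and 2 of them, that's what we like. Set your code style :)` is stated in prose only, so nothing enforces it; consider adding an `.editorconfig` or a RuboCop configuration to the repository so the CircleCI run mentioned under `Ensure your Pull Request passes tests` checks it instead of each reviewer. The CLA link also points at a herokuapp.com host, which is fine today but is the kind of URL that breaks when the app is moved; if there is a canonical Sonatype CLA address, prefer that.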
@@ -0,0 +1,31 @@
|
|
1
|
+
---
|
2
|
+
name: Bug report
|
3
|
+
about: Create a report to help us improve
|
4
|
+
title: "[BUG]"
|
5
|
+
labels: bug
|
6
|
+
assignees: ''
|
7
|
+
|
8
|
+
---
|
9
|
+
|
10
|
+
**Describe the bug**
|
11
|
+
A clear and concise description of what the bug is.
|
12
|
+
|
13
|
+
**To Reproduce**
|
14
|
+
Steps to reproduce the behavior:
|
15
|
+
1. Run '...'
|
16
|
+
2. See error
|
17
|
+
|
18
|
+
**Expected behavior**
|
19
|
+
A clear and concise description of what you expected to happen.
|
20
|
+
|
21
|
+
**Screenshots**
|
22
|
+
If applicable, add screenshots to help explain your problem.
|
23
|
+
|
24
|
+
**Desktop (please complete the following information):**
|
25
|
+
- OS: [e.g. OS X 1.13.6]
|
26
|
+
- Ruby Version: [e.g. 2.6.5]
|
27
|
+
- Bundler Version: [e.g. 2.1.4]
|
28
|
+
- chelsea Version [e.g. 0.0.11]
|
29
|
+
|
30
|
+
**Additional context**
|
31
|
+
Add any other context about the problem here.
|
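Review bot: the example `- OS: [e.g. OS X 1.13.6]` looks like a typo for `10.13.6`, and `- chelsea Version [e.g. 0.0.11]` is missing the colon the other three fields use. Beyond that, the `To Reproduce` section only asks for `Run '...'`; since `--file`, `--format`, `--quiet` and `--iq` all change the code path, ask explicitly for the full command line with any `--token` or `--iqpass` value redacted, so reporters do not paste a live credential into a public issue.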
@@ -0,0 +1 @@
|
|
1
|
+
blank_issues_enabled: false
|
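Review bot: `blank_issues_enabled: false` routes every report through the bug or feature template, and both of those create public issues; for a tool whose purpose is vulnerability reporting it is worth adding a `contact_links` entry in this file that sends anyone with a security-sensitive report (a vulnerability in chelsea itself, or an OSS Index token pasted into a log) to a private channel rather than a public issue.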
@@ -0,0 +1,18 @@
|
|
1
|
+
---
|
2
|
+
name: Feature request
|
3
|
+
about: Suggest an idea for this project
|
4
|
+
title: "[FEATURE]"
|
5
|
+
labels: enhancement
|
6
|
+
assignees: ''
|
7
|
+
|
8
|
+
---
|
9
|
+
|
10
|
+
* **What are you trying to do?**
|
11
|
+
|
12
|
+
* **What feature or behavior is this required for?**
|
13
|
+
|
14
|
+
* **How could we solve this issue? (Not knowing is okay!)**
|
15
|
+
|
16
|
+
* **Anything else?**
|
17
|
+
|
18
|
+
cc @bhamail / @DarthHater / @brittanybelle / @gmohre
|
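Review bot: the trailing `cc @bhamail / @DarthHater / @brittanybelle / @gmohre` hardcodes four handles in the template body, which will need editing by hand whenever maintainers change; if the goal is to notify maintainers on every new request, the `assignees:` field in the front matter above (currently `''`) or a `CODEOWNERS` file does that without relying on reporters leaving the line intact.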
@@ -0,0 +1,14 @@
|
|
1
|
+
(brief, plain english overview of your changes here)
|
2
|
+
|
3
|
+
This pull request makes the following changes:
|
4
|
+
* (your change here)
|
5
|
+
* (another change here)
|
6
|
+
* (etc)
|
7
|
+
|
8
|
+
(If there are changes to user behavior in general, please make sure to
|
9
|
+
update the docs, as well)
|
10
|
+
|
11
|
+
It relates to the following issue #s:
|
12
|
+
* Fixes #X
|
13
|
+
|
14
|
+
cc @bhamail / @DarthHater / @brittanybelle / @gmohre
|
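Review bot: the template has no checklist, so none of the requirements CONTRIBUTING.md sets for every PR (linked issue, passing tests, signed CLA, added to CONTRIBUTORS.md) are prompted for here; consider adding checkbox items under the change list, for example `* [ ] Tests pass locally or on CircleCI` and `* [ ] Added myself to CONTRIBUTORS.md (first contribution)`, so a reviewer can see at a glance what the contributor has done. The same hardcoded `cc` line as the feature request template appears at the end and has the same maintenance cost.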
data/CONTRIBUTORS.md
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
A lot of awesome people have contributed to this project! Here they are:
|
2
|
+
|
3
|
+
Sonatype internal people:
|
4
|
+
|
5
|
+
* [@ken-duck](https://github.com/ken-duck/) (Ken Duck)
|
6
|
+
* [@DarthHater](https://github.com/darthhater/) (Jeffry Hesse)
|
7
|
+
* [@bhamail](https://github.com/bhamail) (Dan Rollo)
|
8
|
+
|
9
|
+
External contributors:
|
10
|
+
|
11
|
+
* [@allisterb](https://github.com/allisterb) (Allister Beharry)
|
12
|
+
* [@gmohre](https://github.com/gmohre) (Glenn Mohre)
|
13
|
+
|
14
|
+
Possibly You!
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -1,27 +1,59 @@
|
|
1
1
|
# Chelsea
|
2
2
|
|
3
|
-
|
3
|
+
![Gem](https://img.shields.io/gem/v/chelsea)
|
4
|
+
[![Gitter](https://badges.gitter.im/sonatype-nexus-community/chelsea.svg)](https://gitter.im/sonatype-nexus-community/chelsea?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
|
5
|
+
[![CircleCI](https://circleci.com/gh/sonatype-nexus-community/chelsea.svg?style=shield)](https://circleci.com/gh/sonatype-nexus-community/chelsea)
|
4
6
|
|
5
|
-
|
7
|
+
Chelsea is a CLI application written in Ruby, designed to allow you to scan your RubyGem powered projects and report on any vulnerabilities in your third party dependencies. It is powered by [Sonatype's OSS Index.](https://ossindex.sonatype.org/)
|
6
8
|
|
7
|
-
|
9
|
+
## Usage
|
10
|
+
|
11
|
+
Chelsea can be installed with the `gem` command:
|
8
12
|
|
9
|
-
```
|
10
|
-
gem
|
13
|
+
```
|
14
|
+
$ gem install chelsea
|
11
15
|
```
|
12
16
|
|
13
|
-
|
17
|
+
```
|
18
|
+
$ chelsea
|
19
|
+
_____ _ _
|
20
|
+
/ __ \| | | |
|
21
|
+
| / \/| |__ ___ | | ___ ___ __ _
|
22
|
+
| | | '_ \ / _ \| |/ __| / _ \ / _` |
|
23
|
+
| \__/\| | | || __/| |\__ \| __/| (_| |
|
24
|
+
\____/|_| |_| \___||_||___/ \___| \__,_|
|
25
|
+
|
26
|
+
|
27
|
+
Version: 0.0.11
|
14
28
|
|
15
|
-
|
29
|
+
usage: chelsea [options] ...
|
16
30
|
|
17
|
-
|
31
|
+
Options:
|
32
|
+
-f, --file Path to your Gemfile.lock
|
33
|
+
-c, --config Set persistent config for OSS Index
|
34
|
+
-u, --user Specify OSS Index Username
|
35
|
+
-p, --token Specify OSS Index API Token
|
36
|
+
-a, --application Specify the IQ application id
|
37
|
+
-i, --server Specify the IQ server url
|
38
|
+
-iu, --iquser Specify the IQ username
|
39
|
+
-it, --iqpass Specify the IQ auth token
|
40
|
+
-w, --whitelist Set path to vulnerability whitelist file
|
41
|
+
-q, --quiet Make chelsea only output vulnerable third party dependencies for text output (default: false)
|
42
|
+
-t, --format Choose what type of format you want your report in (default: text) (options: text, json, xml)
|
43
|
+
-b, --iq Use Nexus IQ Server to audit your project
|
44
|
+
--version Print the version
|
45
|
+
-h, --help Show usage
|
46
|
+
```
|
18
47
|
|
19
|
-
|
48
|
+
### Basic usage
|
20
49
|
|
21
|
-
|
50
|
+
The most basic usage of chelsea would look like:
|
51
|
+
|
52
|
+
`chelsea --file Gemfile.lock`
|
53
|
+
|
54
|
+
After running this command, you'd see something similar to the following:
|
22
55
|
|
23
56
|
```
|
24
|
-
$ chelsea
|
25
57
|
_____ _ _
|
26
58
|
/ __ \| | | |
|
27
59
|
| / \/| |__ ___ | | ___ ___ __ _
|
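Review bot: the help text pasted into the `Usage` block hardcodes `Version: 0.0.11`, so it will be stale after the next release; either drop the banner from the README or say the output is from a specific version. More importantly for users, the block documents `-p, --token Specify OSS Index API Token` without mentioning that a token passed as an argument lands in shell history and is visible to other local users via the process list; since `--config` already exists, the README should recommend `chelsea --config` for storing the token and reserve `--token` for CI environments where the argument is injected from a secret store.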
@@ -30,21 +62,65 @@ $ chelsea
|
|
30
62
|
\____/|_| |_| \___||_||___/ \___| \__,_|
|
31
63
|
|
32
64
|
|
33
|
-
Version: 0.0.
|
65
|
+
Version: 0.0.11
|
66
|
+
[+] Parsing dependencies ...done.
|
67
|
+
[+] Parsing Versions ...done.
|
68
|
+
[+] Making request to OSS Index server ...done.
|
34
69
|
|
35
|
-
|
70
|
+
Audit Results
|
71
|
+
=============
|
72
|
+
```
|
73
|
+
|
74
|
+
Audit Results will show a list of your third party dependencies, their reverse dependencies (so what brought them in to your project), and if they are vulnerable or not.
|
75
|
+
|
76
|
+
### Quiet usage
|
77
|
+
|
78
|
+
Running with `--quiet` will only output any vulnerable dependencies found, similar to:
|
36
79
|
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
80
|
+
```
|
81
|
+
_____ _ _
|
82
|
+
/ __ \| | | |
|
83
|
+
| / \/| |__ ___ | | ___ ___ __ _
|
84
|
+
| | | '_ \ / _ \| |/ __| / _ \ / _` |
|
85
|
+
| \__/\| | | || __/| |\__ \| __/| (_| |
|
86
|
+
\____/|_| |_| \___||_||___/ \___| \__,_|
|
87
|
+
|
88
|
+
|
89
|
+
Version: 0.0.11
|
90
|
+
[15/31] - pkg:gem/rake@10.5.0 Vulnerable.
|
91
|
+
Required by: domain_name-0.5.20190701
|
92
|
+
Required by: equatable-0.6.1
|
93
|
+
Required by: pastel-0.7.3
|
94
|
+
Required by: public_suffix-4.0.3
|
95
|
+
Required by: rspec_junit_formatter-0.4.1
|
96
|
+
Required by: slop-4.8.1
|
97
|
+
Required by: slop-4.8.0
|
98
|
+
Required by: unf-0.1.4
|
99
|
+
Required by: unf_ext-0.0.7.7
|
100
|
+
Required by: unf_ext-0.0.7.6
|
43
101
|
```
|
44
102
|
|
45
|
-
|
103
|
+
This can be useful if you are only interested in seeing your vulnerable dependencies, and not the whole list.
|
46
104
|
|
47
|
-
|
105
|
+
### Usage with Formatters
|
106
|
+
|
107
|
+
Chelsea can be run with a number of different formatters:
|
108
|
+
|
109
|
+
- `json`
|
110
|
+
- `text` (default)
|
111
|
+
- `xml` (output is JUnit XML style, useful for treating vulnerable dependencies as failing test cases)
|
112
|
+
|
113
|
+
To use the formatters, run Chelsea like so:
|
114
|
+
|
115
|
+
`chelsea --file Gemfile.lock --format json`
|
116
|
+
|
117
|
+
### Rate Limiting / Setting OSS Index config
|
118
|
+
|
119
|
+
Chelsea will cache results from OSS Index, preventing Rate Limiting to occur in most cases. However, usage in CI, or heavy usage of Chelsea from a single IP can run into rate limiting, and the good news is you can [register on OSS Index](https://ossindex.sonatype.org/user/register), and then get your API Token from [your settings](https://ossindex.sonatype.org/user/settings). Once you have that, you can set config for Chelsea like so:
|
120
|
+
|
121
|
+
`chelsea --config`
|
122
|
+
|
123
|
+
Chelsea will prompt you to save your config, provide your username (email address that you registered on OSS Index with), and API Token, save those, and voila! Your rate limiting should be sufficient for most use cases at this point. If it isn't, get in touch via our GitHub issues, and we can take a look at your use case and potentially partner!
|
48
124
|
|
49
125
|
## Development
|
50
126
|
|
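Review bot: the `Rate Limiting / Setting OSS Index config` section says `chelsea --config` prompts for and saves the username and API token but never says where that file is written or with what permissions, which is the first thing a user storing a credential will ask; add the path and state that the file should be readable only by its owner. Two smaller items: `preventing Rate Limiting to occur in most cases` should read `preventing rate limiting in most cases`, and the `-w, --whitelist` option in the usage block has no section here describing the file format, so a user cannot tell how a finding is suppressed or how to review what has been suppressed.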
@@ -52,14 +128,41 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
|
52
128
|
|
53
129
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
54
130
|
|
131
|
+
## Why Chelsea?
|
132
|
+
|
133
|
+
One of the awesome developers at Sonatype was thinking of names, and came upon the [Chelsea filter](https://en.wikipedia.org/wiki/Chelsea_filter). A Chelsea filter is used to separate gemstones, helping gemologists distinguish between real emeralds, and just regular green glass. We felt this tool helps you do something very similar, looking at your RubyGems, and seeing which are pristine, and which are less than ok at the moment.
|
134
|
+
|
55
135
|
## Contributing
|
56
136
|
|
57
|
-
|
137
|
+
We care a lot about making the world a safer place, and that's why we created `chelsea`. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!
|
138
|
+
|
139
|
+
This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
58
140
|
|
59
141
|
## Code of Conduct
|
60
142
|
|
61
143
|
Everyone interacting in the Chelsea project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/sonatype-nexus-community/chelsea/blob/master/CODE_OF_CONDUCT.md).
|
62
144
|
|
145
|
+
## The Fine Print
|
146
|
+
|
147
|
+
It is worth noting that this is **NOT SUPPORTED** by Sonatype, and is a contribution of ours
|
148
|
+
to the open source community (read: you!)
|
149
|
+
|
150
|
+
Remember:
|
151
|
+
|
152
|
+
* Use this contribution at the risk tolerance that you have
|
153
|
+
* Do NOT file Sonatype support tickets related to `chelsea` support in regard to this project
|
154
|
+
* DO file issues here on GitHub, so that the community can pitch in
|
155
|
+
|
156
|
+
Phew, that was easier than I thought. Last but not least of all:
|
157
|
+
|
158
|
+
Have fun creating and using `chelsea` and the [Sonatype OSS Index](https://ossindex.sonatype.org/), we are glad to have you here!
|
159
|
+
|
160
|
+
## Getting help
|
161
|
+
|
162
|
+
Looking to contribute to our code but need some help? There's a few ways to get information:
|
163
|
+
|
164
|
+
* Chat with us on [Gitter](https://gitter.im/sonatype-nexus-community/chelsea)
|
165
|
+
|
63
166
|
## Copyright
|
64
167
|
|
65
168
|
Copyright (c) 2019 Allister Beharry. See [MIT License](LICENSE.txt) for further details.
|
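Review bot: `Getting help` says `There's a few ways to get information` but lists only Gitter; either add the GitHub issues link that `The Fine Print` already tells users to use, or change the wording to match the single entry. The `Contributor Covenant` link is plain `http://contributor-covenant.org`; use `https://contributor-covenant.org` so the code of conduct link is not served over an unencrypted connection.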
data/bin/chelsea
CHANGED
@@ -5,23 +5,23 @@ require 'slop'
|
|
5
5
|
opts =
|
6
6
|
begin
|
7
7
|
Slop.parse do |o|
|
8
|
-
o.string '-f', '--file', '
|
8
|
+
o.string '-f', '--file', 'Path to your Gemfile.lock'
|
9
9
|
o.bool '-c', '--config', 'Set persistent config for OSS Index'
|
10
10
|
o.string '-u', '--user', 'Specify OSS Index Username'
|
11
11
|
o.string '-p', '--token', 'Specify OSS Index API Token'
|
12
12
|
o.string '-a', '--application', 'Specify the IQ application id', default: 'testapp'
|
13
|
-
o.string '-i', '--server', '
|
13
|
+
o.string '-i', '--server', 'Specify the IQ server url', default: 'http://localhost:8070'
|
14
14
|
o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
|
15
15
|
o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
|
16
16
|
o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
|
17
|
-
o.bool '-q', '--quiet', '
|
18
|
-
o.string '-t', '--format', '
|
19
|
-
o.bool '-b', '--
|
20
|
-
o.on '--version', '
|
17
|
+
o.bool '-q', '--quiet', 'Make chelsea only output vulnerable third party dependencies for text output (default: false)', default: false
|
18
|
+
o.string '-t', '--format', 'Choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
|
19
|
+
o.bool '-b', '--iq', 'Use Nexus IQ Server to audit your project'
|
20
|
+
o.on '--version', 'Print the version' do
|
21
21
|
puts Chelsea::VERSION
|
22
22
|
exit
|
23
23
|
end
|
24
|
-
o.on '-h', '--help', '
|
24
|
+
o.on '-h', '--help', 'Show usage' do
|
25
25
|
puts(o)
|
26
26
|
exit
|
27
27
|
end
|
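Review bot: `-iu, --iquser` and `-it, --iqpass` ship with defaults of `admin` and `admin123`, so a user who passes `--iq` without overriding them silently authenticates to whatever is listening at the `--server` default `http://localhost:8070` with a well-known default credential; better to give these no default, fail with a clear message when `--iq` is set and they are missing, and read them (and `--token`) from environment variables or the `--config` store rather than argv, where they appear in shell history and `ps` output. The option is also named `--iqpass` while its help text says `Specify the IQ auth token`; pick one so users know which credential to supply.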
data/lib/chelsea/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chelsea
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.11
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Allister Beharry
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-04-
|
11
|
+
date: 2020-04-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: tty-font
|
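Review bot: `cert_chain: []` is unchanged in this hunk, so 0.0.11 is published as an unsigned gem; for a tool that people will run in CI to audit their dependencies it is worth signing releases (`gem cert` to create the certificate, then `signing_key` and `cert_chain` in the gemspec) so that installs with `gem install --trust-policy` can verify the package, and at minimum publishing the `data.tar.gz` checksum alongside the release notes.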
@@ -182,13 +182,18 @@ extra_rdoc_files: []
|
|
182
182
|
files:
|
183
183
|
- ".circleci/config.yml"
|
184
184
|
- ".circleci/setup-rubygems.sh"
|
185
|
+
- ".github/CONTRIBUTING.md"
|
186
|
+
- ".github/ISSUE_TEMPLATE/bug_report.md"
|
187
|
+
- ".github/ISSUE_TEMPLATE/config.yml"
|
188
|
+
- ".github/ISSUE_TEMPLATE/feature_request.md"
|
189
|
+
- ".github/pull_request_template.md"
|
185
190
|
- ".gitignore"
|
186
191
|
- ".rspec"
|
187
192
|
- ".vscode/launch.json"
|
188
193
|
- CODE_OF_CONDUCT.md
|
194
|
+
- CONTRIBUTORS.md
|
189
195
|
- Gemfile
|
190
196
|
- Gemfile.lock
|
191
|
-
- LICENSE
|
192
197
|
- LICENSE.txt
|
193
198
|
- README.md
|
194
199
|
- Rakefile
|
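Review bot: the `files` list now packages the whole `.github/` directory alongside `.circleci/config.yml`, `.circleci/setup-rubygems.sh` and `.vscode/launch.json`; none of these are needed at runtime, and the `.vscode` file is a local editor setting, so tighten the `files` glob in the gemspec (for example to `lib/`, `bin/`, the README and the license file) rather than shipping everything `git ls-files` returns. Dropping `LICENSE` while keeping `LICENSE.txt` is consistent with the README, which links `LICENSE.txt`.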
data/LICENSE
DELETED
@@ -1,7 +0,0 @@
|
|
1
|
-
Copyright 2020 Sonatype
|
2
|
-
|
3
|
-
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
4
|
-
|
5
|
-
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
6
|
-
|
7
|
-
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
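Review bot: deleting this file removes the only `Copyright 2020 Sonatype` notice in the package, and the README's `Copyright` section states that the remaining `LICENSE.txt` carries Allister Beharry's 2019 notice; if Sonatype's contributions are meant to be covered under the same MIT terms, add the 2020 line to `LICENSE.txt` rather than dropping it with this file.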