chelsea 0.0.10 → 0.0.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 426b36c6da9a9e94ce6f973974da56e49ad9e4c1429ad24531ccc70747cc91ba
-  data.tar.gz: b0139684ca64531361035fb56944b8ff66b2c62ef0f84a43496f7541bab9905e
+  metadata.gz: 2c64fc1b71e170403212d48a6882293c42c80b4d034e06fe4968736ec5256e84
+  data.tar.gz: a65ca2fbfb43e9f9e82b0c3e0c6ffcd42d220dee77642078c49de18a2c71e0bf
 SHA512:
-  metadata.gz: 9f1b7c6ecb69bb41b32ed8d7099139eb248dcd3a18005fa602ce9d68eb528c8b8faa14e33e8781bee2cd7b9b69199bfa24d9bfc52e8b00a554cffb5de8e269fb
-  data.tar.gz: 1aa1552bbc348bb4bcc2252ddc1623383ca70f5fe2f6c009937e52894d8b2d743349eeca2c17944c0e7b4283074acfb2a9d15279647976201a5b83c2894a9d89
+  metadata.gz: acaeebea469ad89aae49bdbf0cb3c89f34e2c8b83b0fbdd184d90997459c8a94a35e6575d072ec5b6eacecede3a5ebffeccee4b710d2751c6d16d17c9acdc67f
+  data.tar.gz: 85123d9942b78903df70fba3bb51288b0dc40a24e2cba7c83c43c027bc00c4948a906568b17b9ec24edbf17d27627d381b6f64e1127bdc861ac5236d29d5274b

data/.github/CONTRIBUTING.md

@@ -0,0 +1,18 @@
+## How to be a contributor to this project
+
+### Are you submitting a pull request?
+
+* Make sure to fill out an issue for your PR, so that we have traceability as to what you are trying to fix,
+versus how you fixed it.
+* Spaces (not tabs), and 2 of them, that's what we like. Set your code style :)
+* Sign the [Sonatype CLA](https://sonatypecla.herokuapp.com/sign-cla)
+* Try to fix one thing per pull request! Many people work on this code, so the more focused your changes are, the less
+of a headache other people will have when they merge their work in.
+* Ensure your Pull Request passes tests either locally or via CircleCI (it will run automatically on your PR)
+* Make sure to add yourself or your organization to CONTRIBUTORS.md as a part of your PR, if you are new to the project!
+* If you're stuck, ask our [gitter channel](https://gitter.im/sonatype-nexus-community/chelsea)! There are a number of experienced programmers who are happy to help with learning and troubleshooting.
+
+### Are you new and looking to dive in?
+
+* Check our issues to see if there is something you can dive in to.
+* Come hang out with us at our [gitter channel](https://gitter.im/sonatype-nexus-community/chelsea).

data/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,31 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Run '...'
+2. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. OS X 1.13.6]
+ - Ruby Version: [e.g. 2.6.5]
+ - Bundler Version: [e.g. 2.1.4]
+ - chelsea Version [e.g. 0.0.11]
+
+**Additional context**
+Add any other context about the problem here.

data/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,18 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: "[FEATURE]"
+labels: enhancement
+assignees: ''
+
+---
+
+* **What are you trying to do?**
+
+* **What feature or behavior is this required for?**
+
+* **How could we solve this issue? (Not knowing is okay!)**
+
+* **Anything else?**
+
+cc @bhamail / @DarthHater / @brittanybelle / @gmohre

data/.github/pull_request_template.md

@@ -0,0 +1,14 @@
+(brief, plain english overview of your changes here)
+
+This pull request makes the following changes:
+* (your change here)
+* (another change here)
+* (etc)
+
+(If there are changes to user behavior in general, please make sure to
+update the docs, as well)
+
+It relates to the following issue #s:
+* Fixes #X
+
+cc @bhamail / @DarthHater / @brittanybelle / @gmohre

data/CONTRIBUTORS.md

@@ -0,0 +1,14 @@
+A lot of awesome people have contributed to this project! Here they are:
+
+Sonatype internal people:
+
+* [@ken-duck](https://github.com/ken-duck/) (Ken Duck)
+* [@DarthHater](https://github.com/darthhater/) (Jeffry Hesse)
+* [@bhamail](https://github.com/bhamail) (Dan Rollo)
+
+External contributors:
+
+* [@allisterb](https://github.com/allisterb) (Allister Beharry)
+* [@gmohre](https://github.com/gmohre) (Glenn Mohre)
+
+Possibly You!

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    chelsea (0.0.6)
+    chelsea (0.0.10)
       bundler (>= 1.2.0, < 3)
       ox (~> 2.13.2)
       pastel (~> 0.7.2)
@@ -79,4 +79,4 @@ DEPENDENCIES
   webmock (~> 3.8.3)
 
 BUNDLED WITH
-   2.1.2
+   2.1.4

data/README.md

@@ -1,27 +1,59 @@
 # Chelsea
 
-Chelsea is a Ruby gem designed to allow you to scan your Ruby Gem powered projects and report on any vulnerabilities in your third party dependencies. It is powered by Sonatype's OSS Index.
+![Gem](https://img.shields.io/gem/v/chelsea)
+[![Gitter](https://badges.gitter.im/sonatype-nexus-community/chelsea.svg)](https://gitter.im/sonatype-nexus-community/chelsea?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
+[![CircleCI](https://circleci.com/gh/sonatype-nexus-community/chelsea.svg?style=shield)](https://circleci.com/gh/sonatype-nexus-community/chelsea)
 
-## Installation
+Chelsea is a CLI application written in Ruby, designed to allow you to scan your RubyGem powered projects and report on any vulnerabilities in your third party dependencies. It is powered by [Sonatype's OSS Index.](https://ossindex.sonatype.org/)
 
-Add this line to your application's Gemfile:
+## Usage
+
+Chelsea can be installed with the `gem` command:
 
-```ruby
-gem 'chelsea'
+```
+$ gem install chelsea
 ```
 
-And then execute:
+```
+$ chelsea 
+ _____  _            _                   
+/  __ \| |          | |                  
+| /  \/| |__    ___ | | ___   ___   __ _ 
+| |    | '_ \  / _ \| |/ __| / _ \ / _` |
+| \__/\| | | ||  __/| |\__ \|  __/| (_| |
+ \____/|_| |_| \___||_||___/ \___| \__,_|
+                                         
+                                         
+Version: 0.0.11
 
-    $ bundle
+usage: chelsea [options] ...
 
-Or install it yourself as:
+Options:
+    -f, --file         Path to your Gemfile.lock
+    -c, --config       Set persistent config for OSS Index
+    -u, --user         Specify OSS Index Username
+    -p, --token        Specify OSS Index API Token
+    -a, --application  Specify the IQ application id
+    -i, --server       Specify the IQ server url
+    -iu, --iquser      Specify the IQ username
+    -it, --iqpass      Specify the IQ auth token
+    -w, --whitelist    Set path to vulnerability whitelist file
+    -q, --quiet        Make chelsea only output vulnerable third party dependencies for text output (default: false)
+    -t, --format       Choose what type of format you want your report in (default: text) (options: text, json, xml)
+    -b, --iq           Use Nexus IQ Server to audit your project
+    --version          Print the version
+    -h, --help         Show usage
+```
 
-    $ gem install chelsea
+### Basic usage
 
-## Usage
+The most basic usage of chelsea would look like:
+
+`chelsea --file Gemfile.lock`
+
+After running this command, you'd see something similar to the following:
 
 ```
-$ chelsea 
  _____  _            _                   
 /  __ \| |          | |                  
 | /  \/| |__    ___ | | ___   ___   __ _ 
@@ -30,21 +62,65 @@ $ chelsea
  \____/|_| |_| \___||_||___/ \___| \__,_|
                                          
                                          
-Version: 0.0.3
+Version: 0.0.11
+[+] Parsing dependencies ...done.
+[+] Parsing Versions ...done.
+[+] Making request to OSS Index server ...done.
 
-usage: chelsea [options] ...
+Audit Results
+=============
+```
+
+Audit Results will show a list of your third party dependencies, their reverse dependencies (so what brought them in to your project), and if they are vulnerable or not.
+
+### Quiet usage
+
+Running with `--quiet` will only output any vulnerable dependencies found, similar to:
 
-Options:
-    -h, --help    show usage
-    -q, --quiet   make chelsea only output vulnerable third party dependencies for text output (default: false)
-    -t, --format  choose what type of format you want your report in (default: text) (options: text, json, xml)
-    -f, --file    path to your Gemfile.lock
-    --version     print the version
+```
+ _____  _            _                   
+/  __ \| |          | |                  
+| /  \/| |__    ___ | | ___   ___   __ _ 
+| |    | '_ \  / _ \| |/ __| / _ \ / _` |
+| \__/\| | | ||  __/| |\__ \|  __/| (_| |
+ \____/|_| |_| \___||_||___/ \___| \__,_|
+                                         
+                                         
+Version: 0.0.11
+[15/31] - pkg:gem/rake@10.5.0 Vulnerable.
+        Required by: domain_name-0.5.20190701
+        Required by: equatable-0.6.1
+        Required by: pastel-0.7.3
+        Required by: public_suffix-4.0.3
+        Required by: rspec_junit_formatter-0.4.1
+        Required by: slop-4.8.1
+        Required by: slop-4.8.0
+        Required by: unf-0.1.4
+        Required by: unf_ext-0.0.7.7
+        Required by: unf_ext-0.0.7.6
 ```
 
-Most basic usage is:
+This can be useful if you are only interested in seeing your vulnerable dependencies, and not the whole list.
 
-`chelsea --file Gemfile.lock`
+### Usage with Formatters
+
+Chelsea can be run with a number of different formatters:
+
+- `json`
+- `text` (default)
+- `xml` (output is JUnit XML style, useful for treating vulnerable dependencies as failing test cases)
+
+To use the formatters, run Chelsea like so:
+
+`chelsea --file Gemfile.lock --format json`
+
+### Rate Limiting / Setting OSS Index config
+
+Chelsea will cache results from OSS Index, preventing Rate Limiting to occur in most cases. However, usage in CI, or heavy usage of Chelsea from a single IP can run into rate limiting, and the good news is you can [register on OSS Index](https://ossindex.sonatype.org/user/register), and then get your API Token from [your settings](https://ossindex.sonatype.org/user/settings). Once you have that, you can set config for Chelsea like so:
+
+`chelsea --config`
+
+Chelsea will prompt you to save your config, provide your username (email address that you registered on OSS Index with), and API Token, save those, and voila! Your rate limiting should be sufficient for most use cases at this point. If it isn't, get in touch via our GitHub issues, and we can take a look at your use case and potentially partner!
 
 ## Development
 
@@ -52,14 +128,41 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## Why Chelsea?
+
+One of the awesome developers at Sonatype was thinking of names, and came upon the [Chelsea filter](https://en.wikipedia.org/wiki/Chelsea_filter). A Chelsea filter is used to separate gemstones, helping gemologists distinguish between real emeralds, and just regular green glass. We felt this tool helps you do something very similar, looking at your RubyGems, and seeing which are pristine, and which are less than ok at the moment.
+
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/sonatype-nexus-community/chelsea. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+We care a lot about making the world a safer place, and that's why we created `chelsea`. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!
+
+This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
 ## Code of Conduct
 
 Everyone interacting in the Chelsea project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/sonatype-nexus-community/chelsea/blob/master/CODE_OF_CONDUCT.md).
 
+## The Fine Print
+
+It is worth noting that this is **NOT SUPPORTED** by Sonatype, and is a contribution of ours
+to the open source community (read: you!)
+
+Remember:
+
+* Use this contribution at the risk tolerance that you have
+* Do NOT file Sonatype support tickets related to `chelsea` support in regard to this project
+* DO file issues here on GitHub, so that the community can pitch in
+
+Phew, that was easier than I thought. Last but not least of all:
+
+Have fun creating and using `chelsea` and the [Sonatype OSS Index](https://ossindex.sonatype.org/), we are glad to have you here!
+
+## Getting help
+
+Looking to contribute to our code but need some help? There's a few ways to get information:
+
+* Chat with us on [Gitter](https://gitter.im/sonatype-nexus-community/chelsea)
+
 ## Copyright
 
 Copyright (c) 2019 Allister Beharry. See [MIT License](LICENSE.txt) for further details.

data/bin/chelsea

@@ -5,23 +5,23 @@ require 'slop'
 opts =
   begin
     Slop.parse do |o|
-      o.string '-f', '--file', 'path to your Gemfile.lock'
+      o.string '-f', '--file', 'Path to your Gemfile.lock'
       o.bool '-c', '--config', 'Set persistent config for OSS Index'
       o.string '-u', '--user', 'Specify OSS Index Username'
       o.string '-p', '--token', 'Specify OSS Index API Token'
       o.string '-a', '--application', 'Specify the IQ application id', default: 'testapp'
-      o.string '-i', '--server', 'Specific the IQ server url', default: 'http://localhost:8070'
+      o.string '-i', '--server', 'Specify the IQ server url', default: 'http://localhost:8070'
       o.string '-iu', '--iquser', 'Specify the IQ username', default: 'admin'
       o.string '-it', '--iqpass', 'Specify the IQ auth token', default: 'admin123'
       o.string '-w', '--whitelist', 'Set path to vulnerability whitelist file'
-      o.bool '-q', '--quiet', 'make chelsea only output vulnerable third party dependencies for text output (default: false)', default: false 
-      o.string '-t', '--format', 'choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
-      o.bool '-b', '--sbom', 'generate an sbom'
-      o.on '--version', 'print the version' do
+      o.bool '-q', '--quiet', 'Make chelsea only output vulnerable third party dependencies for text output (default: false)', default: false 
+      o.string '-t', '--format', 'Choose what type of format you want your report in (default: text) (options: text, json, xml)', default: 'text'
+      o.bool '-b', '--iq', 'Use Nexus IQ Server to audit your project'
+      o.on '--version', 'Print the version' do
           puts Chelsea::VERSION
           exit
       end
-      o.on '-h', '--help', 'show usage' do
+      o.on '-h', '--help', 'Show usage' do
         puts(o)
         exit
       end

data/lib/chelsea/version.rb

@@ -1,3 +1,3 @@
 module Chelsea
-  VERSION = '0.0.10'.freeze
+  VERSION = '0.0.11'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chelsea
 version: !ruby/object:Gem::Version
-  version: 0.0.10
+  version: 0.0.11
 platform: ruby
 authors:
 - Allister Beharry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-16 00:00:00.000000000 Z
+date: 2020-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: tty-font
@@ -182,13 +182,18 @@ extra_rdoc_files: []
 files:
 - ".circleci/config.yml"
 - ".circleci/setup-rubygems.sh"
+- ".github/CONTRIBUTING.md"
+- ".github/ISSUE_TEMPLATE/bug_report.md"
+- ".github/ISSUE_TEMPLATE/config.yml"
+- ".github/ISSUE_TEMPLATE/feature_request.md"
+- ".github/pull_request_template.md"
 - ".gitignore"
 - ".rspec"
 - ".vscode/launch.json"
 - CODE_OF_CONDUCT.md
+- CONTRIBUTORS.md
 - Gemfile
 - Gemfile.lock
-- LICENSE
 - LICENSE.txt
 - README.md
 - Rakefile

data/LICENSE

@@ -1,7 +0,0 @@
-Copyright 2020 Sonatype
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.