separate sleuth command for 'oss index' #165

Merged
merged 6 commits into from
Aug 18, 2020
8 changes: 5 additions & 3 deletions Makefile
Expand Up @@ -43,6 +43,8 @@ test: build
$(GOTEST) -v ./... 2>&1

integration-test: build
cd packages/testdata && GOPATH=. ../../$(BINARY_NAME) -p Gopkg.lock && cd -
go list -m all | ./$(BINARY_NAME)
go list -m all > deps.out && ./$(BINARY_NAME) < deps.out
cd packages/testdata && GOPATH=. ../../$(BINARY_NAME) sleuth -p Gopkg.lock && cd -
go list -json -m all | ./$(BINARY_NAME) sleuth
go list -m all | ./$(BINARY_NAME) sleuth
go list -json -m all > deps.out && ./$(BINARY_NAME) sleuth < deps.out
go list -m all > deps.out && ./$(BINARY_NAME) sleuth < deps.out
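Review bot: the piped forms `go list -json -m all | ./$(BINARY_NAME) sleuth` and `go list -m all | ./$(BINARY_NAME) sleuth` only report nancy's exit status to make, so a failing `go list` would go unnoticed; the redirect-to-`deps.out` forms right below already cover the same inputs without that gap, so either drop the piped lines or run the recipe under `set -o pipefail`. Also, `deps.out` is written into the repo root by two recipes and never removed; add an `rm -f deps.out` at the end of `integration-test` or write to a temp file so the scratch file does not end up committed.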
168 changes: 96 additions & 72 deletions README.md
Expand Up @@ -34,75 +34,99 @@

```
~ > nancy --help
nancy is a tool to check for vulnerabilities in your Golang dependencies,
powered by the 'Sonatype OSS Index', and as well, works with Nexus IQ Server, allowing you
a smooth experience as a Golang developer, using the best tools in the market!

Usage:
nancy [flags]
nancy [command]

Examples:
Typical usage will pipe the output of 'go list -json -m all' to 'nancy':
go list -json -m all | nancy [flags]
go list -json -m all | nancy iq [flags]
go list -m all | nancy [flags]
go list -m all | nancy iq [flags]

Available Commands:
config Setup credentials to use when connecting to services
help Help about any command
iq Check for vulnerabilities in your Golang dependencies using 'Sonatype's Nexus IQ IQServer'

Flags:
-v, -- count Set log level, multiple v's is more verbose
-c, --clean-cache Deletes local cache directory
-e, --exclude-vulnerability CveListFlag Comma separated list of CVEs to exclude (default [])
-x, --exclude-vulnerability-file string Path to a file containing newline separated CVEs to be excluded (default "./.nancy-ignore")
-h, --help help for nancy
--loud indicate output should include non-vulnerable packages
-n, --no-color indicate output should not be colorized
-o, --output string Styling for output format. json, json-pretty, text, csv (default "text")
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
-t, --token string Specify OSS Index API token for request
-u, --username string Specify OSS Index username for request
-V, --version Get the version

Use "nancy [command] --help" for more information about a command.
nancy is a tool to check for vulnerabilities in your Golang dependencies,
powered by the 'Sonatype OSS Index', and as well, works with Nexus IQ Server, allowing you
a smooth experience as a Golang developer, using the best tools in the market!

Usage:
nancy [flags]
nancy [command]

Examples:
Typical usage will pipe the output of 'go list -json -m all' to 'nancy':
go list -json -m all | nancy sleuth [flags]
go list -json -m all | nancy iq [flags]

Available Commands:
config Setup credentials to use when connecting to services
help Help about any command
iq Check for vulnerabilities in your Golang dependencies using 'Sonatype's Nexus IQ IQServer'
sleuth Check for vulnerabilities in your Golang dependencies using Sonatype's OSS Index

Flags:
-v, -- count Set log level, multiple v's is more verbose
-c, --clean-cache Deletes local cache directory
-h, --help help for nancy
--loud indicate output should include non-vulnerable packages
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
-t, --token string Specify OSS Index API token for request
-u, --username string Specify OSS Index username for request
-V, --version Get the version

Use "nancy [command] --help" for more information about a command.


$ > nancy sleuth --help
'nancy sleuth' is a command to check for vulnerabilities in your Golang dependencies, powered by the 'Sonatype OSS Index'.

Usage:
nancy sleuth [flags]

Examples:
go list -json -m all | nancy sleuth --username your_user --token your_token

Flags:
-e, --exclude-vulnerability CveListFlag Comma separated list of CVEs to exclude (default [])
-x, --exclude-vulnerability-file string Path to a file containing newline separated CVEs to be excluded (default "./.nancy-ignore")
-h, --help help for sleuth
-n, --no-color indicate output should not be colorized
-o, --output string Styling for output format. json, json-pretty, text, csv (default "text")

Global Flags:
-v, -- count Set log level, multiple v's is more verbose
-c, --clean-cache Deletes local cache directory
--loud indicate output should include non-vulnerable packages
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
-t, --token string Specify OSS Index API token for request
-u, --username string Specify OSS Index username for request
-V, --version Get the version


$ > nancy iq --help
'nancy iq' is a command to check for vulnerabilities in your Golang dependencies, powered by 'Sonatype's Nexus IQ IQServer', allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage:
nancy iq [flags]

Examples:
go list -json -m all | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop

Flags:
-h, --help help for iq
-a, --iq-application string Specify Nexus IQ public application ID for request
-x, --iq-server-url string Specify Nexus IQ server url for request (default "http://localhost:8070")
-s, --iq-stage string Specify Nexus IQ stage for request (default "develop")
-p, --iq-token string Specify Nexus IQ token for request (default "admin123")
-l, --iq-username string Specify Nexus IQ username for request (default "admin")

Global Flags:
-v, -- count Set log level, multiple v's is more verbose
--loud indicate output should include non-vulnerable packages
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
-t, --token string Specify OSS Index API token for request
-u, --username string Specify OSS Index username for request
-V, --version Get the version
'nancy iq' is a command to check for vulnerabilities in your Golang dependencies, powered by 'Sonatype's Nexus IQ IQServer', allowing you a smooth experience as a Golang developer, using the best tools in the market!

Usage:
nancy iq [flags]

Examples:
go list -json -m all | nancy iq --iq-application your_public_application_id --iq-server-url http://your_iq_server_url:port --iq-username your_user --iq-token your_token --iq-stage develop

Flags:
-h, --help help for iq
-a, --iq-application string Specify Nexus IQ public application ID for request
-x, --iq-server-url string Specify Nexus IQ server url for request (default "http://localhost:8070")
-s, --iq-stage string Specify Nexus IQ stage for request (default "develop")
-k, --iq-token string Specify Nexus IQ token for request (default "admin123")
-l, --iq-username string Specify Nexus IQ username for request (default "admin")

Global Flags:
-v, -- count Set log level, multiple v's is more verbose
-c, --clean-cache Deletes local cache directory
--loud indicate output should include non-vulnerable packages
-p, --path string Specify a path to a dep Gopkg.lock file for scanning
-q, --quiet indicate output should contain only packages with vulnerabilities (default true)
-t, --token string Specify OSS Index API token for request
-u, --username string Specify OSS Index username for request
-V, --version Get the version
```

#### What is the best usage of Nancy?

The preferred way to use Nancy is:
- `go list -json -m all | nancy`
- `nancy -p /path/to/Gopkg.lock`
- `go list -json -m all | nancy sleuth`
- `nancy sleuth -p /path/to/Gopkg.lock`

#### Homebrew usage
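Review bot: the new `nancy --help` output still lists `-p, --path`, `-t, --token` and `-u, --username` at the root level, and the `nancy iq --help` output shows the OSS Index `--token`/`--username` under "Global Flags" even though `iq` authenticates with `--iq-username`/`--iq-token`; that invites users to hand OSS Index credentials to the wrong command, so consider scoping the OSS Index credential flags to `sleuth` (the `sleuth --help` block shows them as globals too). The verbosity line `-v, -- count` looks like the long flag name is missing from the rendered help; worth checking the flag definition. The `iq-token` short flag moving from `-p` to `-k` is consistent with `cmd/iq.go` in this PR, but `--iq-username`/`--iq-token` still default to `admin`/`admin123`, which nudges people toward default credentials on the IQ server; a release note for the `-p` -> `-k` change and a sentence saying the defaults are for local testing only would help.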

Expand Down Expand Up @@ -140,7 +164,7 @@ We publish a few different flavors for convenience:

If you start using Nancy extensively, you might run into Rate Limiting from OSS Index! Don't worry, we've got your back!

If you run into Rate Limiting you should recieve an error that will give you instructions on how to register on OSS Index:
If you run into Rate Limiting you should receive an error that will give you instructions on how to register on OSS Index:

```
You have been rate limited by OSS Index.
Expand All @@ -154,7 +178,7 @@ After setting this config, you'll be gifted a nice new higher rate limit. If you

You can also set the user and token via the command line like so:

`nancy --username auser@anemailaddress.com --token A4@k3@p1T0k3n`
`nancy sleuth --username auser@anemailaddress.com --token A4@k3@p1T0k3n`

This can be handy for testing your account out, or if you want to override your set config with a different user.
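Review bot: the example `nancy sleuth --username ... --token A4@k3@p1T0k3n` puts the API token on the command line, where it lands in shell history and is visible to other local users via the process list; since the preceding section already describes the persistent config, this paragraph should say plainly that the CLI form is for quick testing and that the config file (or the `config` subcommand) is the recommended way to store a real token.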

Expand All @@ -163,8 +187,8 @@ This can be handy for testing your account out, or if you want to override your
By default, `nancy` runs in a "quiet" mode, only displaying a list of vulnerable components.
You can run `nancy` in a loud manner, showing all components by running:

* `./nancy --loud -p /path/to/your/Gopkg.lock`
* `go list -json -m all | ./nancy --loud`
* `./nancy sleuth --loud -p /path/to/your/Gopkg.lock`
* `go list -json -m all | ./nancy sleuth --loud`

#### Exclude vulnerabilities

Expand All @@ -176,15 +200,15 @@ Vulnerabilities excluded will then be silenced and not show up in the output or
We support exclusion of vulnerability either by CVE-ID (ex: `CVE-2018-20303`) or via the OSS Index ID (ex: `a8c20c84-1f6a-472a-ba1b-3eaedb2a2a14`) as not all vulnerabilities have a CVE-ID.

##### Via CLI flag
* `./nancy --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2 -p /path/to/your/Gopkg.lock`
* `go list -json -m all | ./nancy --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2`
* `./nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2 -p /path/to/your/Gopkg.lock`
* `go list -json -m all | ./nancy sleuth --exclude-vulnerability CVE-789,bcb0c38d-0d35-44ee-b7a7-8f77183d1ae2`

##### Via file
By default if a file named `.nancy-ignore` exists in the same directory that nancy is run it will use it, will no other options need to be passed.

If you would like to define the path to the file you can use the following
* `./nancy --exclude-vulnerability-file=/path/to/your/exclude-file -p /path/to/your/Gopkg.lock`
* `go list -json -m all | ./nancy --exclude-vulnerability-file=/path/to/your/exclude-file`
* `./nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file -p /path/to/your/Gopkg.lock`
* `go list -json -m all | ./nancy sleuth --exclude-vulnerability-file=/path/to/your/exclude-file`

The file format requires each vulnerability that you want to exclude to be on a separate line. Comments are allowed in the file as well to help provide context when needed. See an example file below.
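Review bot: the unchanged context line "By default if a file named `.nancy-ignore` exists in the same directory that nancy is run it will use it, will no other options need to be passed." has a typo ("will" should be "with no other options need to be passed"); while this section is being rewritten for `sleuth`, fix that line too. It would also help to state whether `.nancy-ignore` applies to `nancy iq` or only to `nancy sleuth`, since the exclusion flags are shown only on `sleuth --help`.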

Expand Down Expand Up @@ -388,7 +412,7 @@ Options for stage are as follows:

`build, develop, stage-release, release`

By default `-stage` will be `develop`.
By default `--iq-stage` will be `develop`.

Successful submissions to Nexus IQ Server will result in either an OS exit of 0, meaning all is clear and a response akin to:

Expand All @@ -414,7 +438,7 @@ Uh oh! There was an error with your request to Nexus IQ Server: <error>

#### Persistent Nexus IQ Server Config

Nancy let's you set the Nexus IQ Server Address, User and Token as persistent config (application and stage are generally per project so we do not let you set these globally).
Nancy lets you set the Nexus IQ Server Address, User and Token as persistent config (application and stage are generally per project so we do not let you set these globally).

To set your Nexus IQ Server config run:

Expand All @@ -441,7 +465,7 @@ This project is called `nancy` as like the great detective herself, it looks for

## Installation

At current time you have a few options:
At the current time you have a few options:

* Build from source
* Download release binary from [here on GitHub](https://github.com/sonatype-nexus-community/nancy/releases)
65 changes: 44 additions & 21 deletions cmd/iq.go
Expand Up @@ -18,15 +18,15 @@ package cmd
import (
"errors"
"fmt"
"github.com/spf13/pflag"
"os"
"path"

"github.com/sonatype-nexus-community/nancy/internal/configuration"
"github.com/sonatype-nexus-community/nancy/internal/logger"

"github.com/mitchellh/go-homedir"
"github.com/sonatype-nexus-community/go-sona-types/iq"
"github.com/sonatype-nexus-community/nancy/internal/configuration"
"github.com/sonatype-nexus-community/nancy/internal/customerrors"
"github.com/sonatype-nexus-community/nancy/internal/logger"
"github.com/sonatype-nexus-community/nancy/packages"
"github.com/sonatype-nexus-community/nancy/parse"
"github.com/sonatype-nexus-community/nancy/types"
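Review bot: the new `"github.com/spf13/pflag"` import is placed in the standard-library group between `"fmt"` and `"os"`; move it down to the third-party group (next to the `go-sona-types/iq` and `nancy/...` imports) so `goimports`/`gofmt -s` does not reshuffle it on the next touch.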
Expand Down Expand Up @@ -102,20 +102,8 @@ func doIQ(cmd *cobra.Command, args []string) (err error) {

printHeader(!configOssi.Quiet)

if err = checkStdIn(); err != nil {
logLady.WithError(err).Error("unexpected error in iq cmd")
panic(err)
}

mod := packages.Mod{}

mod.ProjectList, err = parse.GoListAgnostic(os.Stdin)
if err != nil {
logLady.WithError(err).Error("unexpected error in iq cmd")
panic(err)
}

var purls = mod.ExtractPurlsFromManifest()
var purls []string
purls, err = getPurls()

err = auditWithIQServer(purls, configIQ.IQApplication)
if err != nil {
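Review bot: `purls, err = getPurls()` is followed directly by `err = auditWithIQServer(purls, configIQ.IQApplication)`, so any error returned by `getPurls` is overwritten before it is checked. As written it only works because `getPurls` panics on every failure path; either add an `if err != nil { return }` after the call (doIQ already has the named `err` return) or drop the error return from `getPurls` so the signature does not promise a check that never happens.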
Expand All @@ -130,6 +118,32 @@ func doIQ(cmd *cobra.Command, args []string) (err error) {
return
}

func getPurls() (purls []string, err error) {
if configOssi.Path != "" {
var invalidPurls []string
if purls, invalidPurls, err = getPurlsFromPath(configOssi.Path); err != nil {
panic(err)
}
invalidCoordinates := convertInvalidPurlsToCoordinates(invalidPurls)
logLady.WithField("invalid", invalidCoordinates).Info("")
} else {
if err = checkStdIn(); err != nil {
logLady.WithError(err).Error("unexpected error in iq cmd")
panic(err)
}

mod := packages.Mod{}

mod.ProjectList, err = parse.GoListAgnostic(os.Stdin)
if err != nil {
logLady.WithError(err).Error("unexpected error in iq cmd")
panic(err)
}
purls = mod.ExtractPurlsFromManifest()
}
return purls, err
}

const (
flagNameIqUsername = "iq-username"
flagNameIqToken = "iq-token"
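Review bot: `getPurls` declares `(purls []string, err error)` but panics in all three error branches, so the returned `err` is always nil; prefer returning the error (wrapped with context such as the path that failed) and letting `doIQ` report it, so `nancy iq -p bad.lock` exits with a readable message instead of a stack trace. Two smaller points in the same function: `logLady.WithField("invalid", invalidCoordinates).Info("")` logs with an empty message, so give it a message like "coordinates that could not be converted to purls"; and the path branch reads `configOssi.Path` (the OSS Index config) from inside the `iq` command, which works because `--path` is a root flag but is worth a comment so the next reader does not assume it is a bug.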
Expand All @@ -142,7 +156,7 @@ func init() {
cobra.OnInitialize(initIQConfig)

iqCmd.Flags().StringVarP(&configIQ.IQUsername, flagNameIqUsername, "l", "admin", "Specify Nexus IQ username for request")
iqCmd.Flags().StringVarP(&configIQ.IQToken, flagNameIqToken, "p", "admin123", "Specify Nexus IQ token for request")
iqCmd.Flags().StringVarP(&configIQ.IQToken, flagNameIqToken, "k", "admin123", "Specify Nexus IQ token for request")
iqCmd.Flags().StringVarP(&configIQ.IQStage, flagNameIqStage, "s", "develop", "Specify Nexus IQ stage for request")

iqCmd.Flags().StringVarP(&configIQ.IQApplication, flagNameIqApplication, "a", "", "Specify Nexus IQ public application ID for request")
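Review bot: changing the `iq-token` short flag from `"p"` to `"k"` is needed now that `iq` honours the root `-p, --path` flag (the two short names would otherwise collide), but it is a breaking change for anyone scripting `nancy iq -p <token>`; call it out in the changelog and release notes. Independently, the defaults `"admin"` and `"admin123"` for `iq-username`/`iq-token` mean a missing credential silently falls back to the IQ server's well-known default account; consider defaulting to empty and failing fast with a clear message when no credential is supplied via flag or config.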
Expand All @@ -162,17 +176,26 @@ func bindViperIq(cmd *cobra.Command) {
bindViper(rootCmd)

// Bind viper to the flags passed in via the command line, so it will override config from file
if err := viper.BindPFlag(configuration.ViperKeyIQUsername, cmd.Flags().Lookup(flagNameIqUsername)); err != nil {
if err := viper.BindPFlag(configuration.ViperKeyIQUsername, lookupFlagNotNil(flagNameIqUsername, cmd)); err != nil {
panic(err)
}
if err := viper.BindPFlag(configuration.ViperKeyIQToken, cmd.Flags().Lookup(flagNameIqToken)); err != nil {
if err := viper.BindPFlag(configuration.ViperKeyIQToken, lookupFlagNotNil(flagNameIqToken, cmd)); err != nil {
panic(err)
}
if err := viper.BindPFlag(configuration.ViperKeyIQServer, cmd.Flags().Lookup(flagNameIqServerUrl)); err != nil {
if err := viper.BindPFlag(configuration.ViperKeyIQServer, lookupFlagNotNil(flagNameIqServerUrl, cmd)); err != nil {
panic(err)
}
}

func lookupFlagNotNil(flagName string, cmd *cobra.Command) *pflag.Flag {
// see: https://github.com/spf13/viper/pull/949
foundFlag := cmd.Flags().Lookup(flagName)
if foundFlag == nil {
panic(fmt.Errorf("flag lookup for name: '%s' returned nil", flagName))
}
return foundFlag
}

func initIQConfig() {
var cfgFileToCheck string
if cfgFileIQ != "" {
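Review bot: `lookupFlagNotNil` correctly guards against handing a nil `*pflag.Flag` to `viper.BindPFlag` (the linked viper PR 949), and failing loudly at startup on a misnamed flag is the right call. Two follow-ups: the guard is only applied to the three `iq` bindings here, so `bindViper(rootCmd)` should use the same helper if it binds flags by name the same way; and a one-line unit test that calls `lookupFlagNotNil("does-not-exist", cmd)` and expects a panic would lock the behaviour in. Minor: `panic(fmt.Errorf(...))` could be `panic(fmt.Sprintf(...))` since nothing recovers and inspects the error type.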