Nancy uses Nexus IQ Server, the journey

README.md

@@ -7,22 +7,24 @@
 
 # Nancy
 
-`nancy` is a tool to check for vulnerabilities in your Golang dependencies, powered by [Sonatype OSS Index](https://ossindex.sonatype.org/).
+`nancy` is a tool to check for vulnerabilities in your Golang dependencies, powered by [Sonatype OSS Index](https://ossindex.sonatype.org/), and as well, works with Nexus IQ Server, allowing you a smooth experience as a Golang developer, using the best tools in the market!
 
 ### Usage
 
 ```
  ~ > nancy
 Usage:
-go list -m all | nancy [options]
-nancy [options] </path/to/Gopkg.lock>
-nancy [options] </path/to/go.sum>
+        nancy [options] </path/to/Gopkg.lock>
+        nancy [options] </path/to/go.sum>
+        nancy iq [options]
 
 Options:
   -exclude-vulnerability value
         Comma separated list of CVEs to exclude
   -exclude-vulnerability-file string
         Path to a file containing newline separated CVEs to be excluded (default "./.nancy-ignore")
+  -help
+        provides help text on how to use nancy
   -no-color
         indicate output should not be colorized
   -noColor
@@ -31,11 +33,23 @@ Options:
         indicate output should contain only packages with vulnerabilities
   -version
         prints current nancy version
+
+IQ Options:
+  -application string
+        Specify application ID for request
+  -server-url string
+        Specify Nexus IQ Server URL/port (default "http://localhost:8070")
+  -stage string
+        Specify stage for application (default "build")
+  -token string
+        Specify token/password for request (default "admin123")
+  -user string
+        Specify username for request (default "admin")
 ```
 
 `nancy` currently works for projects that use `dep` or `go mod` for dependencies.
 
-### Options
+### OSS Index Options
 
 #### Quiet mode
 
@@ -73,6 +87,33 @@ CVN-123 # Mitigated the risk of this since we only use one method in this packag
 CVN-543
 ``` 
 
+### Nexus IQ Server Options
+
+By default, assuming you have an out of the box Nexus IQ Server running, you can run `nancy` like so:
+
+`go list -m all | ./nancy iq -application public-application-id`
+
+It is STRONGLY suggested that you do not do this, and we will warn you on output if you are.
+
+A more logical use of `nancy` against Nexus IQ Server will look like so:
+
+`go list -m all | ./nancy iq -application public-application-id -user nondefaultuser -token yourtoken -server-url http://adifferentserverurl:port -stage develop`
+
+Options for stage are as follows:
+
+`build, develop, stage-release, release`
+
+By default `-stage` will be `develop`.
+
+Successful submissions to Nexus IQ Server will result in either an OS exit of 0, meaning all is clear and a response akin to:
+
+```
+Wonderbar! No policy violations reported for this audit!
+Report URL:  http://reportURL
+```
+
+Failed submissions will either indicate failure because of an issue with processing the request, or a policy violation. Both will exit with a code of 1, allowing you to fail your build in CI. Policy Violation failures will include a report URL where you can learn more about why you encountered a failure.
+
 ### Usage in CI
 
 You can see an example of using `nancy` in Travis-CI at [this intentionally vulnerable repo we made](https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project).

configuration/parse.go

@@ -4,20 +4,27 @@ import (
 	"bufio"
 	"flag"
 	"fmt"
-	"github.com/sonatype-nexus-community/nancy/types"
 	"os"
 	"regexp"
 	"strings"
+
+	"github.com/sonatype-nexus-community/nancy/types"
 )
 
 type Configuration struct {
-	UseStdIn bool
-	Help bool
-	NoColor bool
-	Quiet bool
-	Version bool
-	CveList types.CveListFlag
-	Path    string
+	UseStdIn    bool
+	Help        bool
+	NoColor     bool
+	Quiet       bool
+	Version     bool
+	CveList     types.CveListFlag
+	IQ          bool
+	Path        string
+	User        string
+	Token       string
+	Stage       string
+	Application string
+	Server      string
 }
 
 var unixComments = regexp.MustCompile(`#.*$`)
@@ -35,24 +42,53 @@ func Parse(args []string) (Configuration, error) {
 	flag.Var(&config.CveList, "exclude-vulnerability", "Comma separated list of CVEs to exclude")
 	flag.StringVar(&excludeVulnerabilityFilePath, "exclude-vulnerability-file", "./.nancy-ignore", "Path to a file containing newline separated CVEs to be excluded")
 
+	iqCommand := flag.NewFlagSet("iq", flag.ExitOnError)
+	iqCommand.StringVar(&config.User, "user", "admin", "Specify username for request")
+	iqCommand.StringVar(&config.Token, "token", "admin123", "Specify token/password for request")
+	iqCommand.StringVar(&config.Server, "server-url", "http://localhost:8070", "Specify Nexus IQ Server URL/port")
+	iqCommand.StringVar(&config.Application, "application", "", "Specify application ID for request")
+	iqCommand.StringVar(&config.Stage, "stage", "develop", "Specify stage for application")
+
 	flag.Usage = func() {
-		_, _ = fmt.Fprintf(os.Stderr, "Usage: \nnancy [options] </path/to/Gopkg.lock>\nnancy [options] </path/to/go.sum>\n\nOptions:\n")
+		_, _ = fmt.Fprintf(os.Stderr, `Usage:
+	nancy [options] </path/to/Gopkg.lock>
+	nancy [options] </path/to/go.sum>
+	nancy iq [options]
+
+Options:
+`)
 		flag.PrintDefaults()
+		_, _ = fmt.Fprintf(os.Stderr, `
+IQ Options:
+`)
+		iqCommand.PrintDefaults()
 		os.Exit(2)
 	}
 
 	// Parse config from the command line output
-	err := flag.CommandLine.Parse(args)
-	if err != nil {
-		return config, err
+	if len(os.Args) > 1 {
+		if os.Args[1] == "iq" {
+			err := iqCommand.Parse(os.Args[2:])
+			if err != nil {
+				return config, err
+			}
+			config.IQ = true
+			config.UseStdIn = true
+			return config, nil
+		}
 	}
 
 	if len(flag.Args()) == 0 {
 		config.UseStdIn = true
-	}else{
+	} else {
 		config.Path = args[len(args)-1]
 	}
 
+	err := flag.CommandLine.Parse(args)
+	if err != nil {
+		return config, err
+	}
+
 	if noColorDeprecated == true {
 		fmt.Println("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
 		fmt.Println("!!!! DEPRECATION WARNING : Please change 'noColor' param to be 'no-color'. This one will be removed in a future release. !!!!")

cyclonedx/cyclonedx.go

@@ -0,0 +1,71 @@
+// Copyright 2020 Sonatype Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package cyclonedx has definitions and functions for processing golang purls into a minimal CycloneDX 1.1 Sbom
+package cyclonedx
+
+import (
+	"encoding/xml"
+	"fmt"
+
+	"github.com/package-url/packageurl-go"
+)
+
+type sbom struct {
+	XMLName    xml.Name   `xml:"bom"`
+	Xmlns      string     `xml:"xmlns,attr"`
+	Version    string     `xml:"version,attr"`
+	Components components `xml:"components"`
+}
+
+type components struct {
+	Component []component `xml:"component"`
+}
+
+type component struct {
+	Type    string `xml:"type,attr"`
+	BomRef  string `xml:"bom-ref,attr"`
+	Name    string `xml:"name"`
+	Version string `xml:"version"`
+	Purl    string `xml:"purl"`
+}
+
+const cycloneDXBomXmlns1_1 = "http://cyclonedx.org/schema/bom/1.1"
+
+const version = "1"
+
+// ProcessPurlsIntoSBOM will take a slice of packageurl.PackageURL and convert them
+// into a minimal 1.1 CycloneDX sbom
+func ProcessPurlsIntoSBOM(purls []packageurl.PackageURL) string {
+	return processPurlsIntoSBOMSchema1_1(purls)
+}
+
+func processPurlsIntoSBOMSchema1_1(purls []packageurl.PackageURL) string {
+	sbom := sbom{}
+	sbom.Xmlns = cycloneDXBomXmlns1_1
+	sbom.Version = version
+	for _, v := range purls {
+		component := component{Type: "library", BomRef: v.String(), Purl: v.String(), Name: v.Name, Version: v.Version}
+		sbom.Components.Component = append(sbom.Components.Component, component)
+	}
+
+	output, err := xml.MarshalIndent(sbom, " ", "     ")
+	if err != nil {
+		fmt.Print(err)
+	}
+
+	output = []byte(xml.Header + string(output))
+
+	return string(output)
+}

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/Masterminds/vcs v1.13.1 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/boltdb/bolt v1.3.1 // indirect
+	github.com/coreos/etcd v3.3.18+incompatible // indirect
 	github.com/dgraph-io/badger v1.5.5-0.20181004181505-439fd464b155
 	github.com/dgryski/go-farm v0.0.0-20180109070241-2de33835d102 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
@@ -16,6 +17,7 @@ require (
 	github.com/jmank88/nuts v0.3.0 // indirect
 	github.com/logrusorgru/aurora v0.0.0-20190803045625-94edacc10f9b
 	github.com/nightlyone/lockfile v0.0.0-20180618180623-0ad87eef1443 // indirect
+	github.com/package-url/packageurl-go v0.1.0
 	github.com/pelletier/go-toml v1.4.0 // indirect
 	github.com/pkg/errors v0.8.0 // indirect
 	github.com/sdboyer/constext v0.0.0-20170321163424-836a14457353 // indirect

go.sum

@@ -14,6 +14,8 @@ github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
+github.com/coreos/etcd v3.3.18+incompatible h1:Zz1aXgDrFFi1nadh58tA9ktt06cmPTwNNP3dXwIq1lE=
+github.com/coreos/etcd v3.3.18+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -34,6 +36,8 @@ github.com/logrusorgru/aurora v0.0.0-20190803045625-94edacc10f9b h1:PMbSa9CgaiQR
 github.com/logrusorgru/aurora v0.0.0-20190803045625-94edacc10f9b/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/nightlyone/lockfile v0.0.0-20180618180623-0ad87eef1443 h1:+2OJrU8cmOstEoh0uQvYemRGVH1O6xtO2oANUWHFnP0=
 github.com/nightlyone/lockfile v0.0.0-20180618180623-0ad87eef1443/go.mod h1:JbxfV1Iifij2yhRjXai0oFrbpxszXHRx1E5RuM26o4Y=
+github.com/package-url/packageurl-go v0.1.0 h1:efWBc98O/dBZRg1pw2xiDzovnlMjCa9NPnfaiBduh8I=
+github.com/package-url/packageurl-go v0.1.0/go.mod h1:C/ApiuWpmbpni4DIOECf6WCjFUZV7O1Fx7VAzrZHgBw=
 github.com/pelletier/go-toml v1.4.0 h1:u3Z1r+oOXJIkxqw34zVhyPgjBsm6X2wn21NWs/HfSeg=
 github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo=
 github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=