Tools and CLI for handling BDSCA analysis configuration file(s).
Project description
bdsca-analysis-config-file
Utilities and CLI to validate and work with BDSCA analysis configuration files (YAML).
This tool supports:
- Validating config files with friendly error output
- Adding missing components to a project BOM
- Overwriting component versions in the BOM
- Triaging vulnerabilities (by CVE or BDSA), including filters by vendor and SHA
It also supports dry-run mode to preview changes, and paginated search when resolving components by name/version.
CLI usage
All commands are available via the bdsca-config CLI.
Show version
bdsca-config --version
Validate a YAML configuration file
bdsca-config validate <config.yaml> [--output yaml|json|summary] [--target]
- Validates the file and prints errors in a table if invalid.
- --output pretty-prints the file in YAML, JSON, or a concise summary.
- --target prints the effective change target (project info).
Add missing components to BOM
bdsca-config add-components <config.yaml> --base-url <BLACKDUCK_URL> --api-token <TOKEN> [--insecure] [--verbosity info|debug] [--dryrun]
- Adds missing components from componentAdditions to each target project.
- Each componentAdditions entry can identify a component by:
  - purl
  - name (with optional version and vendor)
Examples:
componentAdditions:
  - component:
      purl: pkg:maven/org.apache.commons/commons-lang3@3.12.0
  - component:
      name: commons-io
      version: "2.13.0"
      vendor: maven
Remediate vulnerabilities
bdsca-config remediate <config.yaml> --base-url <BLACKDUCK_URL> --api-token <TOKEN> [--insecure] [--verbosity info|debug] [--dryrun]
- Validates the file and performs remediation using Black Duck.
- vulnerabilityTriages can identify a component by any of:
  - purl
  - name + version
  - sha (file/component SHA)
- Each triage uses either cve or bdsa, plus a resolution and an optional comment.
- --dryrun previews changes without making updates.
Example excerpt:
vulnerabilityTriages:
  - component:
      name: lodash
      version: "4.17.21"
      vendor: npmjs
    triages:
      - cve: CVE-2020-8203
        resolution: NOT_AFFECTED
        comment: Affected code not used
  - component:
      sha: 5e884898da28047151d0e56f8dc6292773603d0d
    triages:
      - bdsa: BDSA-2024-1234
        resolution: PATCHED
        comment: Fixed by upstream
Overwrite component version
bdsca-config overwrite <config.yaml> --base-url <BLACKDUCK_URL> --api-token <TOKEN> [--insecure] [--verbosity info|debug] [--dryrun]
- Reads the overrides section and updates matching BOM components.
- A component can be identified by purl or by name (with optional version and vendor).
- Set newVersion to the desired component version.
- --dryrun previews without making changes.
Example excerpt:
overrides:
  - component:
      name: Apache Commons IO
      version: "2.2"
      vendor: maven
    newVersion: "2.3"
  - component:
      purl: pkg:npm/semver@5.7.2
    newVersion: "5.7.1"
Notes:
- The vendor should match the origin name in Black Duck (e.g., maven, npmjs).
- The tool resolves component versions and origins; for name-based lookups it paginates results when necessary.
Module usage
You can also run commands via Python module execution:
python -m bdsca_analysis_config_file --version
python -m bdsca_analysis_config_file validate examples/example.yaml
Configuration reference
High-level structure:
specVersion: "1"
changeTarget:
  - project: { name: <string>, version: <string> }
componentAdditions: []
overrides: []
vulnerabilityTriages: []
Targets (one or more projects):
changeTarget:
  - project:
      name: example-project
      version: "1.0"
  - project:
      name: another-project
      version: "main"
Component additions:
componentAdditions:
  - component:
      purl: pkg:pypi/sample@1.0.0
  - component:
      name: sample-lib
      version: "2.0.0"
      vendor: maven
Overrides:
overrides:
  - component:
      name: example-component
      vendor: ExampleVendor
      version: "1.0.0"
    newVersion: "1.0.1"
Vulnerability triages:
vulnerabilityTriages:
  - component:
      purl: pkg:maven/org.example/foo@1.2.3
    triages:
      - cve: CVE-2024-0001
        resolution: PATCHED
        comment: fixed upstream
  - component:
      name: lib-a
      version: "1.2.3"
      vendor: vendor-a
    triages:
      - bdsa: BDSA-2024-1111
        resolution: IGNORED
        comment: Not in our threat model
  - component:
      sha: 0123456789abcdef0123456789abcdef01234567
    triages:
      - cve: CVE-2023-9999
        resolution: MITIGATED
        comment: Mitigated by sandboxing
See examples/example_all.yaml for a comprehensive sample covering all flows.
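The structural rules stated in this reference (one or more change targets, a component identified by purl, name or sha, exactly one of cve/bdsa per triage, newVersion on every override) can be checked before the file ever reaches Black Duck. The following is an added example, not the project's own validator; it assumes the YAML has already been parsed into a dict (e.g. with yaml.safe_load) and encodes the rules as this README describes them.

```python
# Added example, not the project's own validator: structural checks following the
# configuration reference above. Assumes the YAML is already parsed into a dict (e.g. yaml.safe_load).
def component_errors(path: str, comp: object, *, allow_sha: bool, need_version: bool) -> list[str]:
    """A component is identified by purl, by name (+version/vendor) or, for triages, by sha."""
    if not isinstance(comp, dict):
        return [f"{path}: component must be a mapping"]
    if "purl" in comp:
        return [] if str(comp["purl"]).startswith("pkg:") else [f"{path}.purl: must start with 'pkg:'"]
    if "name" in comp:  # version/vendor optional for additions and overrides; triages need name + version
        return [f"{path}: name-based triage needs a version"] if need_version and "version" not in comp else []
    if allow_sha and "sha" in comp:
        return []
    return [f"{path}: needs {'purl, name or sha' if allow_sha else 'purl or name'}"]

def validate_config(cfg: dict) -> list[str]:
    """Return human-readable errors; an empty list means the structure is valid."""
    errs: list[str] = []
    if str(cfg.get("specVersion")) != "1":
        errs.append('specVersion: must be "1"')
    targets = cfg.get("changeTarget") or []
    if not targets:
        errs.append("changeTarget: at least one project is required")
    for i, t in enumerate(targets):
        proj = t.get("project") if isinstance(t, dict) else None
        if not isinstance(proj, dict) or not proj.keys() >= {"name", "version"}:
            errs.append(f"changeTarget[{i}].project: needs name and version")
    for sect in ("componentAdditions", "overrides"):
        for i, entry in enumerate(cfg.get(sect) or []):
            errs += component_errors(f"{sect}[{i}]", entry.get("component"), allow_sha=False, need_version=False)
            if sect == "overrides" and "newVersion" not in entry:
                errs.append(f"overrides[{i}]: newVersion is required")
    for i, entry in enumerate(cfg.get("vulnerabilityTriages") or []):
        errs += component_errors(f"vulnerabilityTriages[{i}]", entry.get("component"), allow_sha=True, need_version=True)
        for j, tr in enumerate(entry.get("triages") or []):
            p = f"vulnerabilityTriages[{i}].triages[{j}]"
            if ("cve" in tr) == ("bdsa" in tr):  # exactly one identifier per triage
                errs.append(f"{p}: exactly one of cve or bdsa is required")
            if "resolution" not in tr:
                errs.append(f"{p}: resolution is required")
    return errs

# Constructed sample: valid entries plus two deliberate mistakes (no newVersion; cve and bdsa together).
SAMPLE: dict = {
    "specVersion": "1",
    "changeTarget": [{"project": {"name": "example-project", "version": "1.0"}}],
    "componentAdditions": [{"component": {"purl": "pkg:pypi/sample@1.0.0"}}],
    "overrides": [{"component": {"name": "example-component", "vendor": "ExampleVendor"}}],
    "vulnerabilityTriages": [{"component": {"sha": "0123456789abcdef0123456789abcdef01234567"},
                              "triages": [{"cve": "CVE-2023-9999", "bdsa": "BDSA-2024-1111", "resolution": "MITIGATED"}]}],
}
```

Running validate_config(SAMPLE) reports the missing newVersion and the triage that names both a CVE and a BDSA, while the sha-identified component and the purl-based addition pass.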
Output examples
Single project summary:
bdsca-config validate examples/example.yaml --output summary --target
...
target: project name='example-project' version='1.0'
Multiple projects summary:
bdsca-config validate examples/example2.yaml --output summary --target
...
target:
- project name='HippotechOrg/sampleapp' version='main'
- project name='HippotechOrg/anotherapp' version='1.2.3'
Features
- Modern src/ layout with pyproject.toml
- CLI with validate, add-components, remediate, overwrite
- Tests via pytest; lint via ruff/black; typing via mypy
- Dry-run support for safe previews
- Pagination when searching components by name/version
Quickstart
Install in editable mode and run tests:
python -m venv .venv
.venv\Scripts\Activate.ps1
pip install -U pip
pip install -e .[dev]
pytest
Installation
Local build and install:
python -m build
pip install dist/bdsca_analysis_config_file-<version>-py3-none-any.whl
Replace <version> with the actual version (e.g., 0.1.2).
From PyPI or TestPyPI:
pip install bdsca-analysis-config-file
or
pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple bdsca-analysis-config-file
Release documentation
See the dedicated guide in docs/release.md for release workflow and options.
Dry-run mode
- Use the --dryrun flag with remediate or overwrite to preview changes.
- The CLI prints current values alongside the new values that would be applied.
- No PUT requests are sent in dry-run mode.
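What a dry run of overwrite amounts to is a matching step followed by a report: each override selector is resolved against the BOM by purl, or by name with version and vendor narrowing the match when given, and the current and new versions are printed without any update being sent. The code below is an added example, not the tool's own implementation; the BOM is constructed inline where the real CLI would fetch it from Black Duck.

```python
# Added example, not the tool's own code: the dry-run plan described above, matching each
# override to a BOM component by purl or by name (+ optional version/vendor) and reporting
# current -> new versions. The BOM is constructed here; the real tool reads it from Black Duck.
from dataclasses import dataclass

@dataclass(frozen=True)
class BomComponent:
    name: str
    version: str
    origin: str  # README: vendor should match the Black Duck origin name (e.g. maven, npmjs)
    purl: str

def matches(selector: dict, comp: BomComponent) -> bool:
    """purl wins when present; otherwise name must match, and version/vendor only if given."""
    if "purl" in selector:
        return selector["purl"] == comp.purl
    if selector.get("name") != comp.name:
        return False
    if "version" in selector and str(selector["version"]) != comp.version:
        return False
    return "vendor" not in selector or selector["vendor"] == comp.origin

def plan_overrides(overrides: list[dict], bom: list[BomComponent]) -> list[str]:
    """Dry run: list what would change without sending any PUT. Unmatched selectors are reported too."""
    plan: list[str] = []
    for entry in overrides:
        hits = [c for c in bom if matches(entry["component"], c)]
        if not hits:
            plan.append(f"no BOM match for {entry['component']}")
        for c in hits:
            plan.append(f"{c.name} ({c.origin}): {c.version} -> {entry['newVersion']}")
    return plan

# Constructed BOM and the overrides excerpt from the README, plus one selector that misses.
BOM = [
    BomComponent("Apache Commons IO", "2.2", "maven", "pkg:maven/commons-io/commons-io@2.2"),
    BomComponent("semver", "5.7.2", "npmjs", "pkg:npm/semver@5.7.2"),
    BomComponent("lodash", "4.17.21", "npmjs", "pkg:npm/lodash@4.17.21"),
]
OVERRIDES = [
    {"component": {"name": "Apache Commons IO", "version": "2.2", "vendor": "maven"}, "newVersion": "2.3"},
    {"component": {"purl": "pkg:npm/semver@5.7.2"}, "newVersion": "5.7.1"},
    {"component": {"name": "lodash", "version": "4.17.20"}, "newVersion": "4.17.21"},  # version not in BOM
]

if __name__ == "__main__":
    print("\n".join(plan_overrides(OVERRIDES, BOM)))
```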
License
MIT © Jouni Lehto
File details
Details for the file bdsca_analysis_config_file-0.1.6.tar.gz.
File metadata
- Download URL: bdsca_analysis_config_file-0.1.6.tar.gz
- Upload date:
- Size: 32.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 431cbe6da8832fd20204f0bd5507997d55bb3cdf6e571e5281c0ee8761b06276 |
| MD5 | 4283be179553e35ce3e97c0e65ffaf2c |
| BLAKE2b-256 | cce16b95620f1be4dce274c971d31cd42101c3c5b2378a012f9c0e2e5d61cbac |
File details
Details for the file bdsca_analysis_config_file-0.1.6-py3-none-any.whl.
File metadata
- Download URL: bdsca_analysis_config_file-0.1.6-py3-none-any.whl
- Upload date:
- Size: 26.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7db637b76bfe4be13ed394ab9151ca73cb5970d1e896e8a33ad132ab7bb48301 |
| MD5 | 901fb8a58d1845eca6c4862812b693ff |
| BLAKE2b-256 | 2b4a22c9e3e3da562f764a078ef87df5bfbd699b2e05ba091e2351f9cb1347d4 |