An OSS Index integration to check for vulnerabilities in your Conda environments
Project description
Jake
jake is a tool to check for vulnerabilities in your Conda environments, powered by Sonatype OSS Index, that can also be used with Sonatype's Nexus IQ Server.
Usage
$ jake --help
usage: jake [-h] [-S] [-P] [-V] [-VV] [-A APPLICATION] [-C] {ddt}
positional arguments:
{ddt} run jake
optional arguments:
-h, --help show this help message and exit
-S, --snake set optional jake config
-P, --python set optional jake IQ Server config
-V, --version show program version and exit
-VV, --verbose set verbosity level to debug
-A APPLICATION, --application APPLICATION
supply an IQ Server Public Application ID
-C, --clean wipe out jake cache
Typical usage of jake is to run it like so: conda list | jake ddt, which will feed your Conda dependencies in your current Conda environment to jake, which will then reach out and check OSS Index to see if they are vulnerable!
Options
You may also run jake ddt with -VV for a slew of debug data, in case you are running in to an odd situation, or you want to help out on development!
You can also run jake ddt -C to clean out your local cache if desired. We cache results from OSS Index for 12 hours to prevent you from potentially getting rate limited (as your dependencies likely won't change super often).
You can also run jake ddt -S to set optional configuration of your OSS Index username and API Key so that you can run more requests without getting rate limited. You may register for an account at this link, and see the information provided here on Rate Limiting for why this is useful.
Usage with Nexus IQ Server
jake can be used against Nexus IQ Server, to audit your application using your organizations policy.
You can run jake ddt -P to set configuration of your IQ Server username and token.
Once you've configured jake with proper credentials, you can run jake ddt -A application-id, replacing application-id with the public ID of your application in IQ Server. If there is a policy action required after submitting to IQ Server, jake will exit with a non zero code, allowing you to fail builds based on needed policy actions. The IQ Server Report URL will be provided as well.
An example of using jake with the Nexus IQ Server Sandbox Application follows.
-
(Onetime) Configure
jaketo use your Nexus IQ Server credentials:$ jake ddt -P Please enter your username for your IQ Server account: admin Please enter your user token for IQ Server: admin123 Please provide the location of your IQ Server: http://localhost:8070 -
Feed your Conda dependencies in your current Conda environment to
jake, which will then reach out and check Nexus IQ Server to see if they are vulnerable:$ conda list | jake ddt -A sandbox-application ... Your IQ Server Report is available here: http://localhost:8070/ui/links/application/sandbox-application/report/fec66f75726f434cb8e94360a6c11df1 All good to go! Smooth sailing for you! No policy violations reported by IQ Server
Why Jake?
Jake The Snake was scared of Snakes. The finishing move was DDT. He finishes the Snake with DDT.
Installation
Download from PyPI
pip3 install jake
Build from source
- Clone the repo
- Install Python 3.7 or higher
- Ensure pip is installed (it should be)
- Run
python3 -m venv .venv(or whatever virtual environment you prefer) - Run
source .venv/bin/activate - Run
pip install -r requirements.txt - Run
pip install -e .
Once you've done this, you should have jake available to test with fairly globally, pointed at the local source you've cloned.
Development
jake is written using Python 3.7
This project also uses pip for dependencies, so you will need to download make sure you have pip.
Follow instructions in Build from source.
Tests can be run with python3 -m unittest discover
More TBD.
Contributing
We care a lot about making the world a safer place, and that's why we created jake. If you as well want to
speed up the pace of software development by working on this project, jump on in! Before you start work, create
a new issue, or comment on an existing issue, to let others know you are!
The Fine Print
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
Remember:
- Use this contribution at the risk tolerance that you have
- Do NOT file Sonatype support tickets related to
jakesupport in regard to this project - DO file issues here on GitHub, so that the community can pitch in
Phew, that was easier than I thought. Last but not least of all:
Have fun creating and using jake and the Sonatype OSS Index, we are glad to have you here!
Getting help
Looking to contribute to our code but need some help? There's a few ways to get information:
- Chat with us on Gitter
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
