ReportMix

Merge reports from multiple tools into a single file.

Warning: This tool is only in alpha stage, not safe for production usage!

Install

Install ReportMix from PyPI:

pip install reportmix

Usage

Merge reports using the command-line interface:

reportmix

Arguments

| Argument | Description | Default value |
|---|---|---|
| --help | Show the help message and exit | |
| --verbose | Run verbosely (display DEBUG logging) | |
| --output_dir OUTPUT_DIR | The location to write the report | ./ |
| --config_file CONFIG_FILE | The path to the configuration file | .reportmix |
| --formats FORMATS | Report formats to be generated (csv, json, html) | html |
| --fields FIELDS | Fields to include in the output report (CSV and HTML only) | all |
| --logo LOGO | The URL to the company logo to display on the HTML report | |

Run reportmix --help to show the full help message.

Plural properties (formats, fields, ...) support a single value or a comma-separated list of items (e.g. --formats "csv,html,json").

Tool-specific configuration arguments are documented in the help message and below.

Configuration

Configure the merging process using command-line arguments or create a configuration file .reportmix in the working directory:

[global]
output_dir=target
formats=html,csv,json
fields=tool_name,tool_version,name,description,type,severity,subject_name
logo=http://acme.com/img/logo.png

[dependency_check]
report_file=target/dependency-check-report.csv

[npm_audit]
report_file=web-app/npm-audit.json

[sonarqube]
host_url=http://sonarqube.acme.corp
project_key=acme:myproject

This configuration can also be passed as command-line arguments:

python reportmix.py --output_dir target --formats "html,csv,json" \
    dependency_check.report_file "target/dependency-check-report.csv" \
    npm_audit.report_file "web-app/npm-audit.json" \
    sonarqube.host_url "http://sonarqube.acme.corp" sonarqube.project_key "acme:myproject"

Supported reports

Reports produced by the following tools are currently supported:

  • Dependency-Check: load a vulnerability report generated by OWASP Dependency-Check (CSV format only); version 5.x is recommended
  • npm audit: load a security audit generated by the npm-audit CLI command (JSON format only); npm@6 is required
  • SonarQube: load code quality analysis results from a SonarQube instance; version 7.x is required

Contributions to improve existing report loaders or add new ones are welcome!

Dependency-Check

  • Run a Dependency-Check scan (cf. Maven plugin)
    • The CSV report must be generated (cf. format property in the plugin configuration)
  • Move the dependency-check-report.csv file into the working directory, or configure ReportMix (dependency_check.report_file) to look for the file somewhere else
  • ✔ Run ReportMix

npm audit

  • Run a security audit using the npm-audit CLI command
    • Get the detailed audit report in JSON format, e.g.: npm audit --json > npm-audit.json
  • Move the npm-audit.json file into the working directory, or configure ReportMix (npm_audit.report_file) to look for the file somewhere else
  • ✔ Run ReportMix

SonarQube

  • Run a SonarQube analysis (cf. Analyzing Source Code)
  • Configure the instance URL (sonarqube.host_url), the project key (sonarqube.project_key), and authentication settings
  • ✔ Run ReportMix
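
A pre-flight check for a .reportmix configuration, added here as an example (it is not part of ReportMix): it flags plain-HTTP URLs, missing report files, and npm audit reports that are not in the npm@6 layout. It assumes the file parses with Python's configparser and that report_file paths are relative to the working directory; the function names are hypothetical.

```python
import configparser
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample, reduced from the configuration shown above.
SAMPLE_CONFIG = """\
[global]
output_dir=target
logo=http://acme.com/img/logo.png

[npm_audit]
report_file=web-app/npm-audit.json

[sonarqube]
host_url=http://sonarqube.acme.corp
project_key=acme:myproject
"""

def check_npm_audit(report):
    """npm@6 writes a top-level "advisories" object; npm 7+ writes "vulnerabilities"."""
    try:
        data = json.loads(report.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return [f"npm_audit.report_file: {report.name} is not valid JSON"]
    if not isinstance(data, dict) or "advisories" not in data:
        return [f"npm_audit.report_file: {report.name} is not an npm@6 audit report"]
    return []

def preflight(config_text, base_dir="."):
    """Return findings for a .reportmix configuration (an empty list means clean)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg[section].items():
            # Plain HTTP: SonarQube traffic and the logo fetch are unencrypted.
            if urlparse(value).scheme == "http":
                findings.append(f"{section}.{key}: plain HTTP URL {value}")
            if key == "report_file":
                report = Path(base_dir) / value
                if not report.is_file():
                    findings.append(f"{section}.{key}: missing file {value}")
                elif section == "npm_audit":
                    findings.extend(check_npm_audit(report))
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG):
        print(finding)
```

Run it in CI before ReportMix so that a missing or wrong-format scanner report fails the build rather than going unnoticed.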

Development

Environment

Create the virtual environment, install dependencies from Pipfile and activate the Pipenv shell:

export PIPENV_VENV_IN_PROJECT=1 # optional
pipenv install
pipenv shell

License

ReportMix is licensed under the GNU General Public License.

Download files

Source Distribution

reportmix-0.1.0.tar.gz (29.5 kB)

Built Distribution

reportmix-0.1.0-py3-none-any.whl (33.8 kB)
