reportmix 0.3.0

Merge reports from multiple tools into a single file

ReportMix

Merge reports from multiple tools into a single file.

Install

Install ReportMix from PyPI:

pip install reportmix

Usage

Merge reports using the command-line interface:

reportmix

Arguments

Argument	Description	Default value
-h, --help	Show the help message and exit
-V, --version	Show program's version number and exit
-v, --verbose	Run verbosely (display DEBUG logging)
--output_dir OUTPUT_DIR	The location to write the report	./
--config_file CONFIG_FILE	The path to the configuration file	.reportmix
--formats FORMATS	Report formats to be generated (csv, json, html)	html
--fields FIELDS	Fields to include in the output report (CSV and HTML only)	all
--logo LOGO	The URL to the organization logo to display on the HTML report
--meta.*	User-defined metadata fields

Run reportmix --help to show the full help message.

Plural properties (formats, fields, ...) support a single value or a comma-separated list of items (e.g. --formats "csv,html,json").

Tool-specific configuration arguments are documented in the help message and below.

Configuration

Configure the merging process using command-line arguments or create a configuration file .reportmix in the working directory:

[global]
output_dir=target
formats=html,csv,json
fields=tool_name,tool_version,meta_organization,name,description,type,severity,subject_name
logo=http://acme.com/img/logo.png

[meta]
organization=Acme Corporation

[dependency_check]
report_file=target/dependency-check-report.csv

[npm_audit]
report_file=web-app/npm-audit.json

[sonarqube]
host_url=http://sonarqube.acme.corp
project_key=acme:myproject

This configuration can also be passed as command-line arguments:

reportmix --output_dir target --formats "html,csv,json" \
    --meta.organization "Acme Corporation"
    --dependency_check.report_file "target/dependency-check-report.csv" \
    --npm_audit.report_file "web-app/npm-audit.json" \
    --sonarqube.host_url "http://sonarqube.acme.corp" --sonarqube.project_key "acme:myproject"

Metadata fields allows to define some fields for each issue in the configuration:

Name	Description	Default value
product	The product name
version	The product version
organization	The organization name
client	The client name
audit_date	The audit date	now()

Supported reports

Reports produced by the following tools are currently supported:

• Dependency-Check: load a vulnerability report generated by OWASP dependency check (CSV format only), version 5.x is recommended
• npm audit: load a security audit generated by npm-audit CLI command (JSON format only), npm@6 is required
• SonarQube: load code quality analysis results from a SonarQube instance, version 7.x is required

Contributions to improve existing report loaders or add new ones are welcome!

Dependency-Check

• Run a Dependency-Check scan (cf. Maven plugin)
  • The CSV report must be generated (cf. format property in the plugin configuration)
• Move the dependency-check-report.csv file in the working directory or configure ReportMix (dependency_check.report_file) to look for the file somewhere else
• :heavy_check_mark: Run ReportMix

→ Dependency-Check loader

npm audit

• Run a security audit using the npm-audit CLI command
  • Get the detailed audit report in JSON format, e.g.: npm audit --json > npm-audit.json
• Move the npm-audit.json file in the working directory or configure ReportMix (npm_audit.report_file) to look for the file somewhere else
• :heavy_check_mark: Run ReportMix

→ npm audit loader

SonarQube

• Run a SonarQube analysis (cf. Analyzing Source Code)
• Configure the instance URL (sonarqube.host_url), the project key (sonarqube.project_key), and authentication settings
• :heavy_check_mark: Run ReportMix

→ SonarQube loader

License

ReportMix is licensed under the GNU General Public License.