Skip to main content

Merge reports from multiple tools into a single file

Project description

ReportMix

PyPI License Python version Build Tests Pylint

Merge reports from multiple tools into a single file.

Install

Install ReportMix from PyPI:

pip install reportmix

Usage

Merge reports using the command-line interface:

reportmix

Arguments

Argument Description
-h, --help Show the help message and exit
-V, --version Show program's version number and exit
-v, --verbose Run verbosely (display DEBUG logging)
--output_dir OUTPUT_DIR The location to write the report
--config_file CONFIG_FILE The path to the configuration file
--formats FORMATS Report formats to be generated (csv, json, html)
--fields FIELDS Fields to include in the output report (CSV and HTML only)
--hash HASH Fields to use for hash generation
--title TITLE The HTML report title
--logo LOGO The URL to the organization logo to display on the HTML report
--meta.* User-defined metadata fields

Run reportmix --help to show the full help message.

Some properties (formats, fields, hash, ...) support a single value or a comma-separated list of items (e.g. --formats "csv,html,json").

Tool-specific configuration arguments are documented in the help message and below.

Configuration

Configure the merging process using command-line arguments or create a configuration file .reportmix in the working directory:

[global]
output_dir=target
formats=html,csv,json
fields=tool_name,tool_version,meta_organization,name,description,type,severity,subject_name
title=Analysis report
logo=http://acme.com/img/logo.png

[meta]
organization=Acme Corporation

[dependency_check]
report_file=target/dependency-check-report.csv

[npm_audit]
report_file=web-app/npm-audit.json

[sonarqube]
host_url=http://sonarqube.acme.corp
project_key=acme:myproject

[reportmix]
report_file=sub-project/reportmix.csv

This configuration can also be passed as command-line arguments:

reportmix --output_dir target --formats "html,csv,json" \
    --fields [...] --title "Analysis report" --logo "http://acme.com/img/logo.png" \
    --meta.organization "Acme Corporation" \
    --dependency_check.report_file "target/dependency-check-report.csv" \
    --npm_audit.report_file "web-app/npm-audit.json" \
    --sonarqube.host_url "http://sonarqube.acme.corp" --sonarqube.project_key "acme:myproject" \
    --reportmix.report_file "sub-project/reportmix.csv"

Metadata fields

Metadata fields allow to define some fields for each issue in the configuration:

Name Description Default value
product The product name
version The product version
organization The organization name
client The client name
audit_date The audit date now()

Hash

hash is a special field. It is not extracted from the reports data but computed using some of the issue fields to create a stable unique identifier. If multiple issues, in a single merged report or in different reports, generated at different times, have the same hash value, we can consider they are the same, so solving one of them will solve the others. It can be especially useful for computing a delta between multiple reports, tracking issues fixes, etc.

Supported reports

Reports produced by the following tools are currently supported:

  • Dependency-Check: load a vulnerability report generated by OWASP dependency check (CSV required, JSON optional), version 5.x is recommended
  • npm audit: load a security audit generated by npm-audit CLI command (JSON format only), npm@6 is required
  • SonarQube: load code quality analysis results from a SonarQube instance, version 7.x is required
  • ReportMix: load a report (CSV format) generated by ReportMix or manually created

Contributions to improve existing report loaders or add new ones are welcome!

Dependency-Check loader

  • Run a Dependency-Check scan (cf. Maven plugin)
    • The CSV report is required, the JSON report is optional (cf. format property in the plugin configuration)
  • Move dependency-check-report.* files in the working directory or configure ReportMix (dependency_check.report_file) to look for the file somewhere else
  • :heavy_check_mark: Run ReportMix

Dependency-Check loader

npm audit loader

  • Run a security audit using the npm-audit CLI command
    • Get the detailed audit report in JSON format, e.g.: npm audit --json > npm-audit.json
  • Move the npm-audit.json file in the working directory or configure ReportMix (npm_audit.report_file) to look for the file somewhere else
  • :heavy_check_mark: Run ReportMix

npm audit loader

SonarQube loader

  • Run a SonarQube analysis (cf. Analyzing Source Code)
  • Configure the instance URL (sonarqube.host_url), the project key (sonarqube.project_key), and authentication settings
  • :heavy_check_mark: Run ReportMix

SonarQube loader

ReportMix loader

  • Run ReportMix (e.g. in another project) to generate a report (csv format required) or create it manually using the ReportMix output format (e.g. to include vulnerabilities from a manual security audit). A spreadsheet can be used to easily create or edit a CSV report.
  • Configure the path to the CSV report file (reportmix.report_file)
  • :heavy_check_mark: Run ReportMix

ReportMix loader

License

ReportMix is licensed under the GNU General Public License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

reportmix-0.6.0.tar.gz (35.3 kB view hashes)

Uploaded Source

Built Distribution

reportmix-0.6.0-py3-none-any.whl (39.5 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page