Skip to main content

An OSS Index integration to check for vulnerabilities in your Conda environments

Project description

Jake

CircleCI

jake is a tool to check for vulnerabilities in your Conda environments, powered by Sonatype OSS Index, that can also be used with Sonatype's Nexus IQ Server.

Usage

$ jake --help
usage: jake [-h] [-S] [-P] [-V] [-VV] [-A APPLICATION] [-C] {ddt}

positional arguments:
  {ddt}                 run jake

optional arguments:
  -h, --help            show this help message and exit
  -S, --snake           set optional jake config
  -P, --python          set optional jake IQ Server config
  -V, --version         show program version and exit
  -VV, --verbose        set verbosity level to debug
  -A APPLICATION, --application APPLICATION
                        supply an IQ Server Public Application ID
  -C, --clean           wipe out jake cache

Typical usage of jake is to run it like so: conda list | jake ddt, which will feed your Conda dependencies in your current Conda environment to jake, which will then reach out and check OSS Index to see if they are vulnerable!

Options

You may also run jake ddt with -VV for a slew of debug data, in case you are running in to an odd situation, or you want to help out on development!

You can also run jake ddt -C to clean out your local cache if desired. We cache results from OSS Index for 12 hours to prevent you from potentially getting rate limited (as your dependencies likely won't change super often).

You can also run jake ddt -S to set optional configuration of your OSS Index username and API Key so that you can run more requests without getting rate limited. You may register for an account at this link, and see the information provided here on Rate Limiting for why this is useful.

Usage with Nexus IQ Server

jake can be used against Nexus IQ Server, to audit your application using your organizations policy.

You can run jake ddt -P to set configuration of your IQ Server username and token.

Once you've configured jake with proper credentials, you can run jake ddt -A application-id, replacing application-id with the public ID of your application in IQ Server. If there is a policy action required after submitting to IQ Server, jake will exit with a non zero code, allowing you to fail builds based on needed policy actions. The IQ Server Report URL will be provided as well.

Why Jake?

Jake The Snake was scared of Snakes. The finishing move was DDT. He finishes the Snake with DDT.

Installation

Download from PyPI

pip3 install jake

Build from source

  • Clone the repo
  • Install Python 3.7 or higher
  • Ensure pip is installed (it should be)
  • Run python3 -m venv .venv (or whatever virtual environment you prefer)
  • Run source .venv/bin/activate
  • Run pip install -r requirements.txt
  • Run pip install -e .

Once you've done this, you should have jake available to test with fairly globally, pointed at the local source you've cloned.

Development

jake is written using Python 3.7

This project also uses pip for dependencies, so you will need to download make sure you have pip.

Follow instructions in Build from source.

Tests can be run with python3 -m unittest discover

More TBD.

Contributing

We care a lot about making the world a safer place, and that's why we created jake. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

The Fine Print

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

Remember:

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to jake support in regard to this project
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all:

Have fun creating and using jake and the Sonatype OSS Index, we are glad to have you here!

Getting help

Looking to contribute to our code but need some help? There's a few ways to get information:

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

jake-0.0.17.tar.gz (17.1 kB view details)

Uploaded Source

Built Distribution

jake-0.0.17-py3-none-any.whl (36.2 kB view details)

Uploaded Python 3

File details

Details for the file jake-0.0.17.tar.gz.

File metadata

  • Download URL: jake-0.0.17.tar.gz
  • Upload date:
  • Size: 17.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/44.0.0 requests-toolbelt/0.9.1 tqdm/4.41.1 CPython/3.6.4

File hashes

Hashes for jake-0.0.17.tar.gz
Algorithm Hash digest
SHA256 971e5b328e1e73bd838eb08e86d358416a702f3906786c533255668752b57fcc
MD5 ee9bb36139df069d3d7c767825a5dc40
BLAKE2b-256 6da75bd7013d61dc2817956db41259c02240542a73b4fffe4c9517c2abe81def

See more details on using hashes here.

Provenance

File details

Details for the file jake-0.0.17-py3-none-any.whl.

File metadata

  • Download URL: jake-0.0.17-py3-none-any.whl
  • Upload date:
  • Size: 36.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/44.0.0 requests-toolbelt/0.9.1 tqdm/4.41.1 CPython/3.6.4

File hashes

Hashes for jake-0.0.17-py3-none-any.whl
Algorithm Hash digest
SHA256 068a50c3002b43451bb99d8f8ef05fefb0a4a042c73646a2042e36bf84827e8f
MD5 a20a6764f37d2dff0bdc7420b7d0a456
BLAKE2b-256 0e1479c70933f289d154f1f38b891c5b5889325db9b6369735c75fb64a54e0b2

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page