Skip to main content

An OSS Index integration to check for vulnerabilities in your Conda environments

Project description

Jake

CircleCI

jake is a tool to check for vulnerabilities in your Conda environments, powered by Sonatype OSS Index, that can also be used with Sonatype's Nexus IQ Server.

Usage

$ jake --help
usage: jake [-h] [-S] [-P] [-V] [-VV] [-A APPLICATION] [-C] {ddt}

positional arguments:
  {ddt}                 run jake

optional arguments:
  -h, --help            show this help message and exit
  -S, --snake           set optional jake config
  -P, --python          set optional jake IQ Server config
  -V, --version         show program version and exit
  -VV, --verbose        set verbosity level to debug
  -A APPLICATION, --application APPLICATION
                        supply an IQ Server Public Application ID
  -C, --clean           wipe out jake cache

Typical usage of jake is to run it like so: conda list | jake ddt, which will feed your Conda dependencies in your current Conda environment to jake, which will then reach out and check OSS Index to see if they are vulnerable!

Options

You may also run jake ddt with -VV for a slew of debug data, in case you are running in to an odd situation, or you want to help out on development!

You can also run jake ddt -C to clean out your local cache if desired. We cache results from OSS Index for 12 hours to prevent you from potentially getting rate limited (as your dependencies likely won't change super often).

You can also run jake ddt -S to set optional configuration of your OSS Index username and API Key so that you can run more requests without getting rate limited. You may register for an account at this link, and see the information provided here on Rate Limiting for why this is useful.

Usage with Nexus IQ Server

jake can be used against Nexus IQ Server, to audit your application using your organizations policy.

You can run jake ddt -P to set configuration of your IQ Server username and token.

Once you've configured jake with proper credentials, you can run jake ddt -A application-id, replacing application-id with the public ID of your application in IQ Server. If there is a policy action required after submitting to IQ Server, jake will exit with a non zero code, allowing you to fail builds based on needed policy actions. The IQ Server Report URL will be provided as well.

An example of using jake with the Nexus IQ Server Sandbox Application follows.

  1. (Onetime) Configure jake to use your Nexus IQ Server credentials:

    $ jake ddt -P
    Please enter your username for your IQ Server account: admin
    Please enter your user token for IQ Server: admin123
    Please provide the location of your IQ Server: http://localhost:8070
    
  2. Feed your Conda dependencies in your current Conda environment to jake, which will then reach out and check Nexus IQ Server to see if they are vulnerable:

    $ conda list | jake ddt -A sandbox-application
    ...
    Your IQ Server Report is available here: http://localhost:8070/ui/links/application/sandbox-application/report/fec66f75726f434cb8e94360a6c11df1
    All good to go! Smooth sailing for you! No policy violations reported by IQ Server
    

Why Jake?

Jake The Snake was scared of Snakes. The finishing move was DDT. He finishes the Snake with DDT.

Installation

Download from PyPI

pip3 install jake

Build from source

  • Clone the repo
  • Install Python 3.7 or higher
  • Ensure pip is installed (it should be)
  • Run python3 -m venv .venv (or whatever virtual environment you prefer)
  • Run source .venv/bin/activate
  • Run pip install -r requirements.txt
  • Run pip install -e .

Once you've done this, you should have jake available to test with fairly globally, pointed at the local source you've cloned.

Development

jake is written using Python 3.7

This project also uses pip for dependencies, so you will need to download make sure you have pip.

Follow instructions in Build from source.

Tests can be run with python3 -m unittest discover

More TBD.

Contributing

We care a lot about making the world a safer place, and that's why we created jake. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

The Fine Print

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

Remember:

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to jake support in regard to this project
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all:

Have fun creating and using jake and the Sonatype OSS Index, we are glad to have you here!

Getting help

Looking to contribute to our code but need some help? There's a few ways to get information:

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

jake-0.0.21.tar.gz (19.8 kB view details)

Uploaded Source

Built Distribution

jake-0.0.21-py3-none-any.whl (36.4 kB view details)

Uploaded Python 3

File details

Details for the file jake-0.0.21.tar.gz.

File metadata

  • Download URL: jake-0.0.21.tar.gz
  • Upload date:
  • Size: 19.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/44.0.0 requests-toolbelt/0.9.1 tqdm/4.41.1 CPython/3.6.4

File hashes

Hashes for jake-0.0.21.tar.gz
Algorithm Hash digest
SHA256 ace6a52cc23f74bacfeddbebcc3dd10afd67445134a3b64c396fd96f948fc9a0
MD5 5b83279f7e605c2d2a7a3b66cdfb177a
BLAKE2b-256 b40334de1374d446addae89519eee72ea84d78c76ec03798ed47b61d396319dc

See more details on using hashes here.

Provenance

File details

Details for the file jake-0.0.21-py3-none-any.whl.

File metadata

  • Download URL: jake-0.0.21-py3-none-any.whl
  • Upload date:
  • Size: 36.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/44.0.0 requests-toolbelt/0.9.1 tqdm/4.41.1 CPython/3.6.4

File hashes

Hashes for jake-0.0.21-py3-none-any.whl
Algorithm Hash digest
SHA256 27572af152969dc0330271ccee64ab1d51e19948040725c8b314506d4c7a756c
MD5 9216d7d15e2a29e96d0985d2a7b458df
BLAKE2b-256 a08df0bf8c868c855adfaa7b3657bd933ef6e0669bcb5da704ab30e34e2d6f9b

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page