
An OSS Index integration to check for vulnerabilities in your Python environments


Jake

jake is a tool for your Python environments and applications that can:

  • produce CycloneDX software bill-of-materials
  • report on known vulnerabilities

jake is powered by Sonatype OSS Index and can also be used with Sonatype's Nexus IQ Server.

Installation

Install from pypi.org as you would any other Python module:

pip install jake

or

poetry add jake

Other Python package managers are available.

Usage

Getting Started

jake can guide you...

> jake --help
usage: jake [-h] [-v] [-X]  ...

Put your Python dependencies in a chokehold

optional arguments:
  -h, --help        show this help message and exit
  -v, --version     show which version of jake you are running
  -w, --warn-only   prevents exit with non-zero code when issues have been
                    detected
  -X                enable debug output

Jake sub-commands:

    iq              perform a scan backed by Nexus Lifecycle
    ddt             perform a scan backed by OSS Index
    sbom            generate a CycloneDX software-bill-of-materials (no vulnerabilities)

jake exits with code 0 under normal operation and with code 1 if vulnerabilities are found (OSS Index) or policy violations are detected (Nexus IQ), unless you pass the -w flag, in which case jake always exits with code 0.

Check for vulnerabilities using OSS Index

jake will look at the packages installed in your current Python environment and check them against OSS Index for you. Optionally, it can create a CycloneDX software bill-of-materials at the same time in a format that suits you.

> jake ddt --help

usage: jake ddt [-h] [--clear-cache] [-o PATH/TO/FILE] [--output-format {xml,json}] [--schema-version {1.2,1.1,1.0,1.3}]

optional arguments:
  -h, --help            show this help message and exit
  --clear-cache         Clears any local cached OSS Index data prior to execution
  -o PATH/TO/FILE, --output-file PATH/TO/FILE
                        Specify a file to output the SBOM to. If not specified the report will be output to the console. STDOUT is not supported.
  --output-format {xml,json}
                        SBOM output format (default = xml)
  --schema-version {1.2,1.1,1.0,1.3}
                        CycloneDX schema version to use (default = 1.3)

So you can quickly get a report by running:

> jake ddt

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.0.0
Put your Python dependencies in a chokehold.

๐Ÿ Collected 42 packages from your environment (0:00:00.10)
๐Ÿ Successfully queried OSS Index for package and vulnerability info (0:00:00.59)
๐Ÿ Sane number of results from OSS Index


╔Summary═══════════════╦════╗
║ Audited Dependencies ║ 42 ║
╠══════════════════════╬════╣
║ Vulnerablities Found ║ 0  ║
╚══════════════════════╩════╝

Check for vulnerabilities using Sonatype Nexus Lifecycle

Access Sonatype's proprietary vulnerability data using jake:

> jake iq --help

usage: jake iq [-h] -s https://localhost:8070 -i APP_ID -u USER_ID -p PASSWORD

optional arguments:
  -h, --help            show this help message and exit
  -s https://localhost:8070, --server-url https://localhost:8070
                        Full http(s):// URL to your Nexus Lifecycle server
  -i APP_ID, --application-id APP_ID
                        Public Application ID in Nexus Lifecycle
  -u USER_ID, --username USER_ID
                        Username for authentication to Nexus Lifecycle
  -p PASSWORD, --password PASSWORD
                        Password for authentication to Nexus Lifecycle

So, passing parameters that suit your Nexus Lifecycle environment, you can get a report:

> jake iq -s https://my-nexus-lifecyle -i APP_ID -u USERNAME -p PASSWORD

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.0.0
Put your Python dependencies in a chokehold

๐Ÿ IQ Server at https://my-nexus-lifecyle is up and accessible (0:00:00.14)
๐Ÿ Collected 42 packages from your environment (0:00:00.09)
๐Ÿงจ Something slithers around your ankle! There are policy warnings from Sonatype Nexus IQ. (0:00:11.50)

Your Sonatype Nexus IQ Lifecycle Report is available here:
  HTML: https://my-nexus-lifecyle/ui/links/application/APP_ID/report/4831bcb7fbaa45c3a2481048e446b598
  PDF:  https://my-nexus-lifecyle/ui/links/application/APP_ID/report/4831bcb7fbaa45c3a2481048e446b598/pdf

Why Jake?

Jake The Snake was scared of Snakes. The finishing move was DDT. He finishes the Snake with DDT.

Who better to wrangle those slippery dependencies in any virtual or real environment?

Python Support

We endeavour to support all functionality for all current actively supported Python versions. However, some features may not be possible/present in older Python versions due to their lack of support.

Changelog

See our CHANGELOG.

The Fine Print

Remember:

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to ossindex-lib
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all - have fun!

Download files

Download the file for your platform.

Source Distribution

jake-1.0.1.tar.gz (18.2 kB)

Uploaded Source

Built Distribution

jake-1.0.1-py3-none-any.whl (23.7 kB)

Uploaded Python 3

File details

Details for the file jake-1.0.1.tar.gz.

File metadata

  • Download URL: jake-1.0.1.tar.gz
  • Size: 18.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.11

File hashes

Hashes for jake-1.0.1.tar.gz
Algorithm Hash digest
SHA256 46206448e5882a57f97893af7e522da92cb1a778eef23d01e220162dbc80c9db
MD5 9a3f7f7aec1e7339eb231e5334e45630
BLAKE2b-256 c7b4196fdf4fa19ed143f164e72e9410bf06303a7e97146114722fa67cc41f05

File details

Details for the file jake-1.0.1-py3-none-any.whl.

File metadata

  • Download URL: jake-1.0.1-py3-none-any.whl
  • Size: 23.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.11

File hashes

Hashes for jake-1.0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5a15ba9cc80629bd74cef4b7ba81ff7f97070619e128225eba147f93eb30c551
MD5 ac38293e4ce351abbda2bb36ef3a0012
BLAKE2b-256 dcb489913c534550c3be65548244bd6b71439ef25b47b688f1f4b60207031058
