Skip to content
An OSS Index integration to check your Conda environments for vulnerable Open Source packages
Python Shell
Branch: master
Clone or download
semantic-release Sonatype Community
semantic-release and Sonatype Community 0.0.21
[skip ci]
Latest commit f5df45d Jan 10, 2020

README.md

Jake

CircleCI

jake is a tool to check for vulnerabilities in your Conda environments, powered by Sonatype OSS Index, that can also be used with Sonatype's Nexus IQ Server.

Usage

$ jake --help
usage: jake [-h] [-S] [-P] [-V] [-VV] [-A APPLICATION] [-C] {ddt}

positional arguments:
  {ddt}                 run jake

optional arguments:
  -h, --help            show this help message and exit
  -S, --snake           set optional jake config
  -P, --python          set optional jake IQ Server config
  -V, --version         show program version and exit
  -VV, --verbose        set verbosity level to debug
  -A APPLICATION, --application APPLICATION
                        supply an IQ Server Public Application ID
  -C, --clean           wipe out jake cache

Typical usage of jake is to run it like so: conda list | jake ddt, which will feed your Conda dependencies in your current Conda environment to jake, which will then reach out and check OSS Index to see if they are vulnerable!

Options

You may also run jake ddt with -VV for a slew of debug data, in case you are running in to an odd situation, or you want to help out on development!

You can also run jake ddt -C to clean out your local cache if desired. We cache results from OSS Index for 12 hours to prevent you from potentially getting rate limited (as your dependencies likely won't change super often).

You can also run jake ddt -S to set optional configuration of your OSS Index username and API Key so that you can run more requests without getting rate limited. You may register for an account at this link, and see the information provided here on Rate Limiting for why this is useful.

Usage with Nexus IQ Server

jake can be used against Nexus IQ Server, to audit your application using your organizations policy.

You can run jake ddt -P to set configuration of your IQ Server username and token.

Once you've configured jake with proper credentials, you can run jake ddt -A application-id, replacing application-id with the public ID of your application in IQ Server. If there is a policy action required after submitting to IQ Server, jake will exit with a non zero code, allowing you to fail builds based on needed policy actions. The IQ Server Report URL will be provided as well.

An example of using jake with the Nexus IQ Server Sandbox Application follows.

  1. (Onetime) Configure jake to use your Nexus IQ Server credentials:

    $ jake ddt -P
    Please enter your username for your IQ Server account: admin
    Please enter your user token for IQ Server: admin123
    Please provide the location of your IQ Server: http://localhost:8070
    
  2. Feed your Conda dependencies in your current Conda environment to jake, which will then reach out and check Nexus IQ Server to see if they are vulnerable:

    $ conda list | jake ddt -A sandbox-application
    ...
    Your IQ Server Report is available here: http://localhost:8070/ui/links/application/sandbox-application/report/fec66f75726f434cb8e94360a6c11df1
    All good to go! Smooth sailing for you! No policy violations reported by IQ Server
    

Why Jake?

Jake The Snake was scared of Snakes. The finishing move was DDT. He finishes the Snake with DDT.

Installation

Download from PyPI

pip3 install jake

Build from source

  • Clone the repo
  • Install Python 3.7 or higher
  • Ensure pip is installed (it should be)
  • Run python3 -m venv .venv (or whatever virtual environment you prefer)
  • Run source .venv/bin/activate
  • Run pip install -r requirements.txt
  • Run pip install -e .

Once you've done this, you should have jake available to test with fairly globally, pointed at the local source you've cloned.

Development

jake is written using Python 3.7

This project also uses pip for dependencies, so you will need to download make sure you have pip.

Follow instructions in Build from source.

Tests can be run with python3 -m unittest discover

More TBD.

Contributing

We care a lot about making the world a safer place, and that's why we created jake. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

The Fine Print

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

Remember:

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to jake support in regard to this project
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all:

Have fun creating and using jake and the Sonatype OSS Index, we are glad to have you here!

Getting help

Looking to contribute to our code but need some help? There's a few ways to get information:

You can’t perform that action at this time.