Issue 35

.circleci/config.yml

@@ -35,7 +35,9 @@ jobs:
           keys:
             - go-mod-v1-{{ checksum "go.sum" }}
       - run: go get -u github.com/jstemmer/go-junit-report
+      - run: go get -u github.com/sonatype-nexus-community/nancy
       - run: make deps
+      - run: go list -json -m all | nancy sleuth
       - run: make ci-lint
       - run: make test | go-junit-report > $TEST_RESULTS/gotest/report.xml
       - save_cache:

README.md

@@ -147,18 +147,20 @@ Examples:
         yum list installed | ./ahab chase
         apk info -vv | sort | ./ahab chase
 
-
 Flags:
-  -v, -- count          Set log level, higher is more verbose
-      --clean-cache     Flag to clean the database cache for OSS Index
-  -h, --help            help for chase
-      --loud            Specify if you want non vulnerable packages included in your output
-      --no-color        Specify if you want no color in your results
-      --os string       Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it.
-      --output string   Specify the output type you want (json, text, csv) (default "text")
-      --quiet           Quiet removes the header from being printed
-      --token string    Specify your OSS Index API Token
-      --user string     Specify your OSS Index Username
+  -v, -- count                              Set log level, higher is more verbose
+      --clean-cache                         Flag to clean the database cache for OSS Index
+  -e, --exclude-vulnerability CveListFlag   Comma separated list of CVEs to exclude (default [])
+  -x, --exclude-vulnerability-file string   Path to a file containing newline separated CVEs to be excluded (default "./.ahab-ignore")
+  -h, --help                                help for chase
+      --loud                                Specify if you want non vulnerable packages included in your output
+      --no-color                            Specify if you want no color in your results
+      --os string                           Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it. (DEPRECATED: use package-manager)
+      --output string                       Specify the output type you want (json, text, csv) (default "text")
+      --package-manager string              Specify package manager type you want to scan (apk, dnf, dpkg or yum). Useful if autodetection fails and/or you want to explicitly set it.
+      --quiet                               Quiet removes the header from being printed
+      --token string                        Specify your OSS Index API Token
+      --user string                         Specify your OSS Index Username
 ```
 
 #### Exclude vulnerabilities
@@ -226,18 +228,19 @@ Examples:
 
 
 Flags:
-  -v, -- count                   Set log level, higher is more verbose
-      --application string       Specify public application ID for request (required)
-  -h, --help                     help for iq
-      --host string              Specify Nexus IQ Server URL (default "http://localhost:8070")
-      --max-retries int          Specify maximum number of tries to poll Nexus IQ Server (default 300)
-      --os string                Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it.
-      --oss-index-token string   Specify your OSS Index API Token
-      --oss-index-user string    Specify your OSS Index Username
-      --quiet                    Quiet removes the header from being printed
-      --stage string             Specify stage for application (default "develop")
-      --token string             Specify Nexus IQ Token/Password for request (default "admin123")
-      --user string              Specify Nexus IQ Username for request (default "admin")
+  -v, -- count                              Set log level, higher is more verbose
+      --clean-cache                         Flag to clean the database cache for OSS Index
+  -e, --exclude-vulnerability CveListFlag   Comma separated list of CVEs to exclude (default [])
+  -x, --exclude-vulnerability-file string   Path to a file containing newline separated CVEs to be excluded (default "./.ahab-ignore")
+  -h, --help                                help for chase
+      --loud                                Specify if you want non vulnerable packages included in your output
+      --no-color                            Specify if you want no color in your results
+      --os string                           Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it. (DEPRECATED: use package-manager)
+      --output string                       Specify the output type you want (json, text, csv) (default "text")
+      --package-manager string              Specify package manager type you want to scan (apk, dnf, dpkg or yum). Useful if autodetection fails and/or you want to explicitly set it.
+      --quiet                               Quiet removes the header from being printed
+      --token string                        Specify your OSS Index API Token
+      --user string                         Specify your OSS Index Username
 ```
 
 ## Why Ahab?

cmd/chase.go

@@ -56,7 +56,7 @@ func (cve *CveListFlag) Set(value string) error {
 func (cve *CveListFlag) Type() string { return "CveListFlag" }
 
 var (
-	operating                    string
+	packageManager               string
 	cleanCache                   bool
 	ossIndexUser                 string
 	ossIndexToken                string
@@ -73,17 +73,23 @@ var (
 
 func init() {
 	rootCmd.AddCommand(chaseCmd)
-	chaseCmd.PersistentFlags().StringVar(&operating, "os", "", "Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it.")
-	chaseCmd.PersistentFlags().BoolVar(&cleanCache, "clean-cache", false, "Flag to clean the database cache for OSS Index")
-	chaseCmd.PersistentFlags().StringVar(&ossIndexUser, "user", "", "Specify your OSS Index Username")
-	chaseCmd.PersistentFlags().StringVar(&ossIndexToken, "token", "", "Specify your OSS Index API Token")
-	chaseCmd.PersistentFlags().StringVar(&output, "output", "text", "Specify the output type you want (json, text, csv)")
+
+	pf := chaseCmd.PersistentFlags()
+	pf.StringVar(&packageManager, "os", "", "Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it.")
+	pf.StringVar(&packageManager, "package-manager", "", "Specify package manager type you want to scan (apk, dnf, dpkg or yum). Useful if autodetection fails and/or you want to explicitly set it.")
+	pf.BoolVar(&cleanCache, "clean-cache", false, "Flag to clean the database cache for OSS Index")
+	pf.StringVar(&ossIndexUser, "user", "", "Specify your OSS Index Username")
+	pf.StringVar(&ossIndexToken, "token", "", "Specify your OSS Index API Token")
+	pf.StringVar(&output, "output", "text", "Specify the output type you want (json, text, csv)")
+	pf.BoolVar(&loud, "loud", false, "Specify if you want non vulnerable packages included in your output")
+	pf.BoolVar(&quiet, "quiet", false, "Quiet removes the header from being printed")
+	pf.BoolVar(&noColor, "no-color", false, "Specify if you want no color in your results")
+	pf.CountVarP(&verbose, "", "v", "Set log level, higher is more verbose")
+
 	chaseCmd.Flags().VarP(&cveList, "exclude-vulnerability", "e", "Comma separated list of CVEs to exclude")
-	chaseCmd.PersistentFlags().BoolVar(&loud, "loud", false, "Specify if you want non vulnerable packages included in your output")
-	chaseCmd.PersistentFlags().BoolVar(&quiet, "quiet", false, "Quiet removes the header from being printed")
-	chaseCmd.PersistentFlags().BoolVar(&noColor, "no-color", false, "Specify if you want no color in your results")
-	chaseCmd.PersistentFlags().CountVarP(&verbose, "", "v", "Set log level, higher is more verbose")
 	chaseCmd.Flags().StringVarP(&excludeVulnerabilityFilePath, "exclude-vulnerability-file", "x", "./.ahab-ignore", "Path to a file containing newline separated CVEs to be excluded")
+
+	chaseCmd.Flag("os").Deprecated = "use package-manager"
 }
 
 var chaseCmd = &cobra.Command{
@@ -141,26 +147,25 @@ var chaseCmd = &cobra.Command{
 
 		err = getCVEExcludesFromFile(excludeVulnerabilityFilePath)
 
-		if operating == "" {
-			logLady.Trace("Attempting to detect os for you")
+		if packageManager == "" {
+			logLady.Trace("Attempting to detect package manager for you")
 			manager, err := packages.DetectPackageManager(logLady)
 			if err != nil {
 				logLady.Error(err)
 				panic(err)
 			}
-			operating = manager
+			packageManager = manager
 		}
 
-
 		logLady.Trace("Attempting to audit list of strings from standard in")
-		pkgs, err := parseStdIn(&operating)
+		pkgs, err := parseStdIn(&packageManager)
 		if err != nil {
 			logLady.Error(err)
 			panic(err)
 		}
 
-		logLady.WithField("os", operating).Trace("Attempting to extract purls from Project List")
-		purls := pkgs.ExtractPurlsFromProjectList(operating)
+		logLady.WithField("package-manager", packageManager).Trace("Attempting to extract purls from Project List")
+		purls := pkgs.ExtractPurlsFromProjectList()
 
 		logLady.Trace("Attempting to Audit Packages with OSS Index")
 		coordinates, err := ossi.AuditPackages(purls)
@@ -198,38 +203,29 @@ func getLogger(level int) (*logrus.Logger, error) {
 	}
 }
 
-func parseStdInList(list []string, operating *string) (packages.IPackage, error) {
-	thing := *operating
+func parseStdInList(list []string, packageManager *string) (packages.IPackage, error) {
+	thing := *packageManager
+	logLady.WithFields(logrus.Fields{
+		"list": list,
+	}).Trace("Chasing ", thing)
 	switch thing {
-	case "debian":
-		logLady.WithFields(logrus.Fields{
-			"list": list,
-		}).Trace("Chasing Debian")
-
+	case "dpkg", "debian":
 		var aptResult packages.Apt
 		aptResult.ProjectList = parse.ParseDpkgList(list)
 
 		logLady.WithFields(logrus.Fields{
 			"project_list": aptResult.ProjectList,
-		}).Trace("Obtained apt project list")
+		}).Trace("Obtained dpkg project list")
 		return aptResult, nil
-	case "alpine":
-		logLady.WithFields(logrus.Fields{
-			"list": list,
-		}).Trace("Chasing Alpine")
-
+	case "apk", "alpine":
 		var apkResult packages.Apk
 		apkResult.ProjectList = parse.ParseApkShow(list)
 
 		logLady.WithFields(logrus.Fields{
 			"project_list": apkResult.ProjectList,
 		}).Trace("Obtained apk project list")
 		return apkResult, nil
-	case "fedora":
-		logLady.WithFields(logrus.Fields{
-			"list": list,
-		}).Trace("Chasing Fedora")
-
+	case "yum", "dnf", "fedora":
 		var dnfResult packages.Yum
 		dnfResult.ProjectList = parse.ParseYumListFromStdIn(list)
 
@@ -238,21 +234,17 @@ func parseStdInList(list []string, operating *string) (packages.IPackage, error)
 		}).Trace("Obtained dnf project list")
 		return dnfResult, nil
 	default:
-		logLady.WithFields(logrus.Fields{
-			"list": list,
-		}).Trace("Chasing Yum")
-
 		var yumResult packages.Yum
 		yumResult.ProjectList = parse.ParseYumListFromStdIn(list)
 
 		logLady.WithFields(logrus.Fields{
 			"project_list": yumResult.ProjectList,
-		}).Trace("Obtained yum project list")
+		}).Trace("Obtained yum project list (default case)")
 		return yumResult, nil
 	}
 }
 
-func parseStdIn(operating *string) (packages.IPackage, error) {
+func parseStdIn(packageManager *string) (packages.IPackage, error) {
 	fi, err := os.Stdin.Stat()
 	if err != nil {
 		return nil, err
@@ -270,7 +262,7 @@ func parseStdIn(operating *string) (packages.IPackage, error) {
 		return nil, err
 	}
 
-	return parseStdInList(list, operating)
+	return parseStdInList(list, packageManager)
 }
 
 func printHeader() {

cmd/iq.go

@@ -42,7 +42,8 @@ func init() {
 	rootCmd.AddCommand(iqCmd)
 
 	pf := iqCmd.PersistentFlags()
-	pf.StringVar(&operating, "os", "", "Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it.")
+	pf.StringVar(&packageManager, "os", "", "Specify a value for the operating system type you want to scan (alpine, debian, fedora). Useful if autodetection fails and/or you want to explicitly set it.")
+	pf.StringVar(&packageManager, "package-manager", "", "Specify package manager type you want to scan (apk, dnf, dpkg or yum). Useful if autodetection fails and/or you want to explicitly set it.")
 	pf.StringVar(&iqUsername, "user", "admin", "Specify Nexus IQ Username for request")
 	pf.StringVar(&iqToken, "token", "admin123", "Specify Nexus IQ Token/Password for request")
 	pf.StringVar(&ossIndexUser, "oss-index-user", "", "Specify your OSS Index Username")
@@ -53,6 +54,8 @@ func init() {
 	pf.StringVar(&stage, "stage", "develop", "Specify stage for application")
 	pf.IntVar(&maxRetries, "max-retries", 300, "Specify maximum number of tries to poll Nexus IQ Server")
 	pf.CountVarP(&verbose, "", "v", "Set log level, higher is more verbose")
+
+	iqCmd.Flag("os").Deprecated = "use package-manager"
 }
 
 var iqCmd = &cobra.Command{
@@ -96,7 +99,7 @@ var iqCmd = &cobra.Command{
 			panic(err)
 		}
 
-		lifecycle = iq.New(logLady,
+		lifecycle, err = iq.New(logLady,
 			iq.Options{
 				User:          iqUsername,
 				Token:         iqToken,
@@ -110,27 +113,30 @@ var iqCmd = &cobra.Command{
 				DBCacheName:   "ahab-cache",
 				MaxRetries:    maxRetries,
 			})
+		if err != nil {
+			logLady.Error(err)
+			panic(err)
+		}
 
-
-		if operating == "" {
-			logLady.Trace("Attempting to detect os for you")
+		if packageManager == "" {
+			logLady.Trace("Attempting to detect package manager for you")
 			manager, err := packages.DetectPackageManager(logLady)
 			if err != nil {
 				logLady.Error(err)
 				panic(err)
 			}
-			operating = manager
+			packageManager = manager
 		}
 
-		pkgs, err := parseStdIn(&operating)
+		pkgs, err := parseStdIn(&packageManager)
 		if err != nil {
 			logLady.Error(err)
 			panic(err)
 		}
 
-		purls := pkgs.ExtractPurlsFromProjectList(operating)
+		purls := pkgs.ExtractPurlsFromProjectList()
 
-		res, err := lifecycle.AuditPackages(purls, application)
+		res, err := lifecycle.AuditPackages(purls)
 		if err != nil {
 			logLady.Error(err)
 			panic(err)

docker/apk/Dockerfile

@@ -9,4 +9,7 @@ COPY ahab .
 # Spit out these just for easier debugging
 RUN apk info -vv | sort
 
+# Deprecated
 RUN apk info -vv | sort | ./ahab chase --os alpine
+# New way
+RUN apk info -vv | sort | ./ahab chase --package-manager apk

docker/dnf/Dockerfile

@@ -9,5 +9,7 @@ COPY ahab .
 # Spit out these just for easier debugging
 RUN dnf list installed
 
+# Deprecated
 RUN dnf list installed | ./ahab chase --os fedora
-
+# New way
+RUN dnf list installed | ./ahab chase --package-manager dnf

docker/dpkg-query/Dockerfile

@@ -9,5 +9,7 @@ COPY ahab .
 # Spit out these just for easier debugging
 RUN dpkg-query --show --showformat='${Package} ${Version}\n'
 
+# Deprecated
 RUN dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab chase --os debian
-
+# New way
+RUN dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab chase --package-manager dpkg

docker/yum/Dockerfile

@@ -9,5 +9,7 @@ COPY ahab .
 # Spit out these just for easier debugging
 RUN yum list installed
 
+# Deprecated
 RUN yum list installed | ./ahab chase --os fedora
-
+# New way
+RUN yum list installed | ./ahab chase --package-manager yum

go.mod

@@ -3,20 +3,23 @@ module github.com/sonatype-nexus-community/ahab
 go 1.14
 
 require (
-	github.com/common-nighthawk/go-figure v0.0.0-20200604155835-c37800f1341b
-	github.com/jedib0t/go-pretty/v6 v6.0.3
-	github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381
+	github.com/common-nighthawk/go-figure v0.0.0-20200609044655-c4b36f998cf2
+	github.com/jedib0t/go-pretty/v6 v6.0.5
+	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/shopspring/decimal v1.2.0
-	github.com/sirupsen/logrus v1.6.0
-	github.com/sonatype-nexus-community/go-sona-types v0.0.2
+	github.com/sirupsen/logrus v1.7.0
+	github.com/sonatype-nexus-community/go-sona-types v0.0.7
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.6.1
-	golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980 // indirect
+	golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
 )
 
 replace github.com/gorilla/websocket => github.com/gorilla/websocket v1.4.2
 
 replace golang.org/x/crypto => golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 
 replace golang.org/x/text => golang.org/x/text v0.3.3
+
+// fix vulnerability: CVE-2020-15114 in etcd v3.3.13+incompatible
+replace github.com/coreos/etcd => github.com/coreos/etcd v3.3.24+incompatible