sonatype-nexus-community / ahab
ahab is a tool to check for vulnerabilities in your apt, apk, or yum powered operating systems, powered by Sonatype OSS Index.
License: Apache License 2.0
Thanks for creating an issue! Please fill out this form so we can be
sure to have all the information we need, and to minimize back and forth.
OSSIndex supports Chocolatey so feels like a good fit to add in.
What feature or behavior is this required for?
Windows docker images that are building by managing packages with Chocolatey
Anything else?
https://chocolatey.org/docs/commandslist
^^^ How to get a list of installed packages looks to be this command. We would of course have to take that output, parse it, and then send that over to OSSI and IQ.
cc @bhamail / @DarthHater / @ken-duck
See: https://github.com/sonatype-nexus-community/nancy/blob/prepare-1.0.0/internal/configuration/set.go#L60 for an example of wrapping a config struct that gets "marshalled" to yaml.
Also, move path/file names for config files into go-sona-types library.
cc @bhamail / @DarthHater / @ken-duck
Vulnerabilities
DepShield reports that this application's usage of github.com/gorilla:websocket:1.4.0 results in the following vulnerability(s):
Occurrences
github.com/gorilla:websocket:1.4.0 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/gorilla:websocket:1.4.0
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190620200207-3b0461eec859 results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20190620200207-3b0461eec859 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:exp:0.0.0-20190829153037-c13cbed26979
└─ golang.org/x:tools:0.0.0-20190816200558-6889da9d5479
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:tools:0.0.0-20190911174233-4f2ddba30aff
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:exp:0.0.0-20190829153037-c13cbed26979
└─ golang.org/x:tools:0.0.0-20190816200558-6889da9d5479
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:tools:0.0.0-20190911174233-4f2ddba30aff
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:exp:0.0.0-20191030013958-a1ab85dbe136
└─ golang.org/x:tools:0.0.0-20191012152004-8de300cfc20a
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
└─ golang.org/x:tools:0.0.0-20191112195655-aa38f8e97acc
└─ golang.org/x:net:0.0.0-20190620200207-3b0461eec859
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 results in the following vulnerability(s):
Occurrences
golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2 is a transitive dependency introduced by the following direct dependency(s):
• golang.org/x:net:0.0.0-20190827160401-ba9fcec4b297
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
deb, rpm, apk, etc
was added. See here: sonatype-nexus-community/nancy#175
We should do the same for ahab. And also get it into its corresponding repos like in sonatype-nexus-community/nancy#177
If those get completed first they can probably be a blueprint on how to do them here or vice versa.
What feature or behavior is this required for?
Making it even easier to install and use ahab
How could we solve this issue? (Not knowing is okay!)
goreleaser does lots of magic so maybe that and there is probably some work to do to be able to publish something to said yum/apk/apt repos.
cc @bhamail / @DarthHater / @ken-duck
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190603091049-60506f45cf65 results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20190603091049-60506f45cf65 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:pubsub:1.0.1
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ cloud.google.com/go:bigquery:1.0.1
└─ cloud.google.com:go:0.44.2
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
└─ google.golang.org:appengine:1.6.1
└─ golang.org/x:net:0.0.0-20190603091049-60506f45cf65
During a live demo ;) we learned the total count of vulnerabilities does not appear to decrease when vulnerabilities are excluded via CLI.
cc @bhamail / @DarthHater / @ken-duck
What are you trying to do?
It has been hard for me to run ahab because of a strange error:
Error: An error occurred: Unable to communicate with Nexus IQ Server, err: Unable to communicate with Nexus IQ Server, status code returned is: 500
I finally discovered that it was just the password CLI argument that was wrong
What feature or behavior is this required for?
UX when bad password...
have an explicit message "bad credentials" or something like that
cc @bhamail / @DarthHater / @ken-duck
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20200625001655-4c5254603344 results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20200625001655-4c5254603344 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.26.0
└─ golang.org/x:net:0.0.0-20200625001655-4c5254603344
• github.com/spf13:viper:1.7.1
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.26.0
└─ golang.org/x:net:0.0.0-20200625001655-4c5254603344
What are you trying to do?
So we added auto detect of your os/package manager in #24 but it currently has a dependency on `which` being installed. This is fine for now but with plans to maybe support windows images in #32 that's not going to work. It would also be nice to not have people install `which` in their image if they don't really need to.
What feature or behavior is this required for?
Less dependencies in the auto detect process.
How could we solve this issue? (Not knowing is okay!)
Maybe regex?? Maybe it looks something more like this https://unix.stackexchange.com/a/46086
cc @bhamail / @DarthHater / @ken-duck
Steps to reproduce
Pull latest alpine distribution of the ghost image:
docker pull ghost:alpine
Make sure that the image distro is alpine:
$ docker run -it ghost:alpine cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.11.6
PRETTY_NAME="Alpine Linux v3.11"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
Run the alpine package list command from the help docs:
$ docker run -it ghost:alpine apk info -vv | sort
WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
alpine-baselayout-3.2.0-r3 - Alpine base dir structure and init scripts
alpine-keys-2.1-r2 - Public keys for Alpine Linux packages
apk-tools-2.10.5-r0 - Alpine Package Keeper - package manager for alpine
bash-5.0.11-r1 - The GNU Bourne Again shell
busybox-1.31.1-r9 - Size optimized toolbox of many common UNIX utilities
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libc-utils-0.7.2-r0 - Meta package to pull in correct libc
libcrypto1.1-1.1.1g-r0 - Crypto library from openssl
libgcc-9.2.0-r4 - GNU C compiler runtime libraries
libssl1.1-1.1.1g-r0 - SSL shared libraries
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
libtls-standalone-2.9.1-r0 - libtls extricated from libressl sources
musl-1.1.24-r2 - the musl c library (libc) implementation
musl-utils-1.1.24-r2 - the musl c library (libc) implementation
ncurses-libs-6.1_p20200118-r4 - Ncurses libraries
ncurses-terminfo-base-6.1_p20200118-r4 - Descriptions of common terminals
readline-8.0.1-r0 - GNU readline library
scanelf-1.2.4-r0 - Scan ELF binaries for stuff
ssl_client-1.31.1-r9 - EXternal ssl_client for busybox wget
su-exec-0.2-r1 - switch user and group id, setgroups and exec
zlib-1.2.11-r3 - A compression/decompression Library
Piping the above output does not work because of those two warning lines but the error message isn't the most helpful here:
$ docker run -it ghost:alpine apk info -vv | sort | ./ahab chase
Uh oh, an error occurred, if this persists try rerunning with -v, -vv, or -vvv to get more information in the logs
Error: An error occurred: [400 Bad Request] error accessing OSS Index
Check log file at /home/artie/.ossindex/ahab.combined.log for more information
artie@ArtieSonaDell:~/git_repos/ahab$ cat /home/artie/.ossindex/ahab.combined.log
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error: exit status 1\n","time":"2020-09-07T20:02:29-04:00"}
{"level":"error","msg":"Error accessing OSS Index","resp_status_code":"400 Bad Request","time":"2020-09-07T20:02:30-04:00"}
{"level":"error","msg":"An error occurred: [400 Bad Request] error accessing OSS Index","time":"2020-09-07T20:02:30-04:00"}
So I pipe it to a file and remove the two warnings at the top, then pipe that to ahab:
$ cat ghost.txt
alpine-baselayout-3.2.0-r3 - Alpine base dir structure and init scripts
alpine-keys-2.1-r2 - Public keys for Alpine Linux packages
apk-tools-2.10.5-r0 - Alpine Package Keeper - package manager for alpine
bash-5.0.11-r1 - The GNU Bourne Again shell
busybox-1.31.1-r9 - Size optimized toolbox of many common UNIX utilities
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libc-utils-0.7.2-r0 - Meta package to pull in correct libc
libcrypto1.1-1.1.1g-r0 - Crypto library from openssl
libgcc-9.2.0-r4 - GNU C compiler runtime libraries
libssl1.1-1.1.1g-r0 - SSL shared libraries
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
libtls-standalone-2.9.1-r0 - libtls extricated from libressl sources
musl-1.1.24-r2 - the musl c library (libc) implementation
musl-utils-1.1.24-r2 - the musl c library (libc) implementation
ncurses-libs-6.1_p20200118-r4 - Ncurses libraries
ncurses-terminfo-base-6.1_p20200118-r4 - Descriptions of common terminals
readline-8.0.1-r0 - GNU readline library
scanelf-1.2.4-r0 - Scan ELF binaries for stuff
ssl_client-1.31.1-r9 - EXternal ssl_client for busybox wget
su-exec-0.2-r1 - switch user and group id, setgroups and exec
zlib-1.2.11-r3 - A compression/decompression Library
$ cat ghost.txt | ./ahab chase --loud
______ __ __
/\ _ \ /\ \ /\ \
\ \ \L\ \ \ \ \___ __ \ \ \____
\ \ __ \ \ \ _ `\ /'__`\ \ \ '__`\
\ \ \/\ \ \ \ \ \ \ /\ \L\.\_ \ \ \L\ \
\ \_\ \_\ \ \_\ \_\\ \__/.\_\ \ \_,__/
\/_/\/_/ \/_/\/_/ \/__/\/_/ \/___/
_ _ _ _
/_) /_` _ _ _ _/_ _ _ (/ /_` _ . _ _ _/ _
/_) /_/ ._/ /_// //_|/ /_/ /_//_' (_X / / / /_'/ //_/ _\
_/ _/ /
Ahab version: development
Non Vulnerable Packages
[1/21] pkg:deb/debian/alpine-baselayout-3.2.0-r3@-
[2/21] pkg:deb/debian/alpine-keys-2.1-r2@-
[3/21] pkg:deb/debian/apk-tools-2.10.5-r0@-
[4/21] pkg:deb/debian/bash-5.0.11-r1@-
[5/21] pkg:deb/debian/busybox-1.31.1-r9@-
[6/21] pkg:deb/debian/ca-certificates-cacert-20191127-r1@-
[7/21] pkg:deb/debian/libc-utils-0.7.2-r0@-
[8/21] pkg:deb/debian/libcrypto1.1-1.1.1g-r0@-
[9/21] pkg:deb/debian/libgcc-9.2.0-r4@-
[10/21] pkg:deb/debian/libssl1.1-1.1.1g-r0@-
[11/21] pkg:deb/debian/libtls-standalone-2.9.1-r0@-
[12/21] pkg:deb/debian/musl-1.1.24-r2@-
[13/21] pkg:deb/debian/musl-utils-1.1.24-r2@-
[14/21] pkg:deb/debian/ncurses-libs-6.1_p20200118-r4@-
[15/21] pkg:deb/debian/ncurses-terminfo-base-6.1_p20200118-r4@-
[16/21] pkg:deb/debian/readline-8.0.1-r0@-
[17/21] pkg:deb/debian/scanelf-1.2.4-r0@-
[18/21] pkg:deb/debian/ssl_client-1.31.1-r9@-
[19/21] pkg:deb/debian/su-exec-0.2-r1@-
[20/21] pkg:deb/debian/zlib-1.2.11-r3@-
[21/21] pkg:deb/debian/libstdc%20%20-9.2.0-r4@-
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies ┃ 21 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛
And the alpine packages are reported as debian packages, and formatted all funky.
Here's what the IQ report looks like for the same input:
cc @bhamail / @DarthHater / @ken-duck / @zendern
What are you trying to do?
Instead of passing in a list of packages, have Ahab figure them out for me
What feature or behavior is this required for?
To allow me to be lazy
How could we solve this issue? (Not knowing is okay!)
Have Ahab call the appropriate apt/yum commands itself
Anything else?
nah
cc @bhamail / @DarthHater / @ken-duck
When building purls to be sent over we currently use different formats for debian, alpine, fedora, etc.
From the docs here
https://ossindex.sonatype.org/doc/coordinates
It appears we should be passing like we do in the debian case but for the others.
The goal of this issue is
To help move this forward, I've decoupled the purl format updates. Maybe we can tackle that as a separate PR. Since we're not passing os anymore, apt.go has to hard code Debian while both Alpine and Fedora don't include OS at all. It feels like we should be consistent one way or the other, but that doesn't need decided here.
To avoid strewing os references all over, I just updated the switch to support either --os or --package-manager strings. Seems to work locally, and also updated tests to cover both until the deprecated bits can be fully removed.
Originally posted by @deadlysyn in #42 (comment)
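Both the ghost:alpine report above (apk warnings in the piped list, Alpine packages rendered as pkg:deb/debian/… with an empty version, libstdc++ mangled into libstdc%20%20) and the purl-consistency comment above come down to how the `apk info -vv` list is parsed and how the package name is percent-encoded. Here is an added Go example of that parsing and purl construction; it is not ahab's own code. The apk warnings reach the pipe because `docker run -t` attaches the container's stderr to the same tty as its stdout. The sample input is constructed from lines of the report above; the `pkg:apk/alpine/` namespace and the `%2B` encoding of `+` are assumptions about what OSS Index accepts, to be checked against the coordinates doc linked above.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/url"
	"os"
	"strings"
	"unicode"
)

// Constructed sample of `apk info -vv` output, including the warnings apk
// prints when no APKINDEX is cached (they share the pipe under docker run -t).
const sampleApkInfo = `WARNING: Ignoring APKINDEX.70f61090.tar.gz: No such file or directory
WARNING: Ignoring APKINDEX.ca2fea5b.tar.gz: No such file or directory
ca-certificates-cacert-20191127-r1 - Mozilla bundled certificates
libstdc++-9.2.0-r4 - GNU C++ standard runtime library
ncurses-libs-6.1_p20200118-r4 - Ncurses libraries
`

// ApkPackage is one installed Alpine package.
type ApkPackage struct {
	Name    string
	Version string // upstream version plus Alpine release, e.g. "9.2.0-r4"
}

// splitApkName splits "libstdc++-9.2.0-r4" into ("libstdc++", "9.2.0-r4").
// Names may contain hyphens (ca-certificates-cacert), so the version is taken
// to start at the first hyphen-separated segment that begins with a digit.
// A heuristic, but it covers every package in the ghost:alpine list above.
func splitApkName(pkg string) (name, version string, ok bool) {
	parts := strings.Split(pkg, "-")
	for i := 1; i < len(parts); i++ {
		if parts[i] != "" && unicode.IsDigit(rune(parts[i][0])) {
			return strings.Join(parts[:i], "-"), strings.Join(parts[i:], "-"), true
		}
	}
	return "", "", false
}

// ParseApkInfo parses `apk info -vv` output. Blank lines, "WARNING:" lines
// and anything else not shaped like "name-version - description" are
// skipped instead of being sent to OSS Index as a bogus package.
func ParseApkInfo(r io.Reader) ([]ApkPackage, error) {
	var pkgs []ApkPackage
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "WARNING:") {
			continue
		}
		id := line
		if i := strings.Index(line, " - "); i >= 0 {
			id = line[:i] // drop the description
		}
		if strings.ContainsAny(id, " \t") {
			continue // not a package line
		}
		if name, version, ok := splitApkName(id); ok {
			pkgs = append(pkgs, ApkPackage{Name: name, Version: version})
		}
	}
	return pkgs, sc.Err()
}

// Purl renders pkg:apk/alpine/<name>@<version>. "apk" is the purl type for
// Alpine packages; "alpine" as the namespace is an assumption about what
// OSS Index wants. url.PathEscape leaves "+" unescaped, and a form-style
// decoder on the receiving side reads a bare "+" as a space, which is
// consistent with the "libstdc%20%20" seen above, so "+" is forced to
// "%2B", which every decoder maps back to "+".
func (p ApkPackage) Purl() string {
	esc := func(s string) string {
		return strings.ReplaceAll(url.PathEscape(s), "+", "%2B")
	}
	return "pkg:apk/alpine/" + esc(p.Name) + "@" + esc(p.Version)
}

func main() {
	// Read a real list from a pipe; otherwise fall back to the sample.
	var in io.Reader = strings.NewReader(sampleApkInfo)
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		in = os.Stdin
	}
	pkgs, err := ParseApkInfo(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read:", err)
		os.Exit(1)
	}
	for _, p := range pkgs {
		fmt.Println(p.Purl())
	}
}
```

Usage: `docker run --rm ghost:alpine apk info -vv 2>/dev/null | go run main.go` keeps the warnings out of the pipe in the first place (no `-t`, stderr discarded); the parser skips them anyway for lists captured the other way.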
Vulnerabilities
DepShield reports that this application's usage of github.com/coreos:etcd:3.3.13 results in the following vulnerability(s):
Occurrences
github.com/coreos:etcd:3.3.13 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/coreos:etcd:3.3.13
https://github.com/sonatype-nexus-community/ahab#installation
What feature or behavior is this required for?
Better usage so you don't have to have golang in your docker image
How could we solve this issue? (Not knowing is okay!)
We use goreleaser now so maybe just add some instructions on how to download a version and use it and have an example.
Anything else?
Nah dawg
cc @bhamail / @DarthHater / @ken-duck
sonatype-nexus-community are now using CircleCi to do their builds. Probably time to move this one over ya???
What feature or behavior is this required for?
Nothing really just consistency
How could we solve this issue? (Not knowing is okay!)
Use CircleCi :)
Anything else?
I mean you CCCOOOUUULLLDDD use CircleCi :)
cc @bhamail / @DarthHater / @ken-duck
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181114220301-adae6a3d119a results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20181114220301-adae6a3d119a is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.4.0
└─ golang.org/x:net:0.0.0-20181114220301-adae6a3d119a
Vulnerabilities
DepShield reports that this application's usage of github.com/coreos:etcd:3.3.10 results in the following vulnerability(s):
Occurrences
github.com/coreos:etcd:3.3.10 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/coreos:etcd:3.3.10
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519 results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
└─ github.com/hashicorp:serf:0.8.2
└─ github.com/hashicorp:mdns:1.0.0
└─ golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519
└─ github.com/hashicorp:memberlist:0.1.3
└─ golang.org/x:net:0.0.0-20181023162649-9b4f9f5ad519
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20180904163835-0709b304e793 results in the following vulnerability(s):
Occurrences
golang.org/x:crypto:0.0.0-20180904163835-0709b304e793 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.4.0
└─ github.com/sirupsen:logrus:1.2.0
└─ golang.org/x:crypto:0.0.0-20180904163835-0709b304e793
Vulnerabilities
DepShield reports that this application's usage of github.com/hashicorp/consul:api:1.1.0 results in the following vulnerability(s):
Occurrences
github.com/hashicorp/consul:api:1.1.0 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ google.golang.org:api:0.13.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.45.1
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.7.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.9.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
└─ google.golang.org:api:0.13.0
└─ golang.org/x:net:0.0.0-20190503192946-f4e77d36d62c
What are you trying to do?
I'm trying to run ahab on my Mac
What feature or behavior is this required for?
I'm extracting package list from a Docker container, but it's easier to avoid installing ahab inside the container by running it directly from the host OS (a Mac in my case):
docker run --rm my-docker-image dpkg-query --show --showformat='${Package} ${Version}\n' | ahab --package-manager dpkg
How could we solve this issue? (Not knowing is okay!)
I tested by building ahab myself, it works
now it's just about providing a binary to users instead of letting them build ahab
Anything else?
cc @bhamail / @DarthHater / @ken-duck
^^^ View from sonatype-nexus-community listing
cc @bhamail / @DarthHater / @ken-duck
What are you trying to do?
I mean we should really be using nancy on this project since, well, it's a golang project :)
What feature or behavior is this required for?
DOOOOGGGGFOOOODDINNNGGG IT :)
How could we solve this issue? (Not knowing is okay!)
Add nancy to the build process of the project
cc @bhamail / @DarthHater / @ken-duck
ahab chase --i <docker image:tag>
ahab iq --i <docker image:tag>
And it would just do the magic for me.
Lets explore that and figure out how we might do it.
What feature or behavior is this required for?
Using ahab scan of existing docker image instead of being embedded in the build process.
How could we solve this issue? (Not knowing is okay!)
So golang has a docker sdk/client that could be used to do this magic. I fiddled with it some here
https://github.com/zendern/testing-docker-sdk/blob/master/main.go
But that program does the following:
cc @bhamail / @DarthHater / @ken-duck / @ButterB0wl
What are you trying to do?
Use Ahab without explicitly passing in an OS argument
What feature or behavior is this required for?
To allow me to be lazy
How could we solve this issue? (Not knowing is okay!)
Detect if apt/yum binaries exist?
Anything else?
cc @bhamail / @DarthHater / @ken-duck
Running yum list installed | ./ahab chase -vv --os fedora
or yum list installed | ./ahab chase -vv --os centos
should run perfectly fine; this is being called in a docker build file but fails. The reason it fails is that on centos it has a plugins line, which makes Ahab fail.
Example output
Loaded plugins: fastestmirror, ovl
Installed Packages
acl.x86_64 2.2.51-15.el7 @CentOS
audit-libs.x86_64 2.8.5-4.el7 @CentOS
basesystem.noarch 10.0-7.el7.centos @CentOS
bash.x86_64 4.2.46-34.el7 @CentOS
bind-license.noarch 32:9.11.4-16.P2.el7_8.6 @updates
binutils.x86_64 2.27-43.base.el7_8.1 @updates
bzip2-libs.x86_64 1.0.6-13.el7 @CentOS
ca-certificates.noarch 2020.2.41-70.0.el7_8 @updates
centos-release.x86_64 7-8.2003.0.el7.centos @CentOS
chkconfig.x86_64 1.7.4-1.el7 @CentOS
coreutils.x86_64 8.22-24.el7 @CentOS
cpio.x86_64 2.11-27.el7 @CentOS
cracklib.x86_64 2.9.0-11.el7 @CentOS
cracklib-dicts.x86_64 2.9.0-11.el7 @CentOS
cryptsetup-libs.x86_64 2.0.3-6.el7 @CentOS
curl.x86_64 7.29.0-57.el7 @CentOS
cyrus-sasl-lib.x86_64 2.1.26-23.el7 @CentOS
dbus.x86_64 1:1.10.24-13.el7_6 @CentOS
dbus-glib.x86_64 0.100-7.el7 @CentOS
dbus-libs.x86_64 1:1.10.24-13.el7_6 @CentOS
dbus-python.x86_64 1.1.1-9.el7 @CentOS
device-mapper.x86_64 7:1.02.164-7.el7_8.2 @updates
device-mapper-libs.x86_64 7:1.02.164-7.el7_8.2 @updates
diffutils.x86_64 3.3-5.el7 @CentOS
dracut.x86_64 033-568.el7 @CentOS
elfutils-default-yama-scope.noarch 0.176-4.el7 @CentOS
elfutils-libelf.x86_64 0.176-4.el7 @CentOS
elfutils-libs.x86_64 0.176-4.el7 @CentOS
expat.x86_64 2.1.0-11.el7 @CentOS
file-libs.x86_64 5.11-36.el7 @CentOS
filesystem.x86_64 3.2-25.el7 @CentOS
findutils.x86_64 1:4.5.11-6.el7 @CentOS
fipscheck.x86_64 1.4.1-6.el7 @base
fipscheck-lib.x86_64 1.4.1-6.el7 @base
gawk.x86_64 4.0.2-4.el7_3.1 @CentOS
gdbm.x86_64 1.10-8.el7 @CentOS
geoipupdate.x86_64 2.5.0-1.el7 @CentOS
git.x86_64 1.8.3.1-23.el7_8 @updates
glib2.x86_64 2.56.1-5.el7 @CentOS
glibc.x86_64 2.17-307.el7.1 @CentOS
glibc-common.x86_64 2.17-307.el7.1 @CentOS
gmp.x86_64 1:6.0.0-15.el7 @CentOS
gnupg2.x86_64 2.0.22-5.el7_5 @CentOS
gobject-introspection.x86_64 1.56.1-1.el7 @CentOS
gpgme.x86_64 1.3.2-5.el7 @CentOS
grep.x86_64 2.20-3.el7 @CentOS
groff-base.x86_64 1.22.2-8.el7 @base
gzip.x86_64 1.5-10.el7 @CentOS
hardlink.x86_64 1:1.0-19.el7 @CentOS
hostname.x86_64 3.13-3.el7_7.1 @CentOS
info.x86_64 5.1-5.el7 @CentOS
iputils.x86_64 20160308-10.el7 @CentOS
json-c.x86_64 0.11-4.el7_0 @CentOS
keyutils-libs.x86_64 1.5.8-3.el7 @CentOS
kmod.x86_64 20-28.el7 @CentOS
kmod-libs.x86_64 20-28.el7 @CentOS
kpartx.x86_64 0.4.9-131.el7 @CentOS
krb5-libs.x86_64 1.15.1-46.el7 @CentOS
less.x86_64 458-9.el7 @base
libacl.x86_64 2.2.51-15.el7 @CentOS
libassuan.x86_64 2.1.0-3.el7 @CentOS
libattr.x86_64 2.4.46-13.el7 @CentOS
libblkid.x86_64 2.23.2-63.el7 @CentOS
libcap.x86_64 2.22-11.el7 @CentOS
libcap-ng.x86_64 0.7.5-4.el7 @CentOS
libcom_err.x86_64 1.42.9-17.el7 @CentOS
libcurl.x86_64 7.29.0-57.el7 @CentOS
libdb.x86_64 5.3.21-25.el7 @CentOS
libdb-utils.x86_64 5.3.21-25.el7 @CentOS
libedit.x86_64 3.0-12.20121213cvs.el7 @base
libffi.x86_64 3.0.13-19.el7 @CentOS
libgcc.x86_64 4.8.5-39.el7 @CentOS
libgcrypt.x86_64 1.5.3-14.el7 @CentOS
libgpg-error.x86_64 1.12-3.el7 @CentOS
libidn.x86_64 1.28-4.el7 @CentOS
libmount.x86_64 2.23.2-63.el7 @CentOS
libpwquality.x86_64 1.2.3-5.el7 @CentOS
libselinux.x86_64 2.5-15.el7 @CentOS
libsemanage.x86_64 2.5-14.el7 @CentOS
libsepol.x86_64 2.5-10.el7 @CentOS
libsmartcols.x86_64 2.23.2-63.el7 @CentOS
libssh2.x86_64 1.8.0-3.el7 @CentOS
libstdc++.x86_64 4.8.5-39.el7 @CentOS
libtasn1.x86_64 4.10-1.el7 @CentOS
libuser.x86_64 0.60-9.el7 @CentOS
libutempter.x86_64 1.1.6-4.el7 @CentOS
libuuid.x86_64 2.23.2-63.el7 @CentOS
libverto.x86_64 0.2.5-4.el7 @CentOS
libxml2.x86_64 2.9.1-6.el7.4 @CentOS
libxml2-python.x86_64 2.9.1-6.el7.4 @CentOS
lua.x86_64 5.1.4-15.el7 @CentOS
lz4.x86_64 1.7.5-3.el7 @CentOS
ncurses.x86_64 5.9-14.20130511.el7_4 @CentOS
ncurses-base.noarch 5.9-14.20130511.el7_4 @CentOS
ncurses-libs.x86_64 5.9-14.20130511.el7_4 @CentOS
nspr.x86_64 4.21.0-1.el7 @CentOS
nss.x86_64 3.44.0-7.el7_7 @CentOS
nss-pem.x86_64 1.0.3-7.el7 @CentOS
nss-softokn.x86_64 3.44.0-8.el7_7 @CentOS
nss-softokn-freebl.x86_64 3.44.0-8.el7_7 @CentOS
nss-sysinit.x86_64 3.44.0-7.el7_7 @CentOS
nss-tools.x86_64 3.44.0-7.el7_7 @CentOS
nss-util.x86_64 3.44.0-4.el7_7 @CentOS
openldap.x86_64 2.4.44-21.el7_6 @CentOS
openssh.x86_64 7.4p1-21.el7 @base
openssh-clients.x86_64 7.4p1-21.el7 @base
openssl-libs.x86_64 1:1.0.2k-19.el7 @CentOS
p11-kit.x86_64 0.23.5-3.el7 @CentOS
p11-kit-trust.x86_64 0.23.5-3.el7 @CentOS
pam.x86_64 1.1.8-23.el7 @CentOS
passwd.x86_64 0.79-6.el7 @CentOS
pcre.x86_64 8.32-17.el7 @CentOS
perl.x86_64 4:5.16.3-295.el7 @base
perl-Carp.noarch 1.26-244.el7 @base
perl-Encode.x86_64 2.51-7.el7 @base
perl-Error.noarch 1:0.17020-2.el7 @base
perl-Exporter.noarch 5.68-3.el7 @base
perl-File-Path.noarch 2.09-2.el7 @base
perl-File-Temp.noarch 0.23.01-3.el7 @base
perl-Filter.x86_64 1.49-3.el7 @base
perl-Getopt-Long.noarch 2.40-3.el7 @base
perl-Git.noarch 1.8.3.1-23.el7_8 @updates
perl-HTTP-Tiny.noarch 0.033-3.el7 @base
perl-PathTools.x86_64 3.40-5.el7 @base
perl-Pod-Escapes.noarch 1:1.04-295.el7 @base
perl-Pod-Perldoc.noarch 3.20-4.el7 @base
perl-Pod-Simple.noarch 1:3.28-4.el7 @base
perl-Pod-Usage.noarch 1.63-3.el7 @base
perl-Scalar-List-Utils.x86_64 1.27-248.el7 @base
perl-Socket.x86_64 2.010-5.el7 @base
perl-Storable.x86_64 2.45-3.el7 @base
perl-TermReadKey.x86_64 2.30-20.el7 @base
perl-Text-ParseWords.noarch 3.29-4.el7 @base
perl-Time-HiRes.x86_64 4:1.9725-3.el7 @base
perl-Time-Local.noarch 1.2300-2.el7 @base
perl-constant.noarch 1.27-2.el7 @base
perl-libs.x86_64 4:5.16.3-295.el7 @base
perl-macros.x86_64 4:5.16.3-295.el7 @base
perl-parent.noarch 1:0.225-244.el7 @base
perl-podlators.noarch 2.5.1-3.el7 @base
perl-threads.x86_64 1.87-4.el7 @base
perl-threads-shared.x86_64 1.43-6.el7 @base
pinentry.x86_64 0.8.1-17.el7 @CentOS
pkgconfig.x86_64 1:0.27.1-4.el7 @CentOS
popt.x86_64 1.13-16.el7 @CentOS
procps-ng.x86_64 3.3.10-27.el7 @CentOS
pth.x86_64 2.0.7-23.el7 @CentOS
pygpgme.x86_64 0.3-9.el7 @CentOS
pyliblzma.x86_64 0.5.3-11.el7 @CentOS
python.x86_64 2.7.5-88.el7 @CentOS
python-chardet.noarch 2.2.1-3.el7 @CentOS
python-gobject-base.x86_64 3.22.0-1.el7_4.1 @CentOS
python-iniparse.noarch 0.4-9.el7 @CentOS
python-kitchen.noarch 1.1.1-5.el7 @CentOS
python-libs.x86_64 2.7.5-88.el7 @CentOS
python-pycurl.x86_64 7.19.0-19.el7 @CentOS
python-urlgrabber.noarch 3.10-10.el7 @CentOS
pyxattr.x86_64 0.5.1-5.el7 @CentOS
qrencode-libs.x86_64 3.4.1-3.el7 @CentOS
readline.x86_64 6.2-11.el7 @CentOS
rootfiles.noarch 8.1-11.el7 @CentOS
rpm.x86_64 4.11.3-43.el7 @CentOS
rpm-build-libs.x86_64 4.11.3-43.el7 @CentOS
rpm-libs.x86_64 4.11.3-43.el7 @CentOS
rpm-python.x86_64 4.11.3-43.el7 @CentOS
rsync.x86_64 3.1.2-10.el7 @base
sed.x86_64 4.2.2-6.el7 @CentOS
setup.noarch 2.8.71-11.el7 @CentOS
shadow-utils.x86_64 2:4.6-5.el7 @CentOS
shared-mime-info.x86_64 1.8-5.el7 @CentOS
sqlite.x86_64 3.7.17-8.el7_7.1 @CentOS
systemd.x86_64 219-73.el7_8.6 @updates
systemd-libs.x86_64 219-73.el7_8.6 @updates
tar.x86_64 2:1.26-35.el7 @CentOS
tzdata.noarch 2020a-1.el7 @Updates
unzip.x86_64 6.0-21.el7 @base
ustr.x86_64 1.0.4-16.el7 @CentOS
util-linux.x86_64 2.23.2-63.el7 @CentOS
vim-minimal.x86_64 2:7.4.629-6.el7 @CentOS
wget.x86_64 1.14-18.el7_6.1 @base
xz.x86_64 5.2.2-1.el7 @CentOS
xz-libs.x86_64 5.2.2-1.el7 @CentOS
yum.noarch 3.4.3-167.el7.centos @CentOS
yum-metadata-parser.x86_64 1.1.4-10.el7 @CentOS
yum-plugin-fastestmirror.noarch 1.1.31-54.el7_8 @updates
yum-plugin-ovl.noarch 1.1.31-54.el7_8 @updates
yum-utils.noarch 1.1.31-54.el7_8 @updates
zlib.x86_64 1.2.7-18.el7 @CentOS
Use Ahab to parse yum install packages on Centos 7
Update the code to ignore lines above Installed Packages,
or update the README for Centos to include a second pipe that only pipes in the lines after plugins. Like so: yum list installed | sed '0,/^Installed Packages$/d' | ./ahab chase -vv --os centos
I think updating the code would be nice but there is a quick fix at least ;-)
Keep up the good work, nice little tool.
cc @bhamail / @DarthHater / @ken-duck
What are you trying to do?
So ahab scans docker containers at build time, yah?? Well, macOS running in docker isn't really a thing, so producing binaries for mac (aka darwin) is a little confusing at best.
What feature or behavior is this required for?
Just clean things up a little
How could we solve this issue? (Not knowing is okay!)
Should be able to fiddle the goreleaser configs so that these are no longer output. Windows (even though not yet supported but after #32 it will be) and linux binaries must remain.
Anything else?
cc @bhamail / @DarthHater / @ken-duck
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20200226121028-0de0cce0169b results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20200226121028-0de0cce0169b is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:tsdb:0.7.1
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/prometheus:common:0.4.0
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/gogo:protobuf:1.2.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
• github.com/spf13:viper:1.7.1
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:tsdb:0.7.1
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/prometheus:common:0.4.0
└─ github.com/gogo:protobuf:1.1.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
└─ github.com/gogo:protobuf:1.2.1
└─ github.com/kisielk:errcheck:1.5.0
└─ golang.org/x:tools:0.0.0-20200619180055-7c47624df98f
└─ golang.org/x:net:0.0.0-20200226121028-0de0cce0169b
This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
Similar to what we did in nancy, add the ability to exclude vulnerabilities from failing a build!
sonatype-nexus-community/nancy#30
sonatype-nexus-community/nancy#28
sonatype-nexus-community/nancy#35
sonatype-nexus-community/nancy#29
This will allow someone to review what vulnerabilities they are affected by, and then exclude the ones they don't find a risk to their project.
I would imagine the best way is to take the functionality we wrote in Nancy, and make it so that Ahab can just leverage it, that way if other projects want to implement this in the future, they can easily do so!
FUN!
cc @bhamail / @DarthHater / @ken-duck
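The build-gate side of this request, as an added example that is neither ahab's nor nancy's own code: an ignore list is parsed into exclusions, each with an optional expiry, and applied to a set of findings so that only non-waived vulnerabilities fail the build. The file layout (`<id> [until=YYYY-MM-DD] [# reason]`), the type and function names, and the CVE-0000-* ids in the sample data are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)

// Vulnerability is the subset of a finding that the build gate needs.
type Vulnerability struct {
	ID        string  // OSS Index vulnerability id or CVE
	CVSSScore float64 // carried for reporting only
	Title     string
}

// Exclusion is one ignore-list entry: an id plus an optional expiry.
type Exclusion struct {
	ID     string
	Until  time.Time // zero value: the waiver never expires
	Reason string
}

// ParseExclusions reads an ignore list with one entry per line:
//
//	<id> [until=YYYY-MM-DD] [# reason]
//
// The layout is an assumption for this example (modelled loosely on
// nancy's ignore file); it is not ahab's own format.
func ParseExclusions(r io.Reader) ([]Exclusion, error) {
	var out []Exclusion
	sc := bufio.NewScanner(r)
	for lineNo := 1; sc.Scan(); lineNo++ {
		line, reason := sc.Text(), ""
		if i := strings.Index(line, "#"); i >= 0 {
			reason = strings.TrimSpace(line[i+1:])
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank or comment-only line
		}
		e := Exclusion{ID: fields[0], Reason: reason}
		for _, opt := range fields[1:] {
			if !strings.HasPrefix(opt, "until=") {
				return nil, fmt.Errorf("line %d: unknown option %q", lineNo, opt)
			}
			t, err := time.Parse("2006-01-02", strings.TrimPrefix(opt, "until="))
			if err != nil {
				return nil, fmt.Errorf("line %d: bad until date: %w", lineNo, err)
			}
			e.Until = t
		}
		out = append(out, e)
	}
	return out, sc.Err()
}

// FilterExcluded splits findings into those that still fail the build and
// those waived by an unexpired exclusion. Expired waivers are ignored on
// purpose: a time-boxed exclusion must be consciously renewed, it never
// silently turns into a permanent one.
func FilterExcluded(findings []Vulnerability, excl []Exclusion, now time.Time) (failing, waived []Vulnerability) {
	active := map[string]bool{}
	for _, e := range excl {
		if e.Until.IsZero() || now.Before(e.Until) {
			active[e.ID] = true
		}
	}
	for _, v := range findings {
		if active[v.ID] {
			waived = append(waived, v)
		} else {
			failing = append(failing, v)
		}
	}
	return failing, waived
}

// Constructed sample data; the ids are placeholders, not real findings.
const sampleIgnore = `# waived after review
CVE-0000-0001 until=2030-01-01  # not reachable: package only present at build time
CVE-0000-0002 until=2020-01-01  # temporary waiver, now expired
CVE-0000-0003
`

var sampleFindings = []Vulnerability{
	{ID: "CVE-0000-0001", CVSSScore: 7.5, Title: "placeholder finding A"},
	{ID: "CVE-0000-0002", CVSSScore: 5.3, Title: "placeholder finding B"},
	{ID: "CVE-0000-0003", CVSSScore: 9.8, Title: "placeholder finding C"},
	{ID: "CVE-0000-0004", CVSSScore: 4.0, Title: "placeholder finding D"},
}

func main() {
	excl, err := ParseExclusions(strings.NewReader(sampleIgnore))
	if err != nil {
		fmt.Println("bad ignore list:", err)
		os.Exit(2)
	}
	failing, waived := FilterExcluded(sampleFindings, excl, time.Now())
	for _, v := range waived {
		fmt.Printf("waived  %s (%.1f) %s\n", v.ID, v.CVSSScore, v.Title)
	}
	for _, v := range failing {
		fmt.Printf("FAILING %s (%.1f) %s\n", v.ID, v.CVSSScore, v.Title)
	}
	if len(failing) > 0 {
		os.Exit(1) // non-zero exit is what fails the build
	}
}
```

Printing the waived findings alongside the failing ones keeps the exclusions visible in every build log, so a reviewer can see what has been accepted rather than only what is still open.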
While working on #45 it was discovered that both dnf and yum can output lines which do not always meet the format expected by parse/yum.go. Full details in the PR, but tl;dr parsing is index based and can panic when name/version info gets split across lines (observed on both fedora:latest and centos:latest).
Reliably reading package lists on fedora-based distros.
I initially started to make parsing more defensive. Depending how paranoid you get, this can be pretty ugly.
It dawned on me this may be a case of GIGO. We could reduce defensive boilerplate + simplify the OS detection bits if we used rpm vs dnf/yum to read package lists on fedora distros. This would be similar to using dpkg vs apt on Debian distros. Then we could be more certain of the data received (probably still sanity check a bit more and add more tests as part of this):
# rpm -qa --queryformat "%{NAME}.%{ARCH} %{VERSION}\n" | grep elf
elfutils-libelf.x86_64 0.178
elfutils-libs.x86_64 0.178
elfutils-default-yama-scope.noarch 0.178
Not really, the prior PR comments have lots of detail including how to repro (surfaced while trying to add more test coverage):
cc @bhamail / @DarthHater / @ken-duck / @zendern
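Both of the yum issues above (the CentOS 7 report whose "Loaded plugins:" line breaks parsing, and this one about rows split across lines) come down to the same parser. The following is an added example, not ahab's parse/yum.go: it skips everything before the "Installed Packages" header, stitches rows that yum wraps onto two lines back together before splitting them into fields, and fails with a line number instead of panicking when a row still does not fit. A second function parses the header-less `rpm -qa --queryformat "%{NAME}.%{ARCH} %{VERSION}\n"` output proposed above. The type and function names are assumptions, and the sample yum output is constructed from the CentOS 7 listing in the earlier issue with one row wrapped the way yum wraps long names.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Package is one installed RPM as reported by yum/dnf or rpm.
type Package struct {
	Name    string // "acl"
	Arch    string // "x86_64"
	Version string // "2.2.51-15.el7"; may carry an epoch prefix such as "1:"
	Repo    string // "@CentOS"; empty for rpm -qa output, which has no repo column
}

// splitNameArch splits "dbus-libs.x86_64" into ("dbus-libs", "x86_64").
// yum/dnf and rpm join name and arch with the last '.', so that is the
// only separator position that is safe to cut on (names may contain dots).
func splitNameArch(s string) (name, arch string, err error) {
	i := strings.LastIndex(s, ".")
	if i <= 0 || i == len(s)-1 {
		return "", "", fmt.Errorf("no name.arch separator in %q", s)
	}
	return s[:i], s[i+1:], nil
}

// ParseYumListInstalled parses the output of `yum list installed` or
// `dnf list installed`. Lines before the "Installed Packages" header
// (e.g. "Loaded plugins: fastestmirror, ovl") are skipped, and a row that
// yum wrapped because the name is wider than its column is accumulated
// until it has the expected three fields.
func ParseYumListInstalled(out string) ([]Package, error) {
	var pkgs []Package
	var pending []string // fields of a wrapped row still waiting for its tail
	inList := false
	sc := bufio.NewScanner(strings.NewReader(out))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if !inList {
			inList = line == "Installed Packages"
			continue
		}
		if line == "" {
			continue
		}
		fields := append(pending, strings.Fields(line)...)
		if len(fields) < 3 {
			pending = fields // wrapped row: wait for the continuation line
			continue
		}
		pending = nil
		if len(fields) > 3 {
			return nil, fmt.Errorf("line %d: expected 'name.arch version repo', got %q", lineNo, line)
		}
		name, arch, err := splitNameArch(fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		pkgs = append(pkgs, Package{Name: name, Arch: arch, Version: fields[1], Repo: fields[2]})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if !inList {
		return nil, fmt.Errorf("no \"Installed Packages\" header found; is this yum/dnf output?")
	}
	if pending != nil {
		return nil, fmt.Errorf("truncated entry at end of output: %v", pending)
	}
	return pkgs, nil
}

// ParseRPMQuery parses `rpm -qa --queryformat "%{NAME}.%{ARCH} %{VERSION}\n"`:
// no header to skip, no repo column, and nothing that can wrap.
func ParseRPMQuery(out string) ([]Package, error) {
	var pkgs []Package
	sc := bufio.NewScanner(strings.NewReader(out))
	for lineNo := 1; sc.Scan(); lineNo++ {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected 'name.arch version', got %q", lineNo, sc.Text())
		}
		name, arch, err := splitNameArch(fields[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", lineNo, err)
		}
		pkgs = append(pkgs, Package{Name: name, Arch: arch, Version: fields[1]})
	}
	return pkgs, sc.Err()
}

// Constructed sample: CentOS 7 style output with one wrapped row.
const sampleYum = `Loaded plugins: fastestmirror, ovl
Installed Packages
acl.x86_64                         2.2.51-15.el7             @CentOS
dbus.x86_64                        1:1.10.24-13.el7_6        @CentOS
elfutils-default-yama-scope.noarch
                                   0.176-4.el7               @CentOS
zlib.x86_64                        1.2.7-18.el7              @CentOS
`

// Constructed sample in the rpm queryformat proposed above.
const sampleRPM = `elfutils-libelf.x86_64 0.178
elfutils-libs.x86_64 0.178
elfutils-default-yama-scope.noarch 0.178
`

func main() {
	pkgs, err := ParseYumListInstalled(sampleYum)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, p := range pkgs {
		fmt.Printf("%-30s %-8s %-22s %s\n", p.Name, p.Arch, p.Version, p.Repo)
	}
}
```

One caveat on the rpm route: `%{VERSION}` on its own omits the release (the "-4.el7" part that yum shows), so a queryformat used for vulnerability matching would normally also emit `%{RELEASE}` and, where present, `%{EPOCH}`, since a fix is often shipped as a new release of the same upstream version.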
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190311183353-d8887717615a results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20190311183353-d8887717615a is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ google.golang.org:grpc:1.21.0
└─ golang.org/x:lint:0.0.0-20190313153728-d0100b6bd8b3
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20180826012351-8a410e7b638d results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20180826012351-8a410e7b638d is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/grpc-ecosystem:grpc-gateway:1.9.0
└─ google.golang.org:grpc:1.19.0
└─ golang.org/x:net:0.0.0-20180826012351-8a410e7b638d
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3 results in the following vulnerability(s):
Occurrences
golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
└─ github.com/hashicorp:serf:0.8.2
└─ github.com/hashicorp:mdns:1.0.0
└─ golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3
└─ github.com/hashicorp:memberlist:0.1.3
└─ golang.org/x:crypto:0.0.0-20181029021203-45a5f77698d3
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3 results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/prometheus:client_golang:0.9.3
└─ github.com/prometheus:common:0.4.0
└─ github.com/sirupsen:logrus:1.2.0
└─ golang.org/x:crypto:0.0.0-20180904163835-0709b304e793
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:net:0.0.0-20190522155817-f3200d17e092
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ google.golang.org:grpc:1.21.0
└─ golang.org/x:lint:0.0.0-20190313153728-d0100b6bd8b3
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
└─ golang.org/x:tools:0.0.0-20190311212946-11955173bddd
└─ golang.org/x:net:0.0.0-20190311183353-d8887717615a
└─ golang.org/x:crypto:0.0.0-20190308221718-c2843e01d9a2
└─ golang.org/x:net:0.0.0-20190404232315-eb5bcb51f2a3
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ google.golang.org:api:0.13.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:firestore:1.1.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:storage:1.0.0
└─ cloud.google.com:go:0.46.3
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:pubsub:1.0.1
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.45.1
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:bigquery:1.0.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.44.2
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com/go:datastore:1.0.0
└─ cloud.google.com:go:0.44.1
└─ google.golang.org:api:0.8.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.7.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.9.0
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ google.golang.org:api:0.13.0
└─ golang.org/x:oauth2:0.0.0-20190604053449-0f29369cfe45
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ cloud.google.com:go:0.38.0
└─ google.golang.org:api:0.4.0
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
└─ golang.org/x:oauth2:0.0.0-20190226205417-e64efc72b421
└─ golang.org/x:net:0.0.0-20190108225652-1e06a53dbb7e
--os to be able to pass in the operating system you want to target. Realistically the OS is not important but the package manager is more important. This is much less important now that auto detection is a thing but I would like to possibly do the following things: a -os option, and a -pm / --package-manager option that allows you to pass in yum, dpkg, apt, dnf, etc etc. See these comments here:
Line 40 in 4279556
cc @bhamail / @DarthHater / @ken-duck
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181201002055-351d144fa1fc results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20181201002055-351d144fa1fc is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:viper:1.7.1
└─ github.com/bketelsen:crypt:0.0.3-0.20200106085610-5cbc8cc4026c
└─ github.com/hashicorp/consul:api:1.1.0
└─ github.com/hashicorp:serf:0.8.2
└─ golang.org/x:net:0.0.0-20181201002055-351d144fa1fc
Trying to capture some of @DarthHater 's ideas for future Ahab enhancements.
It is great that Ahab scans OS packages (.rpm, .deb, .apk, etc), but there are also many cases where someone will curl or wget some binary file down and install it directly into the /usr/bin folder (or somewhere on the PATH).
To detect these, Ahab could:
cc @bhamail / @DarthHater / @ken-duck / @ButterB0wl
I was running ahab against a list of packages, and it threw an exception whenever there was a package without a minor version. For example:
ca-certificates/now 20170717~16.04.2 all [installed,local]
libkmod2/now 22-1ubuntu5.2 amd64 [installed,local]
libsystemd0/now 229-4ubuntu21.22 amd64 [installed,local]
libudev1/now 229-4ubuntu21.22 amd64 [installed,local]
systemd/now 229-4ubuntu21.22 amd64 [installed,local]
systemd-sysv/now 229-4ubuntu21.22 amd64 [installed,local]
tzdata/now 2019b-0ubuntu0.16.04 all [installed,local]
usbutils/now 1:007-4 amd64 [installed,local]
cc @bhamail / @DarthHater / @ken-duck
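The crash reported above comes from version strings that are not a dotted "major.minor" pair: a Debian version is [epoch:]upstream[-revision], and the upstream part may be a bare date ("20170717~16.04.2"), a single integer ("22"), or carry an epoch ("1:007-4"). The parser below is an added example written for this issue, not ahab's own code; it assumes the `apt list --installed` line layout "name/suite version arch [status]", splits the version per Debian Policy rather than assuming dots, and reports malformed lines as errors instead of aborting the whole scan. The "Listing... Done" banner in the sample is constructed; the package lines are the ones quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// AptPackage is one line of `apt list --installed` output, split into its fields.
// The version is kept in its three Debian components; none of them is assumed
// to contain a "." because packages such as libkmod2 (22-1ubuntu5.2) or
// usbutils (1:007-4) have no minor version at all.
type AptPackage struct {
	Name     string
	Suite    string   // "now" for locally installed packages
	Epoch    string   // "" when the version carries no epoch
	Upstream string   // upstream version, e.g. "229" or "20170717~16.04.2"
	Revision string   // Debian revision, "" for native packages
	Arch     string   // "amd64", "all", ...
	Status   []string // e.g. ["installed", "local"]
}

// splitDebianVersion splits [epoch:]upstream[-revision]. Only the first ":" is
// the epoch separator and only the last "-" separates the revision, because
// upstream versions may themselves contain "-" or "~" (Debian Policy 5.6.12).
func splitDebianVersion(v string) (epoch, upstream, revision string) {
	if i := strings.Index(v, ":"); i >= 0 {
		epoch, v = v[:i], v[i+1:]
	}
	if i := strings.LastIndex(v, "-"); i >= 0 {
		return epoch, v[:i], v[i+1:]
	}
	return epoch, v, ""
}

// ParseAptListLine parses a single "name/suite version arch [status]" line.
// Assumed layout (example code, not ahab's): at least name, version and arch
// must be present; the bracketed status list is optional.
func ParseAptListLine(line string) (AptPackage, error) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return AptPackage{}, fmt.Errorf("apt list: expected at least 3 fields, got %d in %q", len(fields), line)
	}
	var pkg AptPackage
	nameSuite := strings.SplitN(fields[0], "/", 2)
	pkg.Name = nameSuite[0]
	if len(nameSuite) == 2 {
		pkg.Suite = nameSuite[1]
	}
	pkg.Epoch, pkg.Upstream, pkg.Revision = splitDebianVersion(fields[1])
	pkg.Arch = fields[2]
	if len(fields) >= 4 {
		pkg.Status = strings.Split(strings.Trim(fields[3], "[]"), ",")
	}
	return pkg, nil
}

// ParseAptList parses a whole dump, skipping the banner and blank lines and
// collecting per-line errors so one odd package cannot take down the scan.
func ParseAptList(output string) ([]AptPackage, []error) {
	var pkgs []AptPackage
	var errs []error
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "Listing...") {
			continue
		}
		pkg, err := ParseAptListLine(line)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		pkgs = append(pkgs, pkg)
	}
	return pkgs, errs
}

// sampleOutput: constructed banner line followed by the lines quoted in the issue.
const sampleOutput = `Listing... Done
ca-certificates/now 20170717~16.04.2 all [installed,local]
libkmod2/now 22-1ubuntu5.2 amd64 [installed,local]
libsystemd0/now 229-4ubuntu21.22 amd64 [installed,local]
libudev1/now 229-4ubuntu21.22 amd64 [installed,local]
systemd/now 229-4ubuntu21.22 amd64 [installed,local]
systemd-sysv/now 229-4ubuntu21.22 amd64 [installed,local]
tzdata/now 2019b-0ubuntu0.16.04 all [installed,local]
usbutils/now 1:007-4 amd64 [installed,local]
`

func main() {
	pkgs, errs := ParseAptList(sampleOutput)
	for _, p := range pkgs {
		fmt.Printf("%-16s epoch=%q upstream=%q revision=%q arch=%s status=%v\n",
			p.Name, p.Epoch, p.Upstream, p.Revision, p.Arch, p.Status)
	}
	for _, err := range errs {
		fmt.Println("skipped:", err)
	}
}
```

The point for a scanner is that the version must be handed to the vulnerability index as a whole string (with the epoch and revision intact), since dropping the revision or failing on a dateless upstream version either crashes the run or silently matches the wrong package version.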
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20190522155817-f3200d17e092 results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20190522155817-f3200d17e092 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ golang.org/x:net:0.0.0-20190522155817-f3200d17e092
Vulnerabilities
DepShield reports that this application's usage of golang.org/x:net:0.0.0-20181220203305-927f97764cc3 results in the following vulnerability(s):
Occurrences
golang.org/x:net:0.0.0-20181220203305-927f97764cc3 is a transitive dependency introduced by the following direct dependency(s):
• github.com/spf13:cobra:1.0.0
└─ github.com/spf13:viper:1.4.0
└─ github.com/grpc-ecosystem:grpc-gateway:1.9.0
└─ golang.org/x:net:0.0.0-20181220203305-927f97764cc3
└─ gopkg.in:resty.v1:1.12.0
└─ golang.org/x:net:0.0.0-20181220203305-927f97764cc3