sonatype-nexus-community / jake


Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.

Home Page: https://jake.readthedocs.io/

License: Apache License 2.0

Python 97.97% Dockerfile 2.03%
python vulnerabilities vulnerability-scanners ossindex nexus-iq sonatype-iq

jake's Introduction


Jake



jake is a tool for your Python environments and applications that can:

  • produce CycloneDX software bill-of-materials
  • report on known vulnerabilities

jake is powered by Sonatype OSS Index and can also be used with Sonatype's Nexus IQ Server.

Installation

Install from pypi.org as you would any other Python module:

pip install jake

or

poetry add jake

Other Python package managers are available.

Usage

Getting Started

jake can guide you...

> jake --help
usage: jake [-h] [-v] [-w] [-X]  ...

Put your Python dependencies in a chokehold

optional arguments:
  -h, --help       show this help message and exit
  -v, --version    show which version of jake you are running
  -w, --warn-only  prevents exit with non-zero code when issues have been
                   detected
  -X               enable debug output

Jake sub-commands:
  
    iq             perform a scan backed by Nexus Lifecycle
    ddt            perform a scan backed by OSS Index
    sbom           generate a CycloneDX software-bill-of-materials (no
                   vulnerabilities)

jake exits with code 0 under normal operation and 1 if vulnerabilities are found (OSS Index) or policy violations are detected (Nexus IQ), unless you pass the -w flag, in which case jake always exits with code 0. Leave -w off when jake gates a CI job; use it only where you want the report without failing the build.

Generating an SBOM

jake can take data from various inputs (or just look at your current Python environment) and produce a CycloneDX for you.

> jake sbom --help

usage: jake sbom [-h] [-f FILE_PATH] [-t TYPE] [-o PATH/TO/FILE]
                   [--output-format {json,xml}]
                   [--schema-version {1.0,1.1,1.2,1.3}]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE_PATH, --input FILE_PATH
                        Where to get input data from. If a path to a file is
                        not specified directly here,then we will attempt to
                        read data from STDIN. If there is no data on STDIN, we
                        will then fall back to looking for standard files in
                        the current directory that relate to the type of input
                        indicated by the -t flag.
  -t TYPE, --type TYPE, -it TYPE, --input-type TYPE
                        how jake should find the packages from which to
                        generate your SBOM.ENV = Read from the current Python
                        Environment; CONDA = Read output from `conda list
                        --explicit`; CONDA_JSON = Read output from `conda list
                        --json`; PIP = read from a requirements.txt; PIPENV =
                        read from Pipfile.lock; POETRY = read from a
                        poetry.lock. (Default = ENV)
  -o PATH/TO/FILE, --output-file PATH/TO/FILE
                        Specify a file to output the SBOM to
  --output-format {json,xml}
                        SBOM output format (default = xml)
  --schema-version {1.0,1.1,1.2,1.3}
                        CycloneDX schema version to use (default = 1.3)

Check out these examples using STDIN:

conda list --explicit --md5 | jake sbom -t CONDA
conda list --json | jake sbom -t CONDA_JSON
cat /path/to/Pipfile.lock | python -m jake.app sbom -t PIPENV

Check out these examples specifying a manifest:

jake sbom -t PIP -f /path/to/requirements.txt
jake sbom -t PIPENV -f /path/to/Pipfile.lock
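An added example of what a -t PIP manifest turns into, written for this page and not taken from jake's code base: it maps exactly pinned requirements.txt lines to pkg:pypi PackageURLs, emits a minimal CycloneDX 1.3 JSON document, reports lines it cannot place in the SBOM because they are not pinned to a single version, and checks the result for a version field that leaked purl qualifiers (the malformed "0.16.0?extension=tar.gz" value reported in the issues section below). The sample manifest, the pin regex and the helper names are constructed assumptions, not jake's parser.

```python
"""Minimal CycloneDX 1.3 JSON SBOM from a pinned requirements.txt (added example, not jake's code)."""
import json
import re
import uuid
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest (not from the page): pins, an extra, an
# environment marker, a comment, an include directive and a range spec.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.25.1
cryptography==2.2.2
PyYAML[extras]==5.3.1 ; python_version >= "3.6"
-r dev-requirements.txt
django>=3.0          # range spec: no single version to report
Flask_SQLAlchemy==2.5.1
"""

# project name, optional extras, exact pin, PEP 440 version (wildcards deliberately excluded)
_PIN_RE = re.compile(
    r"(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[^\]]*\])?\s*==\s*"
    r"(?P<version>[A-Za-z0-9][A-Za-z0-9.!+-]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[Tuple[str, str]]:
    """Return (normalized_name, version) for an exactly pinned line, else None.

    Comments, environment markers and option lines (-r, -e, --index-url ...)
    are discarded; anything that is not a single `==` pin is rejected.
    """
    spec = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not spec or spec.startswith("-"):
        return None
    m = _PIN_RE.fullmatch(spec)
    if m is None:
        return None
    return normalize_name(m.group("name")), m.group("version")


def to_purl(name: str, version: str) -> str:
    return f"pkg:pypi/{name}@{version}"


def build_sbom(requirements_text: str) -> Tuple[Dict, List[str]]:
    """Build a CycloneDX 1.3 JSON document; also return requirement lines that were skipped."""
    components: List[Dict] = []
    skipped: List[str] = []
    for raw in requirements_text.splitlines():
        spec = raw.split("#", 1)[0].strip()
        parsed = parse_requirement(raw)
        if parsed is None:
            if spec and not spec.startswith("-"):
                skipped.append(spec)  # a real requirement we could not pin to one version
            continue
        name, version = parsed
        purl = to_purl(name, version)
        components.append({
            "type": "library",
            "bom-ref": purl,
            "name": name,
            "version": version,
            "purl": purl,
        })
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.3",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": components,
    }
    return bom, skipped


def malformed_versions(bom: Dict) -> List[str]:
    """bom-refs whose version field carries purl qualifiers such as '?extension=tar.gz'."""
    return [c["bom-ref"] for c in bom.get("components", []) if "?" in str(c.get("version", ""))]


if __name__ == "__main__":
    sbom, unpinned = build_sbom(SAMPLE_REQUIREMENTS)
    print(json.dumps(sbom, indent=2))
    for line in unpinned:
        print(f"WARNING: not pinned, not in SBOM: {line}")
    assert not malformed_versions(sbom)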

Check for vulnerabilities using OSS Index

jake will look at the packages installed in your current Python environment and check them against OSS Index for you. Optionally, it can create a CycloneDX software bill-of-materials at the same time in a format that suits you.

> jake ddt --help

usage: jake ddt [-h] [-f FILE_PATH] [-t TYPE] [--clear-cache] [-o PATH/TO/FILE] 
                   [--output-format {xml,json}]
                   [--schema-version {1.2,1.1,1.0,1.3}]
                   [--whitelist OSS_WHITELIST_JSON_FILE]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE_PATH, --input-file FILE_PATH
                        Where to get input data from. If a path to a file is
                        not specified directly here,then we will attempt to
                        read data from STDIN. If there is no data on STDIN, we
                        will then fall back to looking for standard files in
                        the current directory that relate to the type of input
                        indicated by the -t flag.
  -t TYPE, --type TYPE, -it TYPE, --input-type TYPE
                        how jake should find the packages from which to
                        generate your SBOM.ENV = Read from the current Python
                        Environment; CONDA = Read output from `conda list
                        --explicit`; CONDA_JSON = Read output from `conda list
                        --json`; PIP = read from a requirements.txt; PIPENV =
                        read from Pipfile.lock; POETRY = read from a
                        poetry.lock. (Default = ENV)
  --clear-cache         Clears any local cached OSS Index data prior to execution
  -o PATH/TO/FILE, --output-file PATH/TO/FILE
                        Specify a file to output the SBOM to. If not specified the report will be output to the console. STDOUT is not supported.
  --output-format {xml,json}
                        SBOM output format (default = xml)
  --schema-version {1.2,1.1,1.0,1.3}
                        CycloneDX schema version to use (default = 1.3)
  --whitelist OSS_WHITELIST_JSON_FILE
                        Set path to whitelist json file

So you can quickly get a report by running:

> jake ddt

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.1.0
Put your Python dependencies in a chokehold.

๐Ÿ Collected 42 packages from your environment (0:00:00.10)
๐Ÿ Successfully queried OSS Index for package and vulnerability info (0:00:00.59)
๐Ÿ Sane number of results from OSS Index


โ•”Summaryโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฆโ•โ•โ•โ•โ•—
โ•‘ Audited Dependencies โ•‘ 42 โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฌโ•โ•โ•โ•โ•ฃ
โ•‘ Vulnerablities Found โ•‘ 0  โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฉโ•โ•โ•โ•โ•

...and this is what jake will output if any bad things are found:

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.1.5
Put your Python dependencies in a chokehold

๐Ÿ Collected 69 packages from your environment                       โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% -:--:--
๐Ÿ Successfully queried OSS Index for package and vulnerability info โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% -:--:--
๐Ÿ Sane number of results from OSS Index                             โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% -:--:--

[59/69] - pkg:pypi/[email protected] [VULNERABLE]
Vulnerability Details for pkg:pypi/[email protected]
├── ⚠  ID: 333aca51-7375-4a9d-be64-16d316ab9274
│   └── ╭─ CVE-2020-36242 ──────────────────────────────────────────────────────────────
│       │
│       │ In the cryptography package before 3.3.2 for Python, certain sequences of update
│       │ calls to symmetrically encrypt multi-GB values could result in an integer overflow
│       │ and buffer overflow, as demonstrated by the Fernet class.
│       │
│       │ Details:
│       │   - CVSS Score: 9.1 - Critical
│       │   - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
│       │   - CWE: Unknown
│       │
│       │ References:
│       │   - https://ossindex.sonatype.org/vulnerability/333aca51-7375-4a9d-be64-16d316ab9274?component-type=pypi&component-name=cryptography&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration
│       │   - https://nvd.nist.gov/vuln/detail/CVE-2020-36242
│       │
│       ╰──────────────────────────────────────────────────────────────────────────────────
└── ⚠  ID: f19ff95c-cec5-4263-8d3b-e3e64698881e
    └── ╭─ CVE-2018-10903 ──────────────────────────────────────────────────────────────
        │
        │ A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The
        │ finalize_with_tag API did not enforce a minimum tag length. If a user did not
        │ validate the input length prior to passing it to finalize_with_tag an attacker
        │ could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they
        │ would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can
        │ cause key leakage.
        │
        │ Details:
        │   - CVSS Score: 7.5 - High
        │   - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        │   - CWE: Unknown
        │
        │ References:
        │   - https://ossindex.sonatype.org/vulnerability/f19ff95c-cec5-4263-8d3b-e3e64698881e?component-type=pypi&component-name=cryptography&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration
        │   - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10903
        │   - https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef
        │   - https://nvd.nist.gov/vuln/detail/CVE-2018-10903
        │
        ╰──────────────────────────────────────────────────────────────────────────────────

                    Summary                     
┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Audited Dependencies ┃ Vulnerabilities Found ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 69                   │ 2                     │
└──────────────────────┴───────────────────────┘

Check out these examples using STDIN:

conda list --explicit --md5 | jake ddt -t CONDA
conda list --json | jake ddt -t CONDA_JSON
cat /path/to/Pipfile.lock | python -m jake.app ddt -t PIPENV

Check out these examples specifying a manifest:

jake ddt -t PIP -f /path/to/requirements.txt
jake ddt -t PIPENV -f /path/to/Pipfile.lock

A pre-commit hook is also available; add the following to your .pre-commit-config.yaml:

  - repo: https://github.com/sonatype-nexus-community/jake
    rev: "v1.3.0"
    hooks:
      - id: scan

Whitelisting

Vulnerabilities can be whitelisted. Add the --whitelist argument and pass a JSON file:

> jake ddt --whitelist jake-whitelist.json

The file should look like this:

{"ignore": [{"id": "f19ff95c-cec5-4263-8d3b-e3e64698881e", "reason": "Insert reason here"}]}

The only field jake acts on is id, which is the ID OSS Index assigns to the vulnerability (the ID: value shown in the ddt report, not the CVE number). You can add fields such as reason so that you can later understand why you whitelisted a vulnerability; jake ignores them.

Any whitelisted id is squelched from the results and does not cause a non-zero exit. Because the match is on the vulnerability ID alone, not on a package or version, review whitelist entries whenever dependencies change so that they do not silently outlive the justification recorded in reason.
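The whitelist semantics and the exit-code contract described above, as an added example written for this page rather than jake's own code: it parses a whitelist file in the documented format, rejects entries without a well-formed OSS Index ID, drops whitelisted IDs from a result set, flags whitelist entries that no longer match anything, and derives the exit code (1 while findings remain, 0 with warn-only). It also normalizes CWE identifiers such as "CWE-22" rather than calling int() on them, which is the ValueError reported against jake 1.4.1 in the issues section below. The finding structure, the example-lib component and its IDs, and the cryptography version are constructed for the demonstration; the two cryptography vulnerability IDs are the ones in the report earlier on this page.

```python
"""Apply a jake-style OSS Index whitelist to findings and derive the exit code (added example)."""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

_OSS_INDEX_ID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed whitelist in the documented format. The second entry matches
# nothing in FINDINGS on purpose, to show stale-entry detection.
WHITELIST_JSON = """
{"ignore": [
  {"id": "f19ff95c-cec5-4263-8d3b-e3e64698881e",
   "reason": "We never call finalize_with_tag; tag length is fixed at 16 bytes in our wrapper"},
  {"id": "00000000-0000-4000-8000-000000000000",
   "reason": "constructed stale entry"}
]}
"""

# Simplified, constructed view of an OSS Index result set: one entry per
# component with its vulnerabilities. cryptography@2.2.2 is a constructed
# version inside the affected range of both CVEs; example-lib is invented.
FINDINGS: List[Dict] = [
    {"purl": "pkg:pypi/cryptography@2.2.2",
     "vulnerabilities": [
         {"id": "333aca51-7375-4a9d-be64-16d316ab9274", "cve": "CVE-2020-36242",
          "cvssScore": 9.1, "cwe": None},
         {"id": "f19ff95c-cec5-4263-8d3b-e3e64698881e", "cve": "CVE-2018-10903",
          "cvssScore": 7.5, "cwe": None},
     ]},
    {"purl": "pkg:pypi/example-lib@1.0.0",
     "vulnerabilities": [
         {"id": "11111111-1111-4111-8111-111111111111", "cve": None,
          "cvssScore": 5.3, "cwe": "CWE-22"},   # CWE spelled the way OSS Index returns it
         {"id": "22222222-2222-4222-8222-222222222222", "cve": None,
          "cvssScore": 4.0, "cwe": "22"},       # bare number, also seen in feeds
     ]},
]


def load_whitelist(text: str) -> Dict[str, str]:
    """Parse the whitelist file; reject entries without a well-formed OSS Index id."""
    data = json.loads(text)
    entries = data.get("ignore")
    if not isinstance(entries, list):
        raise ValueError("whitelist must be an object with an 'ignore' list")
    whitelist: Dict[str, str] = {}
    for entry in entries:
        vuln_id = entry.get("id") if isinstance(entry, dict) else None
        if not isinstance(vuln_id, str) or not _OSS_INDEX_ID.match(vuln_id):
            raise ValueError(f"whitelist entry without a valid OSS Index id: {entry!r}")
        whitelist[vuln_id.lower()] = str(entry.get("reason", ""))
    return whitelist


def parse_cwe(value) -> Optional[int]:
    """Accept 'CWE-22', 'cwe-22', '22' or 22; return the number, or None if absent/unknown."""
    if value is None:
        return None
    m = re.fullmatch(r"(?:CWE-)?(\d+)", str(value).strip(), re.I)
    return int(m.group(1)) if m else None


def apply_whitelist(findings: List[Dict], whitelist: Dict[str, str]
                    ) -> Tuple[List[Dict], List[Tuple[str, str]], List[str]]:
    """Return (kept findings, squelched (purl, id) pairs, stale whitelist ids)."""
    kept: List[Dict] = []
    squelched: List[Tuple[str, str]] = []
    matched: Set[str] = set()
    for component in findings:
        remaining = []
        for vuln in component["vulnerabilities"]:
            vuln_id = vuln["id"].lower()
            if vuln_id in whitelist:
                squelched.append((component["purl"], vuln_id))
                matched.add(vuln_id)
            else:
                remaining.append({**vuln, "cwe": parse_cwe(vuln.get("cwe"))})
        if remaining:
            kept.append({"purl": component["purl"], "vulnerabilities": remaining})
    stale = sorted(set(whitelist) - matched)
    return kept, squelched, stale


def exit_code(kept: List[Dict], warn_only: bool = False) -> int:
    """Documented contract: 1 when vulnerabilities remain, 0 otherwise or with -w."""
    return 0 if warn_only or not kept else 1


if __name__ == "__main__":
    wl = load_whitelist(WHITELIST_JSON)
    kept, squelched, stale = apply_whitelist(FINDINGS, wl)
    for purl, vid in squelched:
        print(f"whitelisted {vid} on {purl}: {wl[vid]}")
    for vid in stale:
        print(f"WARNING: whitelist entry {vid} matched nothing; remove or re-justify it")
    for component in kept:
        for vuln in component["vulnerabilities"]:
            print(f"{component['purl']} {vuln['id']} cve={vuln['cve']} cwe={vuln['cwe']}")
    raise SystemExit(exit_code(kept))
```

Run stand-alone it prints the squelched entry with its recorded reason, warns about the stale entry, lists the three surviving findings and exits 1, exactly as a CI gate should; the stale-entry warning is the check the documented format does not give you for free.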

Check for vulnerabilities using Sonatype Nexus Lifecycle

Access Sonatype's proprietary vulnerability data using jake:

> jake iq --help

usage: jake iq [-h] [-f FILE_PATH] [-t TYPE] -s https://localhost:8070 -i APP_ID -u USER_ID -p PASSWORD [-st STAGE]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE_PATH, --input-file FILE_PATH
                        Where to get input data from. If a path to a file is
                        not specified directly here,then we will attempt to
                        read data from STDIN. If there is no data on STDIN, we
                        will then fall back to looking for standard files in
                        the current directory that relate to the type of input
                        indicated by the -t flag.
  -t TYPE, --type TYPE, -it TYPE, --input-type TYPE
                        how jake should find the packages from which to
                        generate your SBOM.ENV = Read from the current Python
                        Environment; CONDA = Read output from `conda list
                        --explicit`; CONDA_JSON = Read output from `conda list
                        --json`; PIP = read from a requirements.txt; PIPENV =
                        read from Pipfile.lock; POETRY = read from a
                        poetry.lock. (Default = ENV)
  -s https://localhost:8070, --server-url https://localhost:8070
                        Full http(s):// URL to your Nexus Lifecycle server
  -i APP_ID, --application-id APP_ID
                        Public Application ID in Nexus Lifecycle
  -u USER_ID, --username USER_ID
                        Username for authentication to Nexus Lifecycle
  -p PASSWORD, --password PASSWORD
                        Password for authentication to Nexus Lifecycle
  -st STAGE, --stage STAGE
                        The stage for the report

Passing parameters that suit your Nexus Lifecycle environment, you can get a report. Keep in mind that -p puts the password on the command line, where it is visible to other local users in the process list and is recorded in shell history; in CI, inject it from a masked secret variable rather than typing it:

> jake iq -s https://my-nexus-lifecyle -i APP_ID -u USERNAME -p PASSWORD

                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.0.1
Put your Python dependencies in a chokehold

๐Ÿ IQ Server at https://my-nexus-lifecyle is up and accessible (0:00:00.14)
๐Ÿ Collected 42 packages from your environment (0:00:00.09)
๐Ÿงจ Something slithers around your ankle! There are policy warnings from Sonatype Nexus IQ. (0:00:11.50)

Your Sonatype Nexus IQ Lifecycle Report is available here:
  HTML: https://my-nexus-lifecyle/ui/links/application/APP_ID/report/4831bcb7fbaa45c3a2481048e446b598
  PDF:  https://my-nexus-lifecyle/ui/links/application/APP_ID/report/4831bcb7fbaa45c3a2481048e446b598/pdf

Why Jake?

Jake The Snake was scared of snakes. His finishing move was the DDT. He finishes the snake with the DDT.

Who better to wrangle those slippery dependencies in any virtual or real environment.

Python Support

We endeavour to support all functionality on all currently supported Python versions. Some features may be missing or limited on older Python versions that lack the required language or library support.

Changelog

See our CHANGELOG.

Releasing

We perform releases manually by clicking the "On Hold" button in the CircleCI web page.

If you see a feature in the code that we have not released, please speak up, and we'll be sure to click the magic button.

We use python-semantic-release to generate releases from commits to the main branch.

For example, to perform a "patch" release, add a commit to main with a commit message like the one below. The fix: prefix matters.

fix: Resolve vulnerability: CVE-2020-27783 in lxml

The Fine Print

Remember:

It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)

  • Use this contribution at the risk tolerance that you have
  • Do NOT file Sonatype support tickets related to ossindex-lib
  • DO file issues here on GitHub, so that the community can pitch in

Phew, that was easier than I thought. Last but not least of all - have fun!

jake's People

Contributors

actions-user, allenhsieh, arichtman, bhamail, butterb0wl, cshaley, darthhater, daviskirk, jimmydore, jwa5426, madpah, sanzoghenzo, scherzhaft, thecodinator19, therealak12


jake's Issues

[BUG] "jake ddt" produces a ValueError when a CWE is found

Describe the bug
When finding a vulnerability having a CWE, jake 1.4.1 seems to assume the CWE ID is numerical, and fails with a ValueError.

To Reproduce
Steps to reproduce the behavior:

  1. Run a docker container with image python:3.6-slim: docker run --rm -it --name jaketest python:3.6-slim bash
  2. Inside the container, install and activate a virtual environment. The version of pip inside that environment will be 18.1 which has known vulnerabilities.
  3. Install jake inside the virtual environment
  4. Run jake ddt
  5. jake produces the error ValueError: invalid literal for int() with base 10: 'CWE-22', see https://gitlab.com/j2c-bce/helloworld-fastapi/-/jobs/2028565003 for an example

Expected behavior
Jake produces a vulnerability report. In the same environment as above, this worked with jake==1.1.5.

Screenshots

Jake Version: 1.4.1
Put your Python dependencies in a chokehold

๐Ÿ Collected 26 packages from your environment                       โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% 0:00:00
๐Ÿ Successfully queried OSS Index for package and vulnerability info โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% 0:00:00
๐Ÿ Sane number of results from OSS Index                             โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% 0:00:00
๐Ÿ Munching & crunching data...                                      โ”โ”โ•บโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”  12% 0:00:01
Traceback (most recent call last):
  File "/venv/bin/jake", line 11, in <module>
    sys.exit(main())
  File "/venv/lib/python3.6/site-packages/jake/app.py", line 124, in main
    JakeCmd().execute()
  File "/venv/lib/python3.6/site-packages/jake/app.py", line 69, in execute
    exit_code: int = command.execute(arguments=self._arguments)
  File "/venv/lib/python3.6/site-packages/jake/command/__init__.py", line 45, in execute
    return self.handle_args()
  File "/venv/lib/python3.6/site-packages/jake/command/oss.py", line 137, in handle_args
    cwes=[int(oic_vulnerability.get_cwe())] if oic_vulnerability.get_cwe() else None,
ValueError: invalid literal for int() with base 10: 'CWE-22'

Desktop (please complete the following information):

  • OS: Linux x86-64
  • Python Version: 3.6.15
  • Version: 1.4.1
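
An added example (not jake's code) of the parsing the traceback above calls for: a CWE identifier is accepted in either "CWE-22" or bare-number form, and anything else yields None instead of an exception, so one odd record cannot abort the scan. The regex and function names are my own.

```python
import re
from typing import List, Optional, Union

# OSS Index hands back the CWE as a string such as "CWE-22"; the 1.4.1 code
# passed that straight to int(), which is the ValueError in the report above.
_CWE_RE = re.compile(r"^\s*(?:CWE-)?(\d+)\s*$", re.IGNORECASE)


def parse_cwe_id(raw: Union[str, int, None]) -> Optional[int]:
    """Return the numeric part of a CWE identifier.

    Accepts "CWE-22", "cwe-22", "22" or an int; returns None for an absent,
    empty or unparseable value rather than raising.
    """
    if raw is None:
        return None
    if isinstance(raw, int):
        return raw
    match = _CWE_RE.match(str(raw))
    return int(match.group(1)) if match else None


def cwes_for_vulnerability(raw_cwe: Union[str, int, None]) -> Optional[List[int]]:
    """Build the `cwes` value in the shape the traceback shows: a list of ints, or None."""
    cwe = parse_cwe_id(raw_cwe)
    return [cwe] if cwe is not None else None
```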

invalid version in Jake generated BOM

Describe the bug
When using jake bom, versions in the generated BOM end in ?extension=tar.gz

To Reproduce

$ jake sbom | xmllint --format -
<?xml version="1.0"?>
<bom xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/yaspin@0.16.0?extension=tar.gz">
      <name>yaspin</name>
      <version>0.16.0?extension=tar.gz</version>
      <purl>pkg:pypi/yaspin@0.16.0?extension=tar.gz</purl>
    </component>
...

Expected behavior
Just the version in the version tag; it is yet to be defined whether the bom-ref attribute should have the extension parameter or not.

$ jake sbom | xmllint --format -
<?xml version="1.0"?>
<bom xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/yaspin@0.16.0?extension=tar.gz">
      <name>yaspin</name>
      <version>0.16.0</version>
      <purl>pkg:pypi/yaspin@0.16.0?extension=tar.gz</purl>
    </component>
...

[FEATURE] Scan dependencies determined by a requirements file without installing them

  • What are you trying to do?
    Scan dependencies determined by a requirements file without actually having these dependencies installed

  • What feature or behavior is this required for?
    The jake installation itself has its own dependencies, and in certain cases these dependencies conflict with the dependencies of the scanned project (see https://gitlab.com/j2c-bce/helloworld-fastapi/-/jobs/2033667516 for an example situation; I solved it by upgrading the project dependencies in this case, but there might exist situations where that is not an option).

  • How could we solve this issue? (Not knowing is okay!)
    Idk, maybe generate an SBOM from the requirements file and use that to look for vulnerabilities?

  • Anything else?

cc @bhamail / @DarthHater

[FEATURE] Add environment variable to override default location for cache and log files.

  • Jake puts log and cache files in the ${HOME}/.ossindex directory. There are some cases where this isn't optimal. For example, in a CI environment with multiple executors on the same agent there may be multiple simultaneous jake invocations. It would be helpful in this situation if there was a JAKE_HOME or JAKE_WORKDIR environment variable that could be set to override the default location.

  • This is mostly useful for CI but there may be other automation cases where the home directory for a daemon user isn't writable.

  • Something like environ.get('JAKE_WORKDIR', Path.home()) should do the trick. I think there are a few places that change would need to be made. I don't quite know how to test it since my Python knowledge is not great.

cc @bhamail / @DarthHater

[BUG] Strict option placement for -w flag

Hi all, not sure if this is even a bug but I encountered this when trying to set up pre-commit scans that were warn-only. When running Jake scans, the warn option is strictly positional.

Steps to reproduce the behavior:

  1. Run jake ddt -w
  2. See error jake: error: unrecognized arguments: -w

Expected behavior
jake -h ddt is identical to jake ddt -x
According to this, jake -w ddt should be the same as jake ddt -w


Desktop (please complete the following information):

  • OS: WSL/Ubuntu 20.04 LTS
  • Uname -a: Linux bruce-banner 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Python Version: Python 3.10.1
  • Version jake 1.4.3

Additional context
os-release:

NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
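
An added example (not jake's own argparse setup) of how both placements can be accepted: the flag is registered on the top-level parser and again on each sub-parser, with `argparse.SUPPRESS` as the sub-parser default so a sub-command that did not see `-w` does not overwrite the value set by the global flag when argparse merges the namespaces. `exit_code` encodes the README's rule for the flag; the sub-command names and help strings are the ones from the README's help output.

```python
import argparse
from typing import List


def _add_warn_only(parser: argparse.ArgumentParser, default) -> None:
    parser.add_argument(
        "-w", "--warn-only", dest="warn_only", action="store_true", default=default,
        help="prevents exit with non-zero code when issues have been detected",
    )


def build_parser() -> argparse.ArgumentParser:
    """Top-level parser plus sub-commands, with -w accepted in either position."""
    parser = argparse.ArgumentParser(prog="jake")
    _add_warn_only(parser, default=False)  # global form: jake -w ddt
    sub = parser.add_subparsers(dest="command", required=True, title="Jake sub-commands")
    for name, help_text in (("iq", "perform a scan backed by Nexus Lifecycle"),
                            ("ddt", "perform a scan backed by OSS Index"),
                            ("sbom", "generate a CycloneDX software-bill-of-materials")):
        child = sub.add_parser(name, help=help_text)
        # SUPPRESS: if this sub-command did not see -w, no warn_only attribute is
        # produced for it, so the True set by the global flag survives the merge.
        _add_warn_only(child, default=argparse.SUPPRESS)  # sub-command form: jake ddt -w
    return parser


def parse(argv: List[str]) -> argparse.Namespace:
    return build_parser().parse_args(argv)


def exit_code(vulnerabilities_found: int, warn_only: bool) -> int:
    """README semantics: 1 when issues were detected, always 0 under -w."""
    if warn_only:
        return 0
    return 1 if vulnerabilities_found > 0 else 0
```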

[BUG] Pinned to Yaml 5.3.1, which is insecure

Jake pins the versions, so when the host app installs the updated secure library, jake comes in, uninstalls the secure library and installs an insecure library.

  • PyYAML [required: ==5.3.1, installed: 5.3.1]

Ref to vulnerability bulletin: https://snyk.io/vuln/pip:pyyaml

Please stop pinning versions, or if you really like pinning versions you need to update your pinned versions the day that safety publishes vulnerabilities and get your version out to pypi.

Alpo Time - use jake to scan jake during CI

  • What are you trying to do?
    Update the CI config of the jake project to run jake against itself and report any vulnerabilities found. CI should fail if vulnerabilities are found.

  • What feature or behavior is this required for?
    Yummy dog food.

  • How could we solve this issue? (Not knowing is okay!)
    Update CI with yummy goodness

  • Anything else?
    Dunno

cc @bhamail / @DarthHater

Allow Jake to send username and APIKey to OSS Index

Right now we just make requests to OSS Index with no auth.

OSS Index can accept basic auth requests with:

To make authenticated requests use HTTP Basic authentication.

Email address is used for HTTP Basic authentication user name, NOT nickname.

API Token can be used in place of password.

From: https://ossindex.sonatype.org/doc/rest

Essentially, we should allow a user to configure their username and "password" for jake and have that go with requests if they've configured it.

[FEATURE] Check for newer version of Jake during startup

  • What are you trying to do?
    When Jake runs, it should check to see if a newer version of Jake has been released. If a new release exists, prompt the user to upgrade to the latest release. The prompt should include a command to perform the upgrade, e.g. pip install jake --upgrade

some learnings from similar efforts:

  • provide a way to bypass the check (via CLI flag). see: sonatype-nexus-community/nancy#217
    and sonatype-nexus-community/nancy#218
    The ability to skip the check when a given ENV VAR is set is also useful in CI systems.
  • cache the date/time when the last check was performed, and only check again in, say, 28 hours.
  • also include the command to perform the upgrade in the application help (and maybe the README.md?).

cc @bhamail / @DarthHater

[FEATURE] Support conda-lock files

  • What are you trying to do?

https://github.com/conda-incubator/conda-lock/ includes a transitive pinned list of packages to install in a Conda environment, to allow for reproducible builds. I am fairly certain it contains the same information as conda list.

It would be nice to be able to scan for vulnerabilities using this file, because then one wouldn't have to actually install the packages to check for vulnerabilities.

Unlike environment.yml, it should contain a complete list of packages that will be installed, so there's no worry about extra dependencies being installed and not scanned for vulnerable releases.

  • How could we solve this issue? (Not knowing is okay!)

Write a parser for conda-lock output files. Should be pretty simple:

# platform: linux-64
# env_hash: 27bd039b2991103d63cefc823705756d66514e1c6bf6f156bc6eb3bd87679676

@EXPLICIT

https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2#d7c89558ba9fa0495403155b64376d81
https://conda.anaconda.org/conda-forge/linux-64/ca-certificates-2021.5.30-ha878542_0.tar.bz2#6a777890e94194dc94a29a76d2a7e721
https://conda.anaconda.org/conda-forge/linux-64/ld_impl_linux-64-2.35.1-hed1e6ac_0.tar.bz2#d0cf77c331382475133dc6c34e7461d7
https://conda.anaconda.org/conda-forge/linux-64/libgfortran5-9.3.0-he4bcb1c_17.tar.bz2#0c15349375fc3d0cb2114fcabe2f0aba

  • Anything else?

Thank you for writing this tool! I'm writing a blog post about it right now.

cc @bhamail / @DarthHater
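
An added example, not conda-lock's or jake's code, of the parser the issue above describes: it reads the explicit format (comments, the @EXPLICIT marker, one artifact URL per line with an md5 fragment), splits each filename into name, version and build, and emits a Package URL of type conda that a vulnerability service could be queried with. The first two sample URLs are the ones quoted above; the noarch .conda line with its all-f md5 is constructed to exercise the second artifact type, and names such as CondaPackage and LockFormatError are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample in conda-lock's explicit format (see the issue above).
SAMPLE_LOCK = """\
# platform: linux-64
# env_hash: 27bd039b2991103d63cefc823705756d66514e1c6bf6f156bc6eb3bd87679676

@EXPLICIT

https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2#d7c89558ba9fa0495403155b64376d81
https://conda.anaconda.org/conda-forge/linux-64/ld_impl_linux-64-2.35.1-hed1e6ac_0.tar.bz2#d0cf77c331382475133dc6c34e7461d7
https://conda.anaconda.org/conda-forge/noarch/six-1.16.0-pyh6c4a22f_0.conda#ffffffffffffffffffffffffffffffff
"""

_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


class LockFormatError(ValueError):
    """Raised when a line does not look like conda-lock explicit output."""


@dataclass(frozen=True)
class CondaPackage:
    name: str
    version: str
    build: str
    channel: str
    subdir: str
    ext: str  # "tar.bz2" or "conda"
    md5: Optional[str]

    def purl(self) -> str:
        """Package URL of type conda for this artifact."""
        return (f"pkg:conda/{self.name}@{self.version}"
                f"?build={self.build}&channel={self.channel}&subdir={self.subdir}&type={self.ext}")


def split_artifact_name(filename: str) -> Tuple[str, str, str, str]:
    """'<name>-<version>-<build>.<ext>' -> (name, version, build, ext); the name may itself contain '-'."""
    for ext in (".conda", ".tar.bz2"):
        if filename.endswith(ext):
            stem = filename[: -len(ext)]
            break
    else:
        raise LockFormatError(f"unexpected artifact extension: {filename}")
    parts = stem.rsplit("-", 2)  # build and version never contain '-', so split from the right
    if len(parts) != 3 or not all(parts):
        raise LockFormatError(f"cannot split name/version/build: {filename}")
    return parts[0], parts[1], parts[2], ext.lstrip(".")


def parse_conda_lock(text: str) -> List[CondaPackage]:
    """Parse explicit conda-lock output, validating each line as it goes."""
    platform: Optional[str] = None
    explicit = False
    packages: List[CondaPackage] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# platform:"):
                platform = line.split(":", 1)[1].strip()
            continue
        if line == "@EXPLICIT":
            explicit = True
            continue
        if not explicit:
            raise LockFormatError(f"line {lineno}: package URL before @EXPLICIT marker")
        url = urlsplit(line)
        if url.scheme not in ("http", "https") or not url.netloc:
            raise LockFormatError(f"line {lineno}: not an absolute package URL")
        segments = [s for s in url.path.split("/") if s]
        if len(segments) < 3:
            raise LockFormatError(f"line {lineno}: expected .../<channel>/<subdir>/<file>")
        channel, subdir, filename = segments[-3], segments[-2], segments[-1]
        if platform and subdir not in (platform, "noarch"):
            raise LockFormatError(f"line {lineno}: subdir {subdir} does not match platform {platform}")
        name, version, build, ext = split_artifact_name(filename)
        md5 = url.fragment.lower() or None
        if md5 is not None and not _MD5_RE.match(md5):
            raise LockFormatError(f"line {lineno}: malformed md5 fragment")
        packages.append(CondaPackage(name, version, build, channel, subdir, ext, md5))
    return packages


def lock_purls(text: str) -> List[str]:
    """The purls a scanner would submit for this lock file."""
    return [p.purl() for p in parse_conda_lock(text)]
```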

[FEATURE] Move to using Poetry for our dependencies, etc...

  • What are you trying to do?
    We seem to be doing the flaming hoops dance with pip etc... and it sure seems Poetry is very good at handling all the bad stuff that pip is not good at handling

  • What feature or behavior is this required for?
    Separating out dev deps, reproducible builds, etc...

  • How could we solve this issue? (Not knowing is okay!)
    Get it building and creating something awesome using poetry!

  • Anything else?
    Just have fun!

cc @bhamail / @DarthHater

[BUG] Jake crashes on ddt scan "TypeError: 'int' object is not callable"

Describe the bug
When running a Jake scan it crashes out attempting to call an int object somewhere in TinyDB.

To Reproduce
Steps to reproduce the behavior:

  1. Clone the repository https://github.com/arichtman/foxOps
  2. Enter the virtual environment and run Jake: poetry run jake ddt
  3. See error

Expected behavior
Normal execution of Jake OSS Index-backed scan


Desktop (please complete the following information):

  • OS: WSL2 Ubuntu 20.04 LTS
  • Uname -a: Linux bruce-banner 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Python Version: 3.10.1
  • Version 1.4.3

Additional context
os-release:

NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

[BUG] \U0001f40d character causes an error when running jake through a batch file on Windows

The human-readable header information appears to cause an exception due to Windows-incompatible characters being output.

I'm attempting to run jake on a Windows machine through a batch file against a conda environment.
There's a line in the batch file as follows:

conda list | jake ddt -c -q

This should pass the conda list of packages through to jake and generate the usual output. However, this throws the following exception instead:

Exception in thread Thread-1:
Traceback (most recent call last):
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\threading.py", line 916, in _bootstrap_inner
    self.run()
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\yaspin\core.py", line 360, in _spin
    sys.stdout.write(out)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 41, in write
    self.__convertor.write(text)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 162, in write
    self.write_and_convert(text)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 187, in write_and_convert
    self.write_plain_text(text, cursor, start)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 195, in write_plain_text
    self.wrapped.write(text[start:end])
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\u280b' in position 0: character maps to <undefined>

Traceback (most recent call last):
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "C:\Users\Win10_64bit\.conda\envs\jake-test\Scripts\jake.exe\__main__.py", line 9, in <module>
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\click\core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\click\core.py", line 782, in main
    rv = self.invoke(ctx)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\click\core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\click\core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\click\core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\jake\__main__.py", line 233, in ddt
    spinner.ok("?? ")
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\yaspin\core.py", line 325, in ok
    self._freeze(_text)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\yaspin\core.py", line 344, in _freeze
    sys.stdout.write(self._last_frame)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 41, in write
    self.__convertor.write(text)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 162, in write
    self.write_and_convert(text)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 187, in write_and_convert
    self.write_plain_text(text, cursor, start)
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\site-packages\colorama\ansitowin32.py", line 195, in write_plain_text
    self.wrapped.write(text[start:end])
  File "c:\users\win10_64bit\.conda\envs\jake-test\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\U0001f40d' in position 0: character maps to <undefined>

The culprit is this information at the top of the output:

�[?25h??  Collecting Dependencies
�[?25h??  Querying OSS Index
�[?25h??  Auditing results from OSS Index

If the output is set to JSON then the error no longer occurs (because that's no longer output). Note that this works when issued as a command at the command prompt as expected - it's only when it's run via a batch file that this exception is thrown, for some reason.

  • OS: Windows 10 Pro
  • Python Version: 3.6.2
  • Jake Version: 0.2.77

One simple option would be to strip that heading information away and only leave the results when '-q' is used as a switch, but the preferred option would probably be to use characters that wouldn't cause problems under Windows at all.
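
An added example, not jake's or yaspin's code, of the fallback the last paragraph suggests: decorative glyphs are only emitted when the console's encoding can represent them, with an ASCII stand-in otherwise, plus a final replace-on-encode guard so output never raises mid-scan. The glyph table and function names are constructed; the two code points in it are the ones named in the tracebacks above.

```python
import sys
from typing import Optional, TextIO

# Constructed glyph table: (preferred character, ASCII fallback). The snake
# (U+1F40D) and the braille spinner frame (U+280B) are the characters that
# cp1252 could not encode in the tracebacks above.
GLYPHS = {
    "banner": ("\U0001f40d", "[jake]"),
    "spinner": ("\u280b", "-"),
    "ok": ("\u2714", "[ok]"),
}


def stream_encoding(stream: Optional[TextIO] = None) -> str:
    """Encoding the console will actually use; 'ascii' when the stream reports none (e.g. a pipe)."""
    stream = stream or sys.stdout
    return getattr(stream, "encoding", None) or "ascii"


def can_encode(text: str, encoding: str) -> bool:
    """True if every character of text is representable in encoding."""
    try:
        text.encode(encoding)
    except (UnicodeEncodeError, LookupError):
        return False
    return True


def glyph(kind: str, encoding: Optional[str] = None) -> str:
    """Pick the decorative character only if the console can print it, else the ASCII fallback."""
    fancy, plain = GLYPHS[kind]
    return fancy if can_encode(fancy, encoding or stream_encoding()) else plain


def safe_text(text: str, encoding: str) -> str:
    """Last line of defence: replace anything unencodable so writing can never raise."""
    return text.encode(encoding, errors="replace").decode(encoding)
```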

[BUG] PyYAML is somehow hardcoded to PyYAML<6.0.0,>=5.4.1

Describe the bug
I have requirements.in and requirements-dev.in files where I track my dependencies via pip-tools.
I added jake into the requirements-dev.in file and when I tried to compile requirements via pip-compile --upgrade && pip-compile requirements-dev.in -o requirements-dev.txt --upgrade I got the following error:

Could not find a version that matches pyyaml<6.0.0,==6.0,>=5.1,>=5.4.1 (from -r requirements.txt (line 611))
Tried: 3.10, 3.10, 3.11, 3.11, 3.12, 3.12, 3.13, 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 5.3.1, 5.4, 5.4, 5.4.1, 5.4.1, 6.0, 6.0
Skipped pre-versions: 3.13b1, 3.13rc1, 4.2b1, 4.2b2, 4.2b4, 5.1b1, 5.1b3, 5.1b5, 5.2b1, 5.3b1, 5.4b1, 5.4b1, 5.4b2, 5.4b2, 6.0b1, 6.0b1
There are incompatible versions in the resolved dependencies:
pyyaml==6.0 (from -r requirements.txt (line 611))
PyYAML<6.0.0,>=5.4.1 (from jake==1.1.3->-r requirements-dev.in (line 21))
PyYAML>=5.1 (from uvicorn[standard]==0.15.0->-r requirements.txt (line 728))
pyyaml>=5.1 (from pre-commit==2.15.0->-r requirements-dev.in (line 16))

Expected behavior
The PyYAML version 6.0 should be installed.

Desktop (please complete the following information):

  • OS: Ubuntu v20
  • Python Version: 3.8.10
  • Version 1.1.3

[BUG] requirements pinned too rigidly

Describe the bug
jake is a build tool, and it isn't the only one. jake must be installed in the same venv as the packages it is trying to check, the same as other tools like pytest. (I verified jake has to be installed in the same venv as the code under test; if I install to pipx and run jake, it will tell me about jake's dependencies.) If a tool that must share the same venv with other tools pins all of its dependencies to an exact version (e.g. ==2.1.1) then you get conflicts. Yes, you can ignore conflicts until something comes along, I don't know, say a vulnerability in a package, and you have to update that package to the secure one.

pip check
jake 0.2.65 has requirement idna==2.10, but you have idna 2.8.
jake 0.2.65 has requirement requests==2.25.0, but you have requests 2.22.0.
jake 0.2.65 has requirement urllib3==1.26.2, but you have urllib3 1.25.11.

I recommend you change your requirements to something more like library>=1.5.0

This won't make the problem go away, but it makes dependency hell more manageable, especially over time as the other tools in the ecosystem move on to higher dependency version numbers, sometimes before jake does.

[BUG] Regression on exit code since v1.2.0

Describe the bug
Since v1.2.0, jake always exits with exit code 0, even when vulnerabilities are found.

To Reproduce
Steps to reproduce the behavior:

pip install pyjwt==1.3.0 jake==1.2.2
jake ddt
echo $?

Output:

โฏ jake ddt
                   ___           ___           ___     
       ___        /  /\         /  /\         /  /\    
      /__/\      /  /::\       /  /:/        /  /::\   
      \__\:\    /  /:/\:\     /  /:/        /  /:/\:\  
  ___ /  /::\  /  /::\ \:\   /  /::\____   /  /::\ \:\ 
 /__/\  /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
 \  \:\/:/~~  \__\/  \:\/:/ \__\/~|:|~~~~ \  \:\ \:\_\/
  \  \::/          \__\::/     |  |:|      \  \:\ \:\  
   \__\/           /  /:/      |  |:|       \  \:\_\/  
                  /__/:/       |__|:|        \  \:\    
                  \__\/         \__\|         \__\/    

                                                  
            /)                     /)             
        _/_(/    _     _  __   _  (/_   _         
 o   o  (__/ )__(/_   /_)_/ (_(_(_/(___(/_ o   o  
                                                  
                                                  

Jake Version: 1.2.2
Put your Python dependencies in a chokehold

๐Ÿ Collected 29 packages from your environment                       โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% -:--:--
๐Ÿ Successfully queried OSS Index for package and vulnerability info โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% -:--:--
๐Ÿ Sane number of results from OSS Index                             โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% -:--:--

[15/29] - pkg:pypi/[email protected] [VULNERABLE]
Vulnerability Details for pkg:pypi/[email protected]                                                                                                                                                                                                                                              
โ””โ”€โ”€ โš   ID: 4dc8bf86-e2ee-45b0-881f-bb4f03748b5b                                                                                                                                                                                                                                             
    โ””โ”€โ”€ โ•ญโ”€ CVE-2017-11424 โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฎ
        โ”‚                                                                                                                                                                                                                                                                                  โ”‚
        โ”‚ In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm.prepare_key` does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string `-----BEGIN RSA PUBLIC KEY-----` which  โ”‚
        โ”‚ is not accounted for. This enables symmetric/asymmetric key confusion attacks against users using the PKCS1 PEM encoded public keys, which would allow an attacker to craft JWTs from scratch.                                                                                   โ”‚
        โ”‚                                                                                                                                                                                                                                                                                  โ”‚
        โ”‚ Details:                                                                                                                                                                                                                                                                         โ”‚
        โ”‚   - CVSS Score: 7.5 - High                                                                                                                                                                                                                                                       โ”‚
        โ”‚   - CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                                                                                                                                                                                                    โ”‚
        โ”‚   - CWE: Unknown                                                                                                                                                                                                                                                                 โ”‚
        โ”‚                                                                                                                                                                                                                                                                                  โ”‚
        โ”‚ References:                                                                                                                                                                                                                                                                      โ”‚
        โ”‚   - https://ossindex.sonatype.org/vulnerability/4dc8bf86-e2ee-45b0-881f-bb4f03748b5b?component-type=pypi&component-name=pyjwt&utm_source=python-oss-index-lib%400.2.1&utm_medium=integration                                                                                     โ”‚
        โ”‚   - https://github.com/jpadilla/pyjwt/pull/277                                                                                                                                                                                                                                   โ”‚
        โ”‚   - https://nvd.nist.gov/vuln/detail/CVE-2017-11424                                                                                                                                                                                                                              โ”‚
        โ”‚                                                                                                                                                                                                                                                                                  โ”‚
        โ•ฐโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ•ฏ

                    Summary                     
โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ณโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”“
โ”ƒ Audited Dependencies โ”ƒ Vulnerabilities Found โ”ƒ
โ”กโ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ•‡โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”ฉ
โ”‚ 29                   โ”‚ 1                     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
(test-jake) 
/tmp via ๐Ÿ v3.8.11 (test-jake) on โ˜๏ธ  (eu-central-1) 
โฏ echo $?
0

Expected behavior
Jake should exit with a code 1.
This works when using jake==1.1.5

Desktop (please complete the following information):

  • OS: MacOS 12.1 / Debian11
  • Python Version: 3.8.11 / 3.9.9
  • Version 1.2+

[BUG] unexpected FIN and broken pipe through web proxy

Describe the bug
I'm not sure that this is a bug. Has this been tested through an outbound web proxy?

jake ddt works flawlessly through standard gateways, but fails with broken pipe when executed through web proxy.

To Reproduce
Steps to reproduce the behavior:
  1. Export http_proxy/https_proxy variables pointing to the outbound web proxy.
  2. Run conda list | jake ddt

Expected behavior
I expect it to scan and present vulnerabilities for all installed modules (534). Instead, it lists 371 modules and no vulnerabilities.

Screenshots

>>>>>>>>>>>>>>>>>>>>>> ERROR REPORT <<<<<<<<<<<<<<<<<<<<<<

Traceback (most recent call last):
  File "/opt/conda/lib/python3.8/site-packages/conda/exceptions.py", line 1079, in __call__
    return func(*args, **kwargs)
  File "/opt/conda/lib/python3.8/site-packages/conda/cli/main.py", line 84, in _main
    exit_code = do_call(args, p)
  File "/opt/conda/lib/python3.8/site-packages/conda/cli/conda_argparse.py", line 83, in do_call
    return getattr(module, func_name)(args, parser)
  File "/opt/conda/lib/python3.8/site-packages/conda/cli/main_list.py", line 141, in execute
    exitcode = print_packages(prefix, regex, format, piplist=args.pip,
  File "/opt/conda/lib/python3.8/site-packages/conda/cli/main_list.py", line 85, in print_packages
    print('\n'.join(map(text_type, output)))
BrokenPipeError: [Errno 32] Broken pipe

$ /opt/conda/bin/conda list

environment variables:
             CIO_TEST=<not set>
           CONDA_ROOT=/opt/conda
       CURL_CA_BUNDLE=<not set>
          HTTPS_PROXY=<set>
           HTTP_PROXY=<set>
             NO_PROXY=<set>
                 PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/ec2-user/.loca
                      l/bin:/home/ec2-user/bin:/opt/conda/bin
   REQUESTS_CA_BUNDLE=<not set>
        SSL_CERT_FILE=<not set>
           http_proxy=<set>
          https_proxy=<set>
             no_proxy=<set>

 active environment : None
   user config file : /home/ec2-user/.condarc
populated config files : /home/ec2-user/.condarc
      conda version : 4.8.4
conda-build version : 3.19.2
     python version : 3.8.2.final.0
   virtual packages : __glibc=2.26
   base environment : /opt/conda  (writable)
       channel URLs : http://x.x.x.x/condarepo/linux-64
                      http://x.x.x.x/condarepo/noarch
      package cache : /opt/conda/pkgs
                      /home/ec2-user/.conda/pkgs
   envs directories : /opt/conda/envs
                      /home/ec2-user/.conda/envs
           platform : linux-64
         user-agent : conda/4.8.4 requests/2.23.0 CPython/3.8.2 Linux/4.14.186-146.268.amzn2.x86_64 amzn/2 glibc/2.26
            UID:GID : 1000:1000
         netrc file : None
       offline mode : False

An unexpected error has occurred. Conda has prepared the above report.

Desktop (please complete the following information):

  • OS: Amazon Linux 2
  • Python Version: 3.8.2
  • Version: 0.2.24

Additional context
Appears to be a code issue, but unsure. tcpdump seems to exonerate the proxy.

[REVIEW] Review all dependencies

Given the point raised in #72, we need to assess all dependencies used in jake and confirm if they are required, maintained, supported etc.

This may lead to vendorising some packages that are no longer maintained and/or removing them from jake if their value is not important enough.

[BUG] Jake doesn't support wheel-only installation

Describe the bug
Python packages come in two sorts, sdists and wheels. An sdist runs setup.py on installation, which allows for running malicious code. Wheels do not run setup.py on install; they just unpack the code, and a user would have to invoke the malicious code intentionally via import or the like.

Jake has a dependency on termcolor, which does not have a wheel. https://pypi.org/project/termcolor/#files

To Reproduce

export PIP_ONLY_BINARY=:all:
pipenv install jake --skip-lock --verbose

Or
pip install jake --only-binary=:all:
(The flag names are misleading, because when the flag is active, it installs only the wheel version & will ignore sdist for the package and ALL dependencies, even if they are all pure python)

Expected behavior
Jake should install without having to run setup.py for it or any dependency. The audience of jake is enterprises who are taking supply chain risks seriously, probably because they have something valuable to protect. If I were a malicious hacker, I'd target termcolor on pypi (just need to guess their password), upload a malicious sdist and then steal valuables from jake users when setup.py runs.

Screenshots

[pipenv.exceptions.InstallError]: Collecting jake==1.1.3
[pipenv.exceptions.InstallError]:   Using cached jake-1.1.3-py3-none-any.whl (25 kB)
[pipenv.exceptions.InstallError]: Collecting PyYAML<6.0.0,>=5.4.1
[pipenv.exceptions.InstallError]:   Using cached PyYAML-5.4.1-cp39-cp39-win_amd64.whl (213 kB)
[pipenv.exceptions.InstallError]: ERROR: Could not find a version that satisfies the requirement termcolor<2.0.0,>=1.1.0 (from jake) (from versions: none)
[pipenv.exceptions.InstallError]: ERROR: No matching distribution found for termcolor<2.0.0,>=1.1.0
ERROR: Couldn't install package: jake
 Package installation failed...

I would recommend vendorizing your entire dependency chain (or at least the wheel-less one), but that is just because I'm paranoid about supply chain risks.
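
A defender-side check for the wheel-only install problem described above, as an added example (not part of the issue and not jake's own code): given release metadata in the shape of PyPI's JSON API, it lists the pinned packages that ship no wheel, i.e. the ones pip refuses under PIP_ONLY_BINARY=:all: and the ones whose setup.py would run on install without that flag. The release data below is a constructed sample, not a live lookup.

```python
# Constructed sample in the shape of PyPI's JSON API: releases[version] is a list
# of file entries with "filename" and "packagetype". Illustrative values only,
# not fetched from PyPI.
SAMPLE_RELEASES = {
    "jake": {"1.1.3": [
        {"filename": "jake-1.1.3-py3-none-any.whl", "packagetype": "bdist_wheel"},
        {"filename": "jake-1.1.3.tar.gz", "packagetype": "sdist"},
    ]},
    "termcolor": {"1.1.0": [
        {"filename": "termcolor-1.1.0.tar.gz", "packagetype": "sdist"},
    ]},
    "PyYAML": {"5.4.1": [
        {"filename": "PyYAML-5.4.1-cp39-cp39-win_amd64.whl", "packagetype": "bdist_wheel"},
        {"filename": "PyYAML-5.4.1.tar.gz", "packagetype": "sdist"},
    ]},
}


def is_wheel(file_entry: dict) -> bool:
    """A release file counts as a wheel only if both the extension and packagetype say so."""
    return (file_entry["filename"].endswith(".whl")
            and file_entry.get("packagetype", "bdist_wheel") == "bdist_wheel")


def wheel_less(pins: dict, releases: dict = SAMPLE_RELEASES) -> list:
    """Return (name, version) pins that have no wheel in the release data.

    Unknown package/version pairs are reported too: a pin that cannot be
    vetted must not silently pass.
    """
    missing = []
    for name, version in sorted(pins.items()):
        files = releases.get(name, {}).get(version, [])
        if not any(is_wheel(f) for f in files):
            missing.append((name, version))
    return missing


if __name__ == "__main__":
    pins = {"jake": "1.1.3", "termcolor": "1.1.0", "PyYAML": "5.4.1"}
    for name, version in wheel_less(pins):
        print(f"{name}=={version}: no wheel published, setup.py would run on install")
```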

[BUG] Invalid references for NVD CVE identifiers in CycloneDX JSON 1.4 format

Describe the bug
Version <= 1.4.1 produce wrong references in the CycloneDX JSON report.

To Reproduce
Steps to reproduce the behavior:

  1. Run jake ddt -o ~/dd2/unittests/scans/cyclonedx/jake2.json --output-format json --schema-version 1.4 --clear-cache
  2. check the report data

Expected behavior

According to the specification, references like CVE identifier should be like this:

      "references": [
        {
          "id": "CVE-2018-7489",
          "source": {
            "name": "NVD",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9997"
          }
        }
      ],

But current format is like this which is not compliant with the schema of the spec:

            "references": [
                {
                    "source": {
                        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203"
                    }
                }
            ],

A lot of data is missing. I'm interested in the source > name and the id, which are critical for a program to know it's a CVE.

Desktop (please complete the following information):

  • OS: Arch
  • Python Version: 3.9
  • Version 1.4.1

Additional context
I'm working with reports of Jake/CycloneDX JSON 1.4 format

[BUG]"conda list | jake iq -c" produces different results in comparison to "jake iq" and "nexus-iq-cli"

jake v0.2.66
Nexus IQ Server 103

Describe the bug
Running conda list | jake iq -c leads to completely different results in comparison to jake iq without stdout piping

Example environment environment.yml:

name: testenv
channels:
  - conda-forge
  - defaults
dependencies:
  - python
  - pyjwt>=1.6.4,<2.0
  - pandas
  - pip
  - openssl
  - py
  - bleach
  - pip:
    - numpy

To Reproduce

  1. Create and activate a conda environment including some packages from conda-forge, for example "pandas".

     conda env create -f environment.yml
     conda activate testenv
     pip install jake

  2. Setup a Nexus-IQ-Server.
  3. Submit test results to the Nexus IQ server via conda list | jake iq -c and jake iq.
  4. Check the results in the printed nexus-iq link. Notice that the vulnerability result is completely different.

I expect the result to be identical. It shouldn't matter if I pipe the output of conda list to the tool or let Jake find out the dependencies in the currently activated environment.

Screenshots
conda list | jake iq -c results in:
[screenshot]

jake iq results in:
[screenshot]

[FEATURE] add an optional whitelist to ddt

  • What are you trying to do?

It would be nice to have a whitelist of certain vulnerabilities / packages that are ignored in the evaluation of the error code.

  • What feature or behavior is this required for?

There might be packages that have known vulnerabilities but are patched manually or not used in a fashion that makes them vulnerable. In these cases it would be nice to have a kind of "whitelist".
This is especially relevant if the error code returned by jake is relevant in some way or another (pre commit hook for example).

  • How could we solve this issue? (Not knowing is okay!)

auditjs has a "whitelist" option that might be applicable here as well:
https://github.com/sonatype-nexus-community/auditjs#whitelisting

jake ddt --whitelist .jake.json

or something similar.

cc @bhamail / @DarthHater

[FEATURE] Don't install testing dependencies when installing via pip

  • What are you trying to do?
    The list of dependencies that is installed together with Jake at the moment is extremely long. Not all of these requirements are needed for running Jake, but only for its development.

  • What feature or behavior is this required for?
    Having a lightweight environment to run Jake from, e.g. as part of a CI process.

  • How could we solve this issue? (Not knowing is okay!)
    Revising the list of dependencies installed via install_requires, only including the minimum set necessary for running Jake. Other dependencies can be moved to tests_requires, if they are necessary to run the tests.

  • Anything else?
    As a follow-up step, it might make sense to relax the defined versions, to make Jake play nicer with other projects installed in the same repo.

cc @bhamail / @DarthHater

[FEATURE] Manage site-packages priority

I can't find a good way to prioritize which site package gets prioritized on the system path. Gonna have to go into the tubes and figure it out but i imagine it'll be a few lines. Would be really cool to have jake manage it and let a user shuffle those around.

cc @bhamail / @DarthHater

[BUG] TypeError in oss.py when CWEs are found (#95 followup)

Describe the bug
When finding a vulnerability having a CWE, jake 1.4.3 now produces a TypeError (seems to be a followup error of the #95 bugfix)

To Reproduce
Steps to reproduce the behavior:

  1. Run a docker container with image python:3.6-slim: docker run --rm -it --name jaketest python:3.6-slim bash
  2. Inside the container, install and activate a virtual environment. The version of pip inside that environment will be 18.1 which has known vulnerabilities.
  3. Install jake inside the virtual environment
  4. Run jake ddt
  5. jake produces the error TypeError: sequence item 0: expected str instance, int found

Expected behavior
Jake produces a vulnerability report.

Screenshots

(jake143) root@0163a4bf5553:/# pip show pip
Name: pip
Version: 18.1
Summary: The PyPA recommended tool for installing Python packages.
Home-page: https://pip.pypa.io/
Author: The pip developers
Author-email: [email protected]
License: MIT
Location: /jake143/lib/python3.6/site-packages
Requires: 
Required-by: 
(jake143) root@0163a4bf5553:/# jake ddt

Jake Version: 1.4.3
Put your Python dependencies in a chokehold

๐Ÿ Collected 26 packages from your environment                       โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% 0:00:00
๐Ÿ Successfully queried OSS Index for package and vulnerability info โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% 0:00:00
๐Ÿ Sane number of results from OSS Index                             โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% 0:00:00
๐Ÿ Munching & crunching data...                                      โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% 0:00:00

[4/26] - [email protected] [VULNERABLE]
Traceback (most recent call last):
  File "/jake143/bin/jake", line 11, in <module>
    sys.exit(main())
  File "/jake143/lib/python3.6/site-packages/jake/app.py", line 124, in main
    JakeCmd().execute()
  File "/jake143/lib/python3.6/site-packages/jake/app.py", line 69, in execute
    exit_code: int = command.execute(arguments=self._arguments)
  File "/jake143/lib/python3.6/site-packages/jake/command/__init__.py", line 45, in execute
    return self.handle_args()
  File "/jake143/lib/python3.6/site-packages/jake/command/oss.py", line 174, in handle_args
    self._print_oss_index_report(components=components)
  File "/jake143/lib/python3.6/site-packages/jake/command/oss.py", line 239, in _print_oss_index_report
    OssCommand._print_vulnerability(tree=tree, v=v)
  File "/jake143/lib/python3.6/site-packages/jake/command/oss.py", line 298, in _print_vulnerability
    """
  File "/jake143/lib/python3.6/site-packages/jake/command/oss.py", line 292, in <listcomp>
    f'CWEs: {",".join(v.cwes) if v.cwes else "Not Recorded"}[bright_white]' for rating in v.ratings])}
TypeError: sequence item 0: expected str instance, int found
(jake143) root@0163a4bf5553:/# 

Desktop (please complete the following information):

  • OS: Linux x86-64
  • Python Version: 3.6.15
  • Version: 1.4.3

Additional context
In a Python 3.9.10 virtual environment with no additional packages installed, jake 1.4.3 exits with the error TypeError: 'int' object is not callable – probably also caused by the #95 fix.

[BUG] Missing attribute generating report in version 1.4 in JSON format, an attribute is missing.

When generating report in version 1.4 in JSON format, an attribute is missing in the components data.

According to the CycloneDX specification, a vulnerability references a component by its bom-ref. So the components should have a bom-ref.

My advice is to use the PURL string as the bom-ref.

[screenshot]

Renamed with txt because github
jake.json.txt

Version

  • Python 3.9
  • Jake 1.4.0
  • cmd jake ddt --output-format cyclonedx-json --schema-version 1.4 -o ~/dd2/jake.json
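
An added example (not jake's own code and not from either report) that post-processes a CycloneDX 1.4 JSON document for the two problems raised above: it fills in the missing "id" and "source.name" of NVD vulnerability references (the [BUG] Invalid references report) and sets each component's bom-ref to its PURL so that vulnerability "affects" refs resolve (this report). The input document below is a constructed sample with a placeholder package name; only the CVE is taken from the report.

```python
import re
from copy import deepcopy

# Constructed sample in the shape both reports describe: a component without
# "bom-ref" and a reference that carries only a URL. The package is a placeholder.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"type": "library", "name": "example-pkg", "version": "1.0.0",
                    "purl": "pkg:pypi/example-pkg@1.0.0"}],
    "vulnerabilities": [{
        "id": "CVE-2021-33203",
        "references": [{"source": {"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203"}}],
        "affects": [{"ref": "pkg:pypi/example-pkg@1.0.0"}],
    }],
}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def complete_reference(ref: dict) -> dict:
    """Return a copy of a vulnerability reference with "id" and "source.name" filled in.

    The CVE id is recovered from the URL; the source name is set to NVD only when
    the URL really points at nvd.nist.gov. Existing values are never overwritten.
    """
    fixed = deepcopy(ref)
    url = fixed.get("source", {}).get("url", "")
    match = CVE_RE.search(url)
    if match:
        fixed.setdefault("id", match.group(0))
    if "nvd.nist.gov" in url:
        fixed.setdefault("source", {}).setdefault("name", "NVD")
    return fixed


def normalise_bom(bom: dict) -> dict:
    """Apply both fixes: bom-ref = purl on components, completed references on vulnerabilities."""
    out = deepcopy(bom)
    for comp in out.get("components", []):
        if "bom-ref" not in comp and "purl" in comp:
            comp["bom-ref"] = comp["purl"]
    for vuln in out.get("vulnerabilities", []):
        vuln["references"] = [complete_reference(r) for r in vuln.get("references", [])]
    return out


def dangling_affects(bom: dict) -> list:
    """Return the "affects" refs that match no component bom-ref (a consumer cannot link them)."""
    known = {c.get("bom-ref") for c in bom.get("components", [])}
    return [a["ref"] for v in bom.get("vulnerabilities", [])
            for a in v.get("affects", []) if a.get("ref") not in known]
```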

-r problems

Trying to point to a requirements file and having issues. Am I missing something dumb? Thanks <3

[screenshot]

Running jake on Windows produces OSError [BUG]

Description
Running jake on Windows produces the following error:

> jake --help
Traceback (most recent call last):
  File "...\lib\runpy.py", line 193, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "...\lib\runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "...\Scripts\jake.exe\__main__.py", line 4, in <module>
  File "...\lib\site-packages\jake\__main__.py", line 22, in <module>
    from os import _exit, EX_OSERR, path, mkdir
ImportError: cannot import name 'EX_OSERR' from 'os' (...\lib\os.py)
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='cp1252'>
OSError: [Errno 22] Invalid argument

Desktop:

  • OS: Windows 10 - 1903
  • Python: 3.6
  • Version 0.1.7

[FEATURE] Pre-commit hook support

  • Pre-commit is a popular Python tool for managing, using, and sharing Git hooks. Presently there appear to be no shared hooks for Jake.

  • This supports using Jake for local feedback in an automated fashion

  • The impact of not implementing is higher barriers to uptake of Jake, as well as some minor duplication of work with developers implementing something locally

  • PR incoming. No further comment.

cc @bhamail / @DarthHater

[FEATURE] Output Vulnerabilities in a table

  • What are you trying to do?

Similar to what we did on Nancy, output vulnerabilities in a table format.

[screenshot: vulnerability table output from Nancy]

  • What feature or behavior is this required for?

Not really required, but just a nice UX improvement. @ChurchRyan can answer questions if necessary!

  • How could we solve this issue? (Not knowing is okay!)

On the branch Summary I have started a bit of this work, and used a table to output a Summary. If you follow that approach, you can replicate this for Vulnerabilities in audit.py in the print_vulnerability method.

  • Anything else?

HAVE A BLAST!!!!

cc @bhamail / @DarthHater

[BUG] Support for scanning conda packages using "jake ddt -c" removed from version 1.0

In the earlier versions of jake e.g. 0.2.77 I was able to scan non-python conda packages which show up in a "conda list" but not in "pip list" output. This was very useful for looking for vulnerabilities in packages from conda-forge which are not available in conda main. The command used was:
conda list | jake ddt -c
In more recent versions support for the -c flag appears to have been removed. Does anyone know why this was removed and if it can be restored?

[BUG] Jake may exit with exit code 0 given a high number of vulnerabilities

Jake exits with an exit code which is the number of vulnerabilities. The problem is that exit codes have a limit, and when that limit is exceeded unexpected things happen.

$ python -c "import sys; sys.exit(12)" || echo $?
12
$ python -c "import sys; sys.exit(100)" || echo $?
100
$ python -c "import sys; sys.exit(200)" || echo $?
200
$ python -c "import sys; sys.exit(300)" || echo $?
44
$ python -c "import sys; sys.exit(255)" || echo $?
255
$ python -c "import sys; sys.exit(256)" || echo $?
$ python -c "import sys; sys.exit(256)" && echo $?
0

If someone is unlucky enough to have a number of vulnerabilities that is a multiple of 256, the exit code will be zero, indicating everything is fine...

You probably want to do something like code = min(audit.audit_results(), 255) instead of just using the result of audit_results() as is.
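
The wrap-around described above, as an added example (not jake's own code): one function models the 8-bit truncation a POSIX parent applies to an exit status, another runs a child interpreter to show the status the shell really receives, and the third is the clamped mapping the report suggests, which can never return 0 for a non-zero count.

```python
import subprocess
import sys


def truncated_exit_status(code: int) -> int:
    """Model what the parent sees: POSIX keeps only the low 8 bits of the exit status."""
    return code & 0xFF


def observed_exit_status(code: int) -> int:
    """Run a child interpreter that calls sys.exit(code) and return the status the parent receives."""
    child = subprocess.run([sys.executable, "-c", f"import sys; sys.exit({int(code)})"])
    return child.returncode


def clamped_exit_code(vulnerability_count: int) -> int:
    """Exit code for a vulnerability count that cannot wrap back to 0.

    0 means a clean run; any positive count maps into 1..255, with 255 standing
    for "255 or more". This is the min(..., 255) approach from the report.
    """
    if vulnerability_count <= 0:
        return 0
    return min(vulnerability_count, 255)


if __name__ == "__main__":
    for count in (12, 255, 256, 300, 512):
        print(f"{count:4d} vulnerabilities: shell sees {observed_exit_status(count):3d}, "
              f"clamped code {clamped_exit_code(count):3d}")
```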
