Metadata-Version: 2.1
Name: blackduck-results
Version: 1.0.16
Summary: Recursively traverse subprojects and report libraries with vulnerable components in a format suitable for integration with other tools and human consumption.
Home-page: https://https://dsgithub.trendmicro.com/fabioa/blackduck-results
Author: Fabio Arciniegas
Author-email: fabio_arciniegas@trendmicro.com
Requires-Python: >=3.6
Description-Content-Type: text/markdown
License-File: LICENSE

# blackduck-results

Recursively collate library findings on a BlackDuck project and subprojects and return in a format suitable for integration with other tools such as Slack and JIRA.

## Quick Start

Create a ```.restconfig.json``` This is necessary for the blackduck REST API. DO NOT add this to any repository. The format is: 

```
        {
        "baseurl": "https://yourbd.com",
        "api_token": "YOUR_TOKEN_HERE",
        "insecure": false,
        "debug": false
        }
```

install the package

```
pip install blackduck-results
```

The package installation process left an executable ```bd-results``` which you can use directly to get the offending components in any project and version:


```
$bd-results project_name version_name
```


# Formats and cutoff points

```bd-results``` supports several options for formatting. The default is a short list of name and version of offending libraries, probably most useful for scripting and integration with slack, others are CSV, JSON, and PANDAS which gives a nice tabulation to stdout for quick manual checks.

Together with the cutoff parameter, one can inspect/integrate reports about offending projects in a variety of scenarios.e.g.

```
$ bd-results --cutoff high --format PANDAS sample_project Master 
                                 Component             Version  Critical Security Risk  High Security Risk  Total
54                         Apache ActiveMQ             5.15.12                       1                   1      2
279                               elliptic              v6.5.3                       0                   1      1
345                                 Gradle              4.10.3                       1                   2      3
986                                   y18n               4.0.0                       1                   0      1
```

# Tree

```bd-results``` allows you to see the recursive progress through subprojects as the results are being collected. e.g.

```
$bd-results --cutoff high --tree XX-YYY-XX-POC Latest
XX-YUY-XG-XRXC-Dynamo
	foo-dynamodb-backup
	foo-dynamodb-restore
	foo-library-ui-components
XX-YYY-XX-POC-entitlements
	infra-subscriptions
XX-YYY-XX-POC-UI
	XXC-foo-web-app-support 
	foo-library-ui-components
	foo-web-app-landing
Lodash 4.17.20
node-ini 1.3.5
Socket.IO Parser 3.3.1
axios v0.21.0
Lodash 4.17.19

```

# General Help

```
bd-results --help
usage: bd-results [-h] [-c {medium,high,critical,low}] [-f {SHORT,PANDAS,CSV,JSON}] [--tree] project_name version_name

Report the offending libraries from a given project+version in a short format suitable for jira/slack notifications. Note
blackduck connection depends on a .restconfig.json file which must be present in the current directory. It's format is: {
"baseurl": "https://foo.blackduck.xyz.com", "api_token": "YOUR_TOKEN_HERE", "insecure": true, "debug": false }

positional arguments: 
  project_name
  version_name

optional arguments:
  -h, --help            show this help message and exit
  -c {medium,high,critical,low}, --cutoff {medium,high,critical,low}
                        Minimum level of risk to report
  -f {SHORT,PANDAS,CSV,JSON}, --format {SHORT,PANDAS,CSV,JSON}
                        Report format
  --tree                Print tree of subprojects as stats are being gathered
  
Standard POSIX exit codes for OK, DATAERR, CONFIG
```


