Initial move to Cobra, and start using go-sona-types

[DarthHater]

Basically, start using Cobra to do all of our CLI fun stuff, and leverage the new go-sona-types project

To show this working for multiple commands, I've done a very basic IQ implementation atm

This pull request makes the following changes: A SLEW

cc @bhamail / @DarthHater

[zendern]

First things first branch name on point 👍

[zendern]

note: module requires Go 1.12# github.com/sonatype-nexus-community/go-sona-types/ossindex/internal/cache travis needs some fiddling....its not happy that its only building/testing with version 1.11.

[zendern]

zender [projects/oss/ahab]  CobraCommander ✔ → ./ahab chase                                                                                        [af36664]
 ______      __                    __
/\  _  \    /\ \                  /\ \
\ \ \L\ \   \ \ \___       __     \ \ \____
 \ \  __ \   \ \  _ `\   /'__`\    \ \ '__`\
  \ \ \/\ \   \ \ \ \ \ /\ \L\.\_   \ \ \L\ \
   \ \_\ \_\   \ \_\ \_\\ \__/.\_\   \ \_,__/
    \/_/\/_/    \/_/\/_/ \/__/\/_/    \/___/
  _        _                           _    _
 /_)      /_` _  _  _ _/_     _  _    (/   /_` _ . _  _   _/  _
/_) /_/  ._/ /_// //_|/  /_/ /_//_'  (_X  /   / / /_'/ //_/ _\
    _/                   _/ /
Ahab version: development

Do you know if we can fix this case when nothing is passed in?? So that it prints the help for chase instead?? Super edge case but again would be useful if you do something wrong.

zender [projects/oss/ahab]  CobraCommander ✔ → ./ahab chase --help                                                                                 [af36664]
chase is used for auditing projects with OSS Index

Usage:
  ahab chase [flags]

Flags:
  -v, -- count          Set log level, higher is more verbose
      --clean-cache
  -h, --help            help for chase
      --loud
      --no-color
      --os string        (default "debian")
      --output string    (default "text")
      --quiet
      --token string
      --user string
      --whales string

[zendern]

Sooo tests currently pass on this branch so thats a thing (ignoring travisci for me) but doing some manual testing looks like things are not as I would expect see output from Dockerfile that is in the project. So as with all my PR reviews....probably need mo' tests :)

Step 7/7 : RUN dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab chase
 ---> Running in f17bfe693657
 ______      __                    __
/\  _  \    /\ \                  /\ \
\ \ \L\ \   \ \ \___       __     \ \ \____
 \ \  __ \   \ \  _ `\   /'__`\    \ \ '__`\
  \ \ \/\ \   \ \ \ \ \ /\ \L\.\_   \ \ \L\ \
   \ \_\ \_\   \ \_\ \_\\ \__/.\_\   \ \_,__/
    \/_/\/_/    \/_/\/_/ \/__/\/_/    \/___/
  _        _                           _    _
 /_)      /_` _  _  _ _/_     _  _    (/   /_` _ . _  _   _/  _
/_) /_/  ._/ /_// //_|/  /_/ /_//_'  (_X  /   / / /_'/ //_/ _\
    _/                   _/ /
Ahab version: development

Vulnerable Packages

[1/5]   pkg:deb/debian/bzip2@1.0.6
2 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2019-12900] BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds  ┃
┃ write...                                                                                         ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds  ┃
┃                    ┃ write when there are many selectors.                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 91d1f1ed-9b9c-44ec-bf86-55fc87897ecb                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 9.8/10 (Critical)                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/91d1f1ed-9b9c-44ec-bf86-55fc87897ecb     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2016-3189] Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attack ┃
┃ ...                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote   ┃
┃                    ┃ attackers to cause a denial of service (crash) via a crafted bzip2 file,    ┃
┃                    ┃ related to block ends set to before the start of the block.                 ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 78ccb4aa-3ae1-4f9e-b192-d2ee53776e8a                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 6.5/10 (Medium)                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/78ccb4aa-3ae1-4f9e-b192-d2ee53776e8a     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[2/5]   pkg:deb/debian/coreutils@8.28
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2017-18018] In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent ┃
┃  ...                                                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not     ┃
┃                    ┃ prevent replacement of a plain file with a symlink during use of the POSIX  ┃
┃                    ┃ "-R -L" options, which allows local users to modify the ownership of        ┃
┃                    ┃ arbitrary files by leveraging a race condition.                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 2a76fef2-abd2-49ff-9459-3cee41443b4a                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 4.7/10 (Medium)                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/2a76fef2-abd2-49ff-9459-3cee41443b4a     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[3/5]   pkg:deb/debian/openssl@1.1.1
4 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2018-16395]  Data Handling                                                                  ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x  ┃
┃                    ┃ before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two ┃
┃                    ┃ OpenSSL::X509::Name objects are compared using ==, depending on the         ┃
┃                    ┃ ordering, non-equal objects may return true. When the first argument is one ┃
┃                    ┃ character longer than the second, or the second argument contains a         ┃
┃                    ┃ character that is one less than a character in the same position of the     ┃
┃                    ┃ first argument, the result of == will be true. This could be leveraged to   ┃
┃                    ┃ create an illegitimate certificate that may be accepted as legitimate and   ┃
┃                    ┃ then used in signing or encryption operations.                              ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 9ac68536-0a39-4e94-b3d5-6a5726be91ad                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 9.8/10 (Critical)                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/9ac68536-0a39-4e94-b3d5-6a5726be91ad     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2019-0190]  Improper Input Validation                                                       ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ A bug exists in the way mod_ssl handled client renegotiations. A remote     ┃
┃                    ┃ attacker could send a carefully crafted request that would cause mod_ssl to ┃
┃                    ┃ enter a loop leading to a denial of service. This bug can be only triggered ┃
┃                    ┃ with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or  ┃
┃                    ┃ later, due to an interaction in changes to handling of renegotiation        ┃
┃                    ┃ attempts.                                                                   ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ d3c31c2b-1117-49a6-990e-e8b16d530582                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.5/10 (High)                                                               ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/d3c31c2b-1117-49a6-990e-e8b16d530582     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2018-0734] The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing  ┃
┃ ...                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a    ┃
┃                    ┃ timing side channel attack. An attacker could use variations in the signing ┃
┃                    ┃ algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected     ┃
┃                    ┃ 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL   ┃
┃                    ┃ 1.0.2q (Affected 1.0.2-1.0.2p).                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 61b37c84-9c43-42dd-8c52-047b06031fd8                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.9/10 (Medium)                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/61b37c84-9c43-42dd-8c52-047b06031fd8     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2018-0735] The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timin ┃
┃ ...                                                                                              ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a  ┃
┃                    ┃ timing side channel attack. An attacker could use variations in the signing ┃
┃                    ┃ algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected     ┃
┃                    ┃ 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 61538021-1545-4bc3-a154-15b7441d11c3                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.9/10 (Medium)                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/61538021-1545-4bc3-a154-15b7441d11c3     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[4/5]   pkg:deb/debian/procps@3.3.12
1 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2018-1121]  Concurrent Execution using Shared Resource with Improper Synchronization ("Race ┃
┃  Condition")                                                                                     ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ procps-ng, procps is vulnerable to a process hiding through race condition. ┃
┃                    ┃ Since the kernel's proc_pid_readdir() returns PID entries in ascending      ┃
┃                    ┃ numeric order, a process occupying a high PID can use inotify events to     ┃
┃                    ┃ determine when the process list is being scanned, and fork/exec to obtain a ┃
┃                    ┃ lower PID, thus avoiding enumeration. An unprivileged attacker can hide a   ┃
┃                    ┃ process from procps-ng's utilities by exploiting a race condition in        ┃
┃                    ┃ reading /proc/PID entries. This vulnerability affects procps and procps-ng  ┃
┃                    ┃ up to version 3.3.15, newer versions might be affected also.                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 0e6c2220-d7e7-43c7-8ff8-aae35b71fc49                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.9/10 (Medium)                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/0e6c2220-d7e7-43c7-8ff8-aae35b71fc49     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
[5/5]   pkg:deb/debian/tar@1.29
3 known vulnerabilities affecting installed version
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2016-6321]  Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")  ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ Directory traversal vulnerability in the safer_name_suffix function in GNU  ┃
┃                    ┃ tar 1.14 through 1.29 might allow remote attackers to bypass an intended    ┃
┃                    ┃ protection mechanism and write to arbitrary files via vectors related to    ┃
┃                    ┃ improper sanitization of the file_name parameter, aka POINTYFEATHER.        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 807371fb-f829-4c4b-b949-7e8ef5667f61                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.5/10 (High)                                                               ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/807371fb-f829-4c4b-b949-7e8ef5667f61     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2019-9923]  NULL Pointer Dereference                                                        ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer     ┃
┃                    ┃ dereference when parsing certain archives that have malformed extended      ┃
┃                    ┃ headers.                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ 3995432e-6d34-4c8d-85f0-6133ced353ee                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.5/10 (High)                                                               ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/3995432e-6d34-4c8d-85f0-6133ced353ee     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━���━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2018-20482]  Out-of-bounds Read                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage      ┃
┃                    ┃ during read access, which allows local users to cause a denial of service   ┃
┃                    ┃ (infinite read loop in sparse_dump_region in sparse.c) by modifying a file  ┃
┃                    ┃ that is supposed to be archived by a different user's process (e.g., a      ┃
┃                    ┃ system backup running as root).                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ fa771d50-21f3-4cf6-a97d-f5ecd9437e2a                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 4.7/10 (Medium)                                                             ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vuln/fa771d50-21f3-4cf6-a97d-f5ecd9437e2a     ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 92 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 0  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛Removing intermediate container f17bfe693657
 ---> 345545471461
Successfully built 345545471461

There are 5 vulnerable deps....but it says that vulnerable deps is 0 and it still let the docker container build. Master shows 5/92 deps (not going to paste output....its alot :) ) and exits and doesn't allow the docker container to build.

[DarthHater]

@zendern I believe I just fixed all the Docker stuff in: af8c1a5

[zendern]

@zendern I believe I just fixed all the Docker stuff in: af8c1a5

👍 ....looks good on my machine.

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 92 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 5  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛The command '/bin/sh -c dpkg-query --show --showformat='${Package} ${Version}\n' | ./ahab chase' returned a non-zero code: 1

[DarthHater]

@zendern @bhamail I'm walking away from this as of this moment, because if I sit at my desk any longer I'll just scope creep the hell out of this PR. As it sits:

• Rewrote entirely to use Cobra (at least the basics for now)
• Uses go-sona-types entirely, no more Nancy dependency
• Removed whales command line arg from chase, figured this was likely not used
• Added IQ functionality
• Setup logger
• Simplified a lot of the code I wrote when I initially pieced this together

If y'all dig this I'll merge it and then pick off CircleCI, etc...

[zendern]

I give my unofficial 👍 . I'm cool with this only thing is this change.

Removed whales command line arg from chase, figured this was likely not used

I'm guessing you are right but since we probably dont have any stats on it we dont know....... so should we 1.0.0 this to be good open source citizens and let the people know its going to be broken if they are in fact using it.