Support for better parseable output format

[obfuscoder]

We use bundler audit regularly and it helps us a lot!

However, we would prefer a better parseable output format (activated via parameter) such as XML or JSON.

Most helpful would be the XML format as created by the OWASP Dependency Checker

https://www.owasp.org/index.php/OWASP_Dependency_Check

which then could be integrated in our continuous integration build infrastructure with the help of the Jenkins Dependency Check Plugin:

https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin

For the meantime we use our own CLI and call Scanner.new.scan.

[patbl]

Related PRs:

• Add support for json formatted output #162
• Added --json to output vulnerabilities in json format. #170
• Adding --json option which allows json only output. #176

[jborrey]

🙏

[postmodern]

@obfuscoder can you link me to the XSD file for the OWASP Dependency Checker output format?

I would like to create Report Formatter classes for handling plain-text, json, etc. Also would like to avoid depping in nokogiri for XML output; rexml has been moved out of stdlib as well. Perhaps we could lazy-load the Formatter class and have an optional bundler-audit-owasp gem?

[obfuscoder]

@postmodern If I am not mistaken, the current XSD for the depencency check can be found here:

https://github.com/jeremylong/DependencyCheck/blob/master/dependency-check-core/src/main/resources/schema/dependency-check.1.6.xsd

Requiring an additional gem for having this output format supported is fine with me.

[dnd]

I would give a +1 to creating a formatter class, and provide a way for people to hook in their own gems for formatting. Providing some common ones such as plain text, json, html in the main project would probably be good. Then for something more specific like OWASP have an optional gem like suggested.

[postmodern]

Sorry for the long pause. I did a code-spike and came up with an extendable interface for registering different "printers". Check it out: https://github.com/rubysec/bundler-audit/compare/cli-printers?expand=1

[uberspot]

Nice 👍 Are there plans to add json output as well in the printers? ^_^

[postmodern]

I'm still fiddling with the API. Adding a Report class, and thinking about supporting output to a file, so only the report data gets saved and not any output from git pull. Will probably add a very basic JSON formatter.

[postmodern]

OK, the API is now called CLI::Formats and is merged into the 0.7.0 branch. Going to start working on a JSON schema for the results.

[alexives]

This might sound weird, but it'd be super nice to have a junit xml output. Gitlab supports it without needing enterprise edition and it would be nice to get a merge request level report when vulnerabilities appear. For projects that use the gradle task https://www.owasp.org/index.php/OWASP_Dependency_Check, I actually have a custom task that converts it to junit so that it shows up.

Also, IIRC Jenkins supports junit output without a plugin, so it might be nice for people on jenkins too.

[salzig]

Hope #206 gets us some progress :)

[postmodern]

The Bundler::Audit::CLI::Formats API has been completed in the 0.8.0 branch and will be merged/released soon.

[postmodern]

bundler-audit 0.8.0.rc1 has been released! Please test and provide any QA feedback.

$ gem install --pre bundler-audit