Metadata-Version: 2.4
Name: bdsca-analysis-config-file
Version: 0.1.6
Summary: Tools and CLI for handling BDSCA analysis configuration file(s).
Author: Jouni Lehto
License-Expression: MIT
Project-URL: Homepage, https://github.com/lejouni/bdsca-analysis-config-file
Project-URL: Repository, https://github.com/lejouni/bdsca-analysis-config-file
Keywords: bdsca,analysis,config,yaml,cli
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Operating System :: OS Independent
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: PyYAML>=6.0
Requires-Dist: jsonschema>=4.17.0
Provides-Extra: dev
Requires-Dist: pytest>=7.4; extra == "dev"
Requires-Dist: pytest-cov>=4.1; extra == "dev"
Requires-Dist: ruff>=0.5.0; extra == "dev"
Requires-Dist: black>=24.3.0; extra == "dev"
Requires-Dist: mypy>=1.10.0; extra == "dev"
Requires-Dist: types-setuptools>=68.0.0.3; extra == "dev"
Requires-Dist: pre-commit>=3.7.0; extra == "dev"
Dynamic: license-file


# bdsca-analysis-config-file

Utilities and CLI to validate and work with BDSCA analysis configuration files (YAML).

This tool supports:
- Validating config files with friendly error output
- Adding missing components to a project BOM
- Overwriting component versions in the BOM
- Triaging vulnerabilities (by CVE or BDSA), including filters by vendor and SHA

It also supports dry-run mode to preview changes, and paginated search when resolving components by name/version.

## CLI usage

All commands are available via the `bdsca-config` CLI.

### Show version

```
bdsca-config --version
```

### Validate a YAML configuration file

```
bdsca-config validate <config.yaml> [--output yaml|json|summary] [--target]
```

- Validates the file and prints errors in a table if invalid.
- `--output` pretty-prints the file in YAML, JSON, or a concise summary.
- `--target` prints the effective change target (project info).

### Add missing components to BOM

```
bdsca-config add-components <config.yaml> --base-url <BLACKDUCK_URL> --api-token <TOKEN> [--insecure] [--verbosity info|debug] [--dryrun]
```

- Adds missing components from `componentAdditions` to each target project.
- Each `componentAdditions` entry can identify a component by:
  - purl
  - name (with optional version and vendor)

Examples:

```
componentAdditions:
  - component:
      purl: pkg:maven/org.apache.commons/commons-lang3@3.12.0
  - component:
      name: commons-io
      version: "2.13.0"
      vendor: maven
```

### Remediate vulnerabilities

```
bdsca-config remediate <config.yaml> --base-url <BLACKDUCK_URL> --api-token <TOKEN> [--insecure] [--verbosity info|debug] [--dryrun]
```

- Validates the file and performs remediation using Black Duck.
- `vulnerabilityTriages` can identify a component by any of:
  - purl
  - name + version
  - sha (file/component SHA)
- Each triage uses either `cve` or `bdsa`, plus a `resolution` and optional `comment`.
- `--dryrun` previews changes without making updates.

Example excerpt:

```
vulnerabilityTriages:
  - component:
      name: lodash
      version: "4.17.21"
      vendor: npmjs
    triages:
      - cve: CVE-2020-8203
        resolution: NOT_AFFECTED
        comment: Affected code not used
  - component:
      sha: 5e884898da28047151d0e56f8dc6292773603d0d
    triages:
      - bdsa: BDSA-2024-1234
        resolution: PATCHED
        comment: Fixed by upstream
```

### Overwrite component version

```
bdsca-config overwrite <config.yaml> --base-url <BLACKDUCK_URL> --api-token <TOKEN> [--insecure] [--verbosity info|debug] [--dryrun]
```

- Reads the `overrides` section and updates matching BOM components.
- A component can be identified by `purl` OR by `name` (with optional `version` and `vendor`).
- Set `newVersion` to the desired component version.
- `--dryrun` previews without making changes.

Example excerpt:

```
overrides:
  - component:
      name: Apache Commons IO
      version: "2.2"
      vendor: maven
    newVersion: "2.3"
  - component:
      purl: pkg:npm/semver@5.7.2
    newVersion: "5.7.1"
```

Notes:
- The `vendor` should match the origin name in Black Duck (e.g., `maven`, `npmjs`).
- The tool resolves component versions and origins; for name-based lookups it paginates results when necessary.

### Module usage

You can also run commands via Python module execution:

```
python -m bdsca_analysis_config_file --version
python -m bdsca_analysis_config_file validate examples/example.yaml
```

## Configuration reference

High-level structure:

```
specVersion: "1"
changeTarget:
  - project: { name: <string>, version: <string> }
componentAdditions: []
overrides: []
vulnerabilityTriages: []
```

Targets (one or more projects):

```
changeTarget:
  - project:
      name: example-project
      version: "1.0"
  - project:
      name: another-project
      version: "main"
```

Component additions:

```
componentAdditions:
  - component:
      purl: pkg:pypi/sample@1.0.0
  - component:
      name: sample-lib
      version: "2.0.0"
      vendor: maven
```

Overrides:

```
overrides:
  - component:
      name: example-component
      vendor: ExampleVendor
      version: "1.0.0"
    newVersion: "1.0.1"
```

Vulnerability triages:

```
vulnerabilityTriages:
  - component:
      purl: pkg:maven/org.example/foo@1.2.3
    triages:
      - cve: CVE-2024-0001
        resolution: PATCHED
        comment: fixed upstream
  - component:
      name: lib-a
      version: "1.2.3"
      vendor: vendor-a
    triages:
      - bdsa: BDSA-2024-1111
        resolution: IGNORED
        comment: Not in our threat model
  - component:
      sha: 0123456789abcdef0123456789abcdef01234567
    triages:
      - cve: CVE-2023-9999
        resolution: MITIGATED
        comment: Mitigated by sandboxing
```

See `examples/example_all.yaml` for a comprehensive sample covering all flows.

## Output examples

Single project summary:

```
bdsca-config validate examples/example.yaml --output summary --target
...
target: project name='example-project' version='1.0'
```

Multiple projects summary:

```
bdsca-config validate examples/example2.yaml --output summary --target
...
target:
  - project name='HippotechOrg/sampleapp' version='main'
  - project name='HippotechOrg/anotherapp' version='1.2.3'
```

## Features

- Modern `src/` layout with `pyproject.toml`
- CLI with validate, add-components, remediate, overwrite
- Tests via pytest; lint via ruff/black; typing via mypy
- Dry-run support for safe previews
- Pagination when searching components by name/version

## Quickstart

Install in editable mode and run tests:

```
python -m venv .venv
.venv\Scripts\Activate.ps1
pip install -U pip
pip install -e .[dev]
pytest
```

## Installation

Local build and install:

```
python -m build
pip install dist/bdsca_analysis_config_file-<version>-py3-none-any.whl
```

Replace `<version>` with the actual version (e.g., `0.1.2`).

From PyPI or TestPyPI:

```
pip install bdsca-analysis-config-file
```

or

```
pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple bdsca-analysis-config-file
```

## Release documentation

See the dedicated guide in `docs/release.md` for release workflow and options.

## Dry-run mode

- Use the `--dryrun` flag with `remediate` or `overwrite` to preview changes.
- The CLI prints current values alongside the new values that would be applied.
- No PUT requests are sent in dry-run mode.

## License

MIT © Jouni Lehto
