---
output: github_document
editor_options:
chunk_output_type: console
---
<!-- README.md is generated from README.Rmd. Please edit that file -->
# oysteR <a href="https://github.com/sonatype-nexus-community/oysteR"><img src="man/figures/logo.png" align="right" height="138.5" /></a>
[![CRAN status](https://www.r-pkg.org/badges/version/oysteR)](https://CRAN.R-project.org/package=oysteR)
[![R-CMD-check](https://github.com/sonatype-nexus-community/oysteR/workflows/R-CMD-check/badge.svg)](https://github.com/sonatype-nexus-community/oysteR/actions)
[![CircleCI](https://circleci.com/gh/sonatype-nexus-community/oysteR.svg?style=shield)](https://circleci.com/gh/sonatype-nexus-community/oysteR)
[![Codecov test coverage](https://codecov.io/gh/sonatype-nexus-community/oysteR/branch/master/graph/badge.svg)](https://codecov.io/gh/sonatype-nexus-community/oysteR?branch=master)
[![Gitter](https://badges.gitter.im/sonatype-nexus-community/oysteR.svg)](https://gitter.im/sonatype-nexus-community/oysteR?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
```{r, include = FALSE}
knitr::opts_chunk$set(
collapse = TRUE,
eval = FALSE,
comment = "#>"
)
```
## Overview
This package aims to secure your R projects against insecure dependencies using [OSS Index](https://ossindex.sonatype.org/). Essentially, we check R packages for
any _known_ security vulnerabilities. For a more in-depth discussion check out [this detailed walkthrough](https://www.jumpingrivers.com/blog/r-package-vulnerabilities-security/) by Colin Gillespie, one of the co-authors of `{oysteR}`.
The package has a few key functions for determining vulnerabilities:
* `audit_installed_r_pkgs()` for scanning all currently installed R packages
* `audit_description()` for scanning all packages (and their dependencies) in a DESCRIPTION file
* Similarly, `audit_renv_lock()` and `audit_req_txt()`
* `expect_secure()` for use within `{testthat}`
All of these functions ultimately parse relevant files and call the `audit()` function.
## Usage
To get started, install the package and simply scan your installed packages:
```{r, eval = FALSE}
library("oysteR")
audit = audit_installed_r_pkgs()
```
To extract the vulnerabilities into a nice data frame, use
```{r, eval = FALSE}
get_vulnerabilities(audit)
```
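As an added example (not from the oysteR README), the snippet below gates a CI job on the audit of a project's `DESCRIPTION` file, so a build fails when a dependency has a known vulnerability. It assumes it is run from the project root, that OSS Index credentials are set in `.Renviron` (see Authentication below), and that `get_vulnerabilities()` returns one row per finding.

```r
# Added example, not part of the oysteR package itself.
library("oysteR")

# Audit the packages listed in DESCRIPTION (and their dependencies) and
# return TRUE when no known vulnerabilities were reported by OSS Index.
check_dependencies = function() {
  # Assumes the working directory is the project root containing DESCRIPTION
  audit = audit_description()
  vulns = get_vulnerabilities(audit)

  if (nrow(vulns) == 0) {
    message("No known vulnerabilities in ", nrow(audit), " audited packages")
    return(invisible(TRUE))
  }

  # Print every finding so the CI log shows which package/version to fix;
  # assumes one row per finding in the data frame returned above.
  print(vulns)
  message(nrow(vulns), " known vulnerabilities found; failing the build")
  invisible(FALSE)
}

# Non-zero exit status makes the CI runner mark the job as failed
if (!check_dependencies()) quit(status = 1)
```

Run it with `Rscript check_dependencies.R` (file name assumed) from the CI step that follows package installation.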
### Within testthat
You can include this as part of your unit testing framework via `{testthat}`.
Simply create a file in `tests/testthat/` and add
```{r, eval = FALSE}
test_that("Test expect_secure", {
  skip_on_cran()
  ## Tests the expect_secure() function and this package
  oysteR::expect_secure("PKG_NAME")
})
```
This test will pass if there are no known vulnerabilities.
Remember to add `{oysteR}` under `Suggests` in your `DESCRIPTION` file.
### Authentication
Heavy use against OSS Index will likely run you into rate limiting (yikes!), but you can:
- Register for an account on [OSS Index](https://ossindex.sonatype.org/)
- Retrieve your API token after registering (on the User Settings page)
Then set the following environment variables in your `.Renviron` file:
- `OSSINDEX_USER` (this is set to your email address)
- `OSSINDEX_TOKEN` (this is set to your API token)
Or create a config file at `~/.ossindex/.oss-index-config` and add
```
# This config file is picked up by other Sonatype apps
ossi:
  Username: XXXX
  Token: YYY
```
These will be used by `{oysteR}` to authenticate with OSS Index, bumping up the number of requests you can make.
## Contributing
We care a lot about making the world a safer place, and that's why we continue to work on this and other plugins for Sonatype OSS Index. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a [new issue](https://github.com/sonatype-nexus-community/oysteR/issues), or comment on an existing issue, to let others know you are!
## Reporting Missing Vulnerabilities
OSS Index contains data from public advisories. We do our best to keep it up to date, but from time to time things may slip through the cracks. If you notice some missing or incorrect data, please let us know! To report missing or incorrect vulnerabilities in OSS Index data, create an issue in the [vulnerability reporting project](https://github.com/OSSIndex/vulns).
## Getting help
If you need help, then feel free to join us on the [oysteR Gitter](https://gitter.im/sonatype-nexus-community/oysteR) or raise an [issue](https://github.com/sonatype-nexus-community/oysteR/issues).
## The Fine Print
It is worth noting that this is **NOT SUPPORTED** by Sonatype, and is a contribution of ours
to the open source community (read: you!).
Remember:
- Use this contribution at the risk tolerance that you have
- Do NOT file Sonatype support tickets related to `{oysteR}`
- DO file issues here on GitHub, so that the community can pitch in
Phew, that was easier than I thought. Last but not least of all:
Have fun creating and using this extension and [Sonatype OSS Index](https://ossindex.sonatype.org/), we are glad to have you here!