Update READMEs to reflect audit tool usage

Signed-off-by: Ashish Bijlani <ashish@ossillate.com>
ossillate-inc · Sep 10, 2022 · 0e45832 · 0e45832
1 parent 8459f22
commit 0e45832
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -34,10 +34,15 @@ options:
 
 Packj audits open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. For instance, packages with expired email domains (lacking 2FA), large release time gap, sensitive APIs or access permissions, etc. are flagged as risky. 
 
-Please find details on risky attributes and how to use at [Audit README](https://github.com/ossillate-inc/packj/blob/main/audit/README.md).
+Auditing the following is supported:
+
+- multiple packages: `python3 main.py -p pypi:requests rubygems:overcommit`
+- dependency files: `python3 main.py -f npm:package.json pypi:requirements.txt`
+
+Audit can also be performed in Docker/Podman containers. Please find details on risky attributes and how to use at [Audit README](https://github.com/ossillate-inc/packj/blob/main/audit/README.md).
 
 ```
-$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit --trace npm browserify
+$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit --trace -p npm:browserify
 
 [+] Fetching 'browserify' from npm...OK [ver 17.0.0]
 [+] Checking version...ALERT [598 days old]
@@ -135,7 +140,7 @@ Installing ri documentation for overcommit-0.59.1
 We found over 40 malicious packages on PyPI using this tool. A number of them been taken down. Refer to an example below:
 
 ```
-$ python3 main.py audit pypi krisqian
+$ python3 main.py audit pypi:krisqian
 [+] Fetching 'krisqian' from pypi...OK [ver 0.0.7]
 [+] Checking version...OK [256 days old]
 [+] Checking release history...OK [7 version(s)]

diff --git a/audit/README.md b/audit/README.md
@@ -15,12 +15,18 @@ Packj audits open-source software packages for "risky" attributes that make them
 Packj supports PyPI, NPM, and RubyGems package registries. To audit a package, you need to provide the folowing command line arguments:
 
 ```
-python3 main.py audit <pm-name> <pkg-name> [<ver-str> <--trace>]
+python3 main.py audit [-t] (-p PACKAGES [PACKAGES ...] | -f DEPFILES [DEPFILES ...])
 
-options:
-  pm_name      Package manager (e.g., pypi, npm, rubygems)
-  pkg_name     Package name (e.g., requests, browserify, overcommit)
-  ver_str      Package version (e.g., 0.0.1), default: latest
+optional arguments:
+  -t, --trace           Install package(s) and collect dynamic/runtime traces
+
+required arguments (mutually exclusive):
+
+  -p PACKAGES [PACKAGES ...], --packages PACKAGES [PACKAGES ...]
+                        Audit packages (e.g., npm:browserify pypi:requests), optionally version (e.g., rubygems:overcommit:1.0)
+
+  -f DEPFILES [DEPFILES ...], --depfiles DEPFILES [DEPFILES ...]
+                        Audit dependencies (e.g., npm:./package.json pypi:~/packj/requirements.txt)
 ```
 
 Under the covers, Packj performs the following analyses:
@@ -37,7 +43,7 @@ The best way to use Packj is to run it inside Docker (or Podman) container. **Re
 **NOTE** that `-v /tmp:/tmp/packj` is needed for containerized runs under Docker so that final report is available under `/tmp` on the host. 
 
 ```
-$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit --trace npm browserify
+$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit --trace -p npm:browserify
 [+] Fetching 'browserify' from npm...OK [ver 17.0.0]
 [+] Checking version...ALERT [598 days old]
 [+] Checking release history...OK [484 version(s)]
@@ -73,7 +79,7 @@ $ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit --trace npm bro
 Specific package versions to be vetted could also be specified. Please refer to the example below
 
 ```
-$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit pypi requests 2.18.4
+$ docker run -v /tmp:/tmp/packj -it ossillate/packj:latest audit -p pypi:requests:2.18.4
 [+] Fetching 'requests' from pypi...OK [ver 2.18.4]
 [+] Checking version...ALERT [1750 days old]
 [+] Checking release history...OK [142 version(s)]
@@ -121,7 +127,7 @@ Alternatively, you can install Python/Ruby dependencies locally and test it.
 	- `gem install google-protobuf:3.21.2 rubocop:1.31.1`
 
 ```
-$ python3 main.py audit npm eslint
+$ python3 main.py audit -p npm:eslint
 [+] Fetching 'eslint' from npm...OK [ver 8.16.0]
 [+] Checking version...OK [10 days old]
 [+] Checking release history...OK [305 version(s)]

diff --git a/options.py b/options.py
@@ -26,7 +26,7 @@ def __init__(self, argv):
 				help="Install package(s) and collect dynamic/runtime traces", action="store_true")
 
 		# Audit positional args
-		parser_audit_group = parser_audit.add_argument_group(title='required arguments', description='Either --package or --deps must be chosen.')
+		parser_audit_group = parser_audit.add_argument_group(title='required arguments', description='Either --packages or --depfiles must be chosen.')
 		parser_audit_arg = parser_audit_group.add_mutually_exclusive_group(required=True)
 		parser_audit_arg.add_argument('-p', '--packages', nargs='+', help='Audit packages (e.g., npm:react, pypi:torch), optionally version (e.g., rubygems:overcommit:1.0)', action='store', default=[])
 		parser_audit_arg.add_argument('-f', '--depfiles', nargs='+', help='Audit dependencies (e.g., npm:package.json, pypi:requirements.txt)', action='store', default=[])