Metadata-Version: 2.1
Name: shouldi
Version: 0.1.0
Summary: Meta static analysis tool for Python packages
Home-page: https://github.com/intel/dffml/blob/master/examples/shouldi/README.md
Author: John Andersen
Author-email: john.s.andersen@intel.com
Maintainer: John Andersen
Maintainer-email: john.s.andersen@intel.com
License: MIT
Keywords: dffml
Platform: UNKNOWN
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Description-Content-Type: text/markdown
Requires-Dist: dffml (>=0.4.0)
Requires-Dist: dffml-feature-git (>=0.3.0)
Requires-Dist: aiohttp (>=3.5.4)
Requires-Dist: bandit (>=1.6.2)
Requires-Dist: safety (>=1.8.5)
Requires-Dist: PyYAML (>=5.1.2)

# shouldi

![shouldi](https://github.com/intel/dffml/raw/master/examples/shouldi/shouldi.jpg)

## What Is ShouldI?

`shouldi` is a tool that runs static analysis tools to let you know if there are
any issues in any of the Python packages you were thinking of installing.

`shouldi` is similar to things like [Go Report Card](https://goreportcard.com/).

> `shouldi` is in its very early stages. Expect things to change.

## Installation

```console
$ python3 -m pip install -U shouldi
```

## Usage

There are several different subcommands of `shouldi`:

- [install](#install-command)
  - Analogous to `pip install`, but runs checks to tell you whether you should install
- [use](#use-command)
  - Point this command at any Git URL or directory and it will detect the language
    and run the appropriate static analysis tools for it
- [project](#project-command)
  - Auto discover projects and the dependencies of those projects within a directory

### Install Command

Runs bandit (static analysis of the package's source for common security
issues) and safety (a lookup of the package version against a database of
known-vulnerable releases) and tells the person who ran the command not to
install the Python package if either tool reports any issues. An "okay to
install" verdict means neither tool flagged anything, not that the package is
safe: bandit only matches known-bad code patterns and safety only knows about
published advisories.

```console
$ shouldi install insecure-package bandit
bandit is okay to install
Do not install insecure-package! {'safety_check_number_of_issues': 1}
```
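The decision the install command makes, reproduced as an added example (this is not shouldi's own code). It assumes bandit is run as `bandit -r -f json <unpacked sdist>` and that its JSON carries a `results` list with `issue_severity` and `issue_confidence`, and that safety 1.x (the version range shouldi pins; 2.x changed the JSON to an object) is run as `safety check --stdin --json` fed `name==version` lines and prints a JSON list with one entry per known vulnerability. Both tool outputs below are constructed, not captured.

```python
"""Reproduce the `shouldi install` decision from bandit and safety output.

Added example, not shouldi's code. Assumptions: bandit JSON has a `results`
list with issue_severity/issue_confidence; safety 1.x JSON is a list with one
entry per vulnerability. The sample outputs are constructed."""
import json
import subprocess
from typing import Dict, Tuple

# Constructed bandit -f json output: one HIGH/HIGH finding and one LOW one.
BANDIT_SAMPLE = json.dumps({
    "metrics": {"_totals": {"SEVERITY.HIGH": 1, "SEVERITY.MEDIUM": 0,
                            "SEVERITY.LOW": 1, "CONFIDENCE.HIGH": 2}},
    "results": [
        {"filename": "pkg/run.py", "line_number": 7, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "pkg/util.py", "line_number": 3, "test_id": "B404",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Consider possible security implications of subprocess"},
    ],
})

# Constructed safety 1.x --json output: one vulnerable pinned release.
SAFETY_SAMPLE = json.dumps([
    ["insecure-package", "<0.2.0", "0.1.0",
     "This is an insecure package with lots of exploitable security "
     "vulnerabilities.", "25853"],
])


def summarize_bandit(output: str) -> Dict[str, int]:
    """Count findings, singling out HIGH severity at HIGH confidence, which is
    the combination worth blocking on; bandit's LOW findings are mostly
    advisory (e.g. 'subprocess is imported')."""
    summary = {"bandit_total": 0, "bandit_high_severity_high_confidence": 0}
    for finding in json.loads(output).get("results", []):
        summary["bandit_total"] += 1
        if finding["issue_severity"] == "HIGH" and finding["issue_confidence"] == "HIGH":
            summary["bandit_high_severity_high_confidence"] += 1
    return summary


def summarize_safety(output: str) -> Dict[str, int]:
    """safety prints one list entry per vulnerability affecting the pinned
    version, so the count is the list length ('[]' when clean)."""
    return {"safety_check_number_of_issues": len(json.loads(output or "[]"))}


def should_install(bandit_output: str, safety_output: str) -> Tuple[bool, Dict[str, int]]:
    """Policy: refuse if safety knows of any vulnerability or bandit has any
    HIGH/HIGH finding. Returns (ok, reasons); reasons holds only the counters
    that triggered the refusal, in the shape shouldi prints."""
    bandit = summarize_bandit(bandit_output)
    safety = summarize_safety(safety_output)
    reasons: Dict[str, int] = {}
    if safety["safety_check_number_of_issues"]:
        reasons.update(safety)
    if bandit["bandit_high_severity_high_confidence"]:
        reasons["bandit_high_severity_high_confidence"] = bandit["bandit_high_severity_high_confidence"]
    return (not reasons, reasons)


def run_tools(src_dir: str, name: str, version: str) -> Tuple[str, str]:
    """Invoke the real tools (must be on PATH) against an unpacked sdist.
    Both exit non-zero when they find something, so do not pass check=True."""
    bandit = subprocess.run(["bandit", "-r", "-f", "json", src_dir],
                            capture_output=True, text=True)
    safety = subprocess.run(["safety", "check", "--stdin", "--json"],
                            input=f"{name}=={version}\n",
                            capture_output=True, text=True)
    return bandit.stdout, safety.stdout


if __name__ == "__main__":
    for package, outputs in {"bandit": ('{"results": []}', "[]"),
                             "insecure-package": (BANDIT_SAMPLE, SAFETY_SAMPLE)}.items():
        ok, reasons = should_install(*outputs)
        print(f"{package} is okay to install" if ok else f"Do not install {package}! {reasons}")
```

`run_tools` is the only part that touches the network or PATH; everything else is pure parsing, so the policy can be unit-tested against saved tool output. The severity/confidence threshold is a choice: counting every bandit finding would refuse almost every real package because of LOW/advisory hits.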

### Use Command

Given a Git URL or a directory, figure out what language the codebase is
written in and run the appropriate static analysis tools for that language.

Tools for each language are as follows.

**You must have the tool for the detected language installed on the system; `shouldi` invokes it but does not install it.**

- golang
  - [golangci-lint](https://github.com/golangci/golangci-lint/blob/master/README.md)
- java
  - [dependency-check](https://owasp.org/www-project-dependency-check/)
- javascript
  - [npm-audit](https://docs.npmjs.com/cli/audit)
- python
  - [safety](https://pyup.io/safety/)
  - [bandit](https://pypi.org/project/bandit/)
- rust
  - [cargo-audit](https://github.com/RustSec/cargo-audit)

```console
$ shouldi use https://github.com/trekhleb/javascript-algorithms
{'static_analysis': SAResultsSpec(critical=1, high=2941, medium=16, low=41049, report={'npm_audit_output': {'info': 0, 'low': 41049, 'moderate': 16, 'high': 2941, 'critical': 1}})}
```
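An added example of the detect-then-dispatch flow the use command describes, with the npm audit counts folded into the critical/high/medium/low buckets shown in the output above. This is not shouldi's code: the marker-file heuristic, the argv for each tool and the severity mapping are this example's assumptions (check the flags against the tool versions you have installed). `npm audit --json` puts its per-severity counts under `metadata.vulnerabilities`; the npm sample here is constructed to match the README's numbers.

```python
"""Language detection and tool dispatch in the style of `shouldi use`.

Added example, not shouldi's code. Marker files, tool argv and the
npm-severity mapping are assumptions; the npm sample is constructed."""
import json
import os
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

# Marker files that identify a checkout; first match wins, so a repository
# holding both package.json and setup.py is scanned as JavaScript.
LANGUAGE_MARKERS = [
    ("golang", {"go.mod", "go.sum"}),
    ("java", {"pom.xml", "build.gradle", "build.gradle.kts"}),
    ("javascript", {"package.json"}),
    ("python", {"setup.py", "pyproject.toml", "requirements.txt"}),
    ("rust", {"Cargo.toml"}),
]

# One argv list per tool, never a shell string, so a hostile path or
# repository name cannot smuggle shell metacharacters into the command.
TOOL_COMMANDS: Dict[str, List[List[str]]] = {
    "golang": [["golangci-lint", "run", "--out-format", "json", "./..."]],
    "java": [["dependency-check", "--format", "JSON", "--scan", "."]],
    "javascript": [["npm", "audit", "--json"]],
    "python": [["bandit", "-r", "-f", "json", "."],
               ["safety", "check", "--json", "-r", "requirements.txt"]],
    "rust": [["cargo", "audit", "--json"]],
}

# Constructed `npm audit --json` metadata matching the README's numbers.
NPM_AUDIT_SAMPLE = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 41049, "moderate": 16, "high": 2941, "critical": 1}}})


def detect_language(filenames: Iterable[str]) -> Optional[str]:
    """Pick a language from the top-level file names of a checkout."""
    present = set(filenames)
    for language, markers in LANGUAGE_MARKERS:
        if present & markers:
            return language
    return None


def commands_for(path: str) -> List[List[str]]:
    """Map a directory to the argv lists to run inside it, refusing early
    when a required scanner is not on PATH."""
    language = detect_language(os.listdir(path))
    if language is None:
        raise ValueError(f"no supported language detected in {path}")
    missing = [argv[0] for argv in TOOL_COMMANDS[language] if shutil.which(argv[0]) is None]
    if missing:
        raise RuntimeError(f"{language} scan needs {missing} installed on PATH")
    return TOOL_COMMANDS[language]


def normalize_npm_audit(output: str) -> Dict[str, int]:
    """Fold npm's info/low/moderate/high/critical into the four buckets the
    `shouldi use` result reports; 'info' is dropped, 'moderate' becomes medium."""
    counts = json.loads(output)["metadata"]["vulnerabilities"]
    return {"critical": counts.get("critical", 0), "high": counts.get("high", 0),
            "medium": counts.get("moderate", 0), "low": counts.get("low", 0)}


def run_use(path: str) -> List[str]:
    """Run every tool for the detected language inside `path` and return the
    raw stdout per tool. Scanners exit non-zero on findings, hence no check=True."""
    outputs = []
    for argv in commands_for(path):
        proc = subprocess.run(argv, cwd=path, capture_output=True, text=True)
        outputs.append(proc.stdout)
    return outputs


if __name__ == "__main__":
    print(detect_language(["package.json", "README.md"]),
          normalize_npm_audit(NPM_AUDIT_SAMPLE))
```

Two practical caveats when wiring this to real checkouts: `npm audit` needs a `package-lock.json` (or `npm-shrinkwrap.json`) in the checkout, and the high counts in the README's output are per-path occurrences as npm counts them, not distinct advisories, so compare them against the `shouldi use` bucket totals rather than against a CVE list.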

### Project Command

Given a directory, output JSON describing the dependencies found within that
directory.

At the moment it will auto discover Python dependencies listed in `setup.py`'s
`install_requires` section or within `requirements.txt`.

Dependencies which cannot be automatically identified can be specified in YAML
files.

```yaml
dependencies:
  python:
    name: Python
    url: https://python.org
    license: Python License 2.0
```

Here's an example of running the project command on the `shouldi` codebase with
the above YAML saved as `deps.yaml`, adding in the dependencies that couldn't be
auto discovered.

```console
$ shouldi project create -add deps.yaml -- .
{
    "dependencies": [
        {
            "extra": {
                "pypi": {
                    "euuid": "7bd67f47-9972-57fd-8da1-233783b35321",
                    "license": "Apache 2",
                    "name": "aiohttp",
                    "url": "https://pypi.org/pypi/aiohttp",
                    "uuid": null
                }
            },
            "license": "Apache 2",
            "name": "aiohttp",
            "url": "https://github.com/aio-libs/aiohttp",
            "uuid": "a6172a74-11ca-5624-bbf4-2e064084ee95"
        },
        {
            "extra": {
                "pypi": {
                    "euuid": "8ce644e4-20ef-5a24-85bb-0449fb8e2c94",
                    "license": "",
                    "name": "bandit",
                    "url": "https://pypi.org/pypi/bandit",
                    "uuid": null
                }
            },
            "license": null,
            "name": "bandit",
            "url": "https://bandit.readthedocs.io/en/latest/",
            "uuid": "1fa385fc-91ae-59c5-8d4c-220b9820f173"
        },
        {
            "extra": {
                "pypi": {
                    "euuid": "c09eaab1-7676-55b8-96fd-cb50f5dc125c",
                    "license": "MIT license",
                    "name": "safety",
                    "url": "https://pypi.org/pypi/safety",
                    "uuid": null
                }
            },
            "license": "MIT license",
            "name": "safety",
            "url": "https://github.com/pyupio/safety",
            "uuid": "f2cc3711-8652-584d-8d46-7e060398eff4"
        },
        {
            "extra": {
                "pypi": {
                    "euuid": "5143b2bf-be54-5688-8077-efbd038fbdc5",
                    "license": "MIT",
                    "name": "PyYAML",
                    "url": "https://pypi.org/pypi/PyYAML",
                    "uuid": null
                }
            },
            "license": "MIT",
            "name": "PyYAML",
            "url": "https://github.com/yaml/pyyaml",
            "uuid": "406495d7-1ba9-5a7e-bec9-f2a1119d3913"
        },
        {
            "extra": {},
            "license": "Python License 2.0",
            "name": "Python",
            "url": "https://python.org",
            "uuid": "807b7876-01ec-5fef-ad5a-4cc588b97719"
        }
    ]
}
```
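An added example of the discovery step the project command performs, merging `install_requires` from `setup.py`, names from `requirements.txt` and hand-written entries shaped like the `deps.yaml` above. This is not shouldi's code. It reads `setup.py` with `ast` and never executes it, since running an untrusted project's `setup.py` is arbitrary code execution, which is precisely what a tool vetting third-party packages must avoid. The uuid5 namespace, the output schema and the pypi.org URL pattern are this example's assumptions; PyYAML is only needed by `load_yaml()`. The `setup.py`, `requirements.txt` and YAML contents below are constructed inputs.

```python
"""Dependency discovery in the style of `shouldi project`.

Added example, not shouldi's code. setup.py is parsed with ast, never run.
The uuid5 namespace, output schema and URL pattern are assumptions; the
inputs below are constructed."""
import ast
import json
import re
import uuid
from typing import Dict, List, Optional

# Hypothetical namespace for stable per-dependency ids (assumption).
DEP_NAMESPACE = uuid.UUID("0f5d7a3e-6c2b-4e1d-9a8f-2c4b6d8e0a1c")
_SPEC_CUT = re.compile(r"[\s<>=!~;\[@]")  # first char that ends a bare name

SETUP_PY = """
from setuptools import setup
setup(name="demo",
      install_requires=["aiohttp>=3.5.4", "bandit>=1.6.2", "PyYAML>=5.1.2"])
"""
REQUIREMENTS = """
# pinned for CI
aiohttp==3.6.2
safety>=1.8.5   # vulnerability database lookup
-r dev-requirements.txt
pyyaml
"""
MANUAL = {"dependencies": {"python": {
    "name": "Python", "url": "https://python.org", "license": "Python License 2.0"}}}


def normalize(name: str) -> str:
    """PEP 503 normalization so PyYAML, pyyaml and py_yaml dedupe."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    """Names from requirements.txt: drop comments, blanks and option lines
    (-r, -e, --index-url), then cut each line at its specifier/extras/marker."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            names.append(_SPEC_CUT.split(line, 1)[0])
    return names


def parse_setup_py(text: str) -> List[str]:
    """Statically read install_requires from a setup()/setuptools.setup() call.
    Only a literal list is understood; a computed value yields [] rather than
    tempting us to exec the file."""
    for node in ast.walk(ast.parse(text)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        callee = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if callee != "setup":
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires":
                try:
                    reqs = ast.literal_eval(kw.value)
                except (ValueError, TypeError):
                    return []
                return [_SPEC_CUT.split(r, 1)[0] for r in reqs if isinstance(r, str)]
    return []


def dependency(name: str, url: Optional[str], license_name: Optional[str],
               extra: Optional[Dict] = None) -> Dict:
    """One entry in the output; the uuid is stable across runs for a name."""
    return {"extra": extra or {}, "license": license_name, "name": name, "url": url,
            "uuid": str(uuid.uuid5(DEP_NAMESPACE, normalize(name)))}


def discover(requirements: str = "", setup_py: str = "", manual: Optional[Dict] = None) -> Dict:
    """Merge the sources; auto-discovered names dedupe on normalized form,
    manual entries are appended as given (their metadata is trusted input)."""
    seen, deps = set(), []
    for name in parse_setup_py(setup_py) + parse_requirements(requirements):
        if normalize(name) in seen:
            continue
        seen.add(normalize(name))
        deps.append(dependency(name, None, None,
                               {"pypi": {"name": name, "url": f"https://pypi.org/pypi/{name}"}}))
    for key, info in (manual or {}).get("dependencies", {}).items():
        deps.append(dependency(info.get("name", key), info.get("url"), info.get("license")))
    return {"dependencies": deps}


def load_yaml(path: str) -> Dict:
    """Read a deps.yaml. safe_load only: yaml.load on attacker-controlled
    input can instantiate arbitrary Python objects."""
    import yaml  # PyYAML, already in shouldi's requirements
    with open(path) as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    print(json.dumps(discover(REQUIREMENTS, SETUP_PY, MANUAL), indent=4))
```

The output above also carries license and homepage data for each auto-discovered package under `extra.pypi`; that comes from querying the package index, which this offline example leaves as `None`.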

## License

shouldi is distributed under the [MIT License](https://spdx.org/licenses/MIT.html).

#### What's This Really Called

The real name of this package is "DFFML Evaluator for PyPi Packages". `shouldi`
is merely the command line invocation, and we claim `shouldi`, the package name
on PyPi, so that nobody else can publish a package under the name users would
naturally `pip install` (a name-squatting supply chain attack).
