Basic foundation

.github/workflows/main.yml

@@ -0,0 +1,17 @@
+name: Run CI
+
+on: [push, pull_request]
+
+jobs:
+  tox:
+    name: Run Tox
+    steps:
+    - uses: actions/checkout@v2
+    - name: Run all envs
+      uses: fedora-python/tox-github-action@master
+      with:
+        tox_env: ${{ matrix.tox_env }}
+    strategy:
+      matrix:
+        tox_env: [black, isort, flake8, mypy]
+    runs-on: ubuntu-latest

.gitignore

@@ -0,0 +1,132 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+junit.xml
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+staticfiles/
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+.env
+.env-enterprise
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# IDEs and editors
+.idea/
+.project
+.pydevproject
+.vscode
+
+# UMB certificates
+*.key
+*.crt
+
+# ripgrep-specific ignore file
+.rgignore
+
+# SonarQube
+.scannerwork/

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Red Hat Product Security
+Copyright (c) 2023 Jim Fuller
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -0,0 +1,41 @@
+python3=`which python3`
+tox=`which tox`
+pc=`which pip-compile`
+ps=`which pip-sync`
+openssl=`which openssl`
+
+test-all:
+	$(tox)
+
+test:
+	$(tox) -e griffon
+
+compile-deps:
+	$(pc) --generate-hashes --allow-unsafe requirements/base.in
+	$(pc) --generate-hashes --allow-unsafe requirements/test.in
+	$(pc) --generate-hashes --allow-unsafe requirements/lint.in
+	$(pc) --generate-hashes --allow-unsafe requirements/dev.in
+
+install:
+	pip install .
+
+install-dev-deps:
+	pip3 install -r requirements/dev.txt
+
+sync-dev-deps:
+	pip-sync requirements/dev.txt
+
+shell:
+	ipython
+
+venv:
+	virtualenv --python=/usr/bin/python3.9 venv
+
+docs:
+	tox -e manpages
+
+clean:
+	rm -Rf dist
+	rm -Rf man
+	rm -Rf griffon.egg-info
+	rm -Rf build

README.md

@@ -1,2 +1,118 @@
-# griffon
-Red Hat Product Security CLI 
+# ![](docs/image/griffon.jpg) Ǥriffon
+
+**WARNING- NOT PROD (yet), no releases, if you use this you are running with scissors ...**  
+
+Red Hat Product Security CLI providing:
+
+* Set of core entity operations on flaws, affects, components, products, etc... for 
+searching, listing and retrieving entities.
+* Set of read only query service operations answering 'canned' product security related queries
+* Set of process service operations (mutation) automating away manual 'drudgery'
+* Dynamic, extensible set of custom plugin operations for interacting with external services 
+
+The CLI provides a simple 'facade' over coarse grained security related data services allowing 
+for easier aggregation and narrowing of information providing a good security 'signal' 
+for end users.
+
+
+```commandline
+Usage: griffon [OPTIONS] COMMAND [ARGS]...
+
+  Red Hat Product Security CLI
+
+Options:
+  --debug
+  --help   Show this message and exit.
+
+Commands:
+  docs           Links to useful docs.
+  entities       List and retrieve entities operations.
+  manage         Manage operations.
+  process        Process operations.
+  queries        Query operations.
+  z_fcc          FCC plugin
+  z_osv          OSV plugin
+
+
+```
+
+[User guide (quickstart)](docs/user_guide.md)
+
+[Tutorial](docs/tutorial.md)
+
+[Developer guide](docs/developer_guide.md)
+
+
+## Entity operations
+
+Low level (ex. list, get) entity operations.
+
+```commandline
+> griffon entities
+Usage: griffon entities [OPTIONS] COMMAND [ARGS]...
+
+  List and retrieve entities operations.
+
+Options:
+  --help  Show this message and exit.
+
+Commands:
+  affects          https://<OSIDB_API_URL>/osidb/api/v1/affects
+  components       https://<CORGI_API_URL>/api/v1/components
+  flaws            https://<CORGI_API_URL>/osidb/api/v1/flaws
+  product-streams  ...
+  trackers         https://<CORGI_API_URL>/osidb/api/v1/trackers
+
+```
+
+## Query operations
+
+Read only service operations
+
+```commandline
+Usage: griffon queries [OPTIONS] COMMAND [ARGS]...
+
+  Query operations.
+
+Options:
+  --help  Show this message and exit.
+
+Commands:
+  component_cves                  List CVEs affecting a component.
+  components_affected_by_cve      List components affected by CVE.
+  components_in_product_stream    List components of product version.
+  cves_for_product_version        List CVEs of a product version.
+  product_versions_affected_by_cve
+                                  List product versions affected by a CVE.
+
+```
+
+## Process operations
+
+Service operations that update entities.
+
+```commandline
+Usage: griffon process [OPTIONS] COMMAND [ARGS]...
+
+  Mutation operations.
+
+Options:
+  --help  Show this message and exit.
+
+Commands:
+  generate_affects_for_component  Generate affects for component.
+
+```
+
+#### Some Useful questions to answer
+
+* Which unfixed CVE are affecting a component?
+* Which unfixed CVE are affecting a product + version + stream?
+* Given a CVE ID, what products are affected?
+* Given a CVE ID, what components are affected?
+* What products + version + stream contain a given component (e.g. full text search)? 
+* What are the fixed CVEs for a product + version + stream?
+* What are the fixed CVEs for a component?
+* What are the won’t fix CVEs for a component?
+* What are the won’t fix CVEs for a product?
+* How many CVE’s are filed against a product + version

docs/developer_guide.md

@@ -0,0 +1,30 @@
+## Setup 
+
+```commandline
+> make venv
+```
+
+```commandline
+> pip install pip-tools
+```
+
+```commandline
+> make install-dev-deps
+```
+
+## Run tests
+
+```commandline
+> make test
+```
+
+test target runs
+
+```commandline
+> tox -e griffon
+```
+
+
+## CI
+
+github actions

docs/tutorial.md

@@ -0,0 +1,2 @@
+
+## Tutorial