| Field | Value |
|---|---|
| Name | yardstick |
| Version | 0.12.1 |
| Summary | Tool for comparing the results from vulnerability scanners |
| upload_time | 2025-01-10 21:54:33 |
| home_page | None |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | <=3.13,>=3.11 |
| license | Apache 2.0 |
| keywords | grype, vulnerability |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |
# yardstick
A tool that can parse and compare the results of vulnerability scanner tools.
Manage and explore scan results:
```
# capture a new scan result for a specific tool and image
yardstick result capture --image ubuntu:20.04 -t grype@v0.11.0
# list all scan results that have been captured
yardstick result list
# explore the scan results interactively
yardstick result explore <UUID>
```
Manage true positive / false positive labels for images:
```
# explore labels applied to specific scan-result matches for an image and tool pair
yardstick label explore <UUID>
# list all managed labels
yardstick label list
```
Supported scanners:
- `grype`
- `syft`
### F.A.Q.
*"Why is syft on this list? It's not a vulnerability scanner!"*
Right you are; however, capturing SBOMs that can be fed into grype, or kept for
reference during analysis, is quite useful!
*"Yardstick doesn't support vulnerability scanner X..."*
PRs are welcome! The goal of this tool is to provide the analysis capabilities
needed to understand how we can make these scanners better.
## Result Sets
Result sets group scans taken at the same time (the same images run through a fixed list of tools) so they can be captured, listed and compared together. For instance:
```yaml
# .yardstick.yaml
result-sets:
  example:
    matrix:
      images:
        - ubuntu:20.04
      tools:
        - name: grype
          version: v0.32.0
        - name: grype
          version: v0.48.0
```
```bash
# capture results for all tools
$ yardstick result capture -r example
# see the specific result details
$ yardstick result list -r example
# perform a label comparison using all tooling
$ yardstick label compare -r example
```
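To make the label comparison concrete, the following is an added example (not yardstick's own code, and it does not use the yardstick API). It models what `yardstick label compare` and `compare-by-ecosystem` report for a result set like `example`: each tool's matches are bucketed by the TP/FP label recorded for them, matches with no label are surfaced separately, labeled TPs a tool failed to report are counted as misses, and precision/recall are derived per tool and per ecosystem; `diff_results` is the `result compare` view of what changed between the two grype versions. The scan results and labels are constructed sample data; the CVE IDs are real but their pairing with packages and labels here is illustrative only.

```python
"""Illustrative label comparison (added example; not yardstick's own code or API)."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    """One scanner finding: a vulnerability ID against a package in an ecosystem."""
    vuln_id: str
    package: str
    version: str
    ecosystem: str


# Constructed sample results: the two grype versions from the `example` result set
# run against the same image. The CVE IDs are real; the package/label pairing is
# sample data for this example, not an assertion about those packages.
OPENSSL_3711 = Match("CVE-2021-3711", "openssl", "1.1.1f-1ubuntu2", "deb")
OPENSSL_0778 = Match("CVE-2022-0778", "openssl", "1.1.1f-1ubuntu2", "deb")
GLIBC_DISPUTED = Match("CVE-2019-1010022", "glibc", "2.31-0ubuntu9", "deb")
LOG4J_44228 = Match("CVE-2021-44228", "log4j-core", "2.14.1", "java-archive")
LOG4J_45046 = Match("CVE-2021-45046", "log4j-core", "2.14.1", "java-archive")

RESULTS = {
    "grype@v0.32.0": {OPENSSL_3711, OPENSSL_0778, GLIBC_DISPUTED, LOG4J_44228},
    "grype@v0.48.0": {OPENSSL_3711, OPENSSL_0778, LOG4J_44228, LOG4J_45046},
}

# Constructed labels for this image, as a human would record them after review.
LABELS = {
    OPENSSL_3711: "TP",
    OPENSSL_0778: "TP",
    GLIBC_DISPUTED: "FP",
    LOG4J_44228: "TP",
    # LOG4J_45046 deliberately has no label yet: it is a new match awaiting review.
}


def diff_results(before, after):
    """The `result compare` view: matches gained and lost between two scans."""
    return after - before, before - after


def compare(matches, labels):
    """Bucket one tool's matches against the label set.

    Unlabeled matches are reported on their own rather than silently counted as
    FP or TP: a new, unlabeled match is exactly what needs a human decision.
    """
    tp = {m for m in matches if labels.get(m) == "TP"}
    fp = {m for m in matches if labels.get(m) == "FP"}
    unlabeled = matches - tp - fp
    missed = {m for m, label in labels.items() if label == "TP" and m not in matches}
    return {"tp": tp, "fp": fp, "unlabeled": unlabeled, "missed": missed}


def precision(tp, fp):
    return len(tp) / (len(tp) + len(fp)) if tp or fp else 0.0


def recall(tp, missed):
    return len(tp) / (len(tp) + len(missed)) if tp or missed else 0.0


def compare_by_ecosystem(matches, labels):
    """Per-ecosystem TP/FP/precision, the shape of `compare-by-ecosystem` output."""
    buckets = compare(matches, labels)
    per_eco = defaultdict(lambda: {"tp": 0, "fp": 0})
    for kind in ("tp", "fp"):
        for m in buckets[kind]:
            per_eco[m.ecosystem][kind] += 1
    for stats in per_eco.values():
        total = stats["tp"] + stats["fp"]
        stats["precision"] = stats["tp"] / total if total else 0.0
    return dict(per_eco)


def summarize(results, labels):
    """Per-tool precision/recall and the unlabeled matches for every tool in the set."""
    return {
        tool: {
            "precision": precision(b["tp"], b["fp"]),
            "recall": recall(b["tp"], b["missed"]),
            "unlabeled": sorted(m.vuln_id for m in b["unlabeled"]),
        }
        for tool, b in ((t, compare(ms, labels)) for t, ms in results.items())
    }


if __name__ == "__main__":
    for tool, stats in summarize(RESULTS, LABELS).items():
        print(f"{tool}: precision={stats['precision']:.2f} "
              f"recall={stats['recall']:.2f} unlabeled={stats['unlabeled']}")
    added, removed = diff_results(RESULTS["grype@v0.32.0"], RESULTS["grype@v0.48.0"])
    print("added:", sorted(m.vuln_id for m in added),
          "removed:", sorted(m.vuln_id for m in removed))
```

With this data the older grype scores 0.75 precision (three TPs, one FP in `deb`), the newer one 1.0 but with one unlabeled match; that unlabeled match is the thing to label next, since until it has a label the precision figure for v0.48.0 is incomplete rather than better.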
## Configuration
Sample application config (note that the image is pinned by digest, so every tool in the set scans exactly the same image contents, which a bare tag like `ubuntu:20.04` does not guarantee between captures):
```yaml
# .yardstick.yaml

x-ref:
  images: &images
    - docker.io/cloudbees/cloudbees-core-mm:2.346.4.1@sha256:b8ec61aad2f5f9be2dc9c68923eab1de0e8b026176093ad2e0742fca310bf3bf

result-sets:
  pr-vs-latest:
    description: "latest released grype vs grype from the current build"
    matrix:
      images: *images
      tools:
        - name: syft # go ahead and capture an SBOM each time to help analysis later
          version: v0.54.0
          produces: SBOM

        - name: grype # from the latest published github release
          version: latest
          takes: SBOM

        - name: grype:pr # from a local PR checkout install (feed via an environment variable)
          version: env:CURRENT_GRYPE_COMMIT
          takes: SBOM
```
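The following is an added example of how a matrix like the one above expands into capture jobs; it is not yardstick's own code and does not use its API. `CONFIG` is the dict a YAML loader (for example `yaml.safe_load`) yields for the sample config, with the `&images`/`*images` alias already resolved, so no YAML library is needed to run it. The rules it applies (`name:label` naming for two installs of one tool, `env:VAR` read from the environment, `latest` left for the capture step, and the check that anything with `takes: SBOM` has a producer in the same set) are this example's reading of the config keys, not documented yardstick behaviour; the `deadbeef` commit value is a placeholder.

```python
"""Expand a `.yardstick.yaml` result-set matrix into capture jobs (added example)."""

import os

# What a YAML loader yields for the sample config above; the x-ref anchor has
# already been expanded into the `images` list.
CONFIG = {
    "result-sets": {
        "pr-vs-latest": {
            "description": "latest released grype vs grype from the current build",
            "matrix": {
                "images": [
                    "docker.io/cloudbees/cloudbees-core-mm:2.346.4.1"
                    "@sha256:b8ec61aad2f5f9be2dc9c68923eab1de0e8b026176093ad2e0742fca310bf3bf",
                ],
                "tools": [
                    {"name": "syft", "version": "v0.54.0", "produces": "SBOM"},
                    {"name": "grype", "version": "latest", "takes": "SBOM"},
                    {"name": "grype:pr", "version": "env:CURRENT_GRYPE_COMMIT", "takes": "SBOM"},
                ],
            },
        }
    }
}


def resolve_version(spec, env):
    """`env:VAR` is read from the environment; anything else passes through.

    `latest` is deliberately left alone: resolving it means asking the release
    source, which belongs to the capture step, not to config expansion.
    """
    if spec.startswith("env:"):
        var = spec[len("env:"):]
        if var not in env:
            raise KeyError(f"version comes from ${var}, which is not set")
        return env[var]
    return spec


def split_tool_name(name):
    """`grype:pr` -> ('grype', 'pr'): the label keeps two installs of one tool apart."""
    tool, _, label = name.partition(":")
    return tool, label or None


def pinned_by_digest(image):
    """True when the reference carries @sha256:...; a bare tag can move between captures."""
    return "@sha256:" in image


def expand_result_set(config, set_name, env=None):
    """Cross product of images x tools, with versions resolved and SBOM wiring checked."""
    env = os.environ if env is None else env
    matrix = config["result-sets"][set_name]["matrix"]
    tools = matrix["tools"]

    # A tool that takes an SBOM needs a producer in the same set, or capture
    # for it will have no input.
    produced = {t["produces"] for t in tools if "produces" in t}
    for t in tools:
        if "takes" in t and t["takes"] not in produced:
            raise ValueError(f"{t['name']} takes {t['takes']} but nothing in "
                             f"{set_name} produces it")

    jobs = []
    for image in matrix["images"]:
        for t in tools:
            tool, label = split_tool_name(t["name"])
            jobs.append({
                "image": image,
                "pinned": pinned_by_digest(image),
                "tool": tool,
                "label": label,
                "version": resolve_version(t["version"], env),
                "takes": t.get("takes"),
                "produces": t.get("produces"),
            })
    return jobs


if __name__ == "__main__":
    # Placeholder commit value; in CI this would come from the real environment.
    for job in expand_result_set(CONFIG, "pr-vs-latest", env={"CURRENT_GRYPE_COMMIT": "deadbeef"}):
        print(job)
```

Running it yields three jobs for the one pinned image: syft producing the SBOM, then the released grype and the PR build of grype each taking it. Leaving `CURRENT_GRYPE_COMMIT` unset, or listing a `takes: SBOM` tool without a producer, fails at expansion time rather than part-way through a capture.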
## CLI Commands
```
config                    show the application config

label                     manage match labels
  add                     add a match label indication for an image
  apply                   see which labels apply to the given image and...
  compare                 compare a scan result against labeled data
  compare-by-ecosystem    show TPs/FPs/Precision from label comparison...
  explore                 interact with label results for a single image...
  images                  show all images derived from label data
  list                    show all labels
  remove                  remove a match label indication for an image
  set-image-parent        set the parent image for a given image
  show-image-lineage      show all parents and children for the given image

result                    manage image scan results
  capture                 capture all tool output for the given image
  clear                   remove all results and result sets
  compare                 show a comparison between tool output
  explore                 interact with an image scan result
  images                  list images in results
  import                  import results for a tool that were run externally
  list                    list stored results
  sets                    list configured result sets
  show                    show the results for a single scan + tool
  tools                   list tools in results
```
Raw data
{
"_id": null,
"home_page": null,
"name": "yardstick",
"maintainer": null,
"docs_url": null,
"requires_python": "<=3.13,>=3.11",
"maintainer_email": null,
"keywords": "grype, vulnerability",
"author": null,
"author_email": "Alex Goodman <alex.goodman@anchore.com>",
"download_url": "https://files.pythonhosted.org/packages/b9/45/5528fbfb6a364614d7fb071affd9878ea13b087c274e8ad20fd7c0db0126/yardstick-0.12.1.tar.gz",
"platform": null,
"description": "# yardstick\n\nA tool that can parse and compare the results of vulnerability scanner tools.\n\nManage and explore scan results:\n```\n# capture a new scan result for a specific tool and image\nyardstick result capture --image ubuntu:20.04 -t grype@v0.11.0\n\n# list all scan results that have been captured\nyardstick result list\n\n# explore the scan results interactively\nyardstick result explore <UUID>\n```\n\nManage true positive / false positive labels for images:\n```\n# explore labels applied to specific scan-result matches for an image and tool pair\nyardstick label explore <UUID>\n\n# list all managed labels\nyardstick label list\n```\n\nSupported scanners:\n- `grype`\n- `syft`\n\n### F.A.Q.\n\n*\"Why is syft on this list? It's not a vulnerability scanner!\"*\n\nRight you are, however, capturing SBOM results that can be fed into grype or for\nreference during analysis is quite useful!\n\n\n*\"Yardstick doesn't support vulnerability scanner X...\"*\n\nPR's are welcome! The goal of this tool is to provide the analysis capabilities\nto understand how we can make these scanners better.\n\n\n\n## Result Sets\n\nResult sets can be useful to operate on and track results from scans taken at the same time. For instance:\n```yaml\n# .yardstick.yaml\nresult-sets:\n example:\n matrix:\n images:\n - ubuntu:20.04\n tools:\n - name: grype\n version: v0.32.0\n - name: grype\n version: v0.48.0\n```\n\n```bash\n# capture results for all tools\n$ yardstick result capture -r example\n\n# see the specific result details\n$ yardstick result list -r example\n\n# perform a label comparison using all tooling\n$ yardstick label compare -r example\n```\n\n\n## Configuration\n\nSample application config:\n```yaml\n# .yardstick.yaml\n\nx-ref:\n images: &images\n - docker.io/cloudbees/cloudbees-core-mm:2.346.4.1@sha256:b8ec61aad2f5f9be2dc9c68923eab1de0e8b026176093ad2e0742fca310bf3bf\n\nresult-sets:\n pr-vs-latest:\n description: \"latest released grype vs grype from the current build\"\n matrix:\n images: *images\n tools:\n - name: syft # go ahead and capture an SBOM each time to help analysis later\n version: v0.54.0\n produces: SBOM\n\n - name: grype # from the latest published github release\n version: latest\n takes: SBOM\n\n - name: grype:pr # from a local PR checkout install (feed via an environment variable)\n version: env:CURRENT_GRYPE_COMMIT\n takes: SBOM\n```\n\n## CLI Commands\n\n```\n config show the application config\n\n label manage match labels\n\n add add a match label indication for an image\n apply see which labels apply to the given image and...\n compare compare a scan result against labeled data\n compare-by-ecosystem show TPs/FPs/Precision from label comparison...\n explore interact with an label results for a single image...\n images show all images derived from label data\n list show all labels\n remove remove a match label indication for an image\n set-image-parent set the parent image for a given image\n show-image-lineage show all parents and children for the given image\n\n result manage image scan results\n\n capture capture all tool output for the given image\n clear remove all results and result sets\n compare show a comparison between tool output\n explore interact with an image scan result\n images list images in results\n import import results for a tool that were run externally\n list list stored results\n sets list configured result sets\n show show a the results for a single scan + tool\n tools list tools in results\n```\n",
"bugtrack_url": null,
"license": "Apache 2.0",
"summary": "Tool for comparing the results from vulnerability scanners",
"version": "0.12.1",
"project_urls": {
"repository": "https://github.com/anchore/yardstick"
},
"split_keywords": [
"grype",
" vulnerability"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "483d008b9ca22873aeca5da68184ae63ccce9b37503bba97d4ef01c7415a1085",
"md5": "11a1f47503711498f1d3c01635bdc3d7",
"sha256": "481ddf04cd535f8e2dc8dea4526c9dbfb007f1d18ad4a38cbc9d55f4762a15d0"
},
"downloads": -1,
"filename": "yardstick-0.12.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "11a1f47503711498f1d3c01635bdc3d7",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<=3.13,>=3.11",
"size": 93499,
"upload_time": "2025-01-10T21:54:31",
"upload_time_iso_8601": "2025-01-10T21:54:31.084918Z",
"url": "https://files.pythonhosted.org/packages/48/3d/008b9ca22873aeca5da68184ae63ccce9b37503bba97d4ef01c7415a1085/yardstick-0.12.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "b9455528fbfb6a364614d7fb071affd9878ea13b087c274e8ad20fd7c0db0126",
"md5": "235231ed68c49a0c101ddcb5bf29f8c4",
"sha256": "eecf2885b9fae42bffa06d12031639bd11495b74079cff1a938d586a7e853969"
},
"downloads": -1,
"filename": "yardstick-0.12.1.tar.gz",
"has_sig": false,
"md5_digest": "235231ed68c49a0c101ddcb5bf29f8c4",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<=3.13,>=3.11",
"size": 142074,
"upload_time": "2025-01-10T21:54:33",
"upload_time_iso_8601": "2025-01-10T21:54:33.466224Z",
"url": "https://files.pythonhosted.org/packages/b9/45/5528fbfb6a364614d7fb071affd9878ea13b087c274e8ad20fd7c0db0126/yardstick-0.12.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-01-10 21:54:33",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "anchore",
"github_project": "yardstick",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "yardstick"
}