Metadata-Version: 2.4
Name: grummage
Version: 2.0.0
Summary: Interactive terminal frontend for Grype to view vulnerabilities.
Project-URL: Homepage, https://github.com/popey/grummage
Project-URL: Repository, https://github.com/popey/grummage
Project-URL: Issues, https://github.com/popey/grummage/issues
Project-URL: Documentation, https://github.com/popey/grummage#readme
Author-email: Alan Pope <alan@popey.com>
License: MIT License
        
        Copyright (c) 2024 Alan Pope
        
        Permission is hereby granted, free of charge, to any person obtaining a copy
        of this software and associated documentation files (the "Software"), to deal
        in the Software without restriction, including without limitation the rights
        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
        copies of the Software, and to permit persons to whom the Software is
        furnished to do so, subject to the following conditions:
        
        The above copyright notice and this permission notice shall be included in all
        copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
        SOFTWARE.
License-File: LICENSE
Keywords: sbom,security,supply-chain,terminal,tui
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Terminals
Classifier: Topic :: Text Processing :: Markup :: XML
Requires-Python: >=3.8
Requires-Dist: textual>=0.85.0
Description-Content-Type: text/markdown

# Grummage

Grype + Rummage = Grummage.

Grummage is an interactive terminal frontend to [Grype](https://github.com/anchore/grype).

![A short video showing Grummage](./grummage.gif)

## Introduction

[Grype](https://github.com/anchore/grype) is an awesome vulnerability scanner. It produces minimal textual output, or verbose JSON files. I wanted something to rummage around in the json, without having to learn arcane jq syntax ;).

So Grummage was born.

## Installation

Grummage is written in Python and requires Python 3.8 or later.

### Pre-requisites

Grummage requires the [Grype](https://github.com/anchore/grype) binary in your path to function.

You may want to confirm the Grype command line works, and has updated the vulnerability database first.

```shell
grype --version
```

```
grype 0.84.0
```

```shell
grype db update
```

```
  ✔ Vulnerability DB                [no update available]
 No vulnerability database update available
```

### From PyPI (Recommended)

The easiest way to install grummage is from PyPI:

```shell
pip install grummage
```

### From GitHub Releases

Download the latest release from the [GitHub releases page](https://github.com/popey/grummage/releases).

### Using Homebrew (macOS/Linux)

```shell
brew tap popey/grummage
brew install grummage
```

### Using Docker

Note: `-it` is required for interaction with the application. Setting the `TERM` variable allows for better colour support.

```shell
docker run --rm -it -e TERM=xterm-256color -v $(pwd):/data ghcr.io/popey/grummage:latest /data/your-sbom.json
```

### Using Snap

```shell
sudo snap install grummage
```

### From Source

For development or if you prefer to install from source:

```shell
git clone https://github.com/popey/grummage
cd grummage
pip install -e .
```

### Using uv (Alternative)

If you use [uv](https://github.com/astral-sh/uv) for Python environment management:

```shell
git clone https://github.com/popey/grummage
cd grummage
uv venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
uv pip install -e .
```

## Usage

Point grummage at an SBOM (Software Bill of Materials):

```shell
grummage ./example_sboms/nextcloud-latest-syft-sbom.json
```

Grummage will check the grype vulnerability database, update it if needed, then load the SBOM and analyze it with Grype. A loading screen shows progress during these operations.

Once loaded, use the cursor keys or mouse to navigate the tree on the left pane.
Press Enter or mouse click on a vulnerability to obtain limited details.

### Keys:

**Navigation:**
* Arrow keys or `h`/`j`/`k`/`l` - Navigate the tree
* Enter - Select item

**Views:**
* `p` - View by package name
* `v` - View by vulnerability ID
* `t` - View by package type
* `s` - View by severity

**Search:**
* `/` - Search within current view
* `n` - Find next result
* `N` - Find previous result

**Actions:**
* `e` - Request further details via `grype explain`
* `q` - Quit

## Making SBOMs

I use [Syft](https://github.com/anchore/syft) to generate SBOMs, but other tools are available. For example:

```shell
syft nextcloud:latest -o syft-json=nextcloud-latest-syft-sbom.json
```

```
 ✔ Loaded image       nextcloud:latest
 ✔ Parsed image       sha256:44c884988b43e01e1434a66f58943dc809a193abf1a6df0f2cebad450e587ad7
 ✔ Cataloged contents bdca3ed5b303726bba5579564ab8fe5df700d637ae04f00689443260b26cc832
   ├── ✔ Packages                        [418 packages]
   ├── ✔ File digests                    [10,605 files]
   ├── ✔ File metadata                   [10,605 locations]
   └── ✔ Executables                     [1,317 executables]
```

## Distribution

Grummage is available through multiple distribution channels:

- **PyPI**: `pip install grummage`
- **Homebrew**: `brew tap popey/grummage && brew install grummage`
- **Docker**: `ghcr.io/popey/grummage:latest`
- **Snap**: `sudo snap install grummage`
- **GitHub Releases**: Pre-built packages available

## Caveats

I am an open-source enthusiast and self-taught coder creating projects driven by curiosity and a love for problem-solving. The code may have bugs or sharp edges. Kindly let me know if you find one, via an [issue](https://github.com/popey/grummage/issues). Thanks.
