Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
Jake
jake is a tool for checking your Python environments and applications that can:
- produce CycloneDX software bill-of-materials
- report on known vulnerabilities
jake is powered by Sonatype OSS Index and can also be used with Sonatype's Nexus IQ Server.
Installation
Install from pypi.org as you would any other Python module:
pip install jake
or
poetry add jake
Other Python package managers are available.
Usage
Getting Started
jake can guide you...
> jake --help
usage: jake [-h] [-v] [-w] [-X] ...
Put your Python dependencies in a chokehold
optional arguments:
-h, --help show this help message and exit
-v, --version show which version of jake you are running
-w, --warn-only prevents exit with non-zero code when issues have been
detected
-X enable debug output
Jake sub-commands:
iq perform a scan backed by Nexus Lifecycle
ddt perform a scan backed by OSS Index
sbom generate a CycloneDX software-bill-of-materials (no
vulnerabilities)
jake will exit with code 0 under normal operation and 1 if vulnerabilities are found (OSS Index) or Policy Violations are detected (Nexus IQ), unless you pass the -w flag, in which case jake will always exit with code 0.
Generating an SBOM
jake can take data from various inputs (or just look at your current Python environment) and produce a CycloneDX SBOM for you.
> jake sbom --help
usage: jake sbom [-h] [-f FILE_PATH] [-t TYPE] [-o PATH/TO/FILE]
[--output-format {json,xml}]
[--schema-version {1.0,1.1,1.2,1.3}]
optional arguments:
-h, --help show this help message and exit
-f FILE_PATH, --input FILE_PATH
Where to get input data from. If a path to a file is
not specified directly here,then we will attempt to
read data from STDIN. If there is no data on STDIN, we
will then fall back to looking for standard files in
the current directory that relate to the type of input
indicated by the -t flag.
-t TYPE, --type TYPE, -it TYPE, --input-type TYPE
how jake should find the packages from which to
generate your SBOM.ENV = Read from the current Python
Environment; CONDA = Read output from `conda list
--explicit`; CONDA_JSON = Read output from `conda list
--json`; PIP = read from a requirements.txt; PIPENV =
read from Pipfile.lock; POETRY = read from a
poetry.lock. (Default = ENV)
-o PATH/TO/FILE, --output-file PATH/TO/FILE
Specify a file to output the SBOM to
--output-format {json,xml}
SBOM output format (default = xml)
--schema-version {1.0,1.1,1.2,1.3}
CycloneDX schema version to use (default = 1.3)
Check out these examples using STDIN:
conda list --explicit --md5 | jake sbom -t CONDA
conda list --json | jake sbom -t CONDA_JSON
cat /path/to/Pipfile.lock | python -m jake.app sbom -t PIPENV
Check out these examples specifying a manifest:
jake sbom -t PIP -f /path/to/requirements.txt
jake sbom -t PIPENV -f /path/to/Pipfile.lock
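To show what the -t PIP input path boils down to, here is an added example (not jake's own code) that turns pinned requirements.txt lines into a minimal CycloneDX 1.3 JSON document with pkg:pypi purls; the requirements content is constructed for the example, and lines without an exact == pin are reported rather than guessed, since a purl needs an exact version.

```python
# Added example, not part of jake: build a minimal CycloneDX 1.3 JSON SBOM
# from requirements.txt content, as `jake sbom -t PIP` does for pinned
# requirements. Standard library only.
import json
import re
from urllib.parse import quote

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# pinned application dependencies
requests==2.25.1
PyYAML==5.3.1 ; python_version >= "3.6"
cryptography[ssh]==3.2
flask>=1.1        # unpinned: no exact version to look up
-r other.txt
"""

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of . _ - collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pinned(text: str):
    """Return (pinned, skipped): pinned is a list of (name, version);
    skipped holds lines with no exact '==' pin, which cannot map to a purl."""
    pinned, skipped = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):   # options such as -r/-e are not packages
            continue
        m = _PIN.match(line)
        if m:
            pinned.append((normalize_name(m.group(1)), m.group(2)))
        else:
            skipped.append(line)
    return pinned, skipped

def to_cyclonedx(pinned) -> dict:
    """Wrap components in a CycloneDX 1.3 JSON document with pkg:pypi purls."""
    comps = [{"type": "library", "name": n, "version": v,
              "purl": f"pkg:pypi/{quote(n)}@{quote(v)}"} for n, v in pinned]
    return {"bomFormat": "CycloneDX", "specVersion": "1.3", "version": 1,
            "components": comps}

if __name__ == "__main__":
    pinned, skipped = parse_pinned(SAMPLE_REQUIREMENTS)
    print(json.dumps(to_cyclonedx(pinned), indent=2))
    for line in skipped:
        print("skipped (no exact pin):", line)
```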
Check for vulnerabilities using OSS Index
jake will look at the packages installed in your current Python environment and check them against OSS Index for you. Optionally, it can create a CycloneDX software bill-of-materials at the same time in a format that suits you.
> jake ddt --help
usage: jake ddt [-h] [-f FILE_PATH] [-t TYPE] [--clear-cache] [-o PATH/TO/FILE]
[--output-format {xml,json}]
[--schema-version {1.2,1.1,1.0,1.3}]
[--whitelist OSS_WHITELIST_JSON_FILE]
optional arguments:
-h, --help show this help message and exit
-f FILE_PATH, --input-file FILE_PATH
Where to get input data from. If a path to a file is
not specified directly here,then we will attempt to
read data from STDIN. If there is no data on STDIN, we
will then fall back to looking for standard files in
the current directory that relate to the type of input
indicated by the -t flag.
-t TYPE, --type TYPE, -it TYPE, --input-type TYPE
how jake should find the packages from which to
generate your SBOM.ENV = Read from the current Python
Environment; CONDA = Read output from `conda list
--explicit`; CONDA_JSON = Read output from `conda list
--json`; PIP = read from a requirements.txt; PIPENV =
read from Pipfile.lock; POETRY = read from a
poetry.lock. (Default = ENV)
--clear-cache Clears any local cached OSS Index data prior to execution
-o PATH/TO/FILE, --output-file PATH/TO/FILE
Specify a file to output the SBOM to. If not specified the report will be output to the console. STDOUT is not supported.
--output-format {xml,json}
SBOM output format (default = xml)
--schema-version {1.2,1.1,1.0,1.3}
CycloneDX schema version to use (default = 1.3)
--whitelist OSS_WHITELIST_JSON_FILE
Set path to whitelist json file
So you can quickly get a report by running:
> jake ddt
___ ___ ___
___ / /\ / /\ / /\
/__/\ / /::\ / /:/ / /::\
\__\:\ / /:/\:\ / /:/ / /:/\:\
___ / /::\ / /::\ \:\ / /::\____ / /::\ \:\
/__/\ /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
\ \:\/:/~~ \__\/ \:\/:/ \__\/~|:|~~~~ \ \:\ \:\_\/
\ \::/ \__\::/ | |:| \ \:\ \:\
\__\/ / /:/ | |:| \ \:\_\/
/__/:/ |__|:| \ \:\
\__\/ \__\| \__\/
/) /)
_/_(/ _ _ __ _ (/_ _
o o (__/ )__(/_ /_)_/ (_(_(_/(___(/_ o o
Jake Version: 1.1.0
Put your Python dependencies in a chokehold.
🐍 Collected 42 packages from your environment (0:00:00.10)
🐍 Successfully queried OSS Index for package and vulnerability info (0:00:00.59)
🐍 Sane number of results from OSS Index
╔Summary═══════════════╦════╗
║ Audited Dependencies ║ 42 ║
╠══════════════════════╬════╣
║ Vulnerablities Found ║ 0 ║
╚══════════════════════╩════╝
...and this is what jake will output if any bad things are found:
___ ___ ___
___ / /\ / /\ / /\
/__/\ / /::\ / /:/ / /::\
\__\:\ / /:/\:\ / /:/ / /:/\:\
___ / /::\ / /::\ \:\ / /::\____ / /::\ \:\
/__/\ /:/\/ /__/:/\:\_\:\ /__/:/\:::::\ /__/:/\:\ \:\
\ \:\/:/~~ \__\/ \:\/:/ \__\/~|:|~~~~ \ \:\ \:\_\/
\ \::/ \__\::/ | |:| \ \:\ \:\
\__\/ / /:/ | |:| \ \:\_\/
/__/:/ |__|:| \ \:\
\__\/ \__\| \__\/
/) /)
_/_(/ _ _ __ _ (/_ _
o o (__/ )__(/_ /_)_/ (_(_(_/(___(/_ o o
Jake Version: 1.1.5
Put your Python dependencies in a chokehold
🐍 Collected 69 packages from your environment