Package takeovers #1271
Replies: 2 comments 2 replies
- Hmm interesting. I'm definitely on board with this. This will probably hinge on the family of modules we build around I'm currently working on optimizing our regex performance, and once that happens we can start leveraging all the CPU cores for this kind of extraction.
- I'm already looking at what data the
- This may be a far-out idea that may not be feasible, but a module that extracts private `pip`, `npm` or `gem` packages and looks them up on the public registries. For example, if a code repository's README.md mentions `pip install nonexistentpackage`, that could be extracted and passed to this module, which would look it up at https://pypi.org/ and, if it does not exist, raise it as a finding. This is a good article which explains it better than me: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
  I don't believe READMEs are currently analyzed, so that may be needed as a prerequisite. There are probably other things that need validating, but I would love to know your thoughts.
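The README check sketched in the post above, as an added Python example (not code from the project or from the poster): it extracts `pip`/`npm`/`gem` install targets from README text and reports every name that a pluggable lookup says is absent from the public registry, which is the signal a dependency-confusion claim would need. The regexes, the sample README and the offline `stub_exists` registry are constructed for this example; `public_registry_exists` uses the registries' real metadata endpoints for a live run and is not called by the offline demo.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Install commands that name a package directly (constructed patterns for this
# example; commands that begin with flags, e.g. `pip install -r ...`, are skipped).
INSTALL_PATTERNS = {
    "pypi": re.compile(r"\bpip3?\s+install\s+([A-Za-z0-9][A-Za-z0-9._-]*)"),
    "npm": re.compile(r"\bnpm\s+(?:install|i)\s+((?:@[\w.-]+/)?[A-Za-z0-9][\w.-]*)"),
    "rubygems": re.compile(r"\bgem\s+install\s+([A-Za-z0-9][A-Za-z0-9._-]*)"),
}
# Public metadata endpoints; an HTTP 404 means the name is unclaimed there.
PUBLIC_LOOKUP_URLS = {
    "pypi": "https://pypi.org/pypi/{name}/json",
    "npm": "https://registry.npmjs.org/{name}",
    "rubygems": "https://rubygems.org/api/v1/gems/{name}.json",
}

def public_registry_exists(registry: str, name: str) -> bool:
    """Live check against the public registry (not used by the offline demo)."""
    url = PUBLIC_LOOKUP_URLS[registry].format(name=urllib.parse.quote(name, safe="@/"))
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise  # rate limits or outages must not be mistaken for "unclaimed"

def extract_install_targets(readme: str) -> list[tuple[str, str]]:
    """Return (registry, package) pairs named by install commands in the README."""
    return [(reg, m.group(1)) for reg, pat in INSTALL_PATTERNS.items()
            for m in pat.finditer(readme)]

def find_unregistered(readme: str, exists) -> list[dict]:
    """Flag each distinct install target that `exists(registry, name)` rejects."""
    findings, seen = [], set()
    for registry, name in extract_install_targets(readme):
        if (registry, name.lower()) in seen:
            continue
        seen.add((registry, name.lower()))
        if not exists(registry, name):
            findings.append({"registry": registry, "package": name,
                             "rule": "unclaimed-public-package-name"})
    return findings

# Constructed README and an offline stand-in for the public registries.
SAMPLE_README = ("## Install\n    pip install acme-internal-tools==1.4\n    pip install requests\n"
                 "    npm install @acme/build-helpers\n    gem install rails\n")
KNOWN_PUBLIC = {("pypi", "requests"), ("npm", "express"), ("rubygems", "rails")}

def stub_exists(registry: str, name: str) -> bool:
    return (registry, name.lower()) in KNOWN_PUBLIC
```

Running `find_unregistered(SAMPLE_README, stub_exists)` reports `acme-internal-tools` on PyPI and `@acme/build-helpers` on npm; swapping in `public_registry_exists` gives the live version of the check.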