As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular a package I’m dealing with is, so I can calculate how much time and effort I should spend on researching a vulnerability. A package with 50 million downloads a month and a package with 150 downloads a month shouldn’t have the same amount of effort channeled into research.
So instead of having 500 tabs open, trying to get a grasp of what I’m dealing with, I created a new friend. We call him pkgbot. I just couldn’t keep him all to myself though. He’s pretty helpful, and I find myself using him at least once a day. So we decided to open source him for everyone to use, edit and share their thoughts on what to improve.
He’s funny, he’s witty, and there is no one like him. Give a round of applause to my friend, pkgbot.
Nice to meet you. My purpose is almost as simple as this, but instead of butter, I get you all that lovely information you needed. From the description of the package to the number of downloads and even the number of vulnerabilities it and its dependencies have. I love my job, really I do.
I was born as a CLI tool written by Karen Yavine and Alon Niv, used by the Snyk Security Team while researching and adding vulnerabilities to their Vulnerability DB. All I needed was the npm package name, and I was a go! Like a knight fighting a forest of thorns, I fought my way through the network. I found the trail that led me straight to where I was going, npm API! And what a lovely place that is. I started collecting treasures for my beloved Snyk Security Team. That first time was rough, but ever since I’ve been happily collecting these treasures for them.
Here’s what it looks like:
Eventually, we added Ruby support! This was fun, as the skills I acquired for npm helped me on my journey. I happily went to and from the RubyGems API as well.
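To show the kind of lookup described above in working code, here is an added example (not pkgbot’s own source) that fetches an npm package’s registry document and its last-month download count, then reduces them to the fields an analyst triages on. It assumes the public npm endpoints `https://registry.npmjs.org/<name>` and `https://api.npmjs.org/downloads/point/last-month/<name>`; vulnerability counts come from Snyk’s database and are not covered here.

```python
"""Summarise an npm package the way pkgbot does: description, latest
version, direct dependencies and monthly downloads.  Added example, not
pkgbot's code; the two endpoint URLs below are assumed."""
import json
import urllib.request
from dataclasses import dataclass
from urllib.parse import quote

REGISTRY = "https://registry.npmjs.org/"
DOWNLOADS = "https://api.npmjs.org/downloads/point/last-month/"


@dataclass
class PackageSummary:
    name: str
    version: str
    description: str
    dependencies: dict      # direct runtime deps of the latest release
    monthly_downloads: int


def summarise(registry_doc: dict, downloads_doc: dict) -> PackageSummary:
    """Reduce the two API responses to what an analyst wants to see."""
    latest = registry_doc["dist-tags"]["latest"]
    release = registry_doc["versions"][latest]
    return PackageSummary(
        name=registry_doc["name"],
        version=latest,
        description=registry_doc.get("description", ""),
        dependencies=release.get("dependencies", {}),
        monthly_downloads=int(downloads_doc.get("downloads", 0)),
    )


def fetch_summary(name: str) -> PackageSummary:
    """Live lookup (needs network). Scoped names like @scope/pkg must have
    their slash encoded as %2F for the registry document URL."""
    with urllib.request.urlopen(REGISTRY + quote(name, safe="@")) as r:
        registry_doc = json.load(r)
    with urllib.request.urlopen(DOWNLOADS + name) as r:
        downloads_doc = json.load(r)
    return summarise(registry_doc, downloads_doc)


# Constructed sample responses so the example runs offline.
SAMPLE_REGISTRY = {
    "name": "example-pkg", "description": "A constructed sample package",
    "dist-tags": {"latest": "2.1.0"},
    "versions": {"1.0.0": {"dependencies": {"lodash": "^3.0.0"}},
                 "2.1.0": {"dependencies": {"lodash": "^4.17.21", "debug": "^4.3.4"}}},
}
SAMPLE_DOWNLOADS = {"downloads": 150, "package": "example-pkg"}

if __name__ == "__main__":
    print(summarise(SAMPLE_REGISTRY, SAMPLE_DOWNLOADS))
```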
And now, my friends, I’m here for you. Willing to go as far as the dependency sea and the vulnerability valley to show you all the vulnerabilities a package has, without you having to lift a finger. Well, besides going to Slack (but let’s be honest, you’re probably there right now talking about how awesome I am).
I’m not perfect, but I’m improving all the time, and I’d appreciate it if you contributed to building me into a better, smarter me!
Till next time,