Skip to main content

Introducing pkgbot!

Écrit par:
Karen Yavine
Karen Yavine

19 janvier 2017

0 minutes de lecture

As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to be able to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular of a package I’m dealing with, so I can calculate how much time and effort I should spend on researching a vulnerability. A package with 50 million downloads a month and a package with 150 downloads a month shouldn’t have the same amount of effort channeled into research.

So instead of having 500 tabs open, trying to get a grasp of what I’m dealing with, I created a new friend. We call him pkgbot. I just couldn’t keep him all to myself though. He’s pretty helpful, and I find myself using him at least once a day. So we decided to open source him for everyone to use, edit and share their thoughts on what to improve.

He’s funny, he’s witty, and there is no one like him, give a round of applause to my friend, pkgbot!


Hey everybody!

I'm pkgbot. Nice to meet you. My purpose is almost as simple as this, but instead of butter, I get you all that lovely information you needed. From the description of the package to the number of downloads and even the number of vulnerabilities it and its dependencies have. I love my job, really I do.

I was born as a CLI tool written by Karen Yavine and Alon Niv, used by the Snyk Security Team while researching and adding vulnerabilities to their Vulnerability DB. All I needed was the npm package name, and I was a go! Like a knight fighting a forest of thorns, I fought my way through the network. I found the trail that led me straight to where I was going, npm API! And what a lovely place that is. I started collecting treasures for my beloved Snyk Security Team. That first time was rough, but ever since I’ve been happily collecting these treasures for them.

Here’s what it looks like:

pkgbot-npm

Eventually, we added Ruby support! This was fun, as the skills I acquired for npm helped me on my journey. I happily went to and from the RubyGems API as well.

pkgbot-ruby

And now, my friends, I’m here for you. Willing to go as far as the dependency sea and the vulnerability valley to show you all the vulnerabilities a package has, without you having to lift a finger. Well, besides going to Slack (But let’s be honest, you’re probably there right now talking about how awesome I am).

pkgbot-Snyk

*bows*

I’m not perfect, but I’m improving all the time and I’d appreciate it if you contributed to building me into a better, smarter, me!

Till next time,
Love,
Pkgbot

Publié dans: