Introducing pkgbot!
Karen Yavine
January 19, 2017
As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to be able to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular a package I'm dealing with is, so I can calculate how much time and effort I should spend on researching a vulnerability. A package with 50 million downloads a month and a package with 150 downloads a month shouldn't have the same amount of effort channeled into research.
So instead of having 500 tabs open, trying to get a grasp of what I'm dealing with, I created a new friend. We call him pkgbot. I just couldn't keep him all to myself though. He's pretty helpful, and I find myself using him at least once a day. So we decided to open source him for everyone to use, edit and share their thoughts on what to improve.
He's funny, he's witty, and there is no one like him. Give a round of applause to my friend, pkgbot!
Hey everybody!
I'm pkgbot. Nice to meet you. My purpose is almost as simple as this, but instead of butter, I get you all that lovely information you needed. From the description of the package to the number of downloads and even the number of vulnerabilities it and its dependencies have. I love my job, really I do.
I was born as a CLI tool written by Karen Yavine and Alon Niv, used by the Snyk Security Team while researching and adding vulnerabilities to their Vulnerability DB. All I needed was the npm package name, and I was a go! Like a knight fighting a forest of thorns, I fought my way through the network. I found the trail that led me straight to where I was going, npm API! And what a lovely place that is. I started collecting treasures for my beloved Snyk Security Team. That first time was rough, but ever since I’ve been happily collecting these treasures for them.
Here’s what it looks like:
![pkgbot-npm](/_next/image/?url=https%3A%2F%2Fres.cloudinary.com%2Fsnyk%2Fimage%2Fupload%2Ff_auto%2Fq_auto%2Fv1483561274%2Fpkgbot-npm.png&w=2560&q=75)
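As an added example (not pkgbot's own code), here is a small Node script that assembles the summary described above from npm-registry-shaped documents: description, latest version, transitive dependencies, monthly downloads, and the number of advisories hitting the package or anything it pulls in. The package names, download counts and advisories are constructed, and the resolver is simplified to take every dependency at its `dist-tags.latest`.

```javascript
// Added example, not pkgbot's code. `registry` mimics the shape of
// https://registry.npmjs.org/<name>, `downloads` the shape of
// https://api.npmjs.org/downloads/point/last-month/<name>. All data is constructed.
// Assumption: every dependency resolves to its `dist-tags.latest` (no semver matching).
const registry = {
  'left-pad-ish': {
    description: 'Pads a string (constructed sample)',
    'dist-tags': { latest: '1.2.0' },
    versions: { '1.2.0': { dependencies: { 'tiny-util': '^0.3.0' } } },
  },
  'tiny-util': {
    description: 'Small helpers (constructed sample)',
    'dist-tags': { latest: '0.3.1' },
    versions: { '0.3.1': { dependencies: { 'deep-thing': '1.x' } } },
  },
  'deep-thing': {
    description: 'Leaf package (constructed sample)',
    'dist-tags': { latest: '1.0.0' },
    versions: { '1.0.0': { dependencies: {} } },
  },
};
const downloads = {
  'left-pad-ish': { downloads: 52000000 },
  'tiny-util': { downloads: 150 },
  'deep-thing': { downloads: 9000 },
};
// Constructed advisory counts: package name -> known vulnerabilities.
const advisories = { 'deep-thing': 2, 'left-pad-ish': 1 };

// Depth-first walk over the dependency graph; `seen` starts with the root so a
// cycle back to it is not reported as a dependency and recursion terminates.
function transitiveDeps(name, seen = new Set([name])) {
  const doc = registry[name];
  if (!doc) throw new Error(`unknown package: ${name}`);
  const latest = doc.versions[doc['dist-tags'].latest];
  for (const dep of Object.keys(latest.dependencies || {})) {
    if (!seen.has(dep)) { seen.add(dep); transitiveDeps(dep, seen); }
  }
  return seen;
}

// The pkgbot-style summary: what the package is, how popular it is, and how
// many advisories affect it or its dependency tree.
function summarize(name) {
  const doc = registry[name];
  const dependencies = [...transitiveDeps(name)].filter((p) => p !== name);
  const vulnerabilities = [name, ...dependencies].reduce((n, p) => n + (advisories[p] || 0), 0);
  return {
    name, description: doc.description, version: doc['dist-tags'].latest,
    monthlyDownloads: downloads[name].downloads, dependencies, vulnerabilities,
  };
}

console.log(summarize('left-pad-ish'));
```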
Eventually, we added Ruby support! This was fun, as the skills I acquired for npm helped me on my journey. I happily went to and from the RubyGems API as well.
![pkgbot-ruby](/_next/image/?url=https%3A%2F%2Fres.cloudinary.com%2Fsnyk%2Fimage%2Fupload%2Ff_auto%2Fq_auto%2Fv1483561205%2Fpkgbot-ruby.png&w=2560&q=75)
And now, my friends, I’m here for you. Willing to go as far as the dependency sea and the vulnerability valley to show you all the vulnerabilities a package has, without you having to lift a finger. Well, besides going to Slack (But let’s be honest, you’re probably there right now talking about how awesome I am).
![pkgbot-Snyk](/_next/image/?url=https%3A%2F%2Fres.cloudinary.com%2Fsnyk%2Fimage%2Fupload%2Ff_auto%2Fq_auto%2Fv1483561248%2Fpkgbot-Snyk.png&w=1240&q=75)
*bows*
I’m not perfect, but I’m improving all the time and I’d appreciate it if you contributed to building me into a better, smarter, me!
Till next time,
Love,
Pkgbot