Skip to main content

Introducing pkgbot!

著者:
Karen Yavine

Karen Yavine

2017年1月19日

0 分で読めます

As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to be able to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular of a package I’m dealing with, so I can calculate how much time and effort I should spend on researching a vulnerability. A package with 50 million downloads a month and a package with 150 downloads a month shouldn’t have the same amount of effort channeled into research.

So instead of having 500 tabs open, trying to get a grasp of what I’m dealing with, I created a new friend. We call him pkgbot. I just couldn’t keep him all to myself though. He’s pretty helpful, and I find myself using him at least once a day. So we decided to open source him for everyone to use, edit and share their thoughts on what to improve.

He’s funny, he’s witty, and there is no one like him, give a round of applause to my friend, pkgbot!


Hey everybody!

I'm pkgbot. Nice to meet you. My purpose is almost as simple as this, but instead of butter, I get you all that lovely information you needed. From the description of the package to the number of downloads and even the number of vulnerabilities it and its dependencies have. I love my job, really I do.

I was born as a CLI tool written by Karen Yavine and Alon Niv, used by the Snyk Security Team while researching and adding vulnerabilities to their Vulnerability DB. All I needed was the npm package name, and I was a go! Like a knight fighting a forest of thorns, I fought my way through the network. I found the trail that led me straight to where I was going, npm API! And what a lovely place that is. I started collecting treasures for my beloved Snyk Security Team. That first time was rough, but ever since I’ve been happily collecting these treasures for them.

Here’s what it looks like:

pkgbot-npm

Eventually, we added Ruby support! This was fun, as the skills I acquired for npm helped me on my journey. I happily went to and from the RubyGems API as well.

pkgbot-ruby

And now, my friends, I’m here for you. Willing to go as far as the dependency sea and the vulnerability valley to show you all the vulnerabilities a package has, without you having to lift a finger. Well, besides going to Slack (But let’s be honest, you’re probably there right now talking about how awesome I am).

pkgbot-Snyk

*bows*

I’m not perfect, but I’m improving all the time and I’d appreciate it if you contributed to building me into a better, smarter, me!

Till next time,
Love,
Pkgbot

カテゴリー:

セキュリティチャンピオンプログラムの構築方法

Snykは、セキュリティチャンピオンプログラムを成功させた、または失敗した20人以上のセキュリティリーダーとのインタビューを実施しました。このガイドを参照し、開発者を中心とした効果的なセキュリティチャンピオンプログラムの進め方を学びましょう。