Do you manage a GitHub org with a bunch of repositories? Do you have a hard time scrambling when the latest NPM supply-chain attack hits, and you have to determine whether or not your repositories are impacted? The Poison-Pillminder can help.
What is Poison-Pillminder?
Poison-Pillminder is a tool which helps you find specific versions of dependencies in your sea of repositories and dependencies. This allows you to quickly and easily determine whether or not that latest round of SHA1-Hulud packages impacts you. Instead of spending hours digging, simply collect a list of package names with version ranges in a CSV file and run the poison-pillminder. The tool works with semantic version range expressions, and the CSV file looks something like this:
actions/checkout,4.*.*
@jest/console,30.1.0 - 30.2.0
@missing/doesnt-exist,1.2.3
graceful-fs,^4.1.3
is-generator-fn,^2.5.3
This CSV file is looking for five different packages:
- actions/checkout with any version matching wildcard 4.*.*
- @jest/console with versions between 30.1.0 and 30.2.0
- @missing/doesnt-exist at exactly version 1.2.3
- graceful-fs matching ^4.1.3
- is-generator-fn version ^2.5.3
There are more samples in the repository, but you get the idea. This allows you to focus on the risk you’re hunting for, and it also keeps it in a format that’s easy to version-control and share with peers, allowing coordination in the field.
The tool supports a number of search patterns:
- Searching in all repos for an organization or user, with an optional topic filter
- Searching in specific repos for an organization or user
./poison-pillminder -f ./sample-needlestack.csv \
--owner manchicken \
--owner-is-user
This command will look for all dependency versions specified in ./sample-needlestack.csv, in all repositories belonging to user manchicken, without complaining about the repositories it finds which don’t have SBOM support enabled.
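To make the matching concrete, here is an added example written for this post (it is not Poison-Pillminder's own source). It reads the needlestack CSV shown above, expands a subset of node-semver range syntax (exact versions, wildcards, caret, tilde and hyphen ranges), and checks every package in an SBOM-style dependency list against those ranges. The SBOM fragment is constructed sample data, and the handling of an `npm:` ecosystem prefix on package names (as in GitHub's SPDX export) is an assumption, labelled in the code.

```python
"""Minimal "needlestack" matcher: CSV of package,range needles vs. an SBOM package list.
Example code added for illustration; not the Poison-Pillminder project's code."""
import csv
import io
import re
from typing import Callable, Iterable

Version = tuple[int, int, int]
Predicate = Callable[[Version], bool]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH', ignoring a leading 'v' and any -prerelease/+build suffix."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_range(spec: str) -> Predicate:
    """Turn a range expression into a predicate over parsed versions."""
    spec = spec.strip()
    if " - " in spec:  # hyphen range "30.1.0 - 30.2.0": inclusive on both ends
        lo_s, hi_s = spec.split(" - ", 1)
        lo, hi = parse_version(lo_s), parse_version(hi_s)
        return lambda v: lo <= v <= hi
    parts = spec.split(".")
    if any(p in ("*", "x", "X") for p in parts):  # wildcard "4.*.*" / "4.2.x"
        fixed = []
        for p in parts:
            if p in ("*", "x", "X"):
                break
            fixed.append(int(p))
        return lambda v: list(v[: len(fixed)]) == fixed
    if spec.startswith("^"):  # caret: the left-most non-zero component may not change
        lo = parse_version(spec[1:])
        if lo[0] > 0:
            hi: Version = (lo[0] + 1, 0, 0)
        elif lo[1] > 0:
            hi = (0, lo[1] + 1, 0)
        else:
            hi = (0, 0, lo[2] + 1)
        return lambda v: lo <= v < hi
    if spec.startswith("~"):  # tilde "~4.1.3": >=4.1.3 <4.2.0
        lo = parse_version(spec[1:])
        hi = (lo[0], lo[1] + 1, 0)
        return lambda v: lo <= v < hi
    exact = parse_version(spec)  # anything else must be an exact version
    return lambda v: v == exact


def load_needles(csv_text: str) -> list[tuple[str, str, Predicate]]:
    """Read 'package,range' rows; blank lines and '#' comments are skipped."""
    needles = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue
        name, spec = row[0].strip(), row[1].strip()
        needles.append((name, spec, parse_range(spec)))
    return needles


def find_hits(needles: list[tuple[str, str, Predicate]], sbom_packages: Iterable[dict]) -> list[dict]:
    """Return one record per SBOM package whose version falls inside a hunted range."""
    by_name: dict[str, list[tuple[str, Predicate]]] = {}
    for name, spec, pred in needles:
        by_name.setdefault(name, []).append((spec, pred))
    hits = []
    for pkg in sbom_packages:
        # Assumption: names may carry an ecosystem prefix such as "npm:graceful-fs"
        # (the shape of GitHub's SPDX export); strip it before comparing.
        name = pkg["name"].split(":", 1)[-1]
        if name not in by_name:
            continue
        try:
            version = parse_version(pkg["versionInfo"])
        except ValueError:
            continue  # non-semver ecosystems are out of scope, as the post notes
        for spec, pred in by_name[name]:
            if pred(version):
                hits.append({"package": name, "version": pkg["versionInfo"], "range": spec})
    return hits


# The needlestack from the post, embedded so the example runs offline.
SAMPLE_NEEDLESTACK = """\
actions/checkout,4.*.*
@jest/console,30.1.0 - 30.2.0
@missing/doesnt-exist,1.2.3
graceful-fs,^4.1.3
is-generator-fn,^2.5.3
"""

# Constructed SBOM fragment for one repository (not real GitHub output).
SAMPLE_SBOM_PACKAGES = [
    {"name": "npm:graceful-fs", "versionInfo": "4.2.11"},
    {"name": "npm:@jest/console", "versionInfo": "30.1.2"},
    {"name": "npm:@jest/console", "versionInfo": "29.7.0"},
    {"name": "npm:is-generator-fn", "versionInfo": "3.0.0"},
    {"name": "actions/checkout", "versionInfo": "4.2.2"},
    {"name": "npm:lodash", "versionInfo": "4.17.21"},
]


def scan_sample() -> list[dict]:
    """Run the sample needlestack against the sample SBOM; expect three hits."""
    return find_hits(load_needles(SAMPLE_NEEDLESTACK), SAMPLE_SBOM_PACKAGES)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['package']}@{hit['version']} matches {hit['range']}")
```

Note that is-generator-fn 3.0.0 is not reported: a caret range pins the major version, so ^2.5.3 stops short of 3.0.0, and @jest/console 29.7.0 falls outside the hyphen range. That is exactly the precision you want when a compromised release is confined to a few versions and you do not want to chase every repository that merely depends on the package.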
Limitations
Presently, the Poison-Pillminder relies on SBOM APIs provided by GitHub, though I hope to add other providers as well (PRs are welcome). This comes with a couple of limitations:
- I feel this one goes without saying, but for now this tool only supports GitHub.
- Repositories without dependency scanning enabled will not be visible to the tool.
- GitHub rate limits apply, so for larger sets of repositories the tool may take longer to run. The tool honours GitHub's rate limiting and will throttle itself to stay within those limits.
- Only package ecosystems which adhere to semantic versioning are supported.
Coming Soon
- The ability to toggle including/ignoring archived repositories
- GitLab support
I still want to add Forgejo support, but I can’t until I find a path for getting per-repository dependency data.
Issues and Feedback
If you have any issues or feedback, please create an issue on the repository: https://codeberg.org/manchicken/poison-pillminder