Panoptisch - A way to understand your project's dependencies and find malicious packages

Aarnav Mahavir Bos aarnav.bos at code.berlin
Thu Dec 8 12:52:29 EST 2022


Hello all,

I would like to share Panoptisch, a FOSS (Free and Open Source Software)
tool I've been working on.

We all may have encountered the issue of not having a clear dependency tree
or not being sure of the modules our dependencies and sub-dependencies are
using.

Some of us may have also heard of supply chain attacks, where open source
projects are hijacked to distribute malicious code masquerading as the
original package. This can happen deep down in the dependency chain.

Panoptisch was born out of the need to accurately verify the modules used
in my project.
It recursively scans a Python module or file to find modules used and
exports a report in JSON which can be parsed for analysis.

For example, should your yaml parser, or its sub-dependencies, import
socket/os? Should your markdown renderer or its sub-dependencies import
sys/importlib? *Probably not.*
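To make the check above concrete, here is an added, stand-alone example of the idea (it is not Panoptisch's own code): walk a package's source files with the standard library `ast` module, inventory every top-level module each file imports, and flag the ones on a watchlist of modules a pure-text parser has no business touching. The package name `yamlish`, its file contents, and the watchlist are constructed for the example; the scanner also catches the dynamic forms `__import__("x")` and `importlib.import_module("x")` when the argument is a string literal, which a plain grep for `import` lines would miss.

```python
"""Static import inventory for a Python package, as a supply-chain sanity
check. Added example, not Panoptisch's own code; the sample package and
watchlist below are constructed."""
import ast
import json

# Modules whose presence inside, say, a YAML parser deserves a second look.
# This watchlist is an assumption for the example, not a fixed rule.
WATCHLIST = {"socket", "os", "sys", "importlib", "subprocess", "ctypes"}


def imported_modules(source: str) -> set[str]:
    """Return the top-level module names a source string imports.

    Covers `import a.b`, `from a.b import c`, and the dynamic forms
    `__import__("a")` / `importlib.import_module("a")` when the argument is
    a string literal. Relative imports (`from . import x`) are skipped since
    they stay inside the package being scanned.
    """
    tree = ast.parse(source)
    found: set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:
                found.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            target = node.func
            is_dunder = isinstance(target, ast.Name) and target.id == "__import__"
            is_importlib = (
                isinstance(target, ast.Attribute)
                and target.attr == "import_module"
                and isinstance(target.value, ast.Name)
                and target.value.id == "importlib"
            )
            if (is_dunder or is_importlib) and node.args:
                arg = node.args[0]
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    found.add(arg.value.split(".")[0])
    return found


def scan_package(files: dict[str, str]) -> dict:
    """Scan {relative path: source} and report, per file, every imported
    module plus the subset that is on the watchlist."""
    report = {}
    for path, source in files.items():
        mods = imported_modules(source)
        report[path] = {
            "imports": sorted(mods),
            "flagged": sorted(mods & WATCHLIST),
        }
    return report


# Constructed sample: a tiny hypothetical text-parsing package. The third
# file pulls in networking and a string-argument dynamic import, which is
# exactly what a review of a parser's dependency tree should surface.
SAMPLE_PACKAGE = {
    "yamlish/__init__.py": "from .parser import load\n",
    "yamlish/parser.py": (
        "import re\n"
        "import collections.abc\n"
        "def load(text):\n"
        "    return re.split(r':\\s*', text)\n"
    ),
    "yamlish/_compat.py": (
        "import socket\n"
        "import importlib\n"
        "mod = importlib.import_module('subprocess')\n"
    ),
}

if __name__ == "__main__":
    # Emit the report as JSON so it can be diffed between releases or fed
    # into a CI gate that fails on any non-empty "flagged" list.
    print(json.dumps(scan_package(SAMPLE_PACKAGE), indent=2))
```

A static inventory like this is a starting point rather than a verdict: a flagged import is a prompt to read the code, and a clean report does not rule out code that builds module names at run time from non-literal strings. Running it on every release and diffing the JSON makes an unexpected new import in a deep dependency stand out.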

Panoptisch is in early stages, has known limitations and is looking for
help! I would love feedback, contributions, and most important of all,
rigorous testing!

I would also love to help you integrate this tool in your workflow to write
more secure software.

Link: https://github.com/R9295/panoptisch
Short Demo: https://www.youtube.com/watch?v=bDJWl_odXx0

Thanks and Regards,
aarnav

