@atomist/sdm-pack-fingerprint
an Atomist SDM Extension Pack for fingerprinting code
Atomist software delivery machine (SDM) extension pack providing fingerprinting support.
See the Atomist documentation for more information on what SDMs are and what they can do for you using the Atomist API for software.
This pack sets a goal to monitor all git pushes and tracks the following aspects:

- `project.clj` files are monitored for updates to library dependencies and project version.
- `pom.xml` files are monitored for updates to maven library dependencies and version coordinates.
- `package.json` files are monitored for updates to module dependencies and package version changes.

This monitoring happens by computing a set of fingerprints on every commit. The fingerprints that are computed depend on the type of project. We currently compute fingerprints for maven, clojure, and npm projects.
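To make the fingerprinting idea concrete, here is an added example (not code from this pack) of what a `package.json` dependency fingerprint is, how two fingerprints from consecutive pushes are diffed, and how a fingerprint is checked against a target state. The function names `npmDepsFingerprint`, `diffFingerprints` and `checkAgainstTarget` are hypothetical, and the two `package.json` documents are constructed sample input, not real project files.

```typescript
// Added example, not code from @atomist/sdm-pack-fingerprint. Names and
// sample input are hypothetical/constructed.
import { createHash } from "crypto";

export interface Fingerprint {
  name: string;                   // fingerprint type, e.g. "npm-project-deps"
  sha: string;                    // hash over canonical data; changes only when deps change
  data: Record<string, string>;   // dependency name -> version range
}

export interface FingerprintDiff {
  added: string[];
  removed: string[];
  changed: Array<{ dep: string; from: string; to: string }>;
}

// Canonicalize before hashing so that reordering keys in package.json
// (a no-op for the project) does not produce a "changed" fingerprint.
function canonical(data: Record<string, string>): string {
  return JSON.stringify(Object.keys(data).sort().map(k => [k, data[k]]));
}

// Compute the fingerprint of a package.json document: all declared
// dependencies and devDependencies, hashed with SHA-256.
export function npmDepsFingerprint(packageJson: string): Fingerprint {
  const pkg = JSON.parse(packageJson);
  const data: Record<string, string> = {};
  for (const section of ["dependencies", "devDependencies"]) {
    const deps = pkg[section] || {};
    for (const dep of Object.keys(deps)) {
      data[dep] = String(deps[dep]);
    }
  }
  const sha = createHash("sha256").update(canonical(data)).digest("hex");
  return { name: "npm-project-deps", sha, data };
}

// Diff two fingerprints of the same type, e.g. before and after a push.
export function diffFingerprints(before: Fingerprint, after: Fingerprint): FingerprintDiff {
  const diff: FingerprintDiff = { added: [], removed: [], changed: [] };
  for (const dep of Object.keys(after.data)) {
    if (!(dep in before.data)) {
      diff.added.push(dep);
    } else if (before.data[dep] !== after.data[dep]) {
      diff.changed.push({ dep, from: before.data[dep], to: after.data[dep] });
    }
  }
  for (const dep of Object.keys(before.data)) {
    if (!(dep in after.data)) {
      diff.removed.push(dep);
    }
  }
  return diff;
}

// Goal-state check: the target lists approved dependencies and versions.
// Report drift from the target, and report dependencies that the target
// does not know about at all, since a dependency nobody approved is the
// case a reviewer most wants to see.
export function checkAgainstTarget(fp: Fingerprint, target: Record<string, string>): string[] {
  const findings: string[] = [];
  for (const dep of Object.keys(fp.data)) {
    const version = fp.data[dep];
    if (!(dep in target)) {
      findings.push(`unapproved dependency ${dep}@${version}`);
    } else if (target[dep] !== version) {
      findings.push(`${dep}: ${version} differs from target ${target[dep]}`);
    }
  }
  return findings;
}

// Constructed sample input: package.json before and after a push.
export const BEFORE = JSON.stringify({
  dependencies: { lodash: "^4.17.15", express: "^4.17.1" },
});
export const AFTER = JSON.stringify({
  dependencies: { express: "^4.17.1", lodash: "^4.17.21", lodahs: "^1.0.0" },
});
export const TARGET: Record<string, string> = { lodash: "^4.17.21", express: "^4.17.1" };
```

Running `diffFingerprints(npmDepsFingerprint(BEFORE), npmDepsFingerprint(AFTER))` on the sample reports `lodash` as changed and `lodahs` as added, and `checkAgainstTarget` on the new fingerprint flags only `lodahs`, which is not in the target. This is the split the pack's `handler`/`diffHandler` pair makes: a diff handler fires only when the sha moves, a plain handler can compare against a target on every push.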
When a new fingerprint is computed, we can drive interesting behaviors such as:
Make the following updates to your machine:

1. Create a `Fingerprint` goal:

```typescript
import { fingerprintSupport } from "@atomist/sdm-pack-fingerprints";
import { Fingerprint } from "@atomist/sdm";

// create a goal to fingerprint all new Pushes
export const FingerprintGoal = new Fingerprint();
```

2. Enable the `FingerprintGoal` for some push rules. Normally, this is done as part of creating your machine:

```typescript
import { whenPushSatisfies } from "@atomist/sdm";
import { createSoftwareDeliveryMachine } from "@atomist/sdm-core";
import { IsLein } from "@atomist/sdm-pack-clojure";

// there will usually be more than one Push rule here
const sdm = createSoftwareDeliveryMachine({
        ...config,
    },
    whenPushSatisfies(IsLein)
        .itMeans("fingerprint a clojure project")
        .setGoals(FingerprintGoal));
```

3. Update your `sdm` definition. There'll be some new imports:
```typescript
import { GitProject } from "@atomist/automation-client";
import {
    applyFingerprint,
    checkFingerprintTargets,
    depsFingerprints,
    fingerprintSupport,
    forFingerprints,
    FP,
    logbackFingerprints,
    renderData,
    renderDiffSnippet,
} from "@atomist/sdm-pack-fingerprints";
```

and then you'll have to add the extension pack to your machine definition:

```typescript
// add this pack to your SDM
sdm.addExtensionPacks(
    fingerprintSupport(
        FingerprintGoal,
        async (p: GitProject) => {
            // COMPUTE fingerprints: called on every Push
            return depsFingerprints(p.baseDir);
        },
        async (p: GitProject, fp: FP) => {
            // APPLY fingerprint to Project (currently only through user actions in chat)
            return applyFingerprint(p.baseDir, fp);
        },
        {
            selector: forFingerprints("backpack-react-scripts"),
            handler: async (ctx, diff) => {
                // HANDLE new fingerprint (even if it hasn't changed in this push)
                return checkFingerprintTargets(ctx, diff);
            },
            diffHandler: async (ctx, diff) => {
                // HANDLE new fingerprint (only when the fingerprint sha is updated)
                return renderDiffSnippet(ctx, diff);
            },
        },
    ),
);
```
In the example above, we have a module which computes a set of fingerprints on every Push (one of them is named `backpack-react-scripts`). The pack also notices if a newly computed fingerprint has either changed, or is different from a goal state. It will then present the user with options to do things like:
General support questions should be discussed in the #support channel in the Atomist community Slack workspace.
If you find a problem, please create an issue.
You will need to install node to build and test this project.
Use the following package scripts to build, test, and perform other development tasks.
Command | Reason |
---|---|
npm install | install project dependencies |
npm run build | compile, test, lint, and generate docs |
npm run lint | run TSLint against the TypeScript |
npm run compile | generate types from GraphQL and compile TypeScript |
npm test | run tests |
npm run autotest | run tests every time a file changes |
npm run clean | remove files generated during build |
Releases are handled via the Atomist SDM. Just press the 'Approve' button in the Atomist dashboard or Slack.
Created by Atomist. Need Help? Join our Slack workspace.
FAQs
The npm package @atomist/sdm-pack-fingerprint receives a total of 580 weekly downloads. As such, @atomist/sdm-pack-fingerprint was classified as not popular.
We found that @atomist/sdm-pack-fingerprint has an unhealthy version release cadence and project activity, because the last version was released a year ago. It has one open source maintainer collaborating on the project.