Skip to content

Home

Jump to bottom
Gabe Stocco edited this page Jun 4, 2021 · 2 revisions

CodeQL

OSS Gadget

Note: OSS Gadget is currently in public preview and is not ready for production use.

OSS Gadget is a collection of tools that can help analyze open source projects. These are intended to make it simple to perform low-level tasks, like locating the source code of a given package, downloading it, performing basic analyses on it, or estimating its health. The tools included in OSS Gadget will grow over time; currently, they include:

  • oss-characteristic: Identify a package's notable characteristics and features. Uses Application Inspector.
  • oss-defog: Searches a package for obfuscated strings (Base-64).
  • oss-detect-backdoor: Identifies potential backdoors and malicious code within a package. Currently has a high false-positive rate.
  • oss-detect-cryptography: Identifies cryptographic implementations within a package.
  • oss-diff: Compares two packages using a standard diff/patch view.
  • oss-download: Downloads a package and extracts it locally.
  • oss-find-domain-squats: Identifies potential typo-squatting for a given domain name.
  • oss-find-source: Attempts to locate the source code (on GitHub, currently) of a given package.
  • oss-find-squats: Identifies potential typo-squatting for a given package.
  • oss-health: Calculates health metrics for a given package.
  • oss-metadata: Normalizes metadata about a package into a common schema.

All OSS Gadget tools accept one or more Package URLs as a way to uniquely identify a package. Package URLs look like pkg:npm/express or pkg:gem/azure@0.7.10. If you leave the version number off, it implicitly means, "attempt to find the latest version". Using an asterisk (pkg:npm/express@*) means "perform the action on all available versions".

OSS Gadget supports packages provided by these sources:

  • Cargo - pkg:cargo/...
  • Cocoapods - pkg:cocoapods/...
  • Composer - pkg:composer/...
  • CPAN - pkg:cpan/...
  • CRAN - pkg:cran/...
  • GitHub - pkg:github/...
  • Go - pkg:golang/...
  • Hackage - pkg:hackage/...
  • Maven - pkg:maven/...
  • NPM - pkg:npm/...
  • NuGet - pkg:nuget/...
  • RubyGems - pkg:gem/...
  • PyPI - pkg:pypi/...
  • Ubuntu - pkg:ubuntu/...
  • Visual Studio Marketplace - pkg:vsm/...
  • Generic - pkg:url/...?url=URL

We will continue expanding this list to cover additional package management systems and would be happy to accept contributions from the community.

Basic Usage

All OSS Gadget tools are command line programs. When installed globally, they can be accessed from your path. For example, to download the NPM left-pad module, type:

$ oss-download pkg:npm/left-pad

This will download left-pad into a newly-created directory named npm-left-pad@1.3.0. (Because, at the time of this writing, 1.3.0 was the latest version of left-pad).

Each of the programs contains information on command line options (--help).

Reporting Security Vulnerabilities

To report a security vulnerability, please see SECURITY.md.

Clone this wiki locally