
Generate diffs between versions, or between published package and source repo

Open · oliverchang opened this issue 4 years ago · 1 comment

oliverchang avatar Nov 08 '21 08:11 oliverchang

So after experimenting with a rudimentary approach to diffing, one of the hurdles to overcome will be correctly handling the following scenarios:

  • mktemp, its variants, and other temporary file usage (e.g. /tmp/24lynggh and /root/.npm/_cacache/tmp/bef4038b)
  • cache files using hashes in the filename and path (e.g. /root/.cache/pip/http/0/8/c/c/5/08cc5446546538adb2483cd6651e4407619a3fb170e5eb63c8b5606dex9zwodo.tmp)
  • other filenames with variable contents (e.g. /usr/local/lib/python3.9/__pycache__/__future__.cpython-39.pyc.140101993770544)

The challenge will be dealing with these in a way that still makes it possible to catch an attacker using the cache or temp file for storage.
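One way to handle the three scenarios above, as an added example that is not from this thread or the package-analysis code base: collapse the variable part of each path into a placeholder before diffing, but keep the directory class and a per-class count, so the diff stays stable between runs while a version that suddenly starts writing to temp or cache storage still shows up. The regex rules and placeholder names are assumptions built from the paths quoted above.

```go
package main

import "regexp"

// Each rule maps a path with a variable component to a stable placeholder;
// the patterns are assumptions built from paths quoted in the issue.
var rules = []struct {
	re   *regexp.Regexp
	repl string
}{
	{regexp.MustCompile(`^/tmp/[^/]+$`), "/tmp/<TMPFILE>"},
	{regexp.MustCompile(`^/root/\.npm/_cacache/tmp/[^/]+$`), "/root/.npm/_cacache/tmp/<TMPFILE>"},
	{regexp.MustCompile(`^/root/\.cache/pip/http/(?:[0-9a-f]/)+[^/]+$`), "/root/.cache/pip/http/<HASH>"},
	{regexp.MustCompile(`^(.*/__pycache__/[^/]+\.pyc)\.[0-9]+$`), "${1}.<SUFFIX>"},
}

// Normalize replaces the variable part of a path with a placeholder but keeps
// the directory class, so temp/cache usage remains visible after diffing.
func Normalize(path string) string {
	for _, r := range rules {
		if r.re.MatchString(path) {
			return r.re.ReplaceAllString(path, r.repl)
		}
	}
	return path
}

// Summarize counts accesses per normalized path.
func Summarize(paths []string) map[string]int {
	counts := map[string]int{}
	for _, p := range paths {
		counts[Normalize(p)]++
	}
	return counts
}

// Diff reports normalized paths whose access counts differ between two
// versions, mapped to their {before, after} counts (0 means absent).
func Diff(before, after []string) map[string][2]int {
	a, b := Summarize(before), Summarize(after)
	changed := map[string][2]int{}
	for _, m := range []map[string]int{a, b} {
		for k := range m {
			if a[k] != b[k] {
				changed[k] = [2]int{a[k], b[k]}
			}
		}
	}
	return changed
}
```

A new `/tmp/<TMPFILE>` or cache entry in the Diff output, or a jump in its count, is the signal worth reviewing; the exact random names are discarded on purpose.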

calebbrown avatar Nov 22 '21 23:11 calebbrown

This probably needs to become a Milestone.

calebbrown avatar Dec 21 '22 00:12 calebbrown

Deprioritised after dynamic analysis data showed that there is not much extra info that can be gained from diffing analysis, as opposed to just looking at versions individually.

maxfisher-g avatar Mar 28 '23 02:03 maxfisher-g