A small Go program aiming to provide insights into `Gemfile.lock` or `yarn.lock` files and their dependencies.

## Options

### analyze

This option is useful to detect inconsistent dependencies and hopefully prevent supply chain attacks.
The following algorithm is used:

- Parse every `.lock` file found in the specified directory
- Parse the `registry` file containing the dependencies and the URL they should be loaded from
- For every `.lock` file, flag dependencies that exist in the `registry` but that are fetched from a different URL

See the Registry file format section for more information.
### remotes

This option is useful to detect suspicious remotes being used across your `.lock` files.

The following algorithm is used:

- Parse every `.lock` file found in the specified directory
- Aggregate every remote found in the dependencies
- Print the unique remotes found

For example, if dependencies are all from https://registry.yarnpkg.com it will print a single line with that information, ignoring dependency names.
## Registry file format

```json
{
  "url": "https://npm.acme.io/",
  "dependencies": [
    "dependency1",
    "dependency2",
    "dependencyN"
  ]
}
```
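The two algorithms above, and the registry format, condensed into one runnable Go program. This is an added example written for this page, not the dependency_inspector code itself: it parses a `Gemfile.lock` (gem name to the `remote:` of its `GEM` section), decodes a registry file in the format shown, flags registry dependencies resolved from another URL (the `analyze` behaviour) and lists unique remotes with an optional substring filter (the `remotes` behaviour with `--grep`). The lock file, the `https://gems.acme.io/` server and the gem names are constructed sample input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Registry mirrors the registry file format documented above.
type Registry struct {
	URL          string   `json:"url"`
	Dependencies []string `json:"dependencies"`
}

// Finding is a dependency the registry owns but the lock file resolves elsewhere.
type Finding struct{ Name, Expected, Actual string }

// parseGemfileLock maps each gem to the remote of the GEM section it came from.
// Gems sit at exactly four spaces under "specs:"; deeper lines are their own
// dependencies and are skipped.
func parseGemfileLock(content string) map[string]string {
	deps := map[string]string{}
	remote, inSpecs := "", false
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimRight(raw, "\r")
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "":
			continue
		case !strings.HasPrefix(line, " "): // new top-level section (GEM, PLATFORMS, ...)
			remote, inSpecs = "", false
		case strings.HasPrefix(trimmed, "remote: "):
			remote = strings.TrimPrefix(trimmed, "remote: ")
		case trimmed == "specs:":
			inSpecs = true
		case inSpecs && strings.HasPrefix(line, "    ") && !strings.HasPrefix(line, "     "):
			deps[strings.Fields(trimmed)[0]] = remote
		}
	}
	return deps
}

// loadRegistry decodes a registry JSON document.
func loadRegistry(data []byte) (Registry, error) {
	var reg Registry
	err := json.Unmarshal(data, &reg)
	return reg, err
}

// analyze flags registry dependencies fetched from a URL other than the registry's own.
func analyze(deps map[string]string, reg Registry) []Finding {
	var findings []Finding
	for _, name := range reg.Dependencies {
		if actual, ok := deps[name]; ok && actual != reg.URL {
			findings = append(findings, Finding{name, reg.URL, actual})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Name < findings[j].Name })
	return findings
}

// remotes returns the sorted unique remotes, filtered by substring when grep is non-empty.
func remotes(deps map[string]string, grep string) []string {
	seen := map[string]bool{}
	for _, remote := range deps {
		if grep == "" || strings.Contains(remote, grep) {
			seen[remote] = true
		}
	}
	out := make([]string, 0, len(seen))
	for remote := range seen {
		out = append(out, remote)
	}
	sort.Strings(out)
	return out
}

// Constructed sample: the internal gem acme-auth, which the registry says must
// come from the private server, was resolved from rubygems.org instead.
const sampleLock = `GEM
  remote: https://rubygems.org/
  specs:
    acme-auth (2.1.0)
      nokogiri (>= 1.10)
    nokogiri (1.15.4)
    rake (13.0.6)

GEM
  remote: https://gems.acme.io/
  specs:
    acme-core (0.9.1)

PLATFORMS
  ruby
`

const sampleRegistry = `{"url": "https://gems.acme.io/", "dependencies": ["acme-auth", "acme-core"]}`

func main() {
	deps := parseGemfileLock(sampleLock)
	reg, err := loadRegistry([]byte(sampleRegistry))
	if err != nil {
		panic(err)
	}
	for _, f := range analyze(deps, reg) {
		fmt.Printf("%s: expected %s, got %s\n", f.Name, f.Expected, f.Actual)
	}
	fmt.Println("remotes:", remotes(deps, ""), "matching acme:", remotes(deps, "acme"))
}
```

The flagged gem is the classic dependency-confusion signal: a name that only exists in your registry file but was satisfied by the public index. Multiple `GEM` sections with different `remote:` lines are exactly what the parser has to keep apart.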
## Usage

Keep the following things in mind besides the examples shared below:

- the `--path` flag can also point to a single `.lock` file instead of a directory.
- the `--verbose` flag will print the dependencies parsed from each `.lock` file.

Use the `--help` flag to get more information about the available options.
### analyze

Parsing every `.lock` file found in `lock_files/ruby` and checking if any of the dependencies are being loaded from a different URL than the one specified in `registries/ruby.json`. For example, if we had the following `.lock` files:

```
lock_files/ruby/repo1.lock
lock_files/ruby/repo2.lock
lock_files/ruby/repo3.lock
```

And our program found inconsistencies in `repo1` and `repo3`, the following files would be created:

```
analyze_output/repo1.json
analyze_output/repo3.json
```

```shell
./dependency_inspector analyze --path lock_files/ruby --registry registries/ruby.json --ruby
```

The same analysis for `yarn.lock` files:

```shell
./dependency_inspector analyze --path lock_files/js --registry registries/js.json --js
```
### remotes

```shell
./dependency_inspector remotes --path lock_files/ruby --ruby
```

We can also `grep` by a particular substring:

```shell
./dependency_inspector remotes --path lock_files/ruby --grep "acme" --ruby
```

```shell
./dependency_inspector remotes --path lock_files/js --js
```

The `grep` flag is also available for the `js` option.
## Scripts

The `scripts` directory contains a few scripts that can be used to fetch `.lock` files from your repositories and perform a partial analysis of the dependencies within your `registry` file against `rubygems`.
## Known issues

`yarn.lock` files with entries that contain dependencies with distinct names on the same line tend to cause duplicated remote entries in the output. Example:

```
"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0", wrap-ansi@^7.0.0:
```

This will return the following remote:

Instead of the expected:

This is happening because our parser will fetch `wrap-ansi-cjs` from the definition above and won't be able to clean the remote URL since it contains `wrap-ansi`.
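The mechanism behind this issue, reproduced in an added Go example (not the project's parser): a v1 `yarn.lock` is read into entries, the registry remote is derived by stripping `<name>/-/<tarball>` from the `resolved` URL, and two name extractors are compared. `naiveName` takes the text before the first `@` of the first key, so the aliased header above yields `wrap-ansi-cjs`, the strip fails and the full tarball URL leaks into the remote list as a duplicate. `packageName` resolves the `alias@npm:real@range` form to `real` first (and keeps `@scope/pkg` names intact), which removes the spurious entry. The lock file content is constructed; the hash fragments are placeholders, and the two entries are the only input.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is one yarn.lock record: its header keys and its resolved tarball URL.
type Entry struct {
	Keys     []string
	Resolved string
}

// parseYarnLock reads a v1 yarn.lock. A header line has no indentation, ends in
// ':' and may carry several comma-separated keys, as in the example above.
func parseYarnLock(content string) []Entry {
	var entries []Entry
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimRight(raw, "\r")
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || strings.HasPrefix(trimmed, "#"):
			continue
		case !strings.HasPrefix(line, " ") && strings.HasSuffix(trimmed, ":"):
			var keys []string
			for _, k := range strings.Split(strings.TrimSuffix(trimmed, ":"), ",") {
				keys = append(keys, strings.TrimSpace(k))
			}
			entries = append(entries, Entry{Keys: keys})
		case len(entries) > 0 && strings.HasPrefix(trimmed, "resolved "):
			url := strings.Trim(strings.TrimPrefix(trimmed, "resolved "), `"`)
			if i := strings.Index(url, "#"); i >= 0 { // drop the "#<hash>" fragment
				url = url[:i]
			}
			entries[len(entries)-1].Resolved = url
		}
	}
	return entries
}

// naiveName takes the text before the first '@': the failure mode described above.
func naiveName(key string) string {
	key = strings.Trim(key, `"`)
	if i := strings.Index(key, "@"); i > 0 {
		return key[:i]
	}
	return key
}

// packageName reduces "alias@npm:real@range" to "real@range" first, then cuts
// at the last '@', which also preserves scoped names such as "@scope/pkg".
func packageName(key string) string {
	key = strings.Trim(key, `"`)
	if i := strings.Index(key, "@npm:"); i >= 0 {
		key = key[i+len("@npm:"):]
	}
	if i := strings.LastIndex(key, "@"); i > 0 {
		return key[:i]
	}
	return key
}

// remoteFor strips "<name>/-/<tarball>" from a registry URL. If the name is not
// found the URL is returned untouched, which is what produces an extra remote.
func remoteFor(resolved, name string) string {
	if i := strings.Index(resolved, name+"/-/"); i >= 0 {
		return resolved[:i]
	}
	return resolved
}

// uniqueRemotes derives the sorted remote set using the given name extractor.
func uniqueRemotes(entries []Entry, nameOf func(string) string) []string {
	seen := map[string]bool{}
	for _, e := range entries {
		if e.Resolved != "" && len(e.Keys) > 0 {
			seen[remoteFor(e.Resolved, nameOf(e.Keys[0]))] = true
		}
	}
	out := make([]string, 0, len(seen))
	for r := range seen {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// Constructed sample: the aliased entry quoted above plus an ordinary one.
const sampleYarnLock = `# yarn lockfile v1

"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0", wrap-ansi@^7.0.0:
  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#placeholderhash"
  dependencies:
    ansi-styles "^4.0.0"

ansi-styles@^4.0.0:
  resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-4.3.0.tgz#placeholderhash"
`

func main() {
	entries := parseYarnLock(sampleYarnLock)
	fmt.Println("naive:      ", uniqueRemotes(entries, naiveName))
	fmt.Println("alias-aware:", uniqueRemotes(entries, packageName))
}
```

An alternative that needs no name at all is to cut the `resolved` URL at its `/-/` path segment, which works for any registry that follows the npm tarball layout but misreports remotes that serve tarballs from a different path scheme; the alias-aware name extraction above keeps the behaviour the rest of the page describes.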