Skip to main content

Automatically detect software supply chain smells and issues

Project description

dirty-waters

Dirty-waters automatically finds software supply chain issues in software projects by analyzing the available metadata of all dependencies, transitively.

Reference: Dirty-Waters: Detecting Software Supply Chain Smells, Technical report 2410.16049, arXiv, 2024.

By using dirty-waters, you identify the shady areas of your supply chain, which would be natural target for attackers to exploit.

Kinds of problems identified by dirty-waters

  • Dependencies with no link to source code repositories (high severity)
  • Dependencies with no tag / commit sha for release, impossible to have reproducible builds (high severity)
  • Deprecated Dependencies (medium severity)
  • Depends on a fork (medium severity)
  • Dependencies with no build attestation (low severity)

Additionally, dirty-waters gives a supplier view on the dependency trees (who owns the different dependencies?)

dirty-waters is developed as part of the Chains research project.

NPM Support

Installation

To set up the Dirty-Waters, follow these steps:

  1. Clone the repository:
git clone https://github.com/chains-project/dirty-waters.git
cd dirty-waters
  1. Set up a virtual environment and install dependencies:
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
cd tool

In alternative, you may also use the Nix flake present in this repository.

  1. Set up the GitHub API token (ideally, in a .env file):
export GITHUB_API_TOKEN=<your_token>

Usage

Run the tool using the following command structure:

python main.py -p <project_repo_name> -v <release_version_old> -s -pm <package_manager> [-vn <release_version_new>] [-d]

Arguments:

usage: main.py [-h] -p PROJECT_REPO_NAME -v RELEASE_VERSION_OLD [-vn RELEASE_VERSION_NEW] -s [-d] -pm
               {yarn-classic,yarn-berry,pnpm} [--pnpm-scope]

options:
  -p PROJECT_REPO_NAME, --project-repo-name PROJECT_REPO_NAME
                        Specify the project repository name. Example: MetaMask/metamask-extension
  -v RELEASE_VERSION_OLD, --release-version-old RELEASE_VERSION_OLD
                        The old release tag of the project repository. Example: v10.0.0
  -vn RELEASE_VERSION_NEW, --release-version-new RELEASE_VERSION_NEW
                        The new release version of the project repository.
  -s, --static-analysis
                        Run static analysis and generate a markdown report of the project
  -d, --differential-analysis
                        Run differential analysis and generate a markdown report of the project
  -pm {yarn-classic,yarn-berry,pnpm,npm}, --package-manager {yarn-classic,yarn-berry,pnpm,npm}
                        The package manager used in the project.
  --pnpm-scope          Extract dependencies from pnpm with a specific scope
                        using 'pnpm list --filter <scope> --depth Infinity'
                        command. Configure the scope in tool_config.py file.

Example usage:

  1. Software supply chain smell analysis:
python3 main.py -p MetaMask/metamask-extension -v v11.11.0 -s -pm yarn-berry
  1. Differential analysis:
python3 main.py -p MetaMask/metamask-extension -v v11.11.0 -vn v11.12.0 -s -d -pm yarn-berry

Notes:

  • -v should be the version of GitHub release, e.g. for this release, the value should be v11.11.0, not Version 11.11.0 or 11.11.0.
  • The -s flag is required for all analyses.
  • When using -d for differential analysis, both -v and -vn must be specified.

Java Support

Installation

Usage

Usage: Example reports: TODO add link

Academic Work

Other issues not handled by dirty-waters

  • Missing dependencies: simply run mvn/pip/... install :)
  • Bloated dependencies: we recommend DepClean for Java, depcheck for NPM
  • Version constraint inconsistencies: we recommend pipdeptree for Python

License

MIT License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

dirty_waters-0.1.1.tar.gz (30.2 kB view details)

Uploaded Source

Built Distribution

dirty_waters-0.1.1-py3-none-any.whl (35.0 kB view details)

Uploaded Python 3

File details

Details for the file dirty_waters-0.1.1.tar.gz.

File metadata

  • Download URL: dirty_waters-0.1.1.tar.gz
  • Upload date:
  • Size: 30.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for dirty_waters-0.1.1.tar.gz
Algorithm Hash digest
SHA256 4bbb502acb7f8bcc92a43a04be5af9e3ec2f006c60f5f82086f5dba0fa4ac9a2
MD5 6ac5251e22219d2075a89456c9cba6ad
BLAKE2b-256 91fddd21d2a46b22d103b310c18a44290760ca19de10c7f7cada5477de9bd3a4

See more details on using hashes here.

Provenance

File details

Details for the file dirty_waters-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: dirty_waters-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 35.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for dirty_waters-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a0ec6e27867268174103ba5ef9937b65ca0f1522c9c075fc3ecf1e73cb7becb3
MD5 d5ed86f772f895982250c758b8140ebc
BLAKE2b-256 20e4ce5e766d75c1d33a24b8ee150039d31e96d928ab2b5fcb769658b702c6b6

See more details on using hashes here.

Provenance

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page