Thank you for the suggestion, that is indeed a good idea. I will modify the README to include some explanation about the current status and why the main & dev branches may seem to be stale
I haven't used pulp so I am not sure but yes in theory. Several schemes are currently supported via URIs (pypi://, git://, http(s):// etc...) so if the destination to scan can be formatted as one of the already supported URI schemes then you can already scan it. URI providers are also using plugin architecture so adding a new one for better integration with pulp (such as autodiscovering packages) should be trivial.
Thank you for the suggestion, the pulp project looks interesting and I would definitely check it out!
SARIF is implemented as a separate output format and is supported. the "json" one contains more information such as taint traces (even unconfirmed ones that haven't reached sinks), anomaly tags, static behaviour etc... main json format is intended to capture as much data as possible so it can be analyzed later as the original intention is to hunt for malware, anomalies and doing research in general on top of the whole PyPI repository. I found SARIF to be more "practical" or actionable in terms of what needs to be done in fixing the source code or vulnerabilities found vs research oriented such as "this piece of code is doing network communication". Due to this differences it was added as a separate format which is a subset and reformatted (to the SARIF standard) "json" output format
Yes, command line version will be always available, this is just an additional mode built on top of it, it's using in fact the same API interface as CLI version to spawn scans and parses out the JSON output format into persistent DB with some postprocessing to be more suitable for web app.
Hello, author of Aura here.
The project is in fact active! But in a different branch called "ambience". Which is a very big refactor into transforming Aura (which is now designed to be run locally as tui) into server/web application. It would allow to automatically monitor and audit all used python packages in an organization by using an http reverse proxy to intercept python package installations. It's taking me currently long time to finish that big refactor as I am currently the only active developer there so apologies if the project seems to be abandoned, I'm just hesitating to merge the changes from ambience branch into main (which is what people see) as the new refactor is not stable yet as compared to master & dev as that was tested and tuned on the whole PyPI.
I don't understand the negativity in here. I would never expect Little Snitch (my opinion) to completely block all network traffic on all levels and this seems reasonable to me. Does it leak my ip? Yes. Do I think it compromises my security? No, there's so much noise on internet facing services that just initiating connection would easily get lost in the noise of all the botnets, port scans and legitimate users.
There's huge amount of other ways how data can be exfiltrated if one wishes to do so, from domain fronting, DNS level (you can easily tunnel data via DNS), forcing OS and/or whitelisted application to do it on your behalf (haven't tried but I think the files where rules are stored is readable by current user/process?). Such techniques can bypass even insanely expensive network IDS taps if there is enough incentive on the attacker side. I would never expect Little Snitch to be on the same level as those expensive network taps.
I think the use case people now forget is preventing applications to send meaningful data to analytic services like google ad-sense and similar or sending full data payloads (like http body). For this it's good enough. If your worry is about advanced techniques that would exfiltrate the data via DNS tunneling, partial TCP handshakes or forcing to do the connection/beacon on OS level for you then Little Snitch isn't going to help you and your problem is somewhere else. The last Electron wrapped application you downloaded that is packed with 5+ ad services isn't going to do that so it can get your IP.
On the other hand the wording may have been changed slightly and their use of "data" word so it doesn't give user the wrong impression but there is also a balance between explaining in 1-2 sentences what it does and writing 20 page document just to explain that and be technically correct in every word.
This is a very cool software! I highly recommend to try it out if you own a drone, even if just for a fun, I learned so much when I was tinkering with it.
Around a year ago I needed to obtain an aerial map of some specific area, but due to recent drastic changes (construction work) and poor quality of the public maps I had to somehow create my own. I fly drones for recreational purposes so I was thinking about using it to make that map when I found out about ODM which is exactly what I was looking for. ODM itself just processes already obtained images (AFAIK) so there is also a whole process of getting them from drone. That's when I found about other software for planning fully automated flight paths so there is a perfect overlap between the photos (required for quality maps and 3D reconstruction). I managed to make a high quality map with 1px:1cm ratio via ODM that I still use from time to time.
Like I mentioned if you own a drone I would recommend to try it out even if it's just for fun as for my case I learned a lot of other stuff I didn't knew before like that automated flight path planning.
That's exactly what I am working on right now! I made an open source project called ambience (currently in public alpha https://ambience.sourcecode.ai ).
The point of that project is that you can create or use an existing repository proxies and attach to it what I called "audit policies" those are basically a list of packages/versions you want to block or allow. The default ones include for example malicious, vulnerable, yanked packages etc... (the blacklist repository) to which you point pip, poetry etc... and it will block installation of the packages listed in the audit policies attached to the repository. You can also create ad-hoc repositories or repository per project to keep it separate and operate in whitelist mode where you allow only whitelisted&audited packages.
On top of that there is also "monitor" mode where you can allow installation of any package or subsset of packages and it will capture all depedencies for purpose of tracking the software supply chain accross the company or project and those packages would be automatically scanned and audit using integration with another project of mine called Aura that is a static analysis scanner designed for the python supply chain.
As mentioned this is currently in open alpha mode so access is limited and user registration is not open (I am currently working on users&permissions for making their own repositories and audit policies) but if someone is interested in testing or this project in general or an early access to features behind the curtain feel free to shoot me an email at admin @ sourcecode.ai . The license is open source so it can be also self-hosted.