AuraBorealisApp - Do You Know What's In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data

AuraBorealis is a web application for visualizing anomalous and potentially malicious code in Python package registries. It uses security audit data produced by scanning the Python Package Index (PyPI) via Aura, a static analysis designed for large scale security auditing of Python packages. The current tool is a proof-of-concept, and includes some live Aura data, as well as some mockup data for demo purposes.

Current features include:

Scanning the entire python package registry to:

List packages with the highest number of security warnings, sorted by Aura warning type List packages sorted by the total and unique count of warnings List packages by their overall severity score

Displaying security warnings for an individual package, sorted by criticality

Visualize the line numbers and lines of code in files generating security warnings for a specific package

Compare two packages for security warnings

Instructions

Turn on your VPN (at IQT)

Clone the repository.

git clone https://github.com/IQTLabs/AuraBorealisApp.git

Navigate to aura-borealis-flask-app directory.

cd aura-borealis-flask-app

Install dependencies.

pip install -r requirements.txt

Run the app.

python app.py

Navigate to the URL http://0.0.0.0:7000/ via a browser.

Feature Roadmap

Compare a package to a benchmark profile of packages of similar purpose for security warnings Compare different versions of the same package for security warnings List packages that have changes in their warnings and/or severity score between two dates Ability to scan an internal package/registry that's not public on PyPI Display an analysis of permissions (does this package make a network connection? Does this package require OS-level library permissions?)

Contact Information

[email protected] (John Speed Meyers, IQT Labs, Secure Code Reuse project lead).

The lead developer and creator of Aura is Martin Carnogusky of sourcecode.ai.

Related Work

IQT blog post on secure code reuse IQT blog posts on typosquatting and preventing typosquatting via pypi-scan USENIX article on "Counting Broken Links: A Quant's View of Software Supply Chain Security" IQT open source dataset on known software supply chain compromises

AuraBorealisApp - Do You Know What's In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data

Reviewed by Zion3R on 8:30 AM Rating: 5

LEFT SIDEBAR AD

AuraBorealisApp - Do You Know What's In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data

BOOK THIS SPACE FOR AD

Related

File-Unpumper - Tool That Can Be Used To Trim Useless Things From A PE File Such As The Things A File Pumper Would Add

Mass-Assigner - Simple Tool Made To Probe For Mass Assignment Vulnerability Through JSON Field Modification In HTTP Requests

Psobf - PowerShell Obfuscator

DockerSpy - DockerSpy Searches For Images On Docker Hub And Extracts Sensitive Information Such As Authentication Secrets, Private Keys, And More

Ashok - A OSINT Recon Tool, A.K.A Swiss Army Knife

VulnNodeApp - A Vulnerable Node.Js Application

Trending

Popular

Install waybackurls on Kali Linux

1-click RCE in Electron Applications

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD