Hacker News: intense_feel's comments

Hello, author of Aura here. The project is in fact active, but in a different branch called "ambience", which is a very big refactor transforming Aura (currently designed to be run locally as a TUI) into a server/web application. It would allow automatically monitoring and auditing all Python packages used in an organization by using an HTTP reverse proxy to intercept Python package installations. This big refactor is taking me a long time to finish as I am currently the only active developer there, so apologies if the project seems to be abandoned. I'm just hesitant to merge the changes from the ambience branch into main (which is what people see), as the new refactor is not yet as stable as master & dev, which were tested and tuned on the whole of PyPI.

A very early alpha version is available here: https://ambience.sourcecode.ai if someone is interested in checking it out.


Could Aura scan packages at the Pulp PyPI proxy? https://github.com/pulp


I haven't used Pulp so I am not sure, but yes, in theory. Several schemes are currently supported via URIs (pypi://, git://, http(s)://, etc.), so if the destination to scan can be formatted as one of the already supported URI schemes then you can already scan it. URI providers also use a plugin architecture, so adding a new one for better integration with Pulp (such as autodiscovering packages) should be trivial. Thank you for the suggestion; the Pulp project looks interesting and I will definitely check it out!


Gitea can also (scan and build and test and) host Python packages [1], conda packages [2], container images, etc.

[1] https://docs.gitea.io/en-us/usage/packages/pypi/

[2] https://docs.gitea.io/en-us/usage/packages/conda/

https:// URLs probably already solve for scanning Python packages hosted by Gitea and/or Pulp with Aura.

From https://news.ycombinator.com/item?id=33563857 :

> Additional lists of static analysis, dynamic analysis, SAST, DAST, and other source code analysis tools: https://news.ycombinator.com/item?id=24511280 https://analysis-tools.dev/tools?languages=python


Will a command-line tool still be provided too?


Yes, the command line version will always be available; this is just an additional mode built on top of it. It in fact uses the same API interface as the CLI version to spawn scans, and parses the JSON output format into a persistent DB with some postprocessing to make it more suitable for a web app.


Are you using SARIF for the JSON output? It is a standard for static analysis tool output.

https://sarifweb.azurewebsites.net/


SARIF is implemented as a separate output format and is supported. The "json" one contains more information such as taint traces (even unconfirmed ones that haven't reached sinks), anomaly tags, static behaviour, etc. The main JSON format is intended to capture as much data as possible so it can be analyzed later, as the original intention is to hunt for malware and anomalies and to do research in general on top of the whole PyPI repository. I found SARIF to be more "practical" or actionable in terms of what needs to be done to fix the source code or the vulnerabilities found, vs. research-oriented findings such as "this piece of code is doing network communication". Due to these differences it was added as a separate format, which is a subset of the "json" output format reformatted to the SARIF standard.
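As an added illustration of the "actionable subset" idea described above (this is example code written for this page, not Aura's own converter, and the input finding schema below is an assumption, not Aura's "json" format): a richer research-oriented finding list is reduced to SARIF 2.1.0 by keeping only confirmed taint traces and non-informational findings, while unconfirmed traces and pure behaviour tags stay out of the SARIF view.

```python
"""Added example: reducing a rich, research-oriented JSON finding list to a
SARIF 2.1.0 subset. The finding schema is a constructed stand-in (assumption),
not any real scanner's output format."""
import json

# Constructed sample findings in a hypothetical schema.
# "confirmed" marks taint traces that actually reached a sink.
FINDINGS = [
    {"type": "TaintAnomaly", "confirmed": True, "severity": "critical",
     "message": "Untrusted input reaches a subprocess call",
     "path": "pkg/setup.py", "line": 12, "tags": ["taint", "exec"]},
    {"type": "TaintAnomaly", "confirmed": False, "severity": "low",
     "message": "Tainted value has not reached a sink",
     "path": "pkg/util.py", "line": 40, "tags": ["taint"]},
    {"type": "ModuleImport", "severity": "info",
     "message": "Code performs network communication",
     "path": "pkg/net.py", "line": 3, "tags": ["network"]},
]

# Map the constructed severity scale onto SARIF result levels.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning",
               "low": "note", "info": "note"}


def is_actionable(finding):
    """Keep what a developer can act on: confirmed taint traces and any
    non-informational finding. Unconfirmed traces and behaviour tags are
    research data and stay in the richer JSON only."""
    if finding["type"] == "TaintAnomaly":
        return bool(finding.get("confirmed"))
    return finding.get("severity", "info") != "info"


def to_sarif(findings, tool_name="example-scanner", tool_version="0.0"):
    """Build a minimal but schema-conformant SARIF 2.1.0 log."""
    results, rules = [], {}
    for f in findings:
        if not is_actionable(f):
            continue
        rule_id = f["type"]
        rules.setdefault(rule_id, {"id": rule_id,
                                   "shortDescription": {"text": rule_id}})
        results.append({
            "ruleId": rule_id,
            "level": SARIF_LEVEL.get(f.get("severity", "info"), "note"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"]},
                "region": {"startLine": f["line"]},
            }}],
            # Extra data the standard does not model goes into properties.
            "properties": {"tags": f.get("tags", [])},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
```

Of the three constructed findings only the confirmed taint trace survives into the SARIF output; the unconfirmed trace and the "does network communication" behaviour tag are exactly the research-only data the comment above describes.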


Great approach, thanks for that.


I second this question. While server versions are nice, I need command line, local-only versions to use for my code review as I can’t pass code and dependencies to third parties.


Very helpful comment, you might want to add that to the README or a pinned issue.


Thank you for the suggestion, that is indeed a good idea. I will modify the README to include an explanation of the current status and why the main & dev branches may seem stale.


I don't understand the negativity in here. I would never expect Little Snitch (my opinion) to completely block all network traffic on all levels, and this seems reasonable to me. Does it leak my IP? Yes. Do I think it compromises my security? No, there's so much noise on internet-facing services that just initiating a connection would easily get lost in the noise of all the botnets, port scans and legitimate users.

There's a huge number of other ways data can be exfiltrated if one wishes to do so: domain fronting, the DNS level (you can easily tunnel data via DNS), forcing the OS and/or a whitelisted application to do it on your behalf (haven't tried, but I think the files where the rules are stored are readable by the current user/process?). Such techniques can bypass even insanely expensive network IDS taps if there is enough incentive on the attacker's side. I would never expect Little Snitch to be on the same level as those expensive network taps.

I think the use case people now forget is preventing applications from sending meaningful data to analytics services like Google AdSense and similar, or sending full data payloads (like the HTTP body). For this it's good enough. If your worry is about advanced techniques that would exfiltrate the data via DNS tunneling, partial TCP handshakes or forcing the OS to do the connection/beacon for you, then Little Snitch isn't going to help you and your problem is somewhere else. The last Electron-wrapped application you downloaded that is packed with 5+ ad services isn't going to do that in order to get your IP.

On the other hand, the wording and their use of the word "data" may have been changed slightly so it doesn't give the user the wrong impression, but there is also a balance between explaining in 1-2 sentences what it does and writing a 20-page document just to explain that and be technically correct in every word.


> I would never expect Little Snitch (my opinion) to completely block all network traffic on all levels

It's very easy to say this in retrospect, having read the blog post. How many people would have said it beforehand?

As far as I can tell, hardly anyone has ever said it, except the one other mentioned article from 2021: https://rhinosecuritylabs.com/network-security/bypassing-lit...

Moreover, it seems that Little Snitch changed its behavior at some point in order to use deep packet inspection. It wasn't always that way.


Is this a GPT written screed?


This is very cool software! I highly recommend trying it out if you own a drone, even if just for fun; I learned so much when I was tinkering with it.

Around a year ago I needed to obtain an aerial map of a specific area, but due to recent drastic changes (construction work) and the poor quality of the public maps I had to somehow create my own. I fly drones for recreational purposes, so I was thinking about using one to make that map when I found out about ODM, which is exactly what I was looking for. ODM itself just processes already obtained images (AFAIK), so there is also a whole process of getting them from the drone. That's when I found out about other software for planning fully automated flight paths so there is a perfect overlap between the photos (required for quality maps and 3D reconstruction). I managed to make a high quality map with a 1px:1cm ratio via ODM that I still use from time to time.

Like I mentioned, if you own a drone I would recommend trying it out even if it's just for fun, as in my case I learned a lot of other stuff I didn't know before, like that automated flight path planning.


So it is basically just footage from GoPros strapped to drones, and not something requiring building BetaFlight/iNav with a new feature?


That's exactly what I am working on right now! I made an open source project called ambience (currently in public alpha: https://ambience.sourcecode.ai ).

The point of that project is that you can create or use existing repository proxies and attach to them what I called "audit policies": basically a list of packages/versions you want to block or allow. The default ones include, for example, malicious, vulnerable and yanked packages, etc. (the blacklist repository), to which you point pip, poetry, etc., and it will block installation of the packages listed in the audit policies attached to the repository. You can also create ad-hoc repositories or a repository per project to keep it separate and operate in whitelist mode, where you allow only whitelisted & audited packages.

On top of that there is also a "monitor" mode where you can allow installation of any package or a subset of packages, and it will capture all dependencies for the purpose of tracking the software supply chain across the company or project; those packages are automatically scanned and audited using an integration with another project of mine called Aura, which is a static analysis scanner designed for the Python supply chain.

As mentioned, this is currently in open alpha mode, so access is limited and user registration is not open (I am currently working on users & permissions for making their own repositories and audit policies), but if someone is interested in testing, in this project in general, or in early access to features behind the curtain, feel free to shoot me an email at admin @ sourcecode.ai . The license is open source so it can also be self-hosted.
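As an added example of the blocklist/allowlist repository idea described in the comment above (this is illustrative code written for this page, not ambience's implementation; the audit policy dictionary format, the `block_yanked` flag and the sample index page are all assumptions): a PEP 503 "simple" index page for one project is parsed, every file link is mapped to a version, and the policy decides which links are served back to pip and which are dropped with a reason. Yanked files (PEP 592 `data-yanked`) are treated as blocked in both modes, matching the "yanked packages" default policy mentioned above.

```python
"""Added example: filtering a PEP 503 simple-index page through an audit
policy, the way a blocking package-repository proxy would. Illustrative code,
not any real project's implementation; the policy schema is an assumption."""
import html
import re
from html.parser import HTMLParser

# Constructed sample upstream index page for the project "requests".
SAMPLE_INDEX = """<!DOCTYPE html>
<html><head><title>Links for requests</title></head><body>
<h1>Links for requests</h1>
<a href="https://files.example/requests-2.19.0-py2.py3-none-any.whl#sha256=aaa">requests-2.19.0-py2.py3-none-any.whl</a><br/>
<a href="https://files.example/requests-2.19.0.tar.gz#sha256=bbb">requests-2.19.0.tar.gz</a><br/>
<a href="https://files.example/requests-2.28.1-py3-none-any.whl#sha256=ccc">requests-2.28.1-py3-none-any.whl</a><br/>
<a href="https://files.example/requests-2.28.1.tar.gz#sha256=ddd" data-yanked="">requests-2.28.1.tar.gz</a><br/>
</body></html>"""

# Hypothetical audit policy formats (assumption). "*" means every version.
BLOCKLIST_POLICY = {
    "mode": "blocklist", "block_yanked": True,
    "packages": {"requests": {"versions": ["2.19.0"], "reason": "vulnerable"},
                 "evilpkg": {"versions": ["*"], "reason": "malicious"}},
}
ALLOWLIST_POLICY = {
    "mode": "allowlist", "block_yanked": True,
    "packages": {"requests": {"versions": ["2.28.1"], "reason": "audited"}},
}

SDIST_EXT = (".tar.gz", ".tar.bz2", ".zip")


def normalize(name):
    """PEP 503 name normalization: runs of -_. become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_from_filename(filename, project):
    """Version component of a wheel or sdist filename, or None if unparseable."""
    for ext in SDIST_EXT + (".whl",):
        if filename.endswith(ext):
            stem = filename[: -len(ext)]
            break
    else:
        return None
    parts = stem.split("-")  # wheel: name-ver[-build]-py-abi-plat; sdist: name-ver
    for i in range(1, len(parts)):  # project names may themselves contain '-'
        if normalize("-".join(parts[:i])) == normalize(project):
            return parts[i]
    return None


class LinkCollector(HTMLParser):
    """Collects <a href=... [data-yanked]>filename</a> entries from the page."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href", ""),
                             "yanked": "data-yanked" in a, "filename": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["filename"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def decision(project, version, yanked, policy):
    """None if the file may be served, otherwise the reason it is blocked."""
    if yanked and policy.get("block_yanked", True):
        return "yanked"
    entry = policy["packages"].get(normalize(project))
    listed = entry is not None and ("*" in entry["versions"] or version in entry["versions"])
    if policy["mode"] == "blocklist":
        return entry["reason"] if listed else None
    if policy["mode"] == "allowlist":
        return None if listed else "not on allowlist"
    raise ValueError("unknown policy mode: %r" % policy["mode"])


def filter_index(page_html, project, policy):
    """Return (rewritten index page, [(filename, reason), ...] for blocked files)."""
    parser = LinkCollector()
    parser.feed(page_html)
    allowed, blocked = [], []
    for link in parser.links:
        version = version_from_filename(link["filename"], project)
        reason = ("unparseable filename" if version is None
                  else decision(project, version, link["yanked"], policy))
        (blocked.append((link["filename"], reason)) if reason else allowed.append(link))
    lines = ["<!DOCTYPE html><html><body><h1>Links for %s</h1>" % html.escape(project)]
    for link in allowed:
        lines.append('<a href="%s">%s</a><br/>' % (html.escape(link["href"], quote=True),
                                                   html.escape(link["filename"])))
    lines.append("</body></html>")
    return "\n".join(lines), blocked


if __name__ == "__main__":
    page, blocked = filter_index(SAMPLE_INDEX, "requests", BLOCKLIST_POLICY)
    print(page)
    for name, reason in blocked:
        print("blocked %s: %s" % (name, reason))
```

Under the blocklist policy pip only ever sees the 2.28.1 wheel: both 2.19.0 files are blocked as vulnerable and the 2.28.1 sdist is dropped because it is yanked. Under the allowlist policy the same single file survives, but the 2.19.0 files are now rejected for not being on the list rather than for a known problem, which is the difference between the two modes described above.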


That's a cool project - I really like that it's open source and self hostable. A key thing for me would be npm package support - the nodejs ecosystem is such a dumpster fire.


I've done extensive research in this area and looked at existing tools, including bandit, to scan the whole PyPI repository and monitor what is being uploaded there. The conclusion was that most of the tools are not up to this task, so I made a new framework from scratch that is specially designed for this purpose, to scan the whole PyPI repository. It's called Aura: https://github.com/SourceCode-AI/aura


I can confirm that the revive via DFU works. It also works over a normal USB (instead of USB-C) connector, as I used my gf's older Mac Pro late 2015. Be aware that you need at least Mojave 10.14.6+, as Apple Configurator can't be run/installed on previous versions. There is also a big difference between Apple Configurator 2.10 and the latest 2.12. On 2.10 (you can find the dmg file on the internet, but be careful about running untrusted software) you can restore BridgeOS on the chip without wiping the data. In version 2.12 it will wipe all data!

Initially, I tried to restore the system via VirtualBox, where I installed Mojave with Apple Configurator, but that didn't work as it broke during the last step of the revival because of the constant USB de-plugging from the host/guest machine during the process. I think just the revival step in 2.12 should also work, as it also flashes BridgeOS and powers it up, which should avoid any data loss, but don't take this for granted.


I was coding in Python almost 24/7 while studying at university and loved teaching, so I started offering private Python courses for students who had problems with it (it was also mandatory for some non-IT studies) in exchange for beer/dinner/cash, etc. One of them was a close friend I had known for a very long time; he got very excited, to the point that he applied to a python-dev job at a major international corporation. During the interview he was very shy and the employer didn't have confidence that his Python skills were sufficient for the position he applied to, so he gave him a coding homework (simple stuff, convert some XML output to a nice HTML page). He forwarded it to me asking for help, whether I could do this, because he really wanted to get the job. I didn't have the heart to tell him his skills were not as high as they should be, so I wrote that homework for him. Also as a kind of payback, as he had actually helped me before to get the job I was working at at the time. In the homework I put a lot of comments with in-depth explanations of how each piece worked, and some of them contained rude words like "this sh does not handle utf-8 so we need to monkey patch it here and do some black magic below", with the instruction that he should read the comments to understand it and delete them before submitting it for the next interview round. Of course, he did not. So he went to the next interview round with the homework and opened it up. Everything worked perfectly; even the comments with rude words that he hadn't removed got a good laugh. He made such a good impression with that that the guy immediately made him an employment offer, discarding all previous candidates, as he thought he was just a classic IT guy who is very bad when it comes to social interaction but, when closed in a room, codes like a beast. When the contract was presented to him, he made a long awkward pause and disclosed that I had made the homework and it was not his own work.
The guy then made him another offer: to give him my contact details in exchange for dinner & beer for both of us if I showed up at the interview. I wasn't really looking for a job change, but I thought it was cool since I was a student eating cheap instant noodles to save money everywhere I could, so a nice dinner (normal food, yay!) sounded good for just showing up at the interview. I was immediately presented with an offer that I took, even if it was not my intention, as I had just had a few nasty arguments at my current job. The position was for a fixed time, just for one small project, but I started poking around with their security systems and built a complete system for remote forensic acquisition while my manager was looking to free up money to offer me a full-time position (successfully).

This was how I got my previous job, which I have already left to fund a startup providing reconnaissance/OSINT as a service, but that's another, even longer story.

