Support GitHub packages urls (golang, swift, ...)

[baruchiro]

Github (and other repos) are used in wide use cases, and we need to find the way they cross each other.

General

Analyse links to Github and give information about the repo.

• Find Github analyzers.
• Identify which package is in this repo,
• We may enhance the current package insights with its repo insights (for npm, PyPI. We need to make sure the repo is really connected to the package)

Swift

TBD

Go

See the comment: #45.
Links should be supported by generally supporting Github links (see above).

• What should we do for a standard library?
• Package in other sources than github should be researched.

NPM

• npm package can be installed by npm install git://github.com/user-c/dep-2#node0.8.0
• Identify which package is in this repo. Example: Not seeing overlay indicator in Stack Overflow #59

Python

• python package can be installed by pip install git+ssh://[email protected]/user/repo.git (see here

---

Please share what else we need to consider if we want to support Github URLs. Do we need to change the design?

[baruchiro]

Go packages

Examples:

case	Package name	StackOverflow	Advisories	comments
Standard library/tool	golang.org/x/tools/cmd/godoc	macos - Install go with brew, and running the gotour	no
link	github.com/google/uuid	Is there a method to generate a UUID with Go language?	Snyk, Debricked, openbase, deps.dev
command	github.com/nu7hatch/gouuid	Is there a method to generate a UUID with Go language?	Snyk, Debricked*, openbase, deps.dev**	No versions in Github
go install	github.com/mailgun/godebug	debugging - Does any golang interactive debugger exist?	Snyk, Debricked***, openbase, deps.dev**
Not-exists package	github.com/username/hello	go - How to place Golang project (a set of packages) to Github?	No of course
From code.google	code.google.com/p/goauth2/oauth	Google service account authorization with JWT in Go		I can't find working example

Way to support:

• Support the go get and go install.
• Support command arguments
• Support get specific version
• The Github repo should be searched in the advisories.
• Need to search for an example of go get github.com/user/repo/subfolder

[baruchiro]

Referenced in #46

[jossef]

also python packages can be installed from a git repo
see https://stackoverflow.com/a/24811490/3191896

pip install git+ssh://[email protected]/user/repo.git
pip install git+ssh://[email protected]/user/repo.git@my_version
pip install git+https://github.com/user/repo.git

[baruchiro]

About which package is represented by a Github repo

I think we will have to work on a side project for this requirement.
I see two different ways:

1. Create a database that will register all the packages and their repo URL (then we can ask for the other direction)
2. Write a tool that will scan the repo, understand the package, and make sure the package declares this repo.

[baruchiro]

Consider using trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more.

Although Trivy is a CLI tool written in Go, we discussed it with Mor from AquaSecurity, and he said that Trivy already solved the problem of identifying the package related to a given Github repository.

We need to think if we want to lunch a service to supply Trivy results, or maybe compile the Trivy code into a WASM.