AuraBorealisApp - Do You Know What's In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data


AuraBorealis is a web application for visualizing anomalous and potentially malicious code in Python package registries. It uses security audit data produced by scanning the Python Package Index (PyPI) via Aura, a static analysis designed for large scale security auditing of Python packages. The current tool is a proof-of-concept, and includes some live Aura data, as well as some mockup data for demo purposes.

Current features include:

  • Scanning the entire python package registry to:

    • List packages with the highest number of security warnings, sorted by Aura warning type
    • List packages sorted by the total and unique count of warnings
    • List packages by their overall severity score
  • Displaying security warnings for an individual package, sorted by criticality

  • Visualize the line numbers and lines of code in files generating security warnings for a specific package

  • Compare two packages for security warnings


Instructions

Turn on your VPN (at IQT)

Clone the repository.

git clone https://github.com/IQTLabs/AuraBorealisApp.git

Navigate to aura-borealis-flask-app directory.

cd aura-borealis-flask-app

Install dependencies.

pip install -r requirements.txt

Run the app.

python app.py

Navigate to the URL http://0.0.0.0:7000/ via a browser.


Feature Roadmap
  • Compare a package to a benchmark profile of packages of similar purpose for security warnings
  • Compare different versions of the same package for security warnings
  • List packages that have changes in their warnings and/or severity score between two dates
  • Ability to scan an internal package/registry that's not public on PyPI
  • Display an analysis of permissions (does this package make a network connection? Does this package require OS-level library permissions?)

Contact Information

[email protected] (John Speed Meyers, IQT Labs, Secure Code Reuse project lead).

The lead developer and creator of Aura is Martin Carnogusky of sourcecode.ai.


Related Work


AuraBorealisApp - Do You Know What's In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data AuraBorealisApp - Do You Know What's In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data Reviewed by Zion3R on 8:30 AM Rating: 5