Mapping repository dependencies with Github CLI and Python
I transitioned into my new role as an application security engineer, and immediately started diving in on a Shift Left effort. My goal for the first quarter is to get static analysis running on every developer’s local system using semgrep. I had hit the ground running, was making progress, and as per usual in infosec we had an urgent request come in for a potential client.
The request was simple enough, something along the lines of “Legal needs a comprehensive list of all the open source dependencies our software uses. We’re trying to get the contract out within 30 days.” Cool, cool. So basically a promise was made to the potential client and we have to deliver this artifact like, last week.
I figured a request like this is common enough, and we even have a tool called Cider which provided supply chain data. So, trying to be efficient, I thought: well, let’s just export the list of all the things, narrow the list down to production-only repos, then de-duplicate. Done! But, as any senior engineer knows, if it’s that easy, something isn’t right. Well, in this case, when trying to export a CSV with 36k records, the request times out on Cider.
Ok, so that won’t work. I’ll just use the Github API, and I’ve been wanting to expand my golang chops. This should be a great opportunity for that!
Well, golang is kind of an asshole and picking up some syntactical details I’d glossed over in the Golang for dummies tutorials I’ve read came back to bite me. Finally I got something going but there was a problem — my personal access token was only fetching my personal repos on Github, not the repos associated with my organization. Off to another adventure into the depths of Github documentation to figure out something else I didn’t know I didn’t know, which was cool because now our organization has PAT access hardened (another quick win).
TL;DR: I was finally able to fetch all the repos within my organization using https://pkg.go.dev/github.com/google/go-github/v50/github.
BUT another problem — there’s no f’ing way to fetch a repository’s dependency map via Github’s RESTful API :facepalm:. To do that, you have to use the GraphQL API, which was yet ANOTHER language I had to pick up. Truth be told, I gave up on this effort after about three hours of head bashing and much colorful language.
Then something amazing happened… a fellow engineer cough thanks @spaceB0xx cough sent me this link https://github.com/andyfeller/gh-dependency-report and said “maybe this will help.” A quick review of the code sparked my interest and I went to bed hopeful. The next morning I got up, logged on, and ran:
gh extension install andyfeller/gh-dependency-report
gh dependency-report Organization backend-service
A REPORT WAS GENERATED! I vengefully deleted the three directories containing various attempts for doing what this extension did in about 30 seconds, and proceeded to run:
gh dependency-report Organization ^C
Ctrl-Ced as soon as the massive list of 600+ repositories appeared as we have a ton of dead repos, internal tooling repos, playgrounds, etc. I only needed ~170 of these repositories in the resulting report so after cleaning up that list I was able to run the extension with the admittedly still massive list of repos and go for a walk. When I returned, we finally had a 25MB file containing a list of all production-impacting dependencies and I was on to the easy part: de-duplicate the list, break the list down into separate files containing language specific dependencies, remove internal dependencies, and produce one last file listing the unique licenses on each of those dependencies.
I won’t cover what this code does line for line, but after a couple hours of hacking this thing together we have our deliverable in hand, and tooling to make sure when the next request of this kind comes in we aren’t scrambling like we were this time round.
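As an added illustration of that post-processing step (not the author’s script, which isn’t reproduced here), the Python below takes a CSV in the shape of a gh-dependency-report export, drops internal packages, de-duplicates per package manager, and collects the unique licenses. The column names, the sample rows and the internal-package prefixes are assumptions; check them against the header of your own report.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a gh-dependency-report CSV. The column
# names are assumed; verify them against the real report header.
SAMPLE_REPORT = """\
Owner,Repo,Manifest,Package Manager,Dependency,Requirements,License
Organization,backend-service,go.mod,GO,github.com/google/go-github/v50,= 50.0.0,BSD-3-Clause
Organization,backend-service,go.mod,GO,github.com/Organization/internal-lib,= 1.2.0,
Organization,frontend,package.json,NPM,react,= 18.2.0,MIT
Organization,frontend,package-lock.json,NPM,react,= 18.2.0,MIT
Organization,billing,requirements.txt,PIP,requests,= 2.31.0,Apache-2.0
Organization,billing,requirements.txt,PIP,org-billing-common,= 0.4.0,
Organization,billing,requirements.txt,PIP,some-abandoned-pkg,= 0.1.0,
"""

# Assumed naming convention for in-house packages that should not be reported.
INTERNAL_PREFIXES = ("github.com/Organization/", "org-")


def is_internal(dependency: str) -> bool:
    return dependency.startswith(INTERNAL_PREFIXES)


def dedupe_by_language(report_text: str) -> dict[str, list[dict]]:
    """Return {package manager: [unique rows]} with internal packages removed.

    The same package listed in several manifests (e.g. package.json and
    package-lock.json) or several repos is kept once per package manager.
    """
    seen: set[tuple[str, str]] = set()
    by_language: dict[str, list[dict]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        key = (row["Package Manager"], row["Dependency"])
        if is_internal(row["Dependency"]) or key in seen:
            continue
        seen.add(key)
        by_language[key[0]].append(row)
    return dict(by_language)


def unique_licenses(by_language: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Map each license to its dependencies; an empty License cell becomes UNKNOWN
    so packages needing manual license review stand out in the deliverable."""
    licenses: dict[str, set[str]] = defaultdict(set)
    for rows in by_language.values():
        for row in rows:
            licenses[row["License"] or "UNKNOWN"].add(row["Dependency"])
    return {lic: sorted(deps) for lic, deps in sorted(licenses.items())}
```

Each list in the returned dict is ready to be written to its own per-language file with csv.DictWriter, and the UNKNOWN bucket is the list to hand back to legal for manual follow-up.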
Hopefully this helps someone else out there facing a similar problem. Thanks for reading.