securesecodao / searchseco-miner Goto Github PK

sample repo: https://github.com/pragmaticly/teahour.fm

One of the industry partners told us it is really hard for them to determine which version of a project a piece of source code (in particular C++ projects) belongs to. This, for instance, is needed when a company has included a set of C++ libraries, but they don't know which versions they have.

We want to be able to generate a Software Bill of Materials (SBOM) based on a large folder filled with code. As the code should not be sent to the DB, we must make sure it's only a check command.

The method could be as follows:

• Parse the project
• Identify potential projects (say: more than 10 matches for one project)
• Checkupload all tagged versions of those projects
• Do another check to get the exact version of that project

The input in this case will most probably be a directory and not a git repo.

Please do so, Krishna ;-)

If it runs, we can decide to apply for free AWS and MS credit

https://tree-sitter.github.io/tree-sitter/

What should be done? How should we approach it? What will it bring? What will we lose?

As it used to be in the C++ version.

Main reason: so we can upload the Linux project and see whether we can break the new js version and fix those problems too.

Currently, the default is "client", but I'd like to give it another name?

Parallelize parsers

And share them with Slinger so that we can take action if we actually find a big one in a latest version of a project. Because that would be huge!

So that when something weird happens (McAffee fires sometimes) you can immediately address it by looking up the time in the logs.

So that we need some kind of authentication to go into the DB and so that we don't have to use tcp/ip anymore.

Also, to need less code.

Eventually, make sure we also close the tcp/ip way of communicating with the DB, so we don't leave a huge backdoor.

Throughout project.

Such as here?

In this way we can see whether a miner needs a kick and we're not wasting money through Heroku or AWS or other.

I was happily running a miner without srcML, not realizing that I was missing a lot of projects because of it. Please do not proceed if srcML is not installed, as long as we need it? Should be easy, hopefully.

Organizations will want to know if their code has "leaked". We can warn them if their code appears in great numbers on Github.

Currently, we're not storing the date of a method's last change. We want to have better dating for each method.

Think of a way and usage scenario of how miners can check each other's hashes and subsequently ensure correctness of their hashes.