https://github.com/breml/depcaps


# depcaps - map capabilities of dependencies against a set of allowed capabilities

**This was an experiment and I no longer have the time to continue with it. Therefore I am archiving this repository.**

[![Test Status](https://github.com/breml/depcaps/workflows/Go%20Matrix/badge.svg)](https://github.com/breml/depcaps/actions?query=workflow%3AGo%20Matrix) [![Go Report Card](https://goreportcard.com/badge/github.com/breml/depcaps)](https://goreportcard.com/report/github.com/breml/depcaps) [![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)

depcaps maps the capabilities of a Go module's dependencies against a set of allowed capabilities. The capability names are the ones reported by [capslock](https://github.com/google/capslock); any capability a dependency exercises that is neither allowed nor already present in a reference file is reported.

List of reported capabilities:

* CAPABILITY_UNSPECIFIED
* CAPABILITY_SAFE
* CAPABILITY_FILES
* CAPABILITY_NETWORK
* CAPABILITY_RUNTIME
* CAPABILITY_READ_SYSTEM_STATE
* CAPABILITY_MODIFY_SYSTEM_STATE
* CAPABILITY_OPERATING_SYSTEM
* CAPABILITY_SYSTEM_CALLS
* CAPABILITY_ARBITRARY_EXECUTION
* CAPABILITY_CGO
* CAPABILITY_UNANALYZED
* CAPABILITY_UNSAFE_POINTER
* CAPABILITY_REFLECT
* CAPABILITY_EXEC

## Installation

Download `depcaps` from the [releases](https://github.com/breml/depcaps/releases) or build the latest version from source with a current Go toolchain:

```shell
go install github.com/breml/depcaps/cmd/depcaps@latest
```

The older form `go get github.com/breml/depcaps/cmd/depcaps` only installs a binary with Go toolchains before 1.18; newer toolchains no longer build executables with `go get`.

## Usage

### Shell

Check every package in the current module (including its dependencies' capabilities):

```shell
depcaps ./...
```

### Config JSON file

The config JSON file defines the set of accepted capabilities. A capability can be
accepted globally (for every dependency) or only for a specific package.

The config JSON file has the following structure (`github.com/google/uuid` just
serves as an example package):

```json
{
  "GlobalAllowedCapabilities": {
    "CAPABILITY_UNSPECIFIED": true
  },
  "PackageAllowedCapabilities": {
    "github.com/google/uuid": {
      "CAPABILITY_RUNTIME": true
    }
  }
}
```

### Reference file

A reference file can be generated by using [`capslock`](https://github.com/google/capslock):

```shell
capslock -noisy -output json -packages ./... > reference.json
```

To verify against a `capslock` reference file, run:

```shell
depcaps -reference reference.json ./...
```

A reference file and a config file can be combined. In this case, the actual
capabilities are first compared against the reference. The remaining offending
capabilities are then compared against the allowed capabilities in the config JSON.
Only the capabilities still offending after both comparisons are reported.
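The following Go program is an added example, not depcaps's own code, illustrating the config semantics from the "Config JSON file" section and the two-stage filtering order described just above: findings already in the reference are dropped first, then findings the config allows, and only the rest are reported. It assumes a simplified `(package, capability)` record instead of capslock's real JSON output, matches the reference on the exact package/capability pair, and uses a made-up package `example.com/foo` with invented capabilities as constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Config mirrors the config JSON structure from the README: capabilities accepted
// everywhere, and capabilities accepted only for a named package.
type Config struct {
	GlobalAllowedCapabilities  map[string]bool            `json:"GlobalAllowedCapabilities"`
	PackageAllowedCapabilities map[string]map[string]bool `json:"PackageAllowedCapabilities"`
}

// Finding is one (package, capability) pair. This is a simplified record for the
// example; it is not the JSON shape capslock or depcaps actually use.
type Finding struct {
	Package    string
	Capability string
}

// ParseConfig decodes a config JSON document.
func ParseConfig(data []byte) (Config, error) {
	var c Config
	if err := json.Unmarshal(data, &c); err != nil {
		return Config{}, fmt.Errorf("parse config: %w", err)
	}
	return c, nil
}

// Allowed reports whether a finding is accepted by the config, either globally
// or for its specific package. A missing package or capability key reads as false.
func (c Config) Allowed(f Finding) bool {
	if c.GlobalAllowedCapabilities[f.Capability] {
		return true
	}
	return c.PackageAllowedCapabilities[f.Package][f.Capability]
}

// Offending applies the two-stage filter: findings that also appear in the
// reference are dropped first, then findings the config allows; whatever remains
// is reported, sorted for stable output. The reference match is assumed here to
// be on the exact (package, capability) pair.
func Offending(actual, reference []Finding, cfg Config) []Finding {
	ref := make(map[Finding]bool, len(reference))
	for _, f := range reference {
		ref[f] = true
	}
	out := []Finding{}
	for _, f := range actual {
		if ref[f] || cfg.Allowed(f) {
			continue
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Package != out[j].Package {
			return out[i].Package < out[j].Package
		}
		return out[i].Capability < out[j].Capability
	})
	return out
}

// sampleConfig is the README's config example, embedded as constructed input.
const sampleConfig = `{
  "GlobalAllowedCapabilities": {"CAPABILITY_UNSPECIFIED": true},
  "PackageAllowedCapabilities": {
    "github.com/google/uuid": {"CAPABILITY_RUNTIME": true}
  }
}`

// Demo runs the filter over constructed findings. example.com/foo is a made-up
// package; the capabilities attributed to it and to uuid are invented for the
// illustration, not real analysis results.
func Demo() ([]Finding, error) {
	cfg, err := ParseConfig([]byte(sampleConfig))
	if err != nil {
		return nil, err
	}
	actual := []Finding{
		{"github.com/google/uuid", "CAPABILITY_RUNTIME"}, // allowed for this package
		{"github.com/google/uuid", "CAPABILITY_FILES"},   // already in the reference
		{"github.com/google/uuid", "CAPABILITY_NETWORK"}, // new and not allowed: reported
		{"example.com/foo", "CAPABILITY_UNSPECIFIED"},    // allowed globally
		{"example.com/foo", "CAPABILITY_RUNTIME"},        // only allowed for uuid: reported
	}
	reference := []Finding{
		{"github.com/google/uuid", "CAPABILITY_FILES"},
	}
	return Offending(actual, reference, cfg), nil
}

func main() {
	findings, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Package, f.Capability)
	}
}
```

Note that a per-package allowance does not leak to other packages: `CAPABILITY_RUNTIME` is accepted for `github.com/google/uuid` only, so the same capability on `example.com/foo` is still reported. When tightening an allow list, prefer per-package entries over global ones so that a newly added dependency cannot silently inherit a broad capability.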

## Inspiration

* [capslock](https://github.com/google/capslock)
* [Capslock: What is your code really capable of?](https://security.googleblog.com/2023/09/capslock-what-is-your-code-really.html)