goblin_prospector (crates.io)

Keywords: #hacking #bug-bounty #security

A little tool to get information on lockfile dependencies and their recent changes.

1 unstable release: 0.1.0 (Sep 5, 2023)
#2521 in Command line utilities, 27 downloads per month
License: MIT/Apache
590KB, 932 lines

A little tool that reads the lockfiles in a project, fetches information from each dependency's repository, and lists the newer changes that the project is not yet using (hopefully containing a vulnerability or behaviour that was recently changed/fixed upstream but can still be exploited on said project).

[Image: Goblin prospector icon, a goblin dressed as an old-timey prospector]

[Terminal recording of the output of the command "goblin_prospector -d path/to/project -c 30 -o test.txt" (gif made with vhs)]

Currently supports:

Lockfiles

  • yarn (yarn.lock)
  • npm (package-lock.json)
  • ruby (Gemfile.lock)

Releases from repositories

  • GitHub
  • GitLab
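The core of what the tool does is two steps: pull each dependency's locked version out of a lockfile, then compare it against the releases published upstream to see what the project is lagging behind. The following is an added example written for this page, not goblin_prospector's own code. It parses the `specs:` block of a Gemfile.lock (one of the supported formats) with no external crates, and compares each locked version against a list of release tags; both the lockfile and the tags are constructed inline and stand in for what the tool would read from disk and from the GitHub/GitLab releases API. The version ordering is a plain dotted-numeric comparison with a prerelease marker, which is enough for these tags but is not the full RubyGems or semver rule set.

```rust
// Added example: Gemfile.lock parsing plus "which upstream releases are newer
// than the locked version" reporting. Not goblin_prospector's own code.
use std::cmp::Ordering;
use std::collections::BTreeMap;

/// Constructed sample Gemfile.lock (not taken from a real project).
pub const SAMPLE_GEMFILE_LOCK: &str = "\
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.13.6-x86_64-linux)
      racc (~> 1.4)
    racc (1.6.2)
    rack (2.2.3)
    rails (7.0.4)
      rack (~> 2.2)

PLATFORMS
  x86_64-linux

DEPENDENCIES
  nokogiri
  rails
";

/// Locked gems from the `specs:` block. Gems sit at exactly four spaces of
/// indentation; six-space lines are a gem's own requirements and are skipped.
pub fn parse_gemfile_lock(text: &str) -> BTreeMap<String, String> {
    let mut gems = BTreeMap::new();
    let mut in_specs = false;
    for line in text.lines() {
        if line.trim_end() == "  specs:" {
            in_specs = true;
            continue;
        }
        if in_specs && !line.starts_with("  ") {
            in_specs = false; // blank line or next top-level section ends the block
        }
        if !in_specs || !line.starts_with("    ") || line.starts_with("      ") {
            continue;
        }
        if let Some((name, rest)) = line.trim().split_once(" (") {
            if let Some(version) = rest.strip_suffix(')') {
                // Platform suffixes such as "-x86_64-linux" are not part of the version.
                let version = version.split('-').next().unwrap_or(version);
                gems.insert(name.to_string(), version.to_string());
            }
        }
    }
    gems
}

/// Numeric components of "v2.2.3" / "7.0.4.1"; a leading "v" (git tag style) is
/// dropped. Parsing stops at the first non-numeric component, which marks the
/// version as a prerelease ("7.1.0.beta1" sorts below "7.1.0").
pub fn parse_version(s: &str) -> (Vec<u64>, bool) {
    let mut nums = Vec::new();
    for part in s.trim().trim_start_matches('v').split('.') {
        match part.parse::<u64>() {
            Ok(n) => nums.push(n),
            Err(_) => return (nums, true),
        }
    }
    (nums, false)
}

/// Compare two versions component-wise, padding the shorter one with zeros.
pub fn compare_versions(a: &str, b: &str) -> Ordering {
    let (na, pa) = parse_version(a);
    let (nb, pb) = parse_version(b);
    for i in 0..na.len().max(nb.len()) {
        let (x, y) = (na.get(i).copied().unwrap_or(0), nb.get(i).copied().unwrap_or(0));
        if x != y {
            return x.cmp(&y);
        }
    }
    pb.cmp(&pa) // equal numbers: a prerelease is older than the final release
}

/// Release tags newer than the locked version, oldest first.
pub fn newer_releases<'a>(locked: &str, tags: &[&'a str]) -> Vec<&'a str> {
    let mut newer: Vec<&'a str> = tags
        .iter()
        .copied()
        .filter(|t| compare_versions(t, locked) == Ordering::Greater)
        .collect();
    newer.sort_by(|a, b| compare_versions(a, b));
    newer
}

/// Constructed release tags per gem, standing in for the releases API response.
pub fn sample_release_tags(name: &str) -> Vec<&'static str> {
    match name {
        "rack" => vec!["v2.2.3", "v2.2.4", "v3.0.0", "v3.0.1"],
        "rails" => vec!["v7.0.4", "v7.0.4.1", "v7.0.5", "v7.1.0.beta1"],
        "nokogiri" => vec!["v1.13.6", "v1.13.7", "v1.14.0"],
        _ => vec![],
    }
}

/// (gem, locked version, newer upstream releases) for every gem in the lockfile.
pub fn report(lockfile: &str) -> Vec<(String, String, Vec<&'static str>)> {
    parse_gemfile_lock(lockfile)
        .into_iter()
        .map(|(name, ver)| {
            let newer = newer_releases(&ver, &sample_release_tags(&name));
            (name, ver, newer)
        })
        .collect()
}

fn main() {
    for (name, ver, newer) in report(SAMPLE_GEMFILE_LOCK) {
        if newer.is_empty() {
            println!("{name} ({ver}): up to date, or no release data");
        } else {
            println!("{name} ({ver}): newer releases {}", newer.join(", "));
        }
    }
}
```

Run as a binary it prints one line per gem; in the sample, `racc` has no release data and `rails (7.0.4)` lags three releases including a prerelease. In a real run the tag list would come from the repository's releases API and the remaining work is what goblin_prospector does next: pulling the release notes for each newer tag so the reader can see which fixes the project has not yet picked up.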

Installation

You can install from crates.io using cargo:

cargo install goblin_prospector

Or download a prebuilt binary from the releases.

You can also just clone the repo and build the tool with cargo:

git clone https://gitlab.com/bea_stung/goblin_prospector.git
cd goblin_prospector
cargo install --path=.

Usage

Basic usage

goblin_prospector -d ~/repos/gitlab --github-token GITHUB_TOKEN_HERE -c 40

Example Output:

 [[ GitHub KaTeX/KaTeX ]]:
    katex (Yarn) [0.13.2]:
      GitHub (KaTeX/KaTeX): git+https://github.com/KaTeX/KaTeX.git

      More recent releases:
        [v0.16.8]:
          0.16.8 (2023-06-24)
          Features

          expose error length and raw error message on ParseError (#3820) (710774a)

        [v0.16.7]:
          0.16.7 (2023-04-28)
          Bug Fixes

          docs/support_table.md: delete redundant "varPsi" (#3814) (33a1b98)
.....

Help message

goblin_prospector --help

Example Output:

Goblin goes and gets information about new dependancy features introduced after the versions used by a project.
Point me at a project directory and watch me go boss, yeehaw!
Supports:
Lockfiles:
  - yarn (yarn.lock)
  - npm (package-lock.json)
  - ruby (Gemfile.lock)
Releases from repositories:
  - GitHub
  - GitLab

Usage: goblin_prospector [OPTIONS] --dir <DIR>

Options:
  -d, --dir <DIR>                                  Directory of project to check
      --github-token <GITHUB_TOKEN>                GitHub token for API
      --gitlab-token <GITLAB_TOKEN>                GitLab token for API
  -c, --concurrent-requests <CONCURRENT_REQUESTS>  Number of concurrent requests
  -o, --output <OUTPUT>                            Output file name
  -h, --help                                       Print help
  -V, --version                                    Print version

Dependencies

~14–34MB
~545K SLoC