Documentation
¶
Overview ¶
Package inventory fetches the ProjectDiscovery malicious-package inventory: a single gzipped JSON export that is the sole intel source for depx. The export is refreshed hourly upstream and served unauthenticated, so depx downloads it whole, decompresses it on the fly, and builds a local index.
Index ¶
Constants ¶
const DefaultSourceURL = "https://github.projectdiscovery.io/github/malicious/export"
DefaultSourceURL is the unauthenticated, hourly-refreshed inventory export.
Variables ¶
This section is empty.
Functions ¶
func PackagePageURL ¶
PackagePageURL returns the public ProjectDiscovery page for a malicious advisory/package ID. It is derived from the configured source URL so a mirror override stays internally consistent.
Types ¶
type IOCs ¶
type IOCs struct {
Domains []string `json:"domains,omitempty"`
FileHashes []string `json:"file_hashes,omitempty"`
PkgHashes []string `json:"pkg_hashes,omitempty"`
}
IOCs holds indicators of compromise associated with a malicious package.
type Record ¶
type Record struct {
Ecosystem string
Name string
PackageURL string
PURL string
IDs []string
Source string
Severity string
AllVersions bool
AffectedVersions []string
Summary string
References []string
IOCs IOCs
ModifiedAt time.Time
PublishedAt time.Time
ImportedAt time.Time
}
Record is a single malicious-package entry from the inventory export.
type Snapshot ¶
type Snapshot struct {
SchemaVersion string
GeneratedAt time.Time
Source string
ETag string
NotModified bool
}
Snapshot carries inventory metadata captured during a fetch.
func Fetch ¶
func Fetch(ctx context.Context, url, userAgent, prevETag string, onRecord func(Record) error) (Snapshot, error)
Fetch downloads the inventory export and streams every record to onRecord.
The whole document is never held in memory: the gzip body is decoded incrementally so peak usage is bounded by the compiled index, not the ~125 MB decompressed JSON. When prevETag matches the server's current revision the call returns early with Snapshot.NotModified set and onRecord is not invoked. The caller is responsible for an appropriate ctx deadline; no per-request timeout is imposed here so large transfers are not truncated.