Commit
docs: document the internal logic flow
lirantal authored Jul 15, 2021
1 parent 7f3f0bb commit a332831
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions README.md
Expand Up @@ -50,6 +50,22 @@ We've seen cases of package hijacking and maintainer accounts compromises in pas

When a pakcage is detected as **suspicious**, it is our recommendation to immediately move to a new package naming and reserve that new name on the public registry.

## Logic flow

How does snync work from decision tree perspective?

```
1. Get "all dependencies" in `package.json` (note, refers to direct dependencies only, not transitive)
['dependencies'] and ['devDependencies]
2. If a package includes a scope (such as prefixed with a `@snyk/`)
then remove it from the "all dependencies" list and save it for later, to warn the user to ensure they own that scope
3. Foreach of the "all dependencies" gathered, get the time it was introduced to the source-code (i.e. the time it was added to `package.json`)
4. Foreach of the "all dependencies" gathered, get the time it was created in the npmjs registry
5. Compare the two timestamps
5.1. if a package is not found in the registry then signal an error to let them know that this public namespace is not taken, and is vulnerable for someone to employ a Dependency Confusion on them.
5.2. if a package is found in the registry, and it was created after the time it was introduced to source-code, then signal a warning that there is potentially an attack in progress and to warn the user to review the premise and legitimacy of that package that exits in the public registry.
```

## Supported ecosystems

| Ecosystem | Supported
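Review bot: the decision tree in the new "Logic flow" section leaves its third outcome implicit: steps 5.1 and 5.2 cover "not found in the registry" and "found, but created after it was introduced to source-code", while a package that exists in the registry and was created before it was added to `package.json` falls through with no stated result, so a reader cannot tell whether that case is reported as clean or silently skipped. Suggest adding a `5.3.` line that states this outcome explicitly. While editing the block, two slips inside it will otherwise ship in the README: `['devDependencies]` is missing its closing quote, and "that exits in the public registry" should read "exists". It would also help to say in step 3 where the "time it was introduced to the source-code" comes from (for example, the commit history of `package.json`), since that timestamp is the basis of the comparison in step 5.2 and the section currently leaves its source unstated.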
