
Add census --live for real-time ecosystem data collection#34

Merged
thebenignhacker merged 1 commit into main from feat/census-live-cli-v2
Mar 18, 2026

Conversation

@thebenignhacker
Contributor

Summary

  • cryptoserve census --live fetches real download data from npm, PyPI, crates.io
  • --ecosystems npm,pypi,crates to limit scope
  • --format json for machine-readable output
  • Formatted table with ecosystem breakdown, top weak packages, NIST deadline
  • Rate-limited API calls (100ms npm, 200ms crates, 2s PyPI)

Test plan

  • 271 JS tests pass
  • Live npm query verified (47 packages, 1.5B/mo)
  • JSON output validated

Fetches live download counts from npm, PyPI, and crates.io APIs,
classifies packages by tier (weak/modern/PQC), and displays a
formatted summary table with tier percentages and top weak packages.

Supports --ecosystems flag to limit queries and --format json for
machine-readable output.
@thebenignhacker thebenignhacker merged commit ea327af into main Mar 18, 2026
@thebenignhacker thebenignhacker deleted the feat/census-live-cli-v2 branch March 18, 2026 16:12
@github-actions

github-actions bot commented Mar 18, 2026

Claude finished @thebenignhacker's task


Security Review Complete ✅

Performed comprehensive security-focused review of PR #34 (census --live command).

Checklist

  • Read changed files
  • Check injection vulnerabilities
  • Check authentication/authorization
  • Check insecure deserialization/eval
  • Check hardcoded credentials
  • Check SSRF/open redirect risks
  • Check cryptographic misuse
  • Check prototype pollution
  • Check ReDoS vulnerabilities
  • Check command injection
  • Check scoring/gating logic bugs
  • Check filter predicate bugs
  • Check boolean expression bugs
  • Post findings

Security Findings

I performed a systematic security review covering all 12 security check categories. Here are my findings:

✅ No Security Issues Found

1. Injection Vulnerabilities: None

  • No SQL, command, or path traversal vulnerabilities
  • URL construction uses hardcoded package names from static catalog

2. Authentication/Authorization: N/A

  • Public data collection feature, no auth required

3. Insecure Deserialization/eval: None

  • No eval(), Function(), or vm usage
  • JSON parsing only on trusted public API responses
  • Safe property access patterns (optional chaining at sdk/javascript/bin/cryptoserve.mjs:1056, sdk/javascript/bin/cryptoserve.mjs:1067)

4. Hardcoded Credentials: None

  • No secrets or credentials in code

5. SSRF/Open Redirect: None

  • Initially flagged fetch() calls at lines 1044, 1053, 1062 as potential SSRF
  • Verified safe: Package names come from hardcoded static catalog (package-catalog.mjs), not user input
  • URLs use validated package names only

6. Cryptographic Misuse: N/A

  • No cryptographic operations in this feature

7. Prototype Pollution: None

  • No __proto__ access
  • Property access at sdk/javascript/bin/cryptoserve.mjs:1047 uses safe fallback pattern (data.downloads || 0)
  • Optional chaining used for nested properties

8. ReDoS: None

  • Input parsing at sdk/javascript/bin/cryptoserve.mjs:1030 uses safe string operations
  • No user-controlled regex patterns

9. Command Injection: None

  • No subprocess execution

10. Scoring/Gating Logic Bugs: None

Traced through with 3 test cases:

  • Single ecosystem (--ecosystems npm): Aggregates correctly ✅
  • All ecosystems (default): Division-by-zero protection at line 1153 (total > 0 ? ...) ✅
  • Empty results: Percentages default to 0, no division errors ✅

Math verification:

  • Crates.io monthly estimation (line 1068): 90-day downloads / 3 = 30-day average

11. Filter Predicates: None

  • Line 1087: Validates ecosystem exists in config before use ✅
  • Line 1165: Filter predicate p.tier === TIERS.WEAK && p.downloads > 0 is correct ✅

12. Boolean Expressions: None

  • No redundant or problematic boolean logic

Code Quality Notes

Positive Security Patterns:

  • Input validation before use (ecosystem config check at line 1087)
  • Division-by-zero guards (line 1153)
  • Safe fallback patterns (|| 0, optional chaining)
  • Static package catalog prevents injection attacks
  • Rate limiting implemented (lines 1033-1035)

Architecture:

  • Clean separation: user input (--ecosystems) validated against hardcoded config
  • Package names sourced from static catalog, not user input
  • API rate limits prevent abuse (100ms npm, 200ms crates, 2s PyPI)

FINDINGS_COUNT=0
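The aggregation and guard logic the review traces above (the `--ecosystems` value validated against a hardcoded config, the `|| 0` fallback, the crates.io 90-day / 3 scaling, the `total > 0` percentage guard and the `p.tier === TIERS.WEAK && p.downloads > 0` predicate), reconstructed as an added stand-alone example. This is not cryptoserve's code: the `ECOSYSTEMS` config, its `windowDays` field, the `rawDownloads` field and the sample records are this example's own assumptions, and it runs offline on constructed data in place of the live npm, PyPI and crates.io calls.

```javascript
// Added example, not cryptoserve's code: reconstructs the census aggregation
// and the guards the review traces, over constructed data instead of live APIs.
// ECOSYSTEMS, windowDays and rawDownloads are this example's own assumptions.

// Assumed hardcoded config; --ecosystems values are validated against these keys.
const ECOSYSTEMS = Object.freeze({
  npm: { windowDays: 30 },    // npm's last-month endpoint already covers 30 days
  pypi: { windowDays: 30 },
  crates: { windowDays: 90 }, // crates.io reports 90-day totals, scaled to 30 days below
});

const TIERS = Object.freeze({ WEAK: "weak", MODERN: "modern", PQC: "pqc" });

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse "npm,pypi,crates" with plain string operations (no regex) and reject
// any name that is not a key of the hardcoded config before it is used.
function parseEcosystems(arg) {
  if (arg === undefined || arg === null || arg === "") return Object.keys(ECOSYSTEMS);
  const names = String(arg).split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  for (const name of names) {
    if (!hasOwn(ECOSYSTEMS, name)) throw new Error(`unknown ecosystem: ${name}`);
  }
  return [...new Set(names)];
}

// Normalise a raw count to a 30-day figure. A missing or non-numeric field
// falls back to 0 (the `|| 0` pattern) so one odd response cannot yield NaN totals.
function monthlyDownloads(ecosystem, raw) {
  const n = Number(raw) || 0;
  const { windowDays } = ECOSYSTEMS[ecosystem];
  return windowDays === 30 ? n : Math.round(n / (windowDays / 30)); // 90-day / 3 for crates
}

// Constructed sample standing in for the API responses (rawDownloads is the
// count as the registry reports it, before window scaling).
const SAMPLE = [
  { ecosystem: "npm",    name: "pkg-a", tier: TIERS.WEAK,   rawDownloads: 900 },
  { ecosystem: "npm",    name: "pkg-b", tier: TIERS.MODERN, rawDownloads: 300 },
  { ecosystem: "pypi",   name: "pkg-c", tier: TIERS.WEAK,   rawDownloads: 0 },
  { ecosystem: "pypi",   name: "pkg-d", tier: TIERS.PQC,    rawDownloads: 200 },
  { ecosystem: "crates", name: "pkg-e", tier: TIERS.WEAK,   rawDownloads: 900 },
  { ecosystem: "crates", name: "pkg-f", tier: TIERS.MODERN, rawDownloads: "1200" },
];

// Aggregate per tier, compute percentages with the division-by-zero guard,
// and pick the top weak packages with the same predicate the review checks.
function summarize(records, ecosystems = Object.keys(ECOSYSTEMS)) {
  for (const e of ecosystems) {
    if (!hasOwn(ECOSYSTEMS, e)) throw new Error(`unknown ecosystem: ${e}`);
  }
  const selected = new Set(ecosystems);
  const packages = records
    .filter((r) => selected.has(r.ecosystem))
    .map((r) => ({ ...r, downloads: monthlyDownloads(r.ecosystem, r.rawDownloads) }));

  const byTier = { [TIERS.WEAK]: 0, [TIERS.MODERN]: 0, [TIERS.PQC]: 0 };
  for (const p of packages) {
    if (hasOwn(byTier, p.tier)) byTier[p.tier] += p.downloads; // unknown tiers are ignored
  }
  const total = Object.values(byTier).reduce((a, b) => a + b, 0);
  // Division-by-zero guard: empty or all-zero results give 0%, not NaN.
  const pct = (n) => (total > 0 ? Math.round((n / total) * 1000) / 10 : 0);

  const topWeak = packages
    .filter((p) => p.tier === TIERS.WEAK && p.downloads > 0)
    .sort((a, b) => b.downloads - a.downloads)
    .slice(0, 5)
    .map(({ ecosystem, name, downloads }) => ({ ecosystem, name, downloads }));

  const tiers = {};
  for (const [tier, downloads] of Object.entries(byTier)) {
    tiers[tier] = { downloads, percent: pct(downloads) };
  }
  return { ecosystems: [...selected], total, tiers, topWeak };
}

// Stand-alone run: same shape as a `--format json` style output.
console.log(JSON.stringify(summarize(SAMPLE, parseEcosystems("npm,crates")), null, 2));
```

Two points the review relies on are visible here: validation happens on the ecosystem names before any config lookup, so an unexpected value fails fast rather than reaching a URL builder, and every numeric path (`Number(raw) || 0`, the `total > 0` guard) degrades to 0 rather than producing `NaN` in the percentages when a registry returns nothing.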


@github-actions

Manual review required. This PR did not meet auto-merge criteria:

  • Security review found issues (findings: unknown)
  • PR author 'thebenignhacker' is not in the trusted auto-merge list
  • Too many lines changed (278 > 200)
  • PR is too new (2 min < 5 min minimum)
