ado-source-core

v0.3.0 safe
4.0
Medium Risk

Read-only Azure DevOps API client and Pydantic models. OSS library shared by ado-scanner and Shyftport engines.

🤖 AI Analysis

Final verdict: SAFE

The package primarily interacts with Azure DevOps services through legitimate API calls and has a low likelihood of malicious intent based on the current analysis.

  • Low network and shell execution risks
  • Encoded tokens require further investigation but do not conclusively indicate malicious activity

Per-check LLM notes
  • Network: The network calls appear to be legitimate API interactions with Azure DevOps services, which aligns with the package's expected functionality.
  • Shell: No shell execution patterns detected, indicating low risk of direct system command execution.
  • Obfuscation: The base64 decoding pattern could be used for legitimate purposes such as data encryption, but it also raises concerns about hidden operations.
  • Credentials: No clear credential harvesting patterns were detected, but the presence of encoded tokens warrants further investigation.
  • Metadata: The repository not being found and the author's profile lacking details raise concerns.

🔬 Heuristic Checks

Outbound Network Calls score 9.0

Found 6 network call pattern(s)

  • lients = { "dev": httpx.AsyncClient(base_url=f"{base_url}/{organization}", **common_kwargs),
  • _kwargs), "vsrm": httpx.AsyncClient( base_url=f"https://vsrm.dev.azure.com/{orga
  • ), "feeds": httpx.AsyncClient( base_url=f"https://feeds.dev.azure.com/{org
  • ), "analytics": httpx.AsyncClient( base_url=f"https://analytics.dev.azure.com/
  • ), "vssps": httpx.AsyncClient( base_url=f"https://vssps.dev.azure.com/{org
  • ), "vsaex": httpx.AsyncClient( base_url=f"https://vsaex.dev.azure.com/{org

Code Obfuscation score 2.0

Found 1 obfuscation pattern(s)

  • x("Basic ") decoded = base64.b64decode(encoded).decode() assert decoded == ":some-token-wit

Shell / Subprocess Execution

No shell execution patterns detected

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

Email domain looks legitimate: n8group.com

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with ado-source-core
Create a mini-application called 'DevOpsInsight' that leverages the 'ado-source-core' Python package to provide developers and DevOps engineers with a comprehensive view of their Azure DevOps projects. This tool will allow users to authenticate with their Azure DevOps account and then retrieve and display various project details such as repositories, work items, builds, and releases.

Step 1: Set up the project environment
- Initialize a new Python project and install the 'ado-source-core' package.
- Ensure all necessary dependencies are installed.

Step 2: Authentication
- Implement a secure method for users to authenticate with their Azure DevOps account using OAuth2 or similar authentication protocols supported by Azure DevOps.
- Store the access token securely and use it to make authenticated requests to the Azure DevOps REST API.

Step 3: Data Retrieval
- Use the 'ado-source-core' package to query Azure DevOps for repositories within a specified organization/project.
- Fetch work items from specific projects, including their statuses and assignments.
- Retrieve recent build and release pipeline statuses.

Step 4: Data Presentation
- Design a user-friendly interface (console-based or web-based) to display the retrieved data in a structured format.
- Include options to filter and sort the displayed information based on different criteria (e.g., by repository name, work item type).
- Provide visual indicators for the status of builds and releases.

Suggested Features:
- Ability to select multiple organizations/projects to monitor simultaneously.
- Support for exporting data to CSV or JSON formats for further analysis.
- Real-time updates for build and release statuses.
- Integration with other tools like Slack or email for notifications.

How 'ado-source-core' is Utilized:
- The 'ado-source-core' package provides read-only access to the Azure DevOps API through its client and Pydantic models. It simplifies the process of making API calls and handling responses by abstracting away much of the complexity involved in working directly with the Azure DevOps REST API.
- Users will leverage the package's client to authenticate and fetch data, while Pydantic models will help in parsing and validating the API responses into Python objects, making it easier to manipulate and present the data.