arcgis-item-graph

v0.3.6 suspicious
7.0
High Risk

CLI tool for building and querying ArcGIS item dependency graphs

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package exhibits multiple unusual behaviors such as obfuscated imports and insecure credential handling, raising suspicion about its legitimacy.

  • High obfuscation risk through use of __import__
  • Insecure credential handling with getpass

Per-check LLM notes
  • Network: The network calls to localhost suggest internal testing or probing and do not indicate external exfiltration or command and control activities.
  • Shell: The use of subprocess.run to execute commands might be for CLI functionality but could pose risks if not properly sanitized or controlled.
  • Obfuscation: The import statements using __import__ suggest an attempt to bypass static analysis tools, which is uncommon for legitimate purposes.
  • Credentials: Direct use of getpass without proper context or secure handling indicates potential insecure credential management practices.
  • Metadata: The missing repository and short author name raise concerns, but there's no direct evidence of malice.

📦 Package Quality Overall: Low (4.8/10)

✦ High Test Suite 9.0

Test suite present — 17 test file(s) found

  • 17 test file(s) detected (e.g. test_auditor.py)
◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (17305 chars)
○ Low Contributing Guide 4.0

No contributing guide or governance files found

  • Development Status classifier >= Beta
◈ Medium Type Annotations 5.0

Partial type annotation coverage

  • 117 type-annotated function signatures detected in source
○ Low Multiple Contributors 1.0

Could not retrieve contributor data from GitHub

  • GitHub API error: 404

🔬 Heuristic Checks

Outbound Network Calls score 4.5

Found 3 network call pattern(s)

  • json" try: resp = requests.get(probe, verify=verify_cert, timeout=timeout) if resp.
  • , port=TEST_PORT): conn = http.client.HTTPConnection("localhost", port, timeout=5) conn.request("GET", path)
  • , port=TEST_PORT): conn = http.client.HTTPConnection("localhost", port, timeout=5) conn.request("POST", path,
Code Obfuscation score 6.0

Found 3 obfuscation pattern(s)

  • t.to_dataframe.return_value = __import__("pandas").DataFrame() with patch("cli.main.resolve_gis", ret
  • d"]) outcomes = [ __import__("arcgis_item_graph.remapper", fromlist=["RemapOutcome"]).RemapOutcome( "ccc", "Item ccc", True, None
  • True, None ), __import__("arcgis_item_graph.remapper", fromlist=["RemapOutcome"]).RemapOutcome( "ddd", "Item ddd", False, "type m
Shell / Subprocess Execution score 2.0

Found 1 shell execution pattern(s)

  • import sys result = subprocess.run( [sys.executable, "-m", "cli", "query", "--help"
Credential Harvesting score 2.5

Found 1 credential access pattern(s)

  • ).strip() password = _getpass.getpass("Password: ") env_content = ( f"ARCGIS_U
Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 3.0

Repository not found (deleted or private)

  • Repository not found (deleted or private)
Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)
Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with arcgis-item-graph
Develop a Python-based mini-application called 'ArcGIS Dependency Explorer' that leverages the 'arcgis-item-graph' package to visualize and analyze dependencies between different ArcGIS items such as layers, maps, and scenes within a given ArcGIS organization. The application should enable users to import their ArcGIS credentials, select an organization, and then generate a dependency graph of all items within that organization. Here are the key functionalities the app should include:

1. **User Authentication**: Allow users to input their ArcGIS credentials securely. Use the 'arcgis-item-graph' package to authenticate the user and gain access to the selected ArcGIS organization.
2. **Item Discovery**: Once authenticated, the app should fetch all available items from the specified organization using the 'arcgis-item-graph' package. These items will form the nodes of the dependency graph.
3. **Dependency Graph Construction**: Utilize the 'arcgis-item-graph' package to construct a dependency graph where each node represents an item and edges represent dependencies between these items. This could include dependencies like a layer being used in multiple maps.
4. **Graph Visualization**: Implement a feature to visually represent the dependency graph. Consider using libraries like NetworkX and Matplotlib to create a graphical representation of the dependencies.
5. **Querying the Graph**: Provide functionality for users to query the graph based on specific criteria. For example, they might want to find out which maps use a particular layer or identify orphaned items that are not referenced by any other items.
6. **Report Generation**: Allow the option to generate a report summarizing the findings from the dependency graph. This report could include visualizations and key insights about the dependencies.
7. **Optional Feature - Recommendation System**: As an advanced feature, implement a recommendation system that suggests potential improvements to the current structure based on the dependency graph. For instance, it could suggest consolidating layers or optimizing the use of resources.

The goal is to create a comprehensive tool that helps ArcGIS administrators and developers better understand and manage their items, ensuring efficient and effective usage of resources.
