asfswhid

v0.1.1 suspicious
4.0
Medium Risk

Python bindings for the swhid-rs SWHID v1.2 reference implementation (ISO/IEC 18670:2025)

🤖 AI Analysis

Final verdict: SUSPICIOUS

The package shows low risk in terms of network calls, shell commands, obfuscation, and credential harvesting. However, the recent and concentrated commits, together with the maintainer's new and incomplete profile, raise concerns about potential supply-chain risk.

  • Suspiciously recent and concentrated commits
  • Incomplete and new maintainer's profile

Per-check LLM notes
  • Network: No network calls detected, indicating no immediate risk from network activity.
  • Shell: The only shell executions found are Git commands (git hash-object, git init, git config, git add, git commit), consistent with the package using Git during development or testing; this is not inherently malicious but should be reviewed in context.
  • Obfuscation: No obfuscation patterns detected, indicating low risk of malicious obfuscation.
  • Credentials: No credential harvesting patterns detected, indicating low risk of malicious credential theft.
  • Metadata: The repository has suspiciously recent and concentrated commits, and the maintainer's profile is incomplete and new.

📦 Package Quality Overall: Low (4.4/10)

◈ Medium Test Suite 6.0

Partial test coverage signals detected

  • 2 test file(s) detected (e.g. test_asfswhid.py)

◈ Medium Documentation 5.0

Some documentation present

  • Detailed PyPI description (14728 chars)

○ Low Contributing Guide 2.0

No contributing guide or governance files found

  • No CONTRIBUTING, CODE_OF_CONDUCT, or governance files found

○ Low Type Annotations 1.0

No type annotations detected

  • No type annotations, py.typed marker, or stub files detected

✦ High Multiple Contributors 8.0

Active multi-contributor project

  • 3 unique contributor(s) across 20 commits in apache/tooling-asfswhid
  • Small but multi-author team (3–4 contributors)

🔬 Heuristic Checks

Outbound Network Calls

No suspicious network call patterns found

Code Obfuscation

No obfuscation patterns detected

Shell / Subprocess Execution score 10.0

Found 5 shell execution pattern(s)

  • bytes(data) git_hex = subprocess.check_output( ["git", "hash-object", str(f)], text=True
  • po with known content subprocess.run(["git", "init", str(tmp_path)], check=True,
  • capture_output=True) subprocess.run(["git", "-C", str(tmp_path), "config",
  • ite_bytes(b"Hello\n") subprocess.run(["git", "-C", str(tmp_path), "add", "."],
  • capture_output=True) subprocess.run( ["git", "-C", str(tmp_path), "commit", "-m", "i

Credential Harvesting

No credential harvesting patterns detected

Typosquatting

No typosquatting candidates detected

Registered Email Domain

No author email provided

Suspicious Page Links

All external links appear legitimate

Git Repository History score 2.5

Git history flags: All 20 commits happened within 24 hours

  • All 20 commits happened within 24 hours

Maintainer History score 4.0

2 maintainer concern(s) found

  • Author name is missing or very short
  • Author "" appears to have only 1 package on PyPI (new or inactive account)

Known CVE Vulnerabilities

No known vulnerabilities found in OSV database.

💡 AI App Starter Prompt

Use this prompt to build a project with asfswhid

Develop a mini-application named 'SWHID-Manager' using Python that leverages the 'asfswhid' package to generate and manage Software Heritage Identifiers (SWHIDs). This application will serve as a tool for developers to easily create and validate SWHIDs based on ISO/IEC 18670:2025 standards. The application should include the following functionalities:

1. **Generate SWHID**: Users should be able to input a software artifact's URL or local path and get its corresponding SWHID.
2. **Validate SWHID**: The app must provide a way to verify if a given SWHID is valid according to the SWHID v1.2 standard.
3. **Metadata Lookup**: If possible, the application should also allow users to fetch metadata associated with a provided SWHID from the Software Heritage archive.
4. **Command Line Interface (CLI)**: Implement a simple CLI where users can interact with the application through commands like `generate`, `validate`, and `lookup`.
5. **Documentation**: Provide clear documentation explaining how to install the application, how to use each feature, and any limitations or considerations.

The 'asfswhid' package will be primarily used for generating and validating SWHIDs. Ensure your code is well-documented and includes error handling for invalid inputs or network issues when fetching metadata.
