An example project showcasing hoplon - the tool that helps you verify that the hex.pm packages you use don't contain any extra code apart from what's in their Github repositories.
When run, the application runs a webserver that returns words that end in a given suffix. Here's an example deployed to Heroku: https://suffixer.herokuapp.com/s/ix
For aligning the words it uses evil_left_pad,
which is a package that contains some potentially malicious code that's not present
on its github, but will be in suffixer's deps/
directory. It's an example of a
malicious package.
It also contains hoplon, which is the tool
When you compile the project using $ mix compile
you'll have access to hoplon mix
tasks:
$ mix help | grep hoplon
mix hoplon.absolve # marks the package as OK, even if it differs from source or can't be resolved
mix hoplon.check # Checks project's dependencies for hidden code
mix hoplon.diff # Shows differences between pulled package dependency and its github code
mix hoplon.release_checklist # Prints a checklist for releasing hoplon-compatible packages and its completion status
Running $ mix hoplon.check
should print something like the following, with the HONEST
and ABSOLVED
rows coloured green and the CORRUPT
coloured red:
Dependency Version Github LocatedBy Status
ace 0.16.0 crowdhailer/ace tag:0.16.0 HONEST
cookie 0.1.0 CrowdHailer/cookie.ex tag:0.1.0 HONEST
evil_left_pad 0.3.0 nietaki/evil_left_pad bisect:433ccc5172094e174e7a816274dd588cb3993022 CORRUPT: [files_differ: "/lib/evil_left_pad.ex"]
hoplon 0.3.2 nietaki/hoplon tag:v0.3.2 HONEST
mime 1.2.0 elixir-lang/mime tag:v1.2.0 ABSOLVED: 78adaa84832b3680de06f88f0997e3ead3b451a440d183d688085be2d709b534 - "just formatting changes"
plug 1.5.0 elixir-plug/plug tag:v1.5.0 HONEST
raxx 0.15.0 crowdhailer/raxx tag:0.15.0 HONEST
uuid 1.1.8 zyro/elixir-uuid tag:v1.1.8 HONEST
This shows you the dependencies in your project and if their contents line up
with what they show on Github. You can see evil_left_pad
is marked as
CORRUPT
(and for a good reason too).
To see the extra code in evil_left_pad
, run $ mix hoplon.diff evil_left_pad
-
it will output a diff between the deps directory and the cloned repository directory.
You might notice that the mime
package (depended on by plug
) is marked as ABSOLVED
.
That's because after looking at its diff, one of the developers of suffixer decided the
differences were innocent and harmless and absolved it using $ mix hoplon.absolve
.