William Woodruff woodruffw @trailofbits New York, NY https://yossarian.net Research @trailofbits, maintainer @Homebrew

pypa/warehouse 2781

The Python Package Index

kbsecret/kbsecret 434

A secret manager backed by Keybase and KBFS.

trailofbits/krf 298

A kernelspace syscall interceptor and randomized faulter

trailofbits/mishegos 155

A differential fuzzer for x86 decoders

trailofbits/bisc 68

Borrowed Instructions Synthetic Computation

Homebrew/gsoc 44

🔰 Homebrew's Google Summer of Code

trailofbits/http-security 36

Parse HTTP Security Headers

trailofbits/blight 34

A framework for instrumenting build tools

trailofbits/KRFAnalysis 24

Collection of LLVM passes and triage tools for use with the KRF fuzzer

trailofbits/dmarc 22

Ruby DMARC Parser

push event trailofbits/pip-audit

William Woodruff

commit sha 43385a9117f31b0aebcb46db40a1fb31d4a91779

pip_audit/cli: add a --version flag


push time in 2 days

pull request comment trailofbits/pip-audit

Progress indicator

Demo:

asciicast

woodruffw

comment created time in 2 days

PR opened trailofbits/pip-audit

Progress indicator

Adds a progress-based progress indicator to the CLI.

Some notes:

  • I've subclassed progress.spinner.Spinner into AuditSpinner to make it behave a little better (the spin icon is on the LHS now, and we show each item being processed to give the user more feedback)
  • I've confirmed that the default behavior of progress is reasonable when stdout/stderr aren't TTYs and that it doesn't interfere with our logging or other output
+26 -3

0 comment

3 changed files

pr created time in 2 days

push event trailofbits/pip-audit

William Woodruff

commit sha c1dab0d1c12179902bb69f946df47ad354b9d813

pip_audit/cli: add a custom AuditSpinner


push time in 2 days

delete branch woodruffw-forks/CompilerJobs

delete branch : ww/tob

delete time in 2 days

pull request comment mgaudet/CompilerJobs

README: update ToB links

No problem, thanks for maintaining this resource!

woodruffw

comment created time in 2 days

delete branch trailofbits/mishegos

delete branch : dependabot/submodules/src/worker/dynamorio/dynamorio-9357d87

delete time in 2 days

PR merged trailofbits/mishegos

build(deps): bump src/worker/dynamorio/dynamorio from `e66b2ae` to `9357d87` dependencies submodules

Bumps src/worker/dynamorio/dynamorio from e66b2ae to 9357d87.

Commits:

  • 9357d87 i#4953 ubuntu20: Fix locale test mismatches (#5100)
  • a49485e i#4924: Enable drcachesim -test_mode in release builds (#5099)
  • 1c0ea52 i#4953: Upgrade some AArchXX CI jobs to use Ubuntu 20.04 (#5098)
  • dc109ef i#4953 ubuntu20: Update package building to use Ubuntu 20 (#5097)
  • 7595b77 i#2243: Support non-first-segment-code in drcov (#5094)
  • 7fe9954 i#4953 ubuntu20: Explicily invoke python2 for clang-format-diff (#5095)
  • See full diff in the compare view: https://github.com/DynamoRIO/dynamorio/compare/e66b2ae73d50499f7574d75f837b757f7c30b290...9357d87adb3b13740d682d2524cb70486628e775

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

+1 -1

0 comment

1 changed file

dependabot[bot]

pr closed time in 2 days

push event trailofbits/mishegos

dependabot[bot]

commit sha 497b21486b1ba937f49c604b6b381da79fff9e9d

build(deps): bump src/worker/dynamorio/dynamorio (#1044)

Bumps [src/worker/dynamorio/dynamorio](https://github.com/DynamoRIO/dynamorio) from `e66b2ae` to `9357d87`.
- [Release notes](https://github.com/DynamoRIO/dynamorio/releases)
- [Commits](https://github.com/DynamoRIO/dynamorio/compare/e66b2ae73d50499f7574d75f837b757f7c30b290...9357d87adb3b13740d682d2524cb70486628e775)

---
updated-dependencies:
- dependency-name: src/worker/dynamorio/dynamorio
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>


push time in 2 days

delete branch trailofbits/mishegos

delete branch : dependabot/submodules/src/worker/zydis/zydis-e493174

delete time in 2 days

push event trailofbits/mishegos

dependabot[bot]

commit sha 3102425cdde907ccd3f85ee4cdf9a39a7372c176

build(deps): bump src/worker/zydis/zydis from `5c193ca` to `e493174` (#1045)

Bumps [src/worker/zydis/zydis](https://github.com/zyantific/zydis) from `5c193ca` to `e493174`.
- [Release notes](https://github.com/zyantific/zydis/releases)
- [Commits](https://github.com/zyantific/zydis/compare/5c193ca38ffac871c9893678bb13da14dee7d2a1...e493174711144f1f0ad2d74b280fed69c02dc9d5)

---
updated-dependencies:
- dependency-name: src/worker/zydis/zydis
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>


push time in 2 days

PR merged trailofbits/mishegos

build(deps): bump src/worker/zydis/zydis from `5c193ca` to `e493174` dependencies submodules

Bumps src/worker/zydis/zydis from 5c193ca to e493174.

Commits:

  • e493174 Do not sign ZydisWinKernel sample
  • See full diff in the compare view: https://github.com/zyantific/zydis/compare/5c193ca38ffac871c9893678bb13da14dee7d2a1...e493174711144f1f0ad2d74b280fed69c02dc9d5


+1 -1

0 comment

1 changed file

dependabot[bot]

pr closed time in 2 days

PR opened mgaudet/CompilerJobs

README: update ToB links

The old link was a little stale; I've also updated the top link to point to our jobs page.

+2 -2

0 comment

1 changed file

pr created time in 2 days

create branch woodruffw-forks/CompilerJobs

branch : ww/tob

created branch time in 2 days

issue comment trailofbits/pip-audit

Figure out how to represent the absence of a known good upgrade

Actually, the second case is probably one we can just punt on: our output format supports reporting multiple vulnerabilities for a dependency, so we could leave it to the user to make an upgrade decision among their choices.

woodruffw

comment created time in 2 days

issue comment trailofbits/pip-audit

Use OSV 1.0 format

Thanks for bringing this to our attention @oliverchang!

What do you think about changing the format to list a series of fix versions instead of ranges?

Yeah, I think we should upgrade to the 1.0 format, and change our internal representation to individual fixed versions in the process. Ultimately, we probably want our upgrade advice to look like a greater-equal pin for the fixed version (e.g. >= 1.2.3), so we don't need the ranges at all.

oliverchang

comment created time in 2 days

issue opened trailofbits/pip-audit

Figure out how to represent the absence of a known good upgrade

There are (at least) two scenarios in which we'll want to report a vulnerability in a package, but won't be (naively) able to offer upgrade advice:

  • The package is on its latest release, and as such cannot be upgraded any further
  • The package can be upgraded to a newer release that fixes a vulnerability, but not without introducing another known vulnerability

In the first case, we should probably emit a special value indicating that we're incapable of offering upgrade advice.

The second case is trickier; we could:

  • Not offer upgrade advice at all
  • Offer upgrade advice if and only if the newer version is "less" vulnerable than the older
  • Offer upgrade advice unconditionally, but warn the user that they're just trading one vulnerability for another

created time in 2 days

issue comment trailofbits/pip-audit

Add a progress indicator to the CLI

I pushed up two concepts here:

  • https://github.com/trailofbits/pip-audit/tree/ww/progress-progress (progress-based)
  • https://github.com/trailofbits/pip-audit/tree/ww/tqdm-progress (tqdm-based)

We probably still want to just go with progress, but I wanted to highlight how relatively bare-bones it is. But it's a pretty simple module, so we might be able to subclass Spinner and add more context to it.

woodruffw

comment created time in 3 days

create branch trailofbits/pip-audit

branch : ww/progress-progress

created branch time in 3 days

create branch trailofbits/pip-audit

branch : ww/tqdm-progress

created branch time in 3 days

delete branch trailofbits/pip-audit

delete branch : ww/lazier

delete time in 3 days

push event trailofbits/pip-audit

William Woodruff

commit sha b3fd732bf5f70311dcd9a32e15e26889597e3060

pip_audit, test: make interfaces lazier (#36)


push time in 3 days

PR merged trailofbits/pip-audit

pip_audit, test: make interfaces lazier

Per https://github.com/trailofbits/pip-audit/issues/28#issuecomment-920943310.

+27 -21

0 comment

5 changed files

woodruffw

pr closed time in 3 days

issue opened trailofbits/pip-audit

Handoff: Document architecture and data model

As part of the handoff, we should deliver documentation that explains our core design decisions:

  • Key architectural components (vuln service, dep collection, formatting interfaces) and how to use them (examples of implementing each)
  • An explanation of our data model (each dependency has multiple potential vulnerabilities, etc.)

created time in 3 days

Pull request review comment trailofbits/pip-audit

pip_audit, test: make interfaces lazier

 def __init__(         self._service = service         self._options = options -    def audit(self, source: DependencySource) -> Dict[Dependency, List[VulnerabilityResult]]:+    def audit(+        self, source: DependencySource+    ) -> Iterator[Tuple[Dependency, List[VulnerabilityResult]]]:
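Review bot: the new return type Iterator[Tuple[Dependency, List[VulnerabilityResult]]] in the audit signature is single-pass and no longer keyed by Dependency, so any caller that indexed the old Dict result or iterated it twice must now materialize it first (for example with dict(auditor.audit(source))); the docstring for audit should state that the result is a lazy iterator that the CLI has to consume exactly once while rendering progress.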

This is perhaps getting to the point of deserving a newtype or type alias...

woodruffw

comment created time in 3 days


PR opened trailofbits/pip-audit

pip_audit, test: make interfaces lazier

Per https://github.com/trailofbits/pip-audit/issues/28#issuecomment-920943310.

+27 -21

0 comment

5 changed files

pr created time in 3 days

create branch trailofbits/pip-audit

branch : ww/lazier

created branch time in 3 days

issue comment trailofbits/pip-audit

Add a progress indicator to the CLI

Thinking about this a bit more made me realize that we want to make the auditor and vulnerability service interfaces more accommodating to this: both should return iterators instead of concrete list/map types so that we can place the progress bar in the CLI rather than breaking our abstraction and putting it somewhere in the API.

woodruffw

comment created time in 3 days

issue comment trailofbits/pip-audit

Evaluate `resolvelib`

(We shouldn't need to parse the metadata ourselves, but here's the relevant most recent PEP anyways: https://www.python.org/dev/peps/pep-0566/)

woodruffw

comment created time in 3 days