DEV Community

Michael Scovetta

OSS Gadget: Using oss-download

As a security researcher, I often find myself downloading packages (rather than installing them). This is often harder than it should be, either requiring ecosystem-specific tools like npm or pip, or searching through websites like https://repo1.maven.org.

As a developer, I loathe repeating myself, so a few years ago my team and I started building a collection of tools we call OSS Gadget. It simplifies and automates various tasks that we've needed to perform, and we thought it would help others too.

OSS Gadget includes tools to help you download and extract packages, identify malware or cryptography, extract interesting characteristics, detect typo-squatting, and various other things.

In this post, I wanted to share the oss-download tool, which, as the name suggests, helps you download and optionally extract packages from a wide variety of package ecosystems.

The oss-download tool operates on a Package URL, which is a convenient way to express an ecosystem, package, and version. For example, the Python Django package would be pkg:pypi/django, and version 4.1.4 of Django would be pkg:pypi/django@4.1.4.

To download Django 4.1.4, just run:

# oss-download pkg:pypi/django@4.1.4

   ____   _____ _____    _____           _            _
  / __ \ / ____/ ____|  / ____|         | |          | |
 | |  | | (___| (___   | |  __  __ _  __| | __ _  ___| |_
 | |  | |\___ \\___ \  | | |_ |/ _` |/ _` |/ _` |/ _ \ __|
 | |__| |____) |___) | | |__| | (_| | (_| | (_| |  __/ |_
  \____/|_____/_____/   \_____|\__,_|\__,_|\__, |\___|\__|
                                            __/ |
                                           |___/          
OSS Gadget - oss-download 0.1.365+570ffa6632 - github.com/Microsoft/OSSGadget
INFO  - Downloaded pkg:pypi/django@4.1.4 to /usr/src/app/pypi-bdist_wheel-django@4.1.4.whl
INFO  - Downloaded pkg:pypi/django@4.1.4 to /usr/src/app/pypi-sdist-django@4.1.4.tar.gz

If you'd like to automatically extract the contents of the packages (recursively), use the -e option:

# oss-download -e pkg:pypi/django@4.1.4

You can also download all versions of a package by simply using a * as the version:

# oss-download pkg:pypi/django@*
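As an added example (not code from OSS Gadget or from this post), here is a small Python parser for the Package URL form used above. It splits a purl into type, namespace, name, version, qualifiers and subpath, and flags the * version that oss-download treats as "every version"; the percent-encoded npm scope and the GitHub purl in the comments are constructed inputs.

```python
"""Minimal Package URL (purl) parser for the pkg:type/namespace/name@version
form that oss-download accepts. Added example; not OSS Gadget's own code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    @property
    def all_versions(self) -> bool:
        # oss-download's convention: a version of "*" means every version
        return self.version == "*"


def parse_purl(purl: str) -> PackageURL:
    """Parse e.g. pkg:pypi/django@4.1.4 or pkg:npm/%40angular/core@12.3.1."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")  # the purl spec tolerates "pkg://"
    # Peel the optional subpath (#...) and qualifiers (?k=v&...) off the right
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    # The type (ecosystem) is the first path segment and is case-insensitive
    ptype, sep, rest = rest.partition("/")
    rest = rest.strip("/")
    if not sep or not rest:
        raise ValueError(f"missing package name: {purl!r}")
    # Name is the last segment; the version follows it after '@'. Splitting on
    # '/' first keeps an unencoded npm scope such as @angular out of the version.
    ns_part, _, last = rest.rpartition("/")
    name, _, version = last.partition("@")
    if not name:
        raise ValueError(f"missing package name: {purl!r}")
    namespace = "/".join(unquote(s) for s in ns_part.split("/") if s) or None
    return PackageURL(type=ptype.lower(), name=unquote(name), namespace=namespace,
                      version=unquote(version) if version else None,
                      qualifiers=qualifiers, subpath=subpath.strip("/") or None)
```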

OSS Gadget supports Cargo, Cocoapods, Composer, CPAN, CRAN, RubyGems, Go, GitHub, Hackage, Maven, npm, NuGet, PyPI, Ubuntu, and the Visual Studio Marketplace.

We hope OSS Gadget is useful; if you run into any trouble, please open an issue.
