Tracking Spring Security With GitHub Mentions

cl4r1ty
cl4r1ty
Jun 26, 2015 · 2 min read

We’re all fans of GitHub and their mention system is pretty sweet. The normal use cases are straightforward but what if there were other possible use cases for the same feature? What if a programming language used a similar format as GitHub mentions in the language. Luckily Java does just that.

When writing Java code you can end up using a lot of annotations. Spring makes excellent use of these annotations and has a myriad of uses for them behind the scenes. These include everything from @SpringBootApplication which is a combinations of three other annotations, to @Bean which just defines a bean. Sometimes there are so many annotations you don’t know what to do with them.

Image for post
Image for post

At this point the idea dawned on me that I could passively monitor GitHub issues, pull requests, etc using the mention system.

The first task was registering the username @Autowired because it sounded like a decent alias so grabbing it seemed like a good idea. Initially there was some oddities in the GitHub account as it was detected as not being human. An email to GitHub support got that changed. As this was the first test of what kind of emails I would get, I sat on it for a few days. Here’s the results over a 5 day period:

Image for post
Image for post

Looking at the mails that were sent it was obvious that not only was this useful for Spring information but possibly also for any other public project.

After deciding this could be turned into a useful tool I registered a myriad of other usernames that related to Java annotations. After dealing with the not a human problem they’re not just sitting collecting data that I can turn into a feed of information about open source projects.

As an example use case I took these usernames:

  • PreAuthorize
  • PostAuthorize
  • PreFilter
  • PostFilter

These annotations (@PostFilter, etc) are some of the core spring security annotations. It’s possible some of the information I’d receive would be about incorrectly used annotations leading to security issues. Using these users I’m now just siphoning public data looking for security issues

On a side note — You don’t get mentions for private repos which the user is not a part of.


Originally published at c4.vc on June 26, 2015.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store