supplychain.fail
I was curious what it would look like if I plotted the intensity and volume of software supply chain CVEs over time, given what seemed like a flood of compromises lately.
It looked exactly how I expected:

Building
This was an AI-enabled side project, built largely on my phone between family responsibilities. For practical reasons and because the codebase is small, the first 90% of the build involved brainstorming with Gemini (because it’s free) and copy-pasting between Gemini, gitingest.com and the GitHub mobile app. I put the final touches on artisanally on my laptop like a true code craftsman.
Architecture
The source data for the visualization is the GitHub Advisory Database repository, conveniently provided in Open Source Vulnerability (OSV) format.
The AI wanted to add a “lightweight” backend in the form of a key value store, but I had absolutely no interest in maintaining any kind of infrastructure as I am time-poor and thrifty with my side projects. Instead, I directed it to do everything via GitHub Actions and it duly obliged, generating and committing an almighty source-of-truth JSON blob to the repo and letting GitHub Pages handle the rest. The only cost was the vanity domain, obtained cheaply.
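As an added example (not the site's own code), here is the kind of aggregation step that GitHub Actions job would run: it takes GitHub Advisory Database records in OSV shape and buckets them by published month and ecosystem into the JSON blob a static page can plot. The sample records and their ids are constructed placeholders, and dropping withdrawn and GHSA-only (no CVE alias) records is my assumption about what such a blob should exclude.

```python
"""Bucket OSV advisories by published month and ecosystem.
Added example, not the site's own code: the kind of step the GitHub Actions job
would run over GitHub Advisory Database records (OSV format) to build the JSON
blob a static page plots. Sample records are constructed; ids are placeholders."""
import json
from collections import defaultdict
from datetime import datetime

SAMPLE_ADVISORIES = [  # constructed, OSV-shaped
    {"id": "GHSA-xxxx-0001", "published": "2024-03-04T12:00:00Z",
     "aliases": ["CVE-2024-00001"],
     "affected": [{"package": {"ecosystem": "npm", "name": "pkg-a"}}]},
    {"id": "GHSA-xxxx-0002", "published": "2024-03-20T09:30:00Z",
     "aliases": ["CVE-2024-00002"],
     "affected": [{"package": {"ecosystem": "npm", "name": "pkg-b"}},
                  {"package": {"ecosystem": "Maven", "name": "org.x:pkg-b"}}]},
    {"id": "GHSA-xxxx-0003", "published": "2024-04-01T00:00:00Z",
     "aliases": [],  # GHSA-only record, no CVE assigned
     "affected": [{"package": {"ecosystem": "PyPI", "name": "pkg-c"}}]},
    {"id": "GHSA-xxxx-0004", "published": "2024-04-15T08:00:00Z",
     "withdrawn": "2024-05-01T00:00:00Z", "aliases": ["CVE-2024-00004"],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "pkg-d"}}]},
    {"id": "GHSA-xxxx-0005", "published": "2024-04-02T16:45:00Z",
     "aliases": ["CVE-2024-00005"],
     "affected": [{"package": {"ecosystem": "Go", "name": "example.test/pkg-e"}}]},
]

def month_key(published):
    """'2024-03-04T12:00:00Z' -> '2024-03' (OSV timestamps are RFC 3339)."""
    return datetime.fromisoformat(published.replace("Z", "+00:00")).strftime("%Y-%m")

def ecosystems(advisory):
    """Distinct ecosystems an advisory touches; one record may span several."""
    return {a["package"]["ecosystem"] for a in advisory.get("affected", []) if "package" in a}

def aggregate(advisories, only_cve=True):
    """Return {month: {ecosystem: count}}, counting an advisory once per ecosystem.
    Withdrawn records are dropped; with only_cve so are GHSA-only ones (my choice)."""
    table = defaultdict(lambda: defaultdict(int))
    for adv in advisories:
        if adv.get("withdrawn") or not adv.get("published"):
            continue
        if only_cve and not any(a.startswith("CVE-") for a in adv.get("aliases", [])):
            continue
        for eco in ecosystems(adv):
            table[month_key(adv["published"])][eco] += 1
    return {month: dict(counts) for month, counts in sorted(table.items())}

def to_blob(advisories):  # what the Action would commit for GitHub Pages to serve
    return json.dumps(aggregate(advisories), indent=1, sort_keys=True)
```

In the real repository each advisory is its own JSON file, so the Action would glob those files and feed the parsed objects to `aggregate` in place of the constructed list.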
Tweaking
The initial visualisation dreamed up by the robot did not render well, with large overlapping circles to indicate intensity:

Some further surgical prompting corrected it to the coloured squares that ended up getting deployed.
Linux CVEs
I wanted to include Linux CVEs to visualize recent fun like copy.fail and Dirty Frag, but due to the fact that essentially any bug in the kernel is assigned a CVE, they don’t appear in an easily digestible format like other ecosystems in the Advisory Database. I tried to work around this, but gave up in the end because this is a silly side project after all and I went to build LEGO with my kid instead.
Links
Site: supplychain.fail
Code: Repository
AI Disclaimer: while I leverage AI to write software these days, I never use it for prose. All mistakes my own.