[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78368":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":30,"readmeContent":31,"aiSummary":32,"trendingCount":16,"starSnapshotCount":16,"syncStatus":33,"lastSyncTime":34,"discoverSource":35},78368,"bumblebee","perplexityai\u002Fbumblebee","perplexityai","Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.","",null,"Go",4395,396,17,11,0,13,137,2431,75,109.79,"Apache License 2.0",false,"main",true,[27,28,29],"golang","package-inventory","supply-chain-security","2026-06-12 04:01:23","# bumblebee\n\nBumblebee is a read-only inventory collector for package, extension,\nand developer-tool metadata on macOS and Linux developer endpoints.\n\nIt answers a narrow supply-chain response question: when an advisory\nnames a package, extension, or version, which developer machines show\na match in their on-disk metadata right now?\n\nSBOMs help answer what shipped, and EDR helps answer what ran or\ntouched the network, but supply-chain response often needs a different\nview: messy local state across lockfiles, package-manager metadata,\nextension manifests, and supported developer-tool configs.\n\nBumblebee turns that scattered on-disk state into structured NDJSON\ncomponent records and, when given an exposure catalog, flags exact\nmatches for fast, read-only exposure checks when responders already\nknow what they are looking 
for.\n\n## Scope\n\n- Single static binary, Go 1.25+, zero non-stdlib dependencies.\n- Three scan profiles (`baseline`, `project`, `deep`) for different\n  populations and cadences.\n- Reads only the lockfiles, package-manager install metadata,\n  extension manifests, and supported MCP JSON configs listed in\n  [docs\u002Finventory-sources.md](docs\u002Finventory-sources.md). No package\n  manager execution (`npm ls`, `pip show`, `go list`, ...) and no\n  source-file reads. MCP host configs can carry environment values\n  and credentials in their `env` blocks; Bumblebee parses these\n  configs for the server inventory it needs but does not emit those\n  values in its records.\n\n## Coverage\n\n| Family | Emitted `ecosystem` | Sources |\n|---|---|---|\n| npm | `npm` | `package-lock.json`, `npm-shrinkwrap.json`, `node_modules\u002F.package-lock.json`, `node_modules\u002F\u003Cpkg>\u002Fpackage.json` |\n| pnpm | `npm` | `pnpm-lock.yaml`, `.pnpm\u002F...\u002Fpackage.json` |\n| Yarn | `npm` | `yarn.lock` (Classic + Berry) |\n| Bun | `npm` | `bun.lock`; `bun.lockb` presence as diagnostic |\n| PyPI | `pypi` | `*.dist-info\u002FMETADATA`, `INSTALLER`, `direct_url.json`, `*.egg-info\u002FPKG-INFO` |\n| Go modules | `go` | `go.sum`, `go.mod` |\n| RubyGems | `rubygems` | `Gemfile.lock`, installed `*.gemspec` |\n| Composer | `packagist` | `composer.lock`, `vendor\u002Fcomposer\u002Finstalled.json` |\n| MCP | `mcp` | JSON host configs: `mcp.json`, `.mcp.json`, `claude_desktop_config.json`, `mcp_config.json`, `mcp_settings.json`, `cline_mcp_settings.json`, plus `~\u002F.gemini\u002Fsettings.json` (Gemini CLI \u002F Code Assist). Non-JSON configs (Codex `config.toml`, Continue YAML) are not parsed in v0.1. 
|\n| Editor extensions | `editor-extension` | VS Code, Cursor, Windsurf, VSCodium manifests |\n| Browser extensions | `browser-extension` | Chromium-family (`manifest.json`) and Firefox (`extensions.json`) per profile |\n\nPer-ecosystem detail: [docs\u002Finventory-sources.md](docs\u002Finventory-sources.md).\n\n## Install\n\nRequires Go 1.25+. Zero non-stdlib dependencies.\n\n```sh\n# Install the latest tagged release into $GOBIN.\ngo install github.com\u002Fperplexityai\u002Fbumblebee\u002Fcmd\u002Fbumblebee@latest\n\n# Or pin a specific tag.\ngo install github.com\u002Fperplexityai\u002Fbumblebee\u002Fcmd\u002Fbumblebee@v0.1.1\n```\n\nTo build from a checkout:\n\n```sh\ngo build -o bumblebee .\u002Fcmd\u002Fbumblebee\ngo test .\u002F...\n```\n\nStamp an explicit version at build time:\n\n```sh\ngo build -ldflags \"-X main.Version=v0.1.1\" -o bumblebee .\u002Fcmd\u002Fbumblebee\n```\n\n`bumblebee version` prints the version plus the VCS revision, build\ntime, and Go runtime — so a record emitted in production can be traced\nback to a specific build. Version precedence: `-ldflags` override,\nmodule version recorded by `go install`, then the in-tree default\ntracked in `VERSION`.\n\n### Self-test\n\nAfter installing, run a built-in end-to-end check against embedded\nfixtures:\n\n```sh\nbumblebee selftest\n# selftest OK (2 findings in 1ms)\n```\n\nThe fixtures live inside the binary, use deliberately fake package\nnames (`bumblebee-selftest-evil@0.0.0`), and make no network calls. A\nnon-zero exit means the local install can no longer detect what it\nshould — a fast pre-deployment smoke test for fleet rollouts.\n\n## Profiles\n\nBumblebee is a one-shot scanner: each invocation performs a single scan\nand exits. Cadence is the runner's responsibility (cron, launchd, systemd,\nMDM, etc.). 
Each record carries `profile` and a per-root `root_kind` so\nreceivers can keep populations separate.\n\n| Profile | Scans | Use for |\n|---|---|---|\n| `baseline` | Common global\u002Fuser package roots, language toolchains, editor extensions, browser extensions, and MCP configs. | Recurring lightweight inventory via an external runner. |\n| `project` | Configured development directories, such as `~\u002Fcode`, `~\u002Fsrc`, or `~\u002Fwork`. | Recurring inventory for known project workspaces. |\n| `deep` | Explicit `--root` paths, including broad roots like `$HOME`. | On-demand incident or campaign checks, usually with `--ecosystem`, `--exposure-catalog`, and `--findings-only`. |\n\n`baseline` and `project` refuse bare-home roots; only `deep` walks them.\n\n## Quick start\n\n```sh\n# Baseline global inventory.\nbumblebee scan --profile baseline > inventory.ndjson\n\n# Daily project sweep with explicit roots.\nbumblebee scan --profile project \\\n  --root \"$HOME\u002Fcode\" \\\n  --root \"$HOME\u002FDeveloper\"\n\n# Limit a run to selected emitted ecosystems.\nbumblebee scan --profile baseline \\\n  --ecosystem npm,pypi \\\n  --ecosystem go\n\n# On-demand exposure scan against a published advisory.\nbumblebee scan --profile deep \\\n  --root \"$HOME\" \\\n  --exposure-catalog .\u002Fcatalog.json \\\n  --max-duration 10m\n```\n\nPreview the resolved roots without scanning:\n\n```sh\nbumblebee roots --profile baseline\n# prints \"\u003Croot_kind>\\t\u003Cpath>\" lines\n```\n\n`--root` is a filesystem path to scan; repeatable, required for `deep`,\noptional for the other profiles. `--ecosystem` is repeatable and\ncomma-separated. `--exposure-catalog` accepts a JSON file or a directory\nof `*.json` catalogs (merged non-recursively, all files must share\n`schema_version`). `--findings-only` requires `--exposure-catalog` and\nsuppresses package records while keeping findings. `bumblebee scan --help`\nlists every flag.\n\n## Output\n\nRecords are NDJSON, one per line. 
Diagnostics go to stderr as NDJSON. Each\nrun ends with a `scan_summary` record; receivers use it to decide whether\nto promote a run to current state. See [docs\u002Ftransport.md](docs\u002Ftransport.md)\nfor HTTPS\u002Ffile output and [docs\u002Fstate-model.md](docs\u002Fstate-model.md) for the\nreceiver-side current-state model.\n\nPackage record:\n\n\u003Cdetails>\n\u003Csummary>Example package record\u003C\u002Fsummary>\n\n```json\n{\n  \"record_type\": \"package\",\n  \"record_id\": \"package:...\",\n  \"schema_version\": \"0.1.0\",\n  \"scanner_name\": \"bumblebee\",\n  \"scanner_version\": \"v0.1.1\",\n  \"run_id\": \"9b1f0c2e4d5a6b7c8d9e0f1a2b3c4d5e\",\n  \"scan_time\": \"2026-05-15T18:22:01.482Z\",\n  \"endpoint\": {\n    \"hostname\": \"alex-mbp\",\n    \"os\": \"darwin\",\n    \"arch\": \"arm64\",\n    \"username\": \"alex\",\n    \"uid\": \"501\",\n    \"device_id\": \"MDM-7F4A2B\"\n  },\n  \"profile\": \"project\",\n  \"ecosystem\": \"npm\",\n  \"package_name\": \"@tanstack\u002Fquery-core\",\n  \"normalized_name\": \"@tanstack\u002Fquery-core\",\n  \"version\": \"5.59.20\",\n  \"project_path\": \"\u002FUsers\u002Falex\u002Fcode\u002Fweb-app\",\n  \"root_kind\": \"project_root\",\n  \"package_manager\": \"pnpm\",\n  \"source_type\": \"pnpm-lockfile\",\n  \"source_file\": \"\u002FUsers\u002Falex\u002Fcode\u002Fweb-app\u002Fpnpm-lock.yaml\",\n  \"has_lifecycle_scripts\": false,\n  \"confidence\": \"high\"\n}\n```\n\n\u003C\u002Fdetails>\n\n`confidence`:\n\n- `high` — exact identity and version came from canonical metadata.\n- `medium` — identity is reliable, but version or source is partial.\n- `low` — config\u002Fpath\u002Fspec reference only; not proof of an installed exact version.\n\nFinding record (exposure-catalog match):\n\n\u003Cdetails>\n\u003Csummary>Example finding record\u003C\u002Fsummary>\n\n```json\n{\n  \"record_type\": \"finding\",\n  \"record_id\": \"finding:...\",\n  \"schema_version\": \"0.1.0\",\n  \"scanner_name\": \"bumblebee\",\n 
 \"scanner_version\": \"v0.1.1\",\n  \"run_id\": \"3a8c7d1e9f0b2a4c6d8e0f1a2b3c4d5e\",\n  \"scan_time\": \"2026-05-15T18:22:01.482Z\",\n  \"endpoint\": {\n    \"hostname\": \"alex-mbp\",\n    \"os\": \"darwin\",\n    \"arch\": \"arm64\",\n    \"username\": \"alex\",\n    \"uid\": \"501\",\n    \"device_id\": \"MDM-7F4A2B\"\n  },\n  \"profile\": \"deep\",\n  \"finding_type\": \"package_exposure\",\n  \"severity\": \"critical\",\n  \"catalog_id\": \"advisory-2026-0042\",\n  \"catalog_name\": \"example-pkg 1.2.3 (compromised release)\",\n  \"ecosystem\": \"npm\",\n  \"package_name\": \"example-pkg\",\n  \"normalized_name\": \"example-pkg\",\n  \"version\": \"1.2.3\",\n  \"root_kind\": \"deep_home_root\",\n  \"project_path\": \"\u002FUsers\u002Falex\u002Fcode\u002Fweb-app\",\n  \"source_type\": \"pnpm-lockfile\",\n  \"source_file\": \"\u002FUsers\u002Falex\u002Fcode\u002Fweb-app\u002Fpnpm-lock.yaml\",\n  \"confidence\": \"high\",\n  \"evidence\": \"exact name+version match (version=1.2.3)\"\n}\n```\n\n\u003C\u002Fdetails>\n\n`record_id` is a content-addressed hash of a canonical identity tuple per\nrecord type, stable across runs. Per-record-type field lists and dedupe\nguidance: [docs\u002Fstate-model.md](docs\u002Fstate-model.md#record-identity-record_id).\n\n## Exposure Catalog Format\n\nMinimal JSON, exact `(ecosystem, name, version)` matching only:\n\n```json\n{\n  \"schema_version\": \"0.1.0\",\n  \"entries\": [\n    {\n      \"id\": \"advisory-2026-0042\",\n      \"name\": \"example-pkg 1.2.3 (compromised release)\",\n      \"ecosystem\": \"npm\",\n      \"package\": \"example-pkg\",\n      \"versions\": [\"1.2.3\"],\n      \"severity\": \"critical\"\n    }\n  ]\n}\n```\n\nThe catalog must be a JSON object with `schema_version` and `entries`\nkeys. Bare top-level arrays are rejected. Unsupported future\n`schema_version` values are rejected. 
Multiple catalog files can be\nloaded together by pointing `--exposure-catalog` at a directory; see\nthe flag description above.\n\n### Sample exposure catalogs\n\nThe [`threat_intel\u002F`](threat_intel\u002F) directory holds maintained exposure\ncatalogs built from public threat-intelligence reporting on recent\nsupply-chain campaigns, assembled with\n[Perplexity Computer](https:\u002F\u002Fwww.perplexity.ai\u002Fcomputer) and updated\nvia PRs as new campaigns are reported. See\n[`threat_intel\u002FREADME.md`](threat_intel\u002FREADME.md) for the current\ncatalog list and review guidance.\n\n## License\n\nApache License 2.0. See [LICENSE](LICENSE).\n","Bumblebee is a read-only tool for scanning installed package, extension, and developer-tool metadata on developer endpoints, designed to check exposure to known software supply-chain attacks. It does this by collecting local state from macOS and Linux systems and turning it into structured NDJSON component records. When given an exposure catalog, Bumblebee can quickly flag exact matches for fast, read-only exposure checks. The project is written in Go, requires Go 1.25+, and has no non-stdlib dependencies. It offers three scan profiles (baseline, project, deep) to fit different scenarios. Bumblebee suits companies or organizations that must respond rapidly to supply-chain security incidents, helping identify which developer machines carry a potential threat once a risk is already known.",2,"2026-06-11 03:56:43","CREATED_QUERY"]