Tracking Spring Security With GitHub Mentions

We’re all fans of GitHub and their mention system is pretty sweet. The normal use cases are straightforward but what if there were other possible use cases for the same feature? What if a programming language used a similar format as GitHub mentions in the language. Luckily Java does just that.

When writing Java code you can end up using a lot of annotations. Spring makes excellent use of these annotations and has a myriad of uses for them behind the scenes. These include everything from @SpringBootApplication which is a combinations of three other annotations, to @Bean which just defines a bean. Sometimes there are so many annotations you don’t know what to do with them.

[SpringBootApplication annotation]

At this point the idea dawned on me that I could passively monitor GitHub issues, pull requests, etc using the mention system.

The first task was registering the username @Autowired because it sounded like a decent alias so grabbing it seemed like a good idea. Initially there was some oddities in the GitHub account as it was detected as not being human. An email to GitHub support got that changed. As this was the first test of what kind of emails I would get, I sat on it for a few days. Here’s the results over a 5 day period:

[@Autowired]

Looking at the mails that were sent it was obvious that not only was this useful for Spring information but possibly also for any other public project.

After deciding this could be turned into a useful tool I registered a myriad of other usernames that related to Java annotations. After dealing with the not a human problem they’re not just sitting collecting data that I can turn into a feed of information about open source projects.

As an example use case I took these usernames:

  • PreAuthorize
  • PostAuthorize
  • PreFilter
  • PostFilter

These annotations (@PostFilter, etc) are some of the core spring security annotations. It’s possible some of the information I’d receive would be about incorrectly used annotations leading to security issues. Using these users I’m now just siphoning public data looking for security issues

On a side note - You don’t get mentions for private repos which the user is not a part of.