Unmaintained Item
Flags items that are not maintained on the marketplace, suggesting concerns about the item's reputation and the publisher's reliability.
low
Findings
All findings are available for Enterprise users
Code analysis
AI-powered analysis of the extension's source code for security insights and risk assessment.
This extension provides support for connecting to JupyterHub in VS Code, working alongside the Jupyter extension. Its main purpose is to facilitate communication with JupyterHub servers, manage kernels, sessions, and file contents, and handle related API interactions.
Key Activities and API Usage:
- Network Communication:
- Uses HTTP(S) requests to JupyterHub/Jupyter server REST APIs for managing kernels, sessions, contents, and configuration.
- Uses WebSocket connections for real-time communication with kernels (for code execution, output, etc.).
- Example:
this._ws = new settings.WebSocket(url, supportedProtocols); this._ws.binaryType = "arraybuffer";
- Filesystem Activity:
- Interacts with Jupyter server's contents API to read, write, rename, and delete files, but does not directly access the local filesystem from the extension code. All file operations are mediated via the Jupyter server REST API.
- Process Execution:
- No direct process execution on the user's machine is performed by the extension code. All kernel and session management is done via server APIs.
- Data Handling:
- Handles notebook and file content as JSON objects, and transmits/receives them via the server APIs.
- Extension Configuration:
- Reads configuration from the Jupyter server or from VS Code settings, but does not attempt to modify VS Code or system-level settings outside its scope.
- Obfuscation:
- The code is minified and bundled, but not obfuscated. Variable names and logic are readable and follow standard patterns for VS Code/JupyterLab extensions.
Security and Malicious Indicators:
- No evidence of code execution on the user's machine outside of the Jupyter server context.
- No evidence of arbitrary network requests to unknown domains (all network activity is directed at the configured Jupyter server/JupyterHub endpoints).
- No evidence of data exfiltration, credential theft, or backdoors.
- No use of eval, Function constructor, or dynamic code execution.
- No suspicious string encoding, encryption, or obfuscation techniques.
Summary:
- The extension is a standard implementation for JupyterHub connectivity, using well-known APIs and patterns. It does not exhibit behaviors associated with malicious extensions.
API Calls
API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.
low
os.cpus
nodejs
/extension/dist/extension.node.js
low
http.ServerRequest
nodejs
/extension/dist/extension.node.js
low
http.ServerResponse
nodejs
/extension/dist/extension.node.js
All API calls are available for Enterprise users
Secrets
Any encoded/decoded secrets we managed to find in the source code, git repository, or related files
URI
/extension/dist/extension.node.js
Unverified
URI
/extension/dist/extension.node.js
Unverified
All secrets are available for Enterprise users
Vulnerabilities
Known vulnerabilities and security issues detected in the extension's dependencies and code.
high
Enterprise Only
Enterprise Only
Enterprise Only
medium
Enterprise Only
Enterprise Only
Enterprise Only
low
Enterprise Only
Enterprise Only
Enterprise Only
VULNERABILITIES ARE AVAILABLE FOR ENTERPRISE USERS
External communication
Any identifiers we detected that may indicate external communication from the item's code
https://github.com/Microsoft/node-diagnostic-cha
extension/dist/extension.node.js
https://aka.ms/vscodeJupyterHub
extension/dist/extension.node.js
https://aka.ms/vscodeJupyterHubApiToken
extension/dist/extension.node.js
All external communications are available for Enterprise users
Dependencies
Dependencies and third-party libraries used by the extension, including version information and license details.
@jupyterlab/services
Version:
Unknown
@types/chai
Version:
Unknown
@types/chai-as-promised
Version:
Unknown
All dependencies are available for Enterprise users
Licenses & Compliance
Compliance
Compliance status and certifications for the extension and its publisher
Microsoft
Microsoft is ISO27001 certified, with Azure, Dynamics 365, and other Microsoft online services undergoing regular independent third-party audits for compliance. There is no mention of a parent company as Microsoft is a large corporation on its own.
Compliant
Microsoft
Microsoft's services are compliant with the SOC 2 Type 2 standards for operational security, which are relevant to trust services criteria for system security, availability, processing integrity, and confidentiality. Additionally, there is a mention of compliance in their security and privacy policies, indicating a commitment to maintaining these standards.
Compliant
Microsoft
Microsoft is committed to GDPR compliance across its cloud services and provides relevant assurances in its contractual commitments. No specific parent company was identified as this appears to be a standalone entity within the context.
Compliant
Licenses
X.Net License
View License" MIT License\n\n Copyright (c) Microsoft Corporation.\n\n Permission is hereby granted, free of charge, to any person obtaining a copy\n of this software and associated documentation file...