Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add a check to analyze malicious Python packages #750

Merged
merged 47 commits into from
Jul 4, 2024
Merged

feat: add a check to analyze malicious Python packages #750

merged 47 commits into from
Jul 4, 2024

Conversation

Yao-Wen-Chang
Copy link
Contributor

@Yao-Wen-Chang Yao-Wen-Chang commented May 26, 2024
edited by behnazh-w
Loading

PR Message:

Implemented PyPI's heuristics check to detect suspicious packages using seven key heuristics.

TODO List:

  • Implement PyPI's heuristics check to detect the suspicious packages with seven heuristics
  • Implement confidence policy
  • Implement PyPI package registry
  • Design the DB table to store the proper result
  • Create src/macaron/malware_analyzer/ directory and move this check there.
  • Update documentation to reflect the new heuristics and their usage
  • Write unit tests to ensure the reliability and accuracy of the heuristics implementation

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label May 26, 2024
@Yao-Wen-Chang Yao-Wen-Chang marked this pull request as draft May 26, 2024 06:25
tromai
tromai reviewed May 31, 2024
View reviewed changes
pyproject.toml Outdated Show resolved Hide resolved
@tromai
Copy link
Member

tromai commented May 31, 2024

@Yao-Wen-Chang When you address an issue mentioned in a comment, you can put the link to the commit next to the comment indicating that it has been resolve. Something like this would be extremely helpful for my review. Thanks!

Fixed this in https://github.com/oracle/macaron/pull/750/commits/d6684088dbe7792731240709d73a17de1eba73ad

@Yao-Wen-Chang Yao-Wen-Chang force-pushed the implement-heuristic-check branch from d668408 to 80b544a Compare June 8, 2024 16:54
@Yao-Wen-Chang
chore: refine base analyzer
f278feb 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine one release analyzer and modify base analyzer name
4e4a903 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine unchanged releases heuristic
6f8ff8e 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: implement PyPI registry
5f3724d 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: add handler for strptime
b9b07ee 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: modify test of empty project link analyzer
965a7f9 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: modify test of one release analyzer and refine empty project l…
c73beea 
…ink analyzer

Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine test and fix bug
98c04d2 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: move heuristics check to another folder
a588762 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: change module imported path
23fcc52 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: fix project link test
cb0ae1a 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine requests handler for source code download
4b6b25d 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: fix source file name extraction
07c6729 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: modify HEURISTIC to Heuristics
9af8138 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: update bs4 dep configuration
66fe586 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: implement test for suspicious_setup heuristic
0ce67b9 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine docstrings for HeuristicResult enum
272b4a7 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: handle the package with one release
de7fc72 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine the pypi registry docstring
bc2d921 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine heuristics enum
58243a4 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: add and refine tests for heuristics analysis
cbd409b 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: refine docstrings and fix confidence logic of the heuristics
713fc12 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: add the suspicious combo to detect unreachable links
8fd511b 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: add docstrings for suspicious combo and modify confidence
1a54ed8 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang
chore: remove suspicious combo
bd1e010 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
@Yao-Wen-Chang Yao-Wen-Chang force-pushed the implement-heuristic-check branch from a5f7b2b to bd1e010 Compare July 4, 2024 08:11
@behnazh-w behnazh-w merged commit 6e025b2 into oracle:staging Jul 4, 2024
9 checks passed
@Yao-Wen-Chang Yao-Wen-Chang deleted the implement-heuristic-check branch July 23, 2024 14:24
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
@Yao-Wen-Chang
feat: add a check to analyze malicious Python packages (#750)
2e9784a 
Signed-off-by: Yao-Wen-Chang <changyaowen19980629@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@behnazh-w behnazh-w behnazh-w approved these changes

@tromai tromai tromai approved these changes

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Yao-Wen-Chang @tromai @behnazh-w