feat(malware-check): add whitespace check to detect excessive spacing and invisible characters #1086
+50
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oracle-contributor-agreement
bot
added
the
OCA Verified
behnazh-w
changed the title
behnazh-w
changed the title
behnazh-w
changed the title
art1f1c3R
reviewed
May 26, 2025
src/macaron/malware_analyzer/pypi_heuristics/sourcecode/white_spaces.py
Outdated
Show resolved
Hide resolved
…d invisible characters Signed-off-by: Amine <[email protected]>
Signed-off-by: Amine <[email protected]>
AmineRaouane
force-pushed
the
white-spaces-heuristic
branch
from
db0e35c to
6978bd7
Compare
art1f1c3R
reviewed
Jun 2, 2025
src/macaron/config/defaults.ini
Outdated
| @@ -600,3 +600,5 @@ major_threshold = 20 | |||
| epoch_threshold = 3 | |||
| # The number of days +/- the day of publish the calendar versioning day may be. | |||
| day_publish_error = 4 | |||
| # THe threshold for the number of repeated spaces in a line from the source code. | |||
There was a problem hiding this comment.
Small typo, "The" instead of "THe"
art1f1c3R
reviewed
Jun 2, 2025
| @@ -381,6 +383,10 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData: | |||
| failed({Heuristics.CLOSER_RELEASE_JOIN_DATE.value}), | |||
| forceSetup. | |||
| % Package released with excessive whitespace in the code . | |||
| {Confidence.HIGH.value}::trigger(malware_high_confidence_4) :- | |||
There was a problem hiding this comment.
Could you walk me through the rationale of why we should combine WHITE_SPACES failing with the forceSetup rule and why these rules together are a malicious indicator with HIGH confidence?
There was a problem hiding this comment.
because it implies, not only that harmful code may be executed during the installation process, but also that there appears to be an effort to hide the form of this code which strongly suggests malicious motives.
Signed-off-by: Ben Selwyn-Smith <[email protected]>
Signed-off-by: Amine <[email protected]>
…ackages (oracle#965) Include support for using Semgrep for analysis of source code to detect malicious code patterns, specified using Semgrep's YAML files. Signed-off-by: Carl Flottmann <[email protected]>
This PR allows Macaron to discover GitHub attestation. To retrieve these attestations, the SHA256 hash of the related artefact is required. Hashes are computed from local artefact files if available, or from downloaded ones otherwise. Signed-off-by: Ben Selwyn-Smith <[email protected]>
…acle#1096) This PR replaces the Go shared library previously used via C-bindings in Python with a standalone binary for the cuevalidator component. The binary can now be invoked as a subprocess, simplifying integration and improving portability. Signed-off-by: behnazh-w <[email protected]>
…e. (oracle#1102) The detail info containing inspector links now contains links as keys regardless of whether they are reachable, and includes a boolean value for reachability. Signed-off-by: Carl Flottmann <[email protected]>
…torial (oracle#1101) Signed-off-by: Carl Flottmann <[email protected]>
oracle#1097) Signed-off-by: Amine <[email protected]>
…d invisible characters Signed-off-by: Amine <[email protected]>
Signed-off-by: Amine <[email protected]>
Signed-off-by: Amine <[email protected]>
Signed-off-by: Amine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds a new heuristic that analyzes code to detect suspicious use of excessive spaces and invisible characters. It checks whether the amount of spacing and invisible Unicode characters exceeds a defined threshold.
Description of changes
WhiteSpacesheuristic in a new Python module.heuristics.pyfile.WhiteSpacesAnalyzerheuristic.detect_malicious_metadata_check.pyto integrate and execute the new heuristic logic during analysis.Related issues
None
Checklist
verifiedlabel should appear next to all of your commits on GitHub.