Skip to content

docs: include source code analysis subsection in malicious package tutorial #1101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jun 12, 2025
Merged

docs: include source code analysis subsection in malicious package tutorial #1101

Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b8b9b54
docs: included tutorial section explaining source code analysis
art1f1c3R Jun 11, 2025
343b656
chore: addressing PR feedback
art1f1c3R Jun 12, 2025
dcd53c9
docs: added note to indicate new feature
art1f1c3R Jun 12, 2025
ed89354
chore: PR change with conventional commit message
art1f1c3R Jun 12, 2025
21bfa9b
docs: include force analyze source in cli docs
art1f1c3R Jun 12, 2025
42f0c15
docs: add analyze source to cli docs
art1f1c3R Jun 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions docs/source/pages/tutorials/detect_malicious_package.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,22 @@ Note that the ``match`` constraint applies a regex pattern and can be expanded t
is_component(component_id, purl),
match("pkg:pypi.*", purl).

''''''''''''''''''''
Source Code Analysis
''''''''''''''''''''

.. note:: This is a new feature recently added to Macaron in 2025.

Macaron supports static code analysis as a malware analysis heuristic. This can be enabled by supplying the command line argument ``--analyze-source``. Macaron uses the open-source static code analysis tool Semgrep to analyse the source code of a python package, looking for malicious code patterns defined in Macaron's own Semgrep rules. Example detection patterns include identifying attempts to obfuscate source code and detecting code that exfiltrates sensitive data to remote connections.

By default, the source code analyzer is run in conjunction with the other metadata heuristics. The source code heuristic is optimised such that it is not always required to be run to ensure a package is benign, so it will not always be run as part of the heuristic analysis, even when enabled. To force it to run regardless of the result of other heuristics, the command line argument ``--force-analyze-source`` must be supplied. To analyze ``[email protected]`` with source code analysis enabled and enforced, the following command may be run:

.. code-block:: shell

./run_macaron.sh analyze -purl pkg:pypi/[email protected] --python-venv "/tmp/.django_venv" --analyze-source --force-analyze-source

If any suspicious patterns are triggered, this will be identified in the ``mcn_detect_malicious_metadata_1`` result for the heuristic named ``suspicious_patterns``. The output database ``output/macaron.db`` can be used to get the specific results of the analysis by querying the :class:`detect_malicious_metadata_check.result field <macaron.database>`. This will provide detailed JSON information about all data collected by the ``mcn_detect_malicious_metadata_1`` check, including, for source code analysis, any malicious code patterns detected, what Semgrep rule detected it, the file in which it was detected, and the line number for the detection.

+++++++++++++++++++++++++++++++++++++++
Verification Summary Attestation report
+++++++++++++++++++++++++++++++++++++++
Expand Down
Loading