chore(tests): improve test coverage and apply minor heuristic changes

Signed-off-by: Amine <amine.raouane@enim.ac.ma>

Author: AmineRaouane

src/macaron/config/defaults.ini

@@ -639,14 +639,14 @@ disabled_custom_rulesets =
 [llm]
 # The LLM configuration for Macaron.
 # If enabled, the LLM will be used to analyze the results and provide insights.
-enabled = False
+enabled = True
 # The provider for the LLM service.
 # Supported providers :
 # - openai: OpenAI's GPT models.
-provider =
+provider = openai
 # The API key for the LLM service.
-api_key =
+api_key = lm-studio
 # The API endpoint for the LLM service.
-api_endpoint =
+api_endpoint = http://127.0.0.1:1234/v1/chat/completions
 # The model to use for the LLM service.
-model =
+model = openai/gpt-oss-20b

src/macaron/malware_analyzer/pypi_heuristics/metadata/inconsistent_description.py

@@ -107,6 +107,9 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             user_prompt=description,
             response_format=self.RESPONSE_FORMAT,
         )
+        if not analysis_result:
+            logger.error("LLM returned invalid response, skipping the analysis.")
+            return HeuristicResult.SKIP, {}
 
         if analysis_result["score"] < self.threshold:
             return HeuristicResult.FAIL, {

src/macaron/malware_analyzer/pypi_heuristics/sourcecode/matching_docstrings.py

@@ -93,6 +93,7 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             logger.warning("No source code found for the package, skipping the matching docstrings analysis.")
             return HeuristicResult.SKIP, {}
 
+        none_attempts = 5
         for file, content in pypi_package_json.iter_sourcecode():
             if file.endswith(".py"):
                 time.sleep(self.REQUEST_INTERVAL)  # Respect the request interval to avoid rate limiting.
@@ -101,6 +102,13 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
                     user_prompt=code_str,
                     response_format=self.RESPONSE_FORMAT,
                 )
+                if not analysis_result:
+                    none_attempts -= 1
+                    if none_attempts == 0:
+                        logger.error("LLM returned None multiple times, skipping the analysis.")
+                        return HeuristicResult.SKIP, {}
+                    continue
+
                 if analysis_result["decision"] == "inconsistent":
                     return HeuristicResult.FAIL, {
                         "file": file,

src/macaron/slsa_analyzer/build_tool/gradle.py

@@ -1,5 +1,4 @@
 # Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
-# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the Gradle class which inherits BaseBuildTool.
@@ -70,94 +69,6 @@ def is_detected(self, repo_path: str) -> bool:
         gradle_config_files = self.build_configs + self.entry_conf
         return any(file_exists(repo_path, file) for file in gradle_config_files)
 
-    def prepare_config_files(self, wrapper_path: str, build_dir: str) -> bool:
-        """Prepare the necessary wrapper files for running the build.
-
-        This method will return False if there is any errors happened during operation.
-
-        Parameters
-        ----------
-        wrapper_path : str
-            The path where all necessary wrapper files are located.
-        build_dir : str
-            The path of the build dir. This is where all files are copied to.
-
-        Returns
-        -------
-        bool
-            True if succeed else False.
-        """
-        # The path of the needed wrapper files
-        wrapper_files = self.wrapper_files
-
-        if copy_file_bulk(wrapper_files, wrapper_path, build_dir):
-            # Ensure that gradlew is executable.
-            file_path = os.path.join(build_dir, "gradlew")
-            status = os.stat(file_path)
-            if oct(status.st_mode)[-3:] != "744":
-                logger.debug("%s does not have 744 permission. Changing it to 744.")
-                os.chmod(file_path, 0o744)
-            return True
-
-        return False
-
-    def get_dep_analyzer(self) -> CycloneDxGradle:
-        """Create a DependencyAnalyzer for the Gradle build tool.
-
-        Returns
-        -------
-        CycloneDxGradle
-            The CycloneDxGradle object.
-
-        Raises
-        ------
-        DependencyAnalyzerError
-        """
-        if "dependency.resolver" not in defaults or "dep_tool_gradle" not in defaults["dependency.resolver"]:
-            raise DependencyAnalyzerError("No default dependency analyzer is found.")
-        if not DependencyAnalyzer.tool_valid(defaults.get("dependency.resolver", "dep_tool_gradle")):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
-            )
-
-        tool_name, tool_version = tuple(
-            defaults.get(
-                "dependency.resolver",
-                "dep_tool_gradle",
-                fallback="cyclonedx-gradle:1.7.3",
-            ).split(":")
-        )
-        if tool_name == DependencyTools.CYCLONEDX_GRADLE:
-            return CycloneDxGradle(
-                resources_path=global_config.resources_path,
-                file_name="bom.json",
-                tool_name=tool_name,
-                tool_version=tool_version,
-            )
-
-        raise DependencyAnalyzerError(f"Unsupported SBOM generator for Gradle: {tool_name}.")
-
-    def get_gradle_exec(self, repo_path: str) -> str:
-        """Get the Gradle executable for the repo.
-
-        Parameters
-        ----------
-        repo_path: str
-            The absolute path to a repository containing Gradle projects.
-
-        Returns
-        -------
-        str
-            The absolute path to the Gradle executable.
-        """
-        # We try to use the gradlew that comes with the repository first.
-        repo_gradlew = os.path.join(repo_path, "gradlew")
-        if os.path.isfile(repo_gradlew) and os.access(repo_gradlew, os.X_OK):
-            return repo_gradlew
-
-        # We use Macaron's built-in gradlew as a fallback option.
-        return os.path.join(os.path.join(macaron.MACARON_PATH, "resources"), "gradlew")
-
     def get_group_id(self, gradle_exec: str, project_path: str) -> str | None:
         """Get the group id of a Gradle project.
 

src/macaron/slsa_analyzer/build_tool/maven.py

@@ -64,71 +64,3 @@ def is_detected(self, repo_path: str) -> bool:
             return False
         maven_config_files = self.build_configs
         return any(file_exists(repo_path, file) for file in maven_config_files)
-
-    def prepare_config_files(self, wrapper_path: str, build_dir: str) -> bool:
-        """Prepare the necessary wrapper files for running the build.
-
-        This method will return False if there is any errors happened during operation.
-
-        Parameters
-        ----------
-        wrapper_path : str
-            The path where all necessary wrapper files are located.
-        build_dir : str
-            The path of the build dir. This is where all files are copied to.
-
-        Returns
-        -------
-        bool
-            True if succeed else False.
-        """
-        # The path of the needed wrapper files
-        wrapper_files = self.wrapper_files
-
-        if copy_file_bulk(wrapper_files, wrapper_path, build_dir):
-            # Ensure that mvnw is executable.
-            file_path = os.path.join(build_dir, "mvnw")
-            status = os.stat(file_path)
-            if oct(status.st_mode)[-3:] != "744":
-                logger.debug("%s does not have 744 permission. Changing it to 744.")
-                os.chmod(file_path, 0o744)
-            return True
-
-        return False
-
-    def get_dep_analyzer(self) -> CycloneDxMaven:
-        """
-        Create a DependencyAnalyzer for the Maven build tool.
-
-        Returns
-        -------
-        CycloneDxMaven
-            The CycloneDxMaven object.
-
-        Raises
-        ------
-        DependencyAnalyzerError
-        """
-        if "dependency.resolver" not in defaults or "dep_tool_maven" not in defaults["dependency.resolver"]:
-            raise DependencyAnalyzerError("No default dependency analyzer is found.")
-        if not DependencyAnalyzer.tool_valid(defaults.get("dependency.resolver", "dep_tool_maven")):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_maven')} is not valid.",
-            )
-
-        tool_name, tool_version = tuple(
-            defaults.get(
-                "dependency.resolver",
-                "dep_tool_maven",
-                fallback="cyclonedx-maven:2.6.2",
-            ).split(":")
-        )
-        if tool_name == DependencyTools.CYCLONEDX_MAVEN:
-            return CycloneDxMaven(
-                resources_path=global_config.resources_path,
-                file_name="bom.json",
-                tool_name=tool_name,
-                tool_version=tool_version,
-            )
-
-        raise DependencyAnalyzerError(f"Unsupported SBOM generator for Maven: {tool_name}.")

src/macaron/slsa_analyzer/build_tool/pip.py

@@ -64,11 +64,6 @@ def get_dep_analyzer(self) -> DependencyAnalyzer:
         DependencyAnalyzer
             The DependencyAnalyzer object.
         """
-        tool_name = "cyclonedx_py"
-        if not DependencyAnalyzer.tool_valid(f"{tool_name}:{cyclonedx_version}"):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
-            )
         return CycloneDxPython(
             resources_path=global_config.resources_path,
             file_name="python_sbom.json",

src/macaron/slsa_analyzer/build_tool/poetry.py

@@ -102,11 +102,6 @@ def get_dep_analyzer(self) -> DependencyAnalyzer:
         DependencyAnalyzer
             The DependencyAnalyzer object.
         """
-        tool_name = "cyclonedx_py"
-        if not DependencyAnalyzer.tool_valid(f"{tool_name}:{cyclonedx_version}"):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
-            )
         return CycloneDxPython(
             resources_path=global_config.resources_path,
             file_name="python_sbom.json",

src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

@@ -450,8 +450,9 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         failed({Heuristics.SIMILAR_PROJECTS.value}),
         failed({Heuristics.HIGH_RELEASE_FREQUENCY.value}),
         failed({Heuristics.FAKE_EMAIL.value}).
+
     % Package released with a name similar to a popular package.
-    {Confidence.MEDIUM.value}::trigger(malware_medium_confidence_3) :-
+    {Confidence.MEDIUM.value}::trigger(malware_medium_confidence_5) :-
         quickUndetailed, forceSetup, failed({Heuristics.MATCHING_DOCSTRINGS.value}).
 
     % ----- Evaluation -----
@@ -461,6 +462,7 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
     {problog_result_access} :- trigger(malware_high_confidence_2).
     {problog_result_access} :- trigger(malware_high_confidence_3).
     {problog_result_access} :- trigger(malware_high_confidence_4).
+    {problog_result_access} :- trigger(malware_medium_confidence_5).
     {problog_result_access} :- trigger(malware_medium_confidence_4).
     {problog_result_access} :- trigger(malware_medium_confidence_3).
     {problog_result_access} :- trigger(malware_medium_confidence_2).