refactor: adjustments based on recent changes in the main branch

Author: art1f1c3R

src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py

@@ -60,9 +60,7 @@ class TyposquattingPresenceAnalyzer(BaseHeuristicAnalyzer):
     }
 
     def __init__(self, popular_packages_path: str | None = None) -> None:
-        super().__init__(
-            name="typosquatting_presence_analyzer", heuristic=Heuristics.TYPOSQUATTING_PRESENCE, depends_on=None
-        )
+        super().__init__(name="typosquatting_presence_analyzer", heuristic=Heuristics.TYPOSQUATTING_PRESENCE)
         self.default_path = os.path.join(MACARON_PATH, "resources/popular_packages.txt")
         if popular_packages_path:
             self.default_path = popular_packages_path

src/macaron/malware_analyzer/pypi_heuristics/sourcecode/pypi_sourcecode_analyzer.py

@@ -56,13 +56,6 @@ def __init__(self, resources_path: str | None = None) -> None:
         super().__init__(
             name="suspicious_patterns_analyzer",
             heuristic=Heuristics.SUSPICIOUS_PATTERNS,
-            # We include the SKIP condition here as we want to consider the case where EMPTY_PROJECT_LINK fails,
-            # meaning SOURCE_CODE_REPO is skipped, as this is still a scenario where the source code repository
-            # is not available, so we want to run source code analysis.
-            depends_on=[
-                (Heuristics.SOURCE_CODE_REPO, HeuristicResult.FAIL),
-                (Heuristics.SOURCE_CODE_REPO, HeuristicResult.SKIP),
-            ],
         )
         if resources_path is None:
             resources_path = global_config.resources_path

src/macaron/malware_analyzer/pypi_heuristics/sourcecode/suspicious_setup.py

@@ -43,11 +43,12 @@ def _get_setup_source_code(self, pypi_package_json: PyPIPackageJsonAsset) -> str
         str | None
             The source code.
         """
-        sourcecode_url: str | None = pypi_package_json.get_sourcecode_url()
+        sourcecode_url: str | None = pypi_package_json.get_sourcecode_url(package_type="sdist")
         if sourcecode_url is None:
-            error_msg = "Package metadata does not supply a tarball"
-            logger.debug(error_msg)
-            raise HeuristicAnalyzerValueError(error_msg)
+            # This isn't an error as some packages may be distributed just as wheels, which typically don't
+            # include setup.py files, or at least don't run then automatically.
+            logger.info("Package metadata does not supply a tarball")
+            return None
 
         # Get name of file.
         _, _, file_name = sourcecode_url.rpartition("/")

src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

@@ -135,7 +135,9 @@ def analyze_source(
         logger.debug("Instantiating %s", PyPISourcecodeAnalyzer.__name__)
         analyzer = PyPISourcecodeAnalyzer()
 
-        if not force and analyzer.depends_on and self._should_skip(results, analyzer.depends_on):
+        # If SOURCE_CODE_REPO failed, there is no source code repository available for this package. This is when we would want
+        # to run source code analysis.
+        if not force and results[Heuristics.SOURCE_CODE_REPO] == HeuristicResult.PASS:
             return {analyzer.heuristic: HeuristicResult.SKIP}, {}
 
         try:

tests/malware_analyzer/pypi/test_closer_release_join_date.py

@@ -5,6 +5,9 @@
 from datetime import datetime
 from unittest.mock import MagicMock
 
+import pytest
+
+from macaron.errors import HeuristicAnalyzerValueError
 from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult
 from macaron.malware_analyzer.pypi_heuristics.metadata.closer_release_join_date import CloserReleaseJoinDateAnalyzer
 
@@ -47,8 +50,8 @@ def test_analyze_process(pypi_package_json: MagicMock) -> None:
     assert "latest_release_date" in detail_info
 
 
-def test_analyze_skip(pypi_package_json: MagicMock) -> None:
-    """Test analyze method when the heuristic should be skipped."""
+def test_analyze_no_maintainers(pypi_package_json: MagicMock) -> None:
+    """Test analyze method when there are no maintainers, raising an error."""
     analyzer = CloserReleaseJoinDateAnalyzer()
 
     # Set up mock return values.
@@ -57,9 +60,5 @@ def test_analyze_skip(pypi_package_json: MagicMock) -> None:
     pypi_package_json.component_name = "mock1"
 
     # Call the method.
-    result, detail_info = analyzer.analyze(pypi_package_json)
-
-    # Assert.
-    assert result == HeuristicResult.SKIP
-    assert "maintainers_join_date" in detail_info
-    assert "latest_release_date" in detail_info
+    with pytest.raises(HeuristicAnalyzerValueError):
+        _ = analyzer.analyze(pypi_package_json)

tests/malware_analyzer/pypi/test_high_release_frequency.py

@@ -1,10 +1,13 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Tests for high release frequency heuristic."""
 
 from unittest.mock import MagicMock
 
+import pytest
+
+from macaron.errors import HeuristicAnalyzerValueError
 from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult
 from macaron.malware_analyzer.pypi_heuristics.metadata.high_release_frequency import HighReleaseFrequencyAnalyzer
 
@@ -59,8 +62,8 @@ def test_analyze_low_frequency_fail(pypi_package_json: MagicMock) -> None:
     assert detail_info == {"frequency": 1}
 
 
-def test_analyze_no_releases_skip(pypi_package_json: MagicMock) -> None:
-    """Test HighReleaseFrequencyAnalyzer when no releases are available (should skip).
+def test_analyze_no_releases(pypi_package_json: MagicMock) -> None:
+    """Test HighReleaseFrequencyAnalyzer when no releases are available (should error for a malformed package).
 
     Parameters
     ----------
@@ -73,11 +76,8 @@ def test_analyze_no_releases_skip(pypi_package_json: MagicMock) -> None:
     pypi_package_json.get_releases.return_value = None
 
     # Call the method.
-    result, detail_info = analyzer.analyze(pypi_package_json)
-
-    # Assert.
-    assert result == HeuristicResult.SKIP
-    assert not detail_info
+    with pytest.raises(HeuristicAnalyzerValueError):
+        _ = analyzer.analyze(pypi_package_json)
 
 
 def test_analyze_single_release_skip(pypi_package_json: MagicMock) -> None:

tests/malware_analyzer/pypi/test_one_release_analyzer.py

@@ -1,11 +1,12 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Tests for heuristic detecting malicious metadata from PyPI"""
 from unittest.mock import MagicMock
 
 import pytest
 
+from macaron.errors import HeuristicAnalyzerValueError
 from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult
 from macaron.malware_analyzer.pypi_heuristics.metadata.one_release import OneReleaseAnalyzer
 from macaron.slsa_analyzer.package_registry.pypi_registry import PyPIPackageJsonAsset
@@ -32,14 +33,12 @@ def setup_one_release_analyzer() -> dict:
 
 
 def test_analyze_no_releases(one_release_analyzer: dict) -> None:
-    """Test for result skipped."""
+    """No release information available, should error for a malformed package."""
     mock_pypi_package_pass = one_release_analyzer["mock_pypi_package_pass"]
     mock_pypi_package_pass.get_releases.return_value = None
-    expected_result: tuple[HeuristicResult, dict] = (HeuristicResult.SKIP, {"releases": {}})
 
-    result = one_release_analyzer["analyzer"].analyze(mock_pypi_package_pass)
-
-    assert result == expected_result
+    with pytest.raises(HeuristicAnalyzerValueError):
+        _ = one_release_analyzer["analyzer"].analyze(mock_pypi_package_pass)
 
 
 def test_analyze_one_release(one_release_analyzer: dict) -> None:

tests/malware_analyzer/pypi/test_suspicious_setup.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Tests for suspicious setup.py heuristic."""
@@ -14,7 +14,7 @@
 def test_analyze_skip() -> None:
     """Test to ensure the URL of the source distribution is missing.
 
-    The heuristic analyzer should return SKIP if the URL is not present.
+    The heuristic analyzer should return SKIP if the PyPI URL is not present.
     """
     mock_pypi_package = MagicMock(spec=PyPIPackageJsonAsset)
     mock_pypi_package.get_sourcecode_url.return_value = None

tests/malware_analyzer/pypi/test_unchanged_release.py

@@ -1,9 +1,12 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """Tests for heuristic detecting malicious metadata from PyPI"""
 from unittest.mock import MagicMock
 
+import pytest
+
+from macaron.errors import HeuristicAnalyzerValueError
 from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult
 from macaron.malware_analyzer.pypi_heuristics.metadata.unchanged_release import UnchangedReleaseAnalyzer
 
@@ -58,8 +61,8 @@ def test_analyze_fail(pypi_package_json: MagicMock) -> None:
     assert not detail_info
 
 
-def test_analyze_skip(pypi_package_json: MagicMock) -> None:
-    """Test the analyze method returning SKIP.
+def test_analyze_error(pypi_package_json: MagicMock) -> None:
+    """Test the digest information being unavailable, resulting in an error.
 
     Parameters
     ----------
@@ -72,8 +75,5 @@ def test_analyze_skip(pypi_package_json: MagicMock) -> None:
     pypi_package_json.get_releases.return_value = None
 
     # Call the method.
-    result, detail_info = analyzer.analyze(pypi_package_json)
-
-    # Assert.
-    assert result == HeuristicResult.SKIP
-    assert not detail_info
+    with pytest.raises(HeuristicAnalyzerValueError):
+        _ = analyzer.analyze(pypi_package_json)

tests/slsa_analyzer/checks/test_detect_malicious_metadata_check.py

@@ -106,8 +106,8 @@ def test_detect_malicious_metadata(
     load_defaults(user_config_path)
     pypi_registry.load_defaults()
 
-    httpserver.expect_request("/project/zlibxjson").respond_with_data(p_page_content)
-    httpserver.expect_request("/user/tser111111").respond_with_data(u_page_content)
+    httpserver.expect_request("/project/zlibxjson/").respond_with_data(p_page_content)
+    httpserver.expect_request("/user/tser111111/").respond_with_data(u_page_content)
     httpserver.expect_request("/pypi/zlibxjson/json").respond_with_json(package_json)
     httpserver.expect_request(
         "/packages/3e/1e/b1ecb05e7ca1eb74ca6257a7f43d052b90d2ac01feb28eb28ce677a871ab/zlibxjson-8.2.tar.gz"