refactor(heuristics): remove Unknown Organization heuristic

Signed-off-by: Amine <amine.raouane@enim.ac.ma>

Author: AmineRaouane

src/macaron/malware_analyzer/pypi_heuristics/heuristics.py

@@ -43,9 +43,6 @@ class Heuristics(str, Enum):
     #: Indicates that the package source code contains suspicious code patterns.
     SUSPICIOUS_PATTERNS = "suspicious_patterns"
 
-    #: Indicates that the package is associated with an unknown organization.
-    UNKNOWN_ORGANIZATION = "unknown_organization"
-
     #: Indicates that the package has minimal content.
     MINIMAL_CONTENT = "minimal_content"
 

src/macaron/malware_analyzer/pypi_heuristics/metadata/minimal_content.py

@@ -18,7 +18,7 @@
 class MinimalContentAnalyzer(BaseHeuristicAnalyzer):
     """Check whether the package has minimal content."""
 
-    FILES_THRESHOLD = 3
+    FILES_THRESHOLD = 50
 
     def __init__(self) -> None:
         super().__init__(

src/macaron/malware_analyzer/pypi_heuristics/metadata/unknown_organization.py

@@ -26,7 +26,6 @@
 from macaron.malware_analyzer.pypi_heuristics.metadata.source_code_repo import SourceCodeRepoAnalyzer
 from macaron.malware_analyzer.pypi_heuristics.metadata.typosquatting_presence import TyposquattingPresenceAnalyzer
 from macaron.malware_analyzer.pypi_heuristics.metadata.unchanged_release import UnchangedReleaseAnalyzer
-from macaron.malware_analyzer.pypi_heuristics.metadata.unknown_organization import UnknownOrganizationAnalyzer
 from macaron.malware_analyzer.pypi_heuristics.metadata.unsecure_description import UnsecureDescriptionAnalyzer
 from macaron.malware_analyzer.pypi_heuristics.metadata.wheel_absence import WheelAbsenceAnalyzer
 from macaron.malware_analyzer.pypi_heuristics.sourcecode.pypi_sourcecode_analyzer import PyPISourcecodeAnalyzer
@@ -361,7 +360,6 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         WheelAbsenceAnalyzer,
         AnomalousVersionAnalyzer,
         TyposquattingPresenceAnalyzer,
-        UnknownOrganizationAnalyzer,
         UnsecureDescriptionAnalyzer,
         MinimalContentAnalyzer,
     ]
@@ -417,6 +415,12 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
     {Confidence.HIGH.value}::trigger(malware_high_confidence_4) :-
         quickUndetailed, forceSetup, failed({Heuristics.TYPOSQUATTING_PRESENCE.value}).
 
+    % Package released with dependency confusion .
+    {Confidence.HIGH.value}::trigger(malware_high_confidence_5) :-
+        passed({Heuristics.MINIMAL_CONTENT.value}),
+        failed({Heuristics.ANOMALOUS_VERSION.value}),
+        failed({Heuristics.UNSECURE_DESCRIPTION.value}).
+
     % Package released recently with little detail, with multiple releases as a trust marker, but frequent and with
     % the same code.
     {Confidence.MEDIUM.value}::trigger(malware_medium_confidence_1) :-
@@ -430,14 +434,6 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         quickUndetailed,
         failed({Heuristics.ONE_RELEASE.value}),
         failed({Heuristics.ANOMALOUS_VERSION.value}),
-        failed({Heuristics.UNKNOWN_ORGANIZATION.value}),
-        failed({Heuristics.UNSECURE_DESCRIPTION.value}).
-
-    % Package released with dependency confusion .
-    {Confidence.HIGH.value}::trigger(malware_high_confidence_5) :-
-        passed({Heuristics.MINIMAL_CONTENT.value}),
-        failed({Heuristics.ANOMALOUS_VERSION.value}),
-        failed({Heuristics.UNKNOWN_ORGANIZATION.value}),
         failed({Heuristics.UNSECURE_DESCRIPTION.value}).
 
     % ----- Evaluation -----

src/macaron/resources/trusted_organizations.txt

@@ -23,7 +23,7 @@ def test_analyze_sufficient_files_pass(analyzer: MinimalContentAnalyzer, pypi_pa
     pypi_package_json.download_sourcecode.return_value = True
     pypi_package_json.package_sourcecode_path = "/fake/path"
     with patch("os.walk") as mock_walk:
-        mock_walk.return_value = [("root", [], ["file1.py", "file2.py", "file3.py"])]
+        mock_walk.return_value = [("root", [], [f"file{i}.py" for i in range(60)])]
         result, info = analyzer.analyze(pypi_package_json)
 
     assert result == HeuristicResult.PASS
@@ -36,7 +36,7 @@ def test_analyze_exactly_threshold_files_pass(analyzer: MinimalContentAnalyzer,
     pypi_package_json.download_sourcecode.return_value = True
     pypi_package_json.package_sourcecode_path = "/fake/path"
     with patch("os.walk") as mock_walk:
-        mock_walk.return_value = [("root", [], ["file1.py", "file2.py", "file3.py"])]
+        mock_walk.return_value = [("root", [], [f"file{i}.py" for i in range(50)])]
         result, info = analyzer.analyze(pypi_package_json)
 
     assert result == HeuristicResult.PASS
@@ -84,8 +84,8 @@ def test_analyze_download_failed_raises_error(analyzer: MinimalContentAnalyzer,
         (0, HeuristicResult.FAIL),
         (1, HeuristicResult.FAIL),
         (2, HeuristicResult.FAIL),
-        (3, HeuristicResult.PASS),
-        (10, HeuristicResult.PASS),
+        (55, HeuristicResult.PASS),
+        (70, HeuristicResult.PASS),
     ],
 )
 def test_analyze_various_file_counts(