chore(tests): improve test coverage and apply minor heuristic changes

Signed-off-by: Amine <amine.raouane@enim.ac.ma>

Author: AmineRaouane

src/macaron/malware_analyzer/pypi_heuristics/metadata/inconsistent_description.py

@@ -107,6 +107,9 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             user_prompt=description,
             response_format=self.RESPONSE_FORMAT,
         )
+        if not analysis_result:
+            logger.error("LLM returned invalid response, skipping the analysis.")
+            return HeuristicResult.SKIP, {}
 
         if analysis_result["score"] < self.threshold:
             return HeuristicResult.FAIL, {

src/macaron/malware_analyzer/pypi_heuristics/sourcecode/matching_docstrings.py

@@ -93,6 +93,7 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             logger.warning("No source code found for the package, skipping the matching docstrings analysis.")
             return HeuristicResult.SKIP, {}
 
+        none_attempts = 5
         for file, content in pypi_package_json.iter_sourcecode():
             if file.endswith(".py"):
                 time.sleep(self.REQUEST_INTERVAL)  # Respect the request interval to avoid rate limiting.
@@ -101,6 +102,13 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
                     user_prompt=code_str,
                     response_format=self.RESPONSE_FORMAT,
                 )
+                if not analysis_result:
+                    none_attempts -= 1
+                    if none_attempts == 0:
+                        logger.error("LLM returned None multiple times, skipping the analysis.")
+                        return HeuristicResult.SKIP, {}
+                    continue
+
                 if analysis_result["decision"] == "inconsistent":
                     return HeuristicResult.FAIL, {
                         "file": file,

src/macaron/slsa_analyzer/build_tool/gradle.py

@@ -1,5 +1,4 @@
 # Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
-# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the Gradle class which inherits BaseBuildTool.
@@ -70,94 +69,6 @@ def is_detected(self, repo_path: str) -> bool:
         gradle_config_files = self.build_configs + self.entry_conf
         return any(file_exists(repo_path, file) for file in gradle_config_files)
 
-    def prepare_config_files(self, wrapper_path: str, build_dir: str) -> bool:
-        """Prepare the necessary wrapper files for running the build.
-
-        This method will return False if there is any errors happened during operation.
-
-        Parameters
-        ----------
-        wrapper_path : str
-            The path where all necessary wrapper files are located.
-        build_dir : str
-            The path of the build dir. This is where all files are copied to.
-
-        Returns
-        -------
-        bool
-            True if succeed else False.
-        """
-        # The path of the needed wrapper files
-        wrapper_files = self.wrapper_files
-
-        if copy_file_bulk(wrapper_files, wrapper_path, build_dir):
-            # Ensure that gradlew is executable.
-            file_path = os.path.join(build_dir, "gradlew")
-            status = os.stat(file_path)
-            if oct(status.st_mode)[-3:] != "744":
-                logger.debug("%s does not have 744 permission. Changing it to 744.")
-                os.chmod(file_path, 0o744)
-            return True
-
-        return False
-
-    def get_dep_analyzer(self) -> CycloneDxGradle:
-        """Create a DependencyAnalyzer for the Gradle build tool.
-
-        Returns
-        -------
-        CycloneDxGradle
-            The CycloneDxGradle object.
-
-        Raises
-        ------
-        DependencyAnalyzerError
-        """
-        if "dependency.resolver" not in defaults or "dep_tool_gradle" not in defaults["dependency.resolver"]:
-            raise DependencyAnalyzerError("No default dependency analyzer is found.")
-        if not DependencyAnalyzer.tool_valid(defaults.get("dependency.resolver", "dep_tool_gradle")):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
-            )
-
-        tool_name, tool_version = tuple(
-            defaults.get(
-                "dependency.resolver",
-                "dep_tool_gradle",
-                fallback="cyclonedx-gradle:1.7.3",
-            ).split(":")
-        )
-        if tool_name == DependencyTools.CYCLONEDX_GRADLE:
-            return CycloneDxGradle(
-                resources_path=global_config.resources_path,
-                file_name="bom.json",
-                tool_name=tool_name,
-                tool_version=tool_version,
-            )
-
-        raise DependencyAnalyzerError(f"Unsupported SBOM generator for Gradle: {tool_name}.")
-
-    def get_gradle_exec(self, repo_path: str) -> str:
-        """Get the Gradle executable for the repo.
-
-        Parameters
-        ----------
-        repo_path: str
-            The absolute path to a repository containing Gradle projects.
-
-        Returns
-        -------
-        str
-            The absolute path to the Gradle executable.
-        """
-        # We try to use the gradlew that comes with the repository first.
-        repo_gradlew = os.path.join(repo_path, "gradlew")
-        if os.path.isfile(repo_gradlew) and os.access(repo_gradlew, os.X_OK):
-            return repo_gradlew
-
-        # We use Macaron's built-in gradlew as a fallback option.
-        return os.path.join(os.path.join(macaron.MACARON_PATH, "resources"), "gradlew")
-
     def get_group_id(self, gradle_exec: str, project_path: str) -> str | None:
         """Get the group id of a Gradle project.
 

src/macaron/slsa_analyzer/build_tool/maven.py

@@ -64,71 +64,3 @@ def is_detected(self, repo_path: str) -> bool:
             return False
         maven_config_files = self.build_configs
         return any(file_exists(repo_path, file) for file in maven_config_files)
-
-    def prepare_config_files(self, wrapper_path: str, build_dir: str) -> bool:
-        """Prepare the necessary wrapper files for running the build.
-
-        This method will return False if there is any errors happened during operation.
-
-        Parameters
-        ----------
-        wrapper_path : str
-            The path where all necessary wrapper files are located.
-        build_dir : str
-            The path of the build dir. This is where all files are copied to.
-
-        Returns
-        -------
-        bool
-            True if succeed else False.
-        """
-        # The path of the needed wrapper files
-        wrapper_files = self.wrapper_files
-
-        if copy_file_bulk(wrapper_files, wrapper_path, build_dir):
-            # Ensure that mvnw is executable.
-            file_path = os.path.join(build_dir, "mvnw")
-            status = os.stat(file_path)
-            if oct(status.st_mode)[-3:] != "744":
-                logger.debug("%s does not have 744 permission. Changing it to 744.")
-                os.chmod(file_path, 0o744)
-            return True
-
-        return False
-
-    def get_dep_analyzer(self) -> CycloneDxMaven:
-        """
-        Create a DependencyAnalyzer for the Maven build tool.
-
-        Returns
-        -------
-        CycloneDxMaven
-            The CycloneDxMaven object.
-
-        Raises
-        ------
-        DependencyAnalyzerError
-        """
-        if "dependency.resolver" not in defaults or "dep_tool_maven" not in defaults["dependency.resolver"]:
-            raise DependencyAnalyzerError("No default dependency analyzer is found.")
-        if not DependencyAnalyzer.tool_valid(defaults.get("dependency.resolver", "dep_tool_maven")):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_maven')} is not valid.",
-            )
-
-        tool_name, tool_version = tuple(
-            defaults.get(
-                "dependency.resolver",
-                "dep_tool_maven",
-                fallback="cyclonedx-maven:2.6.2",
-            ).split(":")
-        )
-        if tool_name == DependencyTools.CYCLONEDX_MAVEN:
-            return CycloneDxMaven(
-                resources_path=global_config.resources_path,
-                file_name="bom.json",
-                tool_name=tool_name,
-                tool_version=tool_version,
-            )
-
-        raise DependencyAnalyzerError(f"Unsupported SBOM generator for Maven: {tool_name}.")

src/macaron/slsa_analyzer/build_tool/pip.py

@@ -64,11 +64,6 @@ def get_dep_analyzer(self) -> DependencyAnalyzer:
         DependencyAnalyzer
             The DependencyAnalyzer object.
         """
-        tool_name = "cyclonedx_py"
-        if not DependencyAnalyzer.tool_valid(f"{tool_name}:{cyclonedx_version}"):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
-            )
         return CycloneDxPython(
             resources_path=global_config.resources_path,
             file_name="python_sbom.json",

src/macaron/slsa_analyzer/build_tool/poetry.py

@@ -102,11 +102,6 @@ def get_dep_analyzer(self) -> DependencyAnalyzer:
         DependencyAnalyzer
             The DependencyAnalyzer object.
         """
-        tool_name = "cyclonedx_py"
-        if not DependencyAnalyzer.tool_valid(f"{tool_name}:{cyclonedx_version}"):
-            raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
-            )
         return CycloneDxPython(
             resources_path=global_config.resources_path,
             file_name="python_sbom.json",

src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

@@ -450,8 +450,9 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         failed({Heuristics.SIMILAR_PROJECTS.value}),
         failed({Heuristics.HIGH_RELEASE_FREQUENCY.value}),
         failed({Heuristics.FAKE_EMAIL.value}).
+
     % Package released with a name similar to a popular package.
-    {Confidence.MEDIUM.value}::trigger(malware_medium_confidence_3) :-
+    {Confidence.MEDIUM.value}::trigger(malware_medium_confidence_5) :-
         quickUndetailed, forceSetup, failed({Heuristics.MATCHING_DOCSTRINGS.value}).
 
     % ----- Evaluation -----
@@ -461,6 +462,7 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
     {problog_result_access} :- trigger(malware_high_confidence_2).
     {problog_result_access} :- trigger(malware_high_confidence_3).
     {problog_result_access} :- trigger(malware_high_confidence_4).
+    {problog_result_access} :- trigger(malware_medium_confidence_5).
     {problog_result_access} :- trigger(malware_medium_confidence_4).
     {problog_result_access} :- trigger(malware_medium_confidence_3).
     {problog_result_access} :- trigger(malware_medium_confidence_2).

tests/malware_analyzer/pypi/test_inconsistent_description.py

@@ -27,35 +27,16 @@ def skip_if_client_disabled(analyzer: InconsistentDescriptionAnalyzer) -> None:
         pytest.skip("AI client disabled - skipping test")
 
 
-def test_analyze_consistent_description_pass(
-    analyzer: InconsistentDescriptionAnalyzer, pypi_package_json: MagicMock
-) -> None:
-    """Test the analyzer passes when the description is consistent."""
-    pypi_package_json.package_json = {"info": {"description": "This is a test package."}}
-    mock_result = {"score": 80, "reason": "The description is consistent."}
-
-    with patch.object(analyzer.client, "invoke", return_value=mock_result) as mock_invoke:
-        result, info = analyzer.analyze(pypi_package_json)
-        assert result == HeuristicResult.PASS
-        assert isinstance(info["message"], str)
-        assert "consistent description with a 80 score" in info["message"]
-        mock_invoke.assert_called_once()
-
-
 def test_analyze_inconsistent_description_fail(
     analyzer: InconsistentDescriptionAnalyzer, pypi_package_json: MagicMock
 ) -> None:
     """Test the analyzer fails when the description is inconsistent."""
     pypi_package_json.package_json = {"info": {"description": "This is a misleading package."}}
-    mock_result = {"score": 30, "reason": "The description is misleading."}
 
-    with patch.object(analyzer.client, "invoke", return_value=mock_result) as mock_invoke:
-        result, info = analyzer.analyze(pypi_package_json)
-        assert result == HeuristicResult.FAIL
-        assert isinstance(info["message"], str)
-        assert "inconsistent description with score 30" in info["message"]
-        assert "because The description is misleading" in info["message"]
-        mock_invoke.assert_called_once()
+    result, info = analyzer.analyze(pypi_package_json)
+    assert result == HeuristicResult.FAIL
+    assert isinstance(info["message"], str)
+    assert info["message"].startswith("inconsistent description with score")
 
 
 def test_analyze_no_description_fail(analyzer: InconsistentDescriptionAnalyzer, pypi_package_json: MagicMock) -> None:
@@ -73,3 +54,110 @@ def test_analyze_no_info_raises_error(analyzer: InconsistentDescriptionAnalyzer,
     pypi_package_json.package_json = {}
     with pytest.raises(HeuristicAnalyzerValueError):
         analyzer.analyze(pypi_package_json)
+
+
+CONSISTENT_DESCRIPTION = """
+# Requests
+
+**Requests** is a simple, yet elegant, HTTP library.
+
+Requests allows you to send HTTP/1.1 requests extremely easily.
+There’s no need to manually add query strings to your URLs,
+or to form-encode your `PUT` & `POST` data — but nowadays, just use the `json` method!
+
+Requests is one of the most downloaded Python packages today,
+pulling in around `30M downloads / week`— according to GitHub,
+Requests is currently
+[depended upon](https://github.com/psf/requests/network/dependents?package_id=UGFja2FnZS01NzA4OTExNg%3D%3D)
+by `1,000,000+` repositories.
+You may certainly put your trust in this code.
+
+[![Downloads](https://static.pepy.tech/badge/requests/month)](https://pepy.tech/project/requests)
+[![Supported Versions](https://img.shields.io/pypi/pyversions/requests.svg)](https://pypi.org/project/requests)
+[![Contributors](https://img.shields.io/github/contributors/psf/requests.svg)](https://github.com/psf/requests/graphs/contributors)
+
+## Installing Requests and Supported Versions
+
+Requests is available on PyPI:
+
+```console
+$ python -m pip install requests
+```
+
+Requests officially supports Python 3.9+.
+
+## Supported Features & Best–Practices
+
+Requests is ready for the demands of building robust and reliable HTTP–speaking applications, for the needs of today.
+
+- Keep-Alive & Connection Pooling
+- International Domains and URLs
+- Sessions with Cookie Persistence
+- Browser-style TLS/SSL Verification
+- Basic & Digest Authentication
+- Familiar `dict`–like Cookies
+- Automatic Content Decompression and Decoding
+- Multi-part File Uploads
+- SOCKS Proxy Support
+- Connection Timeouts
+- Streaming Downloads
+- Automatic honoring of `.netrc`
+- Chunked HTTP Requests
+
+## API Reference and User Guide available on [Read the Docs](https://requests.readthedocs.io)
+
+[![Read the Docs](https://raw.githubusercontent.com/psf/requests/main/ext/ss.png)](https://requests.readthedocs.io)
+
+## Cloning the repository
+
+When cloning the Requests repository, you may need to add the `-c
+fetch.fsck.badTimezone=ignore` flag to avoid an error about a bad commit timestamp (see
+[this issue](https://github.com/psf/requests/issues/2690) for more background):
+
+```shell
+git clone -c fetch.fsck.badTimezone=ignore https://github.com/psf/requests.git
+```
+
+You can also apply this setting to your global Git config:
+
+```shell
+git config --global fetch.fsck.badTimezone ignore
+```
+
+---
+
+[![Kenneth Reitz](https://raw.githubusercontent.com/psf/requests/main/ext/kr.png)](https://kennethreitz.org)
+[![Python Software Foundation](https://raw.githubusercontent.com/psf/requests/main/ext/psf.png)](https://www.python.org/psf)
+"""
+
+
+def test_analyze_consistent_description_pass(
+    analyzer: InconsistentDescriptionAnalyzer, pypi_package_json: MagicMock
+) -> None:
+    """Test the analyzer passes when the description is consistent."""
+    pypi_package_json.package_json = {
+        "info": {
+            "description": CONSISTENT_DESCRIPTION,
+        }
+    }
+
+    result, info = analyzer.analyze(pypi_package_json)
+    assert result == HeuristicResult.PASS
+    assert isinstance(info["message"], str)
+    assert info["message"].startswith("consistent description with a ")
+
+
+def test_analyze_excessive_llm_invocation_error_skip(
+    analyzer: InconsistentDescriptionAnalyzer, pypi_package_json: MagicMock
+) -> None:
+    """Test the analyzer skips if the LLM invocation returns None multiple times."""
+    pypi_package_json.package_json = {
+        "info": {
+            "description": "description",
+        }
+    }
+
+    with patch.object(analyzer.client, "invoke", return_value=None):
+        result, info = analyzer.analyze(pypi_package_json)
+        assert result == HeuristicResult.SKIP
+        assert not info