Skip to content

feat(heuristics): add two analyzers to detect dependency confusion and distinguish from stub packages #1117

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(heuristics): add two analyzers to detect dependency confusion and distinguish from stub packages #1117

wants to merge 2 commits into from

Conversation

AmineRaouane
Copy link
Member

@AmineRaouane AmineRaouane commented Jul 5, 2025
edited
Loading

Summary

This PR adds three new heuristic analyzers designed to detect potential dependency confusion attacks and differentiate them from harmless stub or placeholder packages.

Description of changes

  • Implemented two new analyzers :
    • minimal_content : Indicates that the package has minimal content ( low number of files).
    • unsecure_description : Indicates that the package's description is unsecure, such as not having a descriptive keywords that indicates it's a stub package .
  • Integrated these analyzers into the heuristics.py.

Related issues

None

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 5, 2025
@AmineRaouane AmineRaouane force-pushed the dependency-confusion branch from 2585e75 to ab17698 Compare July 5, 2025 13:37
@AmineRaouane AmineRaouane changed the title Dependency confusion detection feat(heuristics): add three analyzers to detect dependency confusion and distinguish from stub packages Jul 5, 2025
@AmineRaouane
feat(heuristics): add three analyzers to detect dependency confusion …
ae021e1 
…and distinguish from stub packages

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@AmineRaouane AmineRaouane force-pushed the dependency-confusion branch from ab17698 to ae021e1 Compare July 5, 2025 13:54
@AmineRaouane AmineRaouane changed the title feat(heuristics): add three analyzers to detect dependency confusion and distinguish from stub packages feat(heuristics): add two analyzers to detect dependency confusion and distinguish from stub packages Aug 6, 2025
@AmineRaouane AmineRaouane force-pushed the dependency-confusion branch from d555c54 to 7b6f07c Compare August 7, 2025 22:45
art1f1c3R
art1f1c3R reviewed Aug 8, 2025
View reviewed changes
src/macaron/malware_analyzer/README.md Outdated
- **Rule**: Return `HeuristicResult.FAIL` if no descriptive word is found in the package description or summary ; otherwise, return `HeuristicResult.PASS`.
- **Dependency**: None.

13. **Unknown Organization**
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this heuristic going to be included?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no no a mistake , I forgot to update the README

art1f1c3R
art1f1c3R reviewed Aug 8, 2025
View reviewed changes
src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py
@@ -411,6 +415,12 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
{Confidence.HIGH.value}::trigger(malware_high_confidence_4) :-
quickUndetailed, forceSetup, failed({Heuristics.TYPOSQUATTING_PRESENCE.value}).

% Package released with dependency confusion .
{Confidence.HIGH.value}::trigger(malware_high_confidence_5) :-
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm worried this rule may generate false positives. This is a package with more than 50 files, an anomalous version, and does not include a stub package keyword. Are there any other heuristics or properties we can add on to this rule to be more restrictive?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe forceSetup can be added

@AmineRaouane
refactor(heuristics): remove Unknown Organization heuristic
157c1c2 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@AmineRaouane AmineRaouane force-pushed the dependency-confusion branch from 7b6f07c to 157c1c2 Compare August 8, 2025 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@art1f1c3R art1f1c3R art1f1c3R left review comments

@behnazh-w behnazh-w Awaiting requested review from behnazh-w behnazh-w is a code owner

@tromai tromai Awaiting requested review from tromai tromai is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AmineRaouane @art1f1c3R