feat(heuristics): add three analyzers to detect dependency confusion and distinguish from stub packages

Signed-off-by: Amine <[email protected]>

Author: AmineRaouane

src/macaron/malware_analyzer/README.md

@@ -56,6 +56,22 @@ When a heuristic fails, with `HeuristicResult.FAIL`, then that is an indicator b
     - **Description**:  Checks if the package name is suspiciously similar to any package name in a predefined list of popular packages. The similarity check incorporates the Jaro-Winkler distance and considers keyboard layout proximity to identify potential typosquatting.
     - **Rule**: Return `HeuristicResult.FAIL` if the similarity ratio between the package name and any popular package name meets or exceeds a defined threshold; otherwise, return `HeuristicResult.PASS`.
     - **Dependency**: None.
+
+11. **Minimal Content**
+    - **Description**: Checks if the package has a small number of files.
+    - **Rule**: Return `HeuristicResult.FAIL` if the number of files is strictly less than FILES_THRESHOLD; otherwise, return `HeuristicResult.PASS`.
+    - **Dependency**: None.
+
+12. **Unsecure Description**
+    - **Description**: Checks if the package description is unsecure, such as not having a descriptive keywords that indicates its a stub package .
+    - **Rule**: Return `HeuristicResult.FAIL` if no descriptive word is found in the package description or summary ; otherwise, return `HeuristicResult.PASS`.
+    - **Dependency**: None.
+
+13. **Unknown Organization**
+    - **Description**: Checks if the package is from a known organization.
+    - **Rule**: Return `HeuristicResult.FAIL` if no organisation in the trusted organisation file found in the package metadata ; otherwise, return `HeuristicResult.PASS`.
+    - **Dependency**: None.
+
 ### Source Code Analysis with Semgrep
 **PyPI Source Code Analyzer**
 - **Description**: Uses Semgrep, with default rules written in `src/macaron/resources/pypi_malware_rules` and custom rules available by supplying a path to `custom_semgrep_rules` in `defaults.ini`, to scan the package `.tar` source code.

src/macaron/malware_analyzer/pypi_heuristics/heuristics.py

@@ -43,6 +43,15 @@ class Heuristics(str, Enum):
     #: Indicates that the package source code contains suspicious code patterns.
     SUSPICIOUS_PATTERNS = "suspicious_patterns"
 
+    #: Indicates that the package is associated with an unknown organization.
+    UNKNOWN_ORGANIZATION = "unknown_organization"
+
+    #: Indicates that the package has minimal content.
+    MINIMAL_CONTENT = "minimal_content"
+
+    #: Indicates that the package's description is unsecure, such as not having a descriptive keywords.
+    UNSECURE_DESCRIPTION = "unsecure_description"
+
 
 class HeuristicResult(str, Enum):
     """Result type indicating the outcome of a heuristic."""

src/macaron/malware_analyzer/pypi_heuristics/metadata/minimal_content.py

@@ -0,0 +1,54 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This analyzer checks if a PyPI package has minimal content."""
+
+import logging
+import os
+
+from macaron.errors import SourceCodeError
+from macaron.json_tools import JsonType
+from macaron.malware_analyzer.pypi_heuristics.base_analyzer import BaseHeuristicAnalyzer
+from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult, Heuristics
+from macaron.slsa_analyzer.package_registry.pypi_registry import PyPIPackageJsonAsset
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class MinimalContentAnalyzer(BaseHeuristicAnalyzer):
+    """Check whether the package has minimal content."""
+
+    FILES_THRESHOLD = 3
+
+    def __init__(self) -> None:
+        super().__init__(
+            name="minimal_content_analyzer",
+            heuristic=Heuristics.MINIMAL_CONTENT,
+            depends_on=None,
+        )
+
+    def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicResult, dict[str, JsonType]]:
+        """Analyze the package.
+
+        Parameters
+        ----------
+        pypi_package_json: PyPIPackageJsonAsset
+            The PyPI package JSON asset object.
+
+        Returns
+        -------
+        tuple[HeuristicResult, dict[str, JsonType]]:
+            The result and related information collected during the analysis.
+        """
+        result = pypi_package_json.download_sourcecode()
+        if not result:
+            error_msg = "No source code files have been downloaded"
+            logger.debug(error_msg)
+            raise SourceCodeError(error_msg)
+
+        file_count = sum(len(files) for _, _, files in os.walk(pypi_package_json.package_sourcecode_path))
+
+        if file_count >= self.FILES_THRESHOLD:
+            return HeuristicResult.PASS, {"message": "Package has sufficient content"}
+
+        return HeuristicResult.FAIL, {"message": "Not enough files found"}

src/macaron/malware_analyzer/pypi_heuristics/metadata/unknown_organization.py

@@ -0,0 +1,83 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This analyzer checks if a PyPI package is associated with a not trusted organization."""
+
+import logging
+import os
+import re
+
+from macaron import MACARON_PATH
+from macaron.errors import HeuristicAnalyzerValueError
+from macaron.json_tools import JsonType, json_extract
+from macaron.malware_analyzer.pypi_heuristics.base_analyzer import BaseHeuristicAnalyzer
+from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult, Heuristics
+from macaron.slsa_analyzer.package_registry.pypi_registry import PyPIPackageJsonAsset
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class UnknownOrganizationAnalyzer(BaseHeuristicAnalyzer):
+    """Check whether the package is associated with a not trusted organization."""
+
+    def __init__(self, trusted_organizations_path: str | None = None) -> None:
+        super().__init__(
+            name="unknown_organization_analyzer", heuristic=Heuristics.UNKNOWN_ORGANIZATION, depends_on=None
+        )
+        self.path = trusted_organizations_path or os.path.join(MACARON_PATH, "resources/trusted_organizations.txt")
+        self.trusted_organizations = self._load_defaults()
+
+    def _load_defaults(self) -> list[str]:
+        """Load default settings from defaults.ini.
+
+        Returns
+        -------
+        list[str]:
+            The trusted organizations list.
+        """
+        trusted_organizations = []
+        try:
+            with open(self.path, encoding="utf-8") as file:
+                trusted_organizations = file.read().splitlines()
+        except OSError as error:
+            error_message = "Could not read trusted organizations file"
+            logger.debug(error_message)
+            raise HeuristicAnalyzerValueError(error_message) from error
+        return [organisation.lower() for organisation in trusted_organizations]
+
+    def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicResult, dict[str, JsonType]]:
+        """Analyze the package.
+
+        Parameters
+        ----------
+        pypi_package_json: PyPIPackageJsonAsset
+            The PyPI package JSON asset object.
+
+        Returns
+        -------
+        tuple[HeuristicResult, dict[str, JsonType]]:
+            The result and related information collected during the analysis.
+        """
+        if not self.trusted_organizations:
+            warning_message = "Trusted organizations file is empty"
+            logger.warning(warning_message)
+            return HeuristicResult.SKIP, {"warning": warning_message}
+
+        package_json = pypi_package_json.package_json
+        if not package_json:
+            error_message = "No package JSON found in metadata"
+            logger.debug(error_message)
+            raise HeuristicAnalyzerValueError(error_message)
+
+        author = json_extract(package_json, ["info", "author"], str)
+        maintainer = json_extract(package_json, ["info", "maintainer"], str)
+        author_email = json_extract(package_json, ["info", "author_email"], str)
+        description = json_extract(package_json, ["info", "description"], str)
+        summary = json_extract(package_json, ["info", "summary"], str)
+        data = f"{author} {maintainer} {author_email} {description} {summary}"
+
+        for org in self.trusted_organizations:
+            if re.search(rf"\b{re.escape(org)}\b", data, re.IGNORECASE):
+                return HeuristicResult.PASS, {"message": "Package is associated with a trusted organization"}
+
+        return HeuristicResult.FAIL, {"message": "Package is associated with an unknown organization"}

src/macaron/malware_analyzer/pypi_heuristics/metadata/unsecure_description.py

@@ -0,0 +1,56 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""This analyzer checks if a PyPI package has unsecure description."""
+
+import logging
+import re
+
+from macaron.errors import HeuristicAnalyzerValueError
+from macaron.json_tools import JsonType, json_extract
+from macaron.malware_analyzer.pypi_heuristics.base_analyzer import BaseHeuristicAnalyzer
+from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult, Heuristics
+from macaron.slsa_analyzer.package_registry.pypi_registry import PyPIPackageJsonAsset
+
+logger: logging.Logger = logging.getLogger(__name__)
+
+
+class UnsecureDescriptionAnalyzer(BaseHeuristicAnalyzer):
+    """Check whether the package's description is unsecure."""
+
+    SECURE_DESCRIPTION_REGEX = re.compile(
+        r"\b(?:internal|private|stub|placeholder|dependency confusion|security|namespace protection|reserved)\b",
+        re.IGNORECASE,
+    )
+
+    def __init__(self) -> None:
+        super().__init__(
+            name="unsecure_description_analyzer", heuristic=Heuristics.UNSECURE_DESCRIPTION, depends_on=None
+        )
+
+    def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicResult, dict[str, JsonType]]:
+        """Analyze the package.
+
+        Parameters
+        ----------
+        pypi_package_json: PyPIPackageJsonAsset
+            The PyPI package JSON asset object.
+
+        Returns
+        -------
+        tuple[HeuristicResult, dict[str, JsonType]]:
+            The result and related information collected during the analysis.
+        """
+        package_json = pypi_package_json.package_json
+        info = package_json.get("info", {})
+        if not info:
+            error_msg = "No package info found in metadata"
+            logger.debug(error_msg)
+            raise HeuristicAnalyzerValueError(error_msg)
+
+        description = json_extract(package_json, ["info", "description"], str)
+        summary = json_extract(package_json, ["info", "summary"], str)
+        data = f"{description} {summary}"
+        if self.SECURE_DESCRIPTION_REGEX.search(data):
+            return HeuristicResult.PASS, {"message": "Package description is secure"}
+        return HeuristicResult.FAIL, {"message": "Package description is unsecure"}

src/macaron/resources/trusted_organizations.txt

@@ -0,0 +1,119 @@
+Oracle
+jetbrains
+Rami Sayar
+AWS SDK Common Runtime Team
+Rafi Kurnia Putra
+Frank Seide
+Conchylicultor
+Pete Bryan
+John Evans
+Daniel van Flymen
+James Saryerwinnie
+PyTorch Team
+torchort contributors
+Ravindra Marella
+Lars van Gemerden
+Mark Saniscalchi
+Azure Red Team
+Google Cloud Datastore Team
+Mario Vilas
+Google AI Princeton
+CRE Avengers
+Microsoft Research - Causica
+Hunter Fernandes
+Deep Procedural Intelligence
+Paul O. Hayne
+Gregory Kwok
+Microsoft
+TBD
+Microsoft Corp.
+Luke Harries, Sebastian Lee, Jaroslaw Rzepecki, Katya Hofmann, Sam Devlin
+Bing Ads SDK Team
+John Schroeder
+Recommenders contributors
+Florian Berger
+pymox maintainers
+Sandeep Kumar
+Goffi (Jérôme Poisson)
+Yuxuan Dong
+Marc-Alexandre Côté
+pltrdy
+Gregory P. Smith
+piePaul
+Natalia Maximo
+Jon Wayne Parrott
+The Brotli Authors
+Microsoft Corporation License-Expression: Apache-2.0
+Mike Bayer
+David Herberth
+Google Inc.
+Darcy Mason and contributors
+Rüdiger Voigt
+Forensic artifacts
+Charles Marsh
+rego-cpp Team
+Lukas Schwab
+Google Quantum AI open-source maintainers
+Bling
+Stepan Perlov
+Eric Bridgeford
+The gRPC Authors
+hm-distro
+Capirca Team
+Microsoft Research AI Compilers Team
+PyWhy contributors
+Andy Casey
+The qsim/qsimh Developers
+Samuel Stauffer
+Tomi Pajunen
+Google
+OpenCensus Authors
+Charles Reese
+Jarek Potiuk, Szymon Przedwojski, Kamil Breguła, Feng Lu, Cameron Moberg
+Amazon Web Service
+Radovan Bast
+Mitch Garnaat
+Brian Quinlan
+The OpenFermion FQE Developers
+Project AIM
+Benjamin S. Meyers
+Kivanc Yuksel
+Patrick Costello
+PiCloud, Inc.
+Joseph DiLallo
+David Berthelot
+Holger Krekel, Bruno Oliveira, Ronny Pfannschmidt, Floris Bruynooghe, Brianna Laugher, Florian Bruhin, Others (See AUTHORS)
+Jonghak Choi
+Ludovico Magnocavallo
+Google LLC
+Dale Myers
+Tink Developers
+Amazon Web Services
+The Kubeflow Authors
+Xuan Ma
+Tim Swast, Google Inc.
+Prem Nair
+Wijnand Modderman-Lenstra
+The PyBigQuery Authors
+王振华(Zhenhua WANG)
+PyCQA
+Pedro Rodriguez
+Elizabeth Golden
+Stefan-Code
+Idin
+Michael Foord
+Matteo Cypriani
+suryapoojarypy
+Ian Hellen
+Microsoft Corporation
+MIT Lincoln Laboratory
+Dax Pryce
+Eider Moore
+James Gardner
+Jose Roberts
+JAX team
+Thea Flowers
+ScenePic Team
+Rodrigo Moraes
+The OpenFermion Developers
+Google, Inc.

src/macaron/slsa_analyzer/build_tool/gradle.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the Gradle class which inherits BaseBuildTool.
@@ -122,7 +122,7 @@ def get_dep_analyzer(self) -> CycloneDxGradle:
             raise DependencyAnalyzerError("No default dependency analyzer is found.")
         if not DependencyAnalyzer.tool_valid(defaults.get("dependency.resolver", "dep_tool_gradle")):
             raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver','dep_tool_gradle')} is not valid.",
+                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
             )
 
         tool_name, tool_version = tuple(

src/macaron/slsa_analyzer/build_tool/maven.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the Maven class which inherits BaseBuildTool.
@@ -116,7 +116,7 @@ def get_dep_analyzer(self) -> CycloneDxMaven:
             raise DependencyAnalyzerError("No default dependency analyzer is found.")
         if not DependencyAnalyzer.tool_valid(defaults.get("dependency.resolver", "dep_tool_maven")):
             raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver','dep_tool_maven')} is not valid.",
+                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_maven')} is not valid.",
             )
 
         tool_name, tool_version = tuple(

src/macaron/slsa_analyzer/build_tool/pip.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the Pip class which inherits BaseBuildTool.
@@ -88,7 +88,7 @@ def get_dep_analyzer(self) -> DependencyAnalyzer:
         tool_name = "cyclonedx_py"
         if not DependencyAnalyzer.tool_valid(f"{tool_name}:{cyclonedx_version}"):
             raise DependencyAnalyzerError(
-                f"Dependency analyzer {defaults.get('dependency.resolver','dep_tool_gradle')} is not valid.",
+                f"Dependency analyzer {defaults.get('dependency.resolver', 'dep_tool_gradle')} is not valid.",
             )
         return CycloneDxPython(
             resources_path=global_config.resources_path,