From ad04616d3e3dac7e6a7e4cc1440ebc90b1844183 Mon Sep 17 00:00:00 2001 From: Carl Flottmann Date: Mon, 13 Jan 2025 10:42:28 +1000 Subject: [PATCH] refactor: reworded 'anomalistic' to 'anomalous' --- src/macaron/config/defaults.ini | 9 ++--- .../pypi_heuristics/heuristics.py | 6 ++-- ...listic_version.py => anomalous_version.py} | 12 +++---- .../checks/detect_malicious_metadata_check.py | 34 +++++++++---------- ...c_version.py => test_anomalous_version.py} | 16 ++++----- 5 files changed, 39 insertions(+), 38 deletions(-) rename src/macaron/malware_analyzer/pypi_heuristics/metadata/{anomalistic_version.py => anomalous_version.py} (95%) rename tests/malware_analyzer/pypi/{test_anomalistic_version.py => test_anomalous_version.py} (95%) diff --git a/src/macaron/config/defaults.ini b/src/macaron/config/defaults.ini index 65ff37d80..f895c20aa 100644 --- a/src/macaron/config/defaults.ini +++ b/src/macaron/config/defaults.ini @@ -584,12 +584,13 @@ include = * [heuristic.pypi] releases_frequency_threshold = 2 # The gap threshold. -# The timedelta indicate the gap between the date maintainer registers their pypi's account and the date of latest release. +# The timedelta represents the gap between when the date maintainer registers their pypi account, and the +# date of the latest release. timedelta_threshold_of_join_release = 5 -# Any major version above this value is detected as anomalistic and marked as suspicious +# Any major version above this value is detected as anomalous and marked as suspicious. major_threshold = 20 -# Any epoch number avove this value is detected as anomalistic and marked as suspicious +# Any epoch number avove this value is detected as anomalous and marked as suspicious. epoch_threshold = 3 -# The number of days +/- the day of publish the calendar versioning day may be +# The number of days +/- the day of publish the calendar versioning day may be. day_publish_error = 4 diff --git a/src/macaron/malware_analyzer/pypi_heuristics/heuristics.py b/src/macaron/malware_analyzer/pypi_heuristics/heuristics.py index 6c7a3f61d..1bd724fad 100644 --- a/src/macaron/malware_analyzer/pypi_heuristics/heuristics.py +++ b/src/macaron/malware_analyzer/pypi_heuristics/heuristics.py @@ -31,11 +31,11 @@ class Heuristics(str, Enum): #: Indicates that the setup.py file contains suspicious imports, such as base64 and requests. SUSPICIOUS_SETUP = "suspicious_setup" - #: Indicates that the package does not include a .whl file + #: Indicates that the package does not include a .whl file. WHEEL_ABSENCE = "wheel_absence" - #: Indicates that the package has an unusually large version number for a single release - ANOMALISTIC_VERSION = "anomalistic_version" + #: Indicates that the package has an unusually large version number for a single release. + ANOMALOUS_VERSION = "anomalous_version" class HeuristicResult(str, Enum): diff --git a/src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalistic_version.py b/src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalous_version.py similarity index 95% rename from src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalistic_version.py rename to src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalous_version.py index 0307ae205..2f39d6f70 100644 --- a/src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalistic_version.py +++ b/src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalous_version.py @@ -1,7 +1,7 @@ # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. -"""The heuristic analyzer to check for an anomalistic package version.""" +"""The heuristic analyzer to check for an anomalous package version.""" import logging from enum import Enum @@ -19,11 +19,11 @@ logger: logging.Logger = logging.getLogger(__name__) -class AnomalisticVersionAnalyzer(BaseHeuristicAnalyzer): +class AnomalousVersionAnalyzer(BaseHeuristicAnalyzer): """ - Analyze the version number (if there is only a single release) to detect if it is anomalistic. + Analyze the version number (if there is only a single release) to detect if it is anomalous. - A version number is anomalistic if it is above the thresholds for an epoch, major, or minor value. + A version number is anomalous if any of its values are greater than the epoch, major, or minor threshold values. If the version does not adhere to PyPI standards (PEP 440, as per the 'packaging' module), this heuristic cannot analyze it. @@ -62,8 +62,8 @@ class AnomalisticVersionAnalyzer(BaseHeuristicAnalyzer): def __init__(self) -> None: super().__init__( - name="anomalistic_version_analyzer", - heuristic=Heuristics.ANOMALISTIC_VERSION, + name="anomalous_version_analyzer", + heuristic=Heuristics.ANOMALOUS_VERSION, depends_on=[(Heuristics.ONE_RELEASE, HeuristicResult.FAIL)], ) self.major_threshold, self.epoch_threshold, self.day_publish_error = self._load_defaults() diff --git a/src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py b/src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py index 181f27600..0e2fe0039 100644 --- a/src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py +++ b/src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py @@ -15,7 +15,7 @@ from macaron.json_tools import JsonType, json_extract from macaron.malware_analyzer.pypi_heuristics.base_analyzer import BaseHeuristicAnalyzer from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult, Heuristics -from macaron.malware_analyzer.pypi_heuristics.metadata.anomalistic_version import AnomalisticVersionAnalyzer +from macaron.malware_analyzer.pypi_heuristics.metadata.anomalous_version import AnomalousVersionAnalyzer from macaron.malware_analyzer.pypi_heuristics.metadata.closer_release_join_date import CloserReleaseJoinDateAnalyzer from macaron.malware_analyzer.pypi_heuristics.metadata.empty_project_link import EmptyProjectLinkAnalyzer from macaron.malware_analyzer.pypi_heuristics.metadata.high_release_frequency import HighReleaseFrequencyAnalyzer @@ -76,7 +76,7 @@ class MaliciousMetadataFacts(CheckFacts): CloserReleaseJoinDateAnalyzer, SuspiciousSetupAnalyzer, WheelAbsenceAnalyzer, - AnomalisticVersionAnalyzer, + AnomalousVersionAnalyzer, ] @@ -104,11 +104,11 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.FAIL, # Suspicious Setup HeuristicResult.FAIL, # Wheel Absence - HeuristicResult.FAIL, # Anomalistic Version + HeuristicResult.FAIL, # Anomalous Version # No project link, only one release, and the maintainer released it shortly # after account registration. # The setup.py file contains suspicious imports and .whl file isn't present. - # Anomalistic version has no effect. + # Anomalous version has no effect. ): Confidence.HIGH, ( HeuristicResult.FAIL, # Empty Project @@ -119,11 +119,11 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.FAIL, # Suspicious Setup HeuristicResult.FAIL, # Wheel Absence - HeuristicResult.PASS, # Anomalistic Version + HeuristicResult.PASS, # Anomalous Version # No project link, only one release, and the maintainer released it shortly # after account registration. # The setup.py file contains suspicious imports and .whl file isn't present. - # Anomalistic version has no effect. + # Anomalous version has no effect. ): Confidence.HIGH, ( HeuristicResult.FAIL, # Empty Project @@ -134,7 +134,7 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.FAIL, # Suspicious Setup HeuristicResult.FAIL, # Wheel Absence - HeuristicResult.SKIP, # Anomalistic Version + HeuristicResult.SKIP, # Anomalous Version # No project link, frequent releases of multiple versions without modifying the content, # and the maintainer released it shortly after account registration. # The setup.py file contains suspicious imports and .whl file isn't present. @@ -148,7 +148,7 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.FAIL, # Suspicious Setup HeuristicResult.FAIL, # Wheel Absence - HeuristicResult.SKIP, # Anomalistic Version + HeuristicResult.SKIP, # Anomalous Version # No project link, frequent releases of multiple versions, # and the maintainer released it shortly after account registration. # The setup.py file contains suspicious imports and .whl file isn't present. @@ -162,7 +162,7 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.PASS, # Suspicious Setup HeuristicResult.PASS, # Wheel Absence - HeuristicResult.SKIP, # Anomalistic Version + HeuristicResult.SKIP, # Anomalous Version # No project link, frequent releases of multiple versions without modifying the content, # and the maintainer released it shortly after account registration. Presence/Absence of # .whl file has no effect @@ -176,7 +176,7 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.PASS, # Suspicious Setup HeuristicResult.FAIL, # Wheel Absence - HeuristicResult.SKIP, # Anomalistic Version + HeuristicResult.SKIP, # Anomalous Version # No project link, frequent releases of multiple versions without modifying the content, # and the maintainer released it shortly after account registration. Presence/Absence of # .whl file has no effect @@ -190,7 +190,7 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.FAIL, # Suspicious Setup HeuristicResult.FAIL, # Wheel Absence - HeuristicResult.SKIP, # Anomalistic Version + HeuristicResult.SKIP, # Anomalous Version # All project links are unreachable, frequent releases of multiple versions, # and the maintainer released it shortly after account registration. # The setup.py file contains suspicious imports and .whl file isn't present. @@ -204,11 +204,11 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.PASS, # Suspicious Setup HeuristicResult.PASS, # Wheel Absence - HeuristicResult.FAIL, # Anomalistic Version + HeuristicResult.FAIL, # Anomalous Version # No project link, only one release, and the maintainer released it shortly # after account registration. # The setup.py file has no effect and .whl file is present. - # The version number is anomalistic. + # The version number is anomalous. ): Confidence.MEDIUM, ( HeuristicResult.FAIL, # Empty Project @@ -219,11 +219,11 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.FAIL, # Suspicious Setup HeuristicResult.PASS, # Wheel Absence - HeuristicResult.FAIL, # Anomalistic Version + HeuristicResult.FAIL, # Anomalous Version # No project link, only one release, and the maintainer released it shortly # after account registration. # The setup.py file has no effect and .whl file is present. - # The version number is anomalistic. + # The version number is anomalous. ): Confidence.MEDIUM, ( HeuristicResult.FAIL, # Empty Project @@ -234,11 +234,11 @@ class MaliciousMetadataFacts(CheckFacts): HeuristicResult.FAIL, # Closer Release Join Date HeuristicResult.SKIP, # Suspicious Setup HeuristicResult.PASS, # Wheel Absence - HeuristicResult.FAIL, # Anomalistic Version + HeuristicResult.FAIL, # Anomalous Version # No project link, only one release, and the maintainer released it shortly # after account registration. # The setup.py file has no effect and .whl file is present. - # The version number is anomalistic. + # The version number is anomalous. ): Confidence.MEDIUM, } diff --git a/tests/malware_analyzer/pypi/test_anomalistic_version.py b/tests/malware_analyzer/pypi/test_anomalous_version.py similarity index 95% rename from tests/malware_analyzer/pypi/test_anomalistic_version.py rename to tests/malware_analyzer/pypi/test_anomalous_version.py index 9f24bd07c..3edd73d0c 100644 --- a/tests/malware_analyzer/pypi/test_anomalistic_version.py +++ b/tests/malware_analyzer/pypi/test_anomalous_version.py @@ -1,19 +1,19 @@ # Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. -"""Tests for heuristic detecting anomalistic version numbers""" +"""Tests for heuristic detecting anomalous version numbers""" from unittest.mock import MagicMock import pytest from macaron.errors import HeuristicAnalyzerValueError from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult -from macaron.malware_analyzer.pypi_heuristics.metadata.anomalistic_version import AnomalisticVersionAnalyzer, Versioning +from macaron.malware_analyzer.pypi_heuristics.metadata.anomalous_version import AnomalousVersionAnalyzer, Versioning def test_analyze_no_information(pypi_package_json: MagicMock) -> None: """Test for when there is no release information, so error""" - analyzer = AnomalisticVersionAnalyzer() + analyzer = AnomalousVersionAnalyzer() pypi_package_json.get_releases.return_value = None @@ -23,7 +23,7 @@ def test_analyze_no_information(pypi_package_json: MagicMock) -> None: def test_analyze_invalid_time(pypi_package_json: MagicMock) -> None: """Test for when the supplied upload time does not conform with PEP 440, so error.""" - analyzer = AnomalisticVersionAnalyzer() + analyzer = AnomalousVersionAnalyzer() version = "1.1" release = { version: [ @@ -61,7 +61,7 @@ def test_analyze_invalid_time(pypi_package_json: MagicMock) -> None: def test_analyze_no_time(pypi_package_json: MagicMock) -> None: """Test for when there is no supplied upload time, so error.""" - analyzer = AnomalisticVersionAnalyzer() + analyzer = AnomalousVersionAnalyzer() version = "1.1" release = { version: [ @@ -249,7 +249,7 @@ def test_analyze( pypi_package_json: MagicMock, version: str, upload_date: str, result: HeuristicResult, versioning: str ) -> None: """ - Generic test for the expected return value of the anomalistic version heuristic. + Generic test for the expected return value of the anomalous version heuristic. Parameters ---------- @@ -262,7 +262,7 @@ def test_analyze( versioning : str which versioning system the heuristic should have identified. """ - analyzer = AnomalisticVersionAnalyzer() + analyzer = AnomalousVersionAnalyzer() release = { version: [ { @@ -292,7 +292,7 @@ def test_analyze( pypi_package_json.get_releases.return_value = release pypi_package_json.get_latest_version.return_value = version - expected_result: tuple[HeuristicResult, dict] = (result, {AnomalisticVersionAnalyzer.DETAIL_INFO_KEY: versioning}) + expected_result: tuple[HeuristicResult, dict] = (result, {AnomalousVersionAnalyzer.DETAIL_INFO_KEY: versioning}) actual_result = analyzer.analyze(pypi_package_json)