feat(heuristics): add whitespace check to detect excessive spacing and invisible characters for malware check

[AmineRaouane]

Summary

This PR adds a new heuristic that analyzes code to detect suspicious use of excessive spaces and invisible characters. It checks whether the amount of spacing and invisible Unicode characters exceeds a defined threshold.

Description of changes

• Implemented the WhiteSpaces heuristic in a new Python module.
• Registered the new heuristic inside the main heuristics.py file.
• Created unit tests to verify the behavior of the WhiteSpacesAnalyzer heuristic.
• Updated detect_malicious_metadata_check.py to integrate and execute the new heuristic logic during analysis.
• The heuristic scans the codebase for abnormal invisible characters and spaces in the code.
• This heuristic is combined with ForceSetup to justify high confidence in detection, as the presence of extra spaces alone could be due to poor formatting rather than malicious intent.

Related issues

None

Checklist

• I have reviewed the contribution guide.
• My PR title and commits follow the Conventional Commits convention.
• My commits include the "Signed-off-by" line.
• I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
• I have updated the relevant documentation, if applicable.
• I have tested my changes and verified they work as expected.

[art1f1c3R]

The CI test seems to be failing due to detecting excessive whitespace in django@5.0.6 for django/utils/html.py:149 and tests/gis_tests/distapp/tests.py:384.

Dismissing approval until integration test failure is resolved.

[art1f1c3R]

I have investigated this problem. in django/utils/html.py:149-150 the following text appears in a docstring:

      format_html_join('\n', "<li>{} {}</li>", ((u.first_name, u.last_name)
                                                  for u in users))

In tests/gis_tests/distapp/tests.py:384-386 the following text also appears in a docstring:

================================

                                                | Projected Geometry | Lon/lat Geometry

Both of these examples are triggered by the excessive whitespace Semgrep rule as there are over 50 spaces before some of the indented lines. Both of these examples occur in docstrings, so my proposed solution (which I have tested does not trigger on django@5.0.6) is to alter the rule to this:

- id: obfuscation_excessive-spacing
  metadata:
    description: Detects the use of excessive spacing in code, which may indicate obfuscation or hidden code.
  message: Hidden code after excessive spacing
  languages:
  - python
  severity: WARNING
  pattern-either:
  - pattern-regex: '[\s]{50,}(\S)+' # The 50 here is the threshold for excessive spacing , more than that is considered obfuscation
  - pattern-not-inside: |
        """ ... """

I have used \s for whitespace characters and \S for non-whitespace characters for clarity here. The pattern-not-inside makes the rule avoid docstrings. Please try and see if this resolves the CI test failing issue.

Something we may have to be wary of is benign code blocks that are excessively indented and will cause this to trigger. Many projects will not encounter this, as the indentation level will not reach more than 50 spaces and/or code linters will prevent this from happening, so I don't expect too many false positives with that, but it is a possibility.

[art1f1c3R]

CI error has been resolved by ignoring excessive spacing present in docstrings.

[art1f1c3R]

I have investigated this problem. in django/utils/html.py:149-150 the following text appears in a docstring:

      format_html_join('\n', "<li>{} {}</li>", ((u.first_name, u.last_name)
                                                  for u in users))

In tests/gis_tests/distapp/tests.py:384-386 the following text also appears in a docstring:

================================

                                                | Projected Geometry | Lon/lat Geometry

Both of these examples are triggered by the excessive whitespace Semgrep rule as there are over 50 spaces before some of the indented lines. Both of these examples occur in docstrings, so my proposed solution (which I have tested does not trigger on django@5.0.6) is to alter the rule to this:

- id: obfuscation_excessive-spacing
  metadata:
    description: Detects the use of excessive spacing in code, which may indicate obfuscation or hidden code.
  message: Hidden code after excessive spacing
  languages:
  - python
  severity: WARNING
  pattern-either:
  - pattern-regex: '[\s]{50,}(\S)+' # The 50 here is the threshold for excessive spacing , more than that is considered obfuscation
  - pattern-not-inside: |
        """ ... """

I have used \s for whitespace characters and \S for non-whitespace characters for clarity here. The pattern-not-inside makes the rule avoid docstrings. Please try and see if this resolves the CI test failing issue.

Something we may have to be wary of is benign code blocks that are excessively indented and will cause this to trigger. Many projects will not encounter this, as the indentation level will not reach more than 50 spaces and/or code linters will prevent this from happening, so I don't expect too many false positives with that, but it is a possibility.

The pattern-not-inside was incorrectly formatted, which was fixed in this commit.