feat(heuristics): add two analyzers to detect dependency confusion and distinguish from stub packages#1117

Merged
behnazh-w merged 3 commits into
oracle:mainfrom
AmineRaouane:dependency-confusion
Sep 9, 2025
Conversation

@AmineRaouane AmineRaouane commented Jul 5, 2025

Member

Summary

This PR adds three new heuristic analyzers designed to detect potential dependency confusion attacks and differentiate them from harmless stub or placeholder packages.

Description of changes

  • Implemented two new analyzers:
    • minimal_content: Indicates that the package has minimal content (a low number of files).
    • unsecure_description: Indicates that the package's description is unsecure, such as not having descriptive keywords that indicate it's a stub package.
  • Integrated these analyzers into heuristics.py.

Related issues

None

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.
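
The two heuristics described above, as an added, stand-alone illustration that is not macaron's own analyzer code: it counts regular files in an in-memory source distribution, checks the description for wording that marks an intentional placeholder, and treats both firing together as the dependency-confusion pattern. The file-count threshold, the keyword list, the function names, the `Result` enum and the constructed sample packages (`acme-internal-utils` and its contents) are all assumptions for this example.

```python
"""Two heuristics in the spirit of the PR description: a source archive with very
few files, and a description that carries no wording marking the package as a
deliberate stub or placeholder. Added illustration only (not macaron code);
threshold, keyword list, helper names and sample data are assumptions."""
from __future__ import annotations

import io
import re
import tarfile
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "pass"  # heuristic did not fire
    FAIL = "fail"  # heuristic fired (suspicious)


# Assumed threshold: archives with this many regular files or fewer are "minimal".
MINIMAL_FILE_THRESHOLD = 3

# Assumed keyword list: wording a legitimate placeholder package typically carries.
STUB_KEYWORDS = (
    "placeholder", "reserved", "stub", "dummy", "internal use only",
    "namespace", "name squatting", "typosquat", "do not install", "do not use",
)

# Build metadata present in nearly every sdist; it should not count as "content".
_METADATA = re.compile(r"(^|/)(PKG-INFO|setup\.cfg|[^/]+\.egg-info/.*)$")


@dataclass
class PackageArtifact:
    name: str
    description: str
    sdist: bytes  # gzipped tarball of the source distribution


def count_regular_files(sdist: bytes) -> int:
    """Regular files in the sdist, ignoring directories and build metadata."""
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as tar:
        return sum(1 for m in tar.getmembers()
                   if m.isfile() and not _METADATA.search(m.name))


def minimal_content(pkg: PackageArtifact) -> Result:
    """FAIL when the archive holds at most MINIMAL_FILE_THRESHOLD real files."""
    return Result.FAIL if count_regular_files(pkg.sdist) <= MINIMAL_FILE_THRESHOLD else Result.PASS


def unsecure_description(pkg: PackageArtifact) -> Result:
    """FAIL when the description gives no hint that the package is an intentional stub."""
    text = " ".join(pkg.description.lower().split())  # normalise case and whitespace
    return Result.PASS if any(k in text for k in STUB_KEYWORDS) else Result.FAIL


def suspicious_for_dependency_confusion(pkg: PackageArtifact) -> bool:
    """Tiny archive *and* no stub wording: the combination worth flagging."""
    return minimal_content(pkg) is Result.FAIL and unsecure_description(pkg) is Result.FAIL


def make_sdist(files: dict[str, str]) -> bytes:
    """Constructed in-memory sdist so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples (hypothetical package name and contents).
_SETUP = "from setuptools import setup\nsetup()\n"
STUB_PKG = PackageArtifact(  # legitimate placeholder: tiny, but says so
    name="acme-internal-utils",
    description="Placeholder package reserved by ACME to protect an internal namespace. Do not use.",
    sdist=make_sdist({"acme-internal-utils-0.0.1/PKG-INFO": "Name: acme-internal-utils\n",
                      "acme-internal-utils-0.0.1/setup.py": _SETUP}),
)
CONFUSION_PKG = PackageArtifact(  # tiny, high version, vague description
    name="acme-internal-utils",
    description="Utilities.",
    sdist=make_sdist({"acme-internal-utils-9.9.9/PKG-INFO": "Name: acme-internal-utils\n",
                      "acme-internal-utils-9.9.9/setup.py": _SETUP}),
)
REAL_PKG = PackageArtifact(  # terse description, but real content
    name="acme-cli",
    description="A tiny CLI.",
    sdist=make_sdist({"acme-cli-1.2.0/PKG-INFO": "Name: acme-cli\n",
                      "acme-cli-1.2.0/setup.py": _SETUP,
                      "acme-cli-1.2.0/README.md": "# acme-cli\n",
                      "acme-cli-1.2.0/acme_cli/__init__.py": "",
                      "acme-cli-1.2.0/acme_cli/core.py": "def run(): ...\n",
                      "acme-cli-1.2.0/acme_cli/cli.py": "from .core import run\n"}),
)

if __name__ == "__main__":
    for pkg in (STUB_PKG, CONFUSION_PKG, REAL_PKG):
        print(pkg.name, minimal_content(pkg).value, unsecure_description(pkg).value,
              "SUSPICIOUS" if suspicious_for_dependency_confusion(pkg) else "ok")
```

Only the combination is flagged: the placeholder package fails `minimal_content` but passes `unsecure_description`, and the real package with a terse description fails `unsecure_description` but passes `minimal_content`; neither is reported, while the tiny, vaguely described upload is.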

@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 5, 2025
@AmineRaouane AmineRaouane force-pushed the dependency-confusion branch from 2585e75 to ab17698 on July 5, 2025 13:37
@AmineRaouane AmineRaouane changed the title Dependency confusion detection feat(heuristics): add three analyzers to detect dependency confusion and distinguish from stub packages Jul 5, 2025
@AmineRaouane AmineRaouane force-pushed the dependency-confusion branch from ab17698 to ae021e1 on July 5, 2025 13:54
@AmineRaouane AmineRaouane changed the title feat(heuristics): add three analyzers to detect dependency confusion and distinguish from stub packages feat(heuristics): add two analyzers to detect dependency confusion and distinguish from stub packages Aug 6, 2025
@AmineRaouane AmineRaouane force-pushed the dependency-confusion branch from d555c54 to 7b6f07c on August 7, 2025 22:45
Comment thread src/macaron/malware_analyzer/README.md Outdated
Comment thread src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py
Amine added 2 commits September 5, 2025 02:12
…and distinguish from stub packages

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@behnazh-w behnazh-w merged commit ca1fc9c into oracle:main Sep 9, 2025
13 of 14 checks passed
Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

4 participants