chore: add CLOSER_RELEASE_JOIN_DATE heuristic as a dependency of SUSPICIOUS_SETUP

[behnazh-w]

Right now the CLOSER_RELEASE_JOIN_DATE heuristic in the mcn_detect_malicious_metadata_1 check does not depend on any other heuristic results. However, all the heuristic combinations require the CLOSER_RELEASE_JOIN_DATE heuristic to fail. This PR adds the CLOSER_RELEASE_JOIN_DATE heuristic as a dependency of SUSPICIOUS_SETUP to avoid running SUSPICIOUS_SETUP analyzer unnecessarily and improve performance.

[tromai]

For this Heuristic -

macaron/src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

Lines 116 to 126 in 5c2dbec

	): Confidence.HIGH,
	(
	HeuristicResult.FAIL, # Empty Project
	HeuristicResult.SKIP, # Unreachable Project Links
	HeuristicResult.PASS, # One Release
	HeuristicResult.FAIL, # High Release Frequency
	HeuristicResult.FAIL, # Unchanged Release
	HeuristicResult.FAIL, # Closer Release Join Date
	HeuristicResult.PASS, # Suspicious Setup
	# No project link, frequent releases of multiple versions without modifying the content,
	# and the maintainer released it shortly after account registration.

If SUSPICIOUS_SETUP passes, it would mean that CLOSER_RELEASE_JOIN_DATE will be SKIPPED. This means that we will miss this heuristic combination.

[behnazh-w]

For this Heuristic -

macaron/src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

Lines 116 to 126 in 5c2dbec

	): Confidence.HIGH,
	(
	HeuristicResult.FAIL, # Empty Project
	HeuristicResult.SKIP, # Unreachable Project Links
	HeuristicResult.PASS, # One Release
	HeuristicResult.FAIL, # High Release Frequency
	HeuristicResult.FAIL, # Unchanged Release
	HeuristicResult.FAIL, # Closer Release Join Date
	HeuristicResult.PASS, # Suspicious Setup
	# No project link, frequent releases of multiple versions without modifying the content,
	# and the maintainer released it shortly after account registration.

If SUSPICIOUS_SETUP passes, it would mean that CLOSER_RELEASE_JOIN_DATE will be SKIPPED. This means that we will miss this heuristic combination.

That's not how the heuristics work and this scenario should not be possible. If heuristic A depends on heuristic B with result R, A will only run if B runs and returns R. With the change in this PR, SUSPICIOUS_SETUP will depend on CLOSER_RELEASE_JOIN_DATE. So, only if CLOSER_RELEASE_JOIN_DATE fails, SUSPICIOUS_SETUP will run, and will be skipped otherwise.

[tromai]

Ah I see. Thanks for the clarification, I looked at the PR description

This PR adds the CLOSER_RELEASE_JOIN_DATE heuristic as a dependency of SUSPICIOUS_SETUP to avoid running SUSPICIOUS_SETUP analyzer unnecessarily and improve performance.

And I thought that we are planning to make CLOSER_RELEASE_JOIN_DATE a children of SUSPICIOUS_SETUP.