From 075e9f867a57651870a8acdfe3ae0b037c26fb83 Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Fri, 10 Jan 2025 15:58:30 +0100
Subject: [PATCH 1/2] removing bidi chars

---
 README.md | 8 +++--
 .../sourcecode/bidirectional-characters.yml | 29 -------------------
 .../sourcecode/bidirectional-characters.py | 11 -------
 3 files changed, 6 insertions(+), 42 deletions(-)
 delete mode 100644 guarddog/analyzer/sourcecode/bidirectional-characters.yml
 delete mode 100644 tests/analyzer/sourcecode/bidirectional-characters.py

diff --git a/README.md b/README.md
index 546d703d..c575515b 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,6 @@ Source code heuristics:
 | exec-base64 | Identify when a package dynamically executes base64-encoded code |
 | silent-process-execution | Identify when a package silently executes an executable |
 | dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
-| bidirectional-characters | Identify when a package contains bidirectional characters, which can be used to display source code differently than its actual execution. See more at https://trojansource.codes/ |
 | steganography | Identify when a package retrieves hidden data from an image and executes it |
 | code-execution | Identify when an OS command is executed in the setup.py file |
 | cmd-overwrite | Identify when the 'install' command is overwritten in setup.py, indicating a piece of code automatically running when the package is installed |
@@ -123,7 +122,6 @@ Source code heuristics: | npm-exec-base64 | Identify when a package dynamically executes code through 'eval' | | npm-install-script | Identify when a package has a pre or post-install script automatically running commands | | npm-steganography | Identify when a package retrieves hidden data from an image and executes it | -| bidirectional-characters | Identify when a package contains bidirectional characters, which can be used to display source code differently than its actual execution. See more at https://trojansource.codes/ | | npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL | | npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system | @@ -149,8 +147,14 @@ Source code heuristics: | **Heuristic** | **Description** | |:-------------:|:---------------:| | shady-links | Identify when a package contains an URL to a domain with a suspicious extension | + +Metadata heuristics: + +| **Heuristic** | **Description** | +|:-------------:|:---------------:| | typosquatting | Identify packages that are named closely to an highly popular package | + ## Custom Rules diff --git a/guarddog/analyzer/sourcecode/bidirectional-characters.yml b/guarddog/analyzer/sourcecode/bidirectional-characters.yml deleted file mode 100644 index 0b778ad3..00000000 --- a/guarddog/analyzer/sourcecode/bidirectional-characters.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -rules: - - id: bidirectional-characters - message: This package contains bidirectional (bidi) characters - metadata: - description: Identify when a package contains bidirectional characters, which can be used to display source code differently than its actual execution. See more at https://trojansource.codes/ - patterns: - - pattern-either: - # Try treating following text as left-to-right. - - pattern-regex: ‪ - # Try treating following text as right-to-left. - - pattern-regex: ‫ - # Force treating following text as left-to-right. - - pattern-regex: ‭ - # Force treating following text as right-to-left. - - pattern-regex: ‮ - # Force treating following text as left-to-right without affecting adjacent text. - - pattern-regex: ⁦ - # Force treating following text as right-to-left without affecting adjacent text. - - pattern-regex: ⁧ - # Force treating following text in direction indicated by the next character. - - pattern-regex: ⁨ - # Terminate nearest LRE, RLE, LRO, or RLO. - - pattern-regex: ‬ - # Terminate nearest LRI or RLI. - - pattern-regex: ⁩ - languages: - - python - - javascript - severity: WARNING diff --git a/tests/analyzer/sourcecode/bidirectional-characters.py b/tests/analyzer/sourcecode/bidirectional-characters.py deleted file mode 100644 index 84bc7a66..00000000 --- a/tests/analyzer/sourcecode/bidirectional-characters.py +++ /dev/null @@ -1,11 +0,0 @@ -def demo(): - amount = 100 - # ruleid: bidirectional-characters - ''' comment ⁧''' ;amount -= 70 - print(f"Amount: {amount}") - -def demo(): - print("first comment") - # ruleid: bidirectional-characters - ''' comment ⁧''' ;return - print("last comment") From 1f685b3b5a5e310b0ebb2f8507f130f3e1503ea7 Mon Sep 17 00:00:00 2001 From: Sebastian Obregoso Date: Mon, 13 Jan 2025 12:02:29 +0100 Subject: [PATCH 2/2] pin semgrep to a working version --- poetry.lock | 9 +++++++-- pyproject.toml | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) 
diff --git a/poetry.lock b/poetry.lock index b5f3b97e..db95d041 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.0.dev0 and should not be changed by hand. [[package]] name = "attrs" 
@@ -1078,24 +1078,29 @@ files = [ {file = "matplotlib-3.9.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dd2a59ff4b83d33bca3b5ec58203cc65985367812cb8c257f3e101632be86d92"}, {file = "matplotlib-3.9.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0fc001516ffcf1a221beb51198b194d9230199d6842c540108e4ce109ac05cc0"}, {file = "matplotlib-3.9.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:83c6a792f1465d174c86d06f3ae85a8fe36e6f5964633ae8106312ec0921fdf5"}, + {file = "matplotlib-3.9.1-cp310-cp310-win_amd64.whl", hash = "sha256:421851f4f57350bcf0811edd754a708d2275533e84f52f6760b740766c6747a7"}, {file = "matplotlib-3.9.1-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:b3fce58971b465e01b5c538f9d44915640c20ec5ff31346e963c9e1cd66fa812"}, {file = "matplotlib-3.9.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a973c53ad0668c53e0ed76b27d2eeeae8799836fd0d0caaa4ecc66bf4e6676c0"}, {file = "matplotlib-3.9.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:82cd5acf8f3ef43f7532c2f230249720f5dc5dd40ecafaf1c60ac8200d46d7eb"}, {file = "matplotlib-3.9.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ab38a4f3772523179b2f772103d8030215b318fef6360cb40558f585bf3d017f"}, {file = "matplotlib-3.9.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:2315837485ca6188a4b632c5199900e28d33b481eb083663f6a44cfc8987ded3"}, + {file = "matplotlib-3.9.1-cp311-cp311-win_amd64.whl", hash = "sha256:a0c977c5c382f6696caf0bd277ef4f936da7e2aa202ff66cad5f0ac1428ee15b"}, {file = "matplotlib-3.9.1-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:565d572efea2b94f264dd86ef27919515aa6d629252a169b42ce5f570db7f37b"}, {file = "matplotlib-3.9.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:6d397fd8ccc64af2ec0af1f0efc3bacd745ebfb9d507f3f552e8adb689ed730a"}, {file = "matplotlib-3.9.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = 
"sha256:26040c8f5121cd1ad712abffcd4b5222a8aec3a0fe40bc8542c94331deb8780d"}, {file = "matplotlib-3.9.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d12cb1837cffaac087ad6b44399d5e22b78c729de3cdae4629e252067b705e2b"}, {file = "matplotlib-3.9.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:0e835c6988edc3d2d08794f73c323cc62483e13df0194719ecb0723b564e0b5c"}, + {file = "matplotlib-3.9.1-cp312-cp312-win_amd64.whl", hash = "sha256:44a21d922f78ce40435cb35b43dd7d573cf2a30138d5c4b709d19f00e3907fd7"}, {file = "matplotlib-3.9.1-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:0c584210c755ae921283d21d01f03a49ef46d1afa184134dd0f95b0202ee6f03"}, {file = "matplotlib-3.9.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:11fed08f34fa682c2b792942f8902e7aefeed400da71f9e5816bea40a7ce28fe"}, {file = "matplotlib-3.9.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0000354e32efcfd86bda75729716b92f5c2edd5b947200be9881f0a671565c33"}, {file = "matplotlib-3.9.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4db17fea0ae3aceb8e9ac69c7e3051bae0b3d083bfec932240f9bf5d0197a049"}, {file = "matplotlib-3.9.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:208cbce658b72bf6a8e675058fbbf59f67814057ae78165d8a2f87c45b48d0ff"}, + {file = "matplotlib-3.9.1-cp39-cp39-win_amd64.whl", hash = "sha256:dc23f48ab630474264276be156d0d7710ac6c5a09648ccdf49fef9200d8cbe80"}, {file = "matplotlib-3.9.1-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:3fda72d4d472e2ccd1be0e9ccb6bf0d2eaf635e7f8f51d737ed7e465ac020cb3"}, {file = "matplotlib-3.9.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:84b3ba8429935a444f1fdc80ed930babbe06725bcf09fbeb5c8757a2cd74af04"}, {file = "matplotlib-3.9.1-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b918770bf3e07845408716e5bbda17eadfc3fcbd9307dc67f37d6cf834bb3d98"}, + {file = "matplotlib-3.9.1-pp39-pypy39_pp73-win_amd64.whl", hash = 
"sha256:f1f2e5d29e9435c97ad4c36fb6668e89aee13d48c75893e25cef064675038ac9"},
 {file = "matplotlib-3.9.1.tar.gz", hash = "sha256:de06b19b8db95dd33d0dc17c926c7c9ebed9f572074b6fac4f65068a6814d010"},
 ]
@@ -2345,4 +2350,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.10,<4"
-content-hash = "c2346ec16c21697eca59d1d88cbdb60da6148d62bcf73f4187fdeb270be5e675"
+content-hash = "5eb9f8c6eeea913f137cac65f035e9b7a48272b13fa4d14fc600b750ae123ff3"
diff --git a/pyproject.toml b/pyproject.toml
index 92423c3d..9b4e9dd8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,7 +12,7 @@ guarddog = "guarddog.cli:cli"
 
 [tool.poetry.dependencies]
 python = ">=3.10,<4"
-semgrep = "^1.97.0"
+semgrep = "1.97.0"
 requests = "^2.29.0"
 python-dateutil = "^2.8.2"
 click = "^8.1.3"
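Review bot: The exact pin `semgrep = "1.97.0"` in the pyproject.toml hunk carries no comment recording why the caret range was dropped, so a routine dependency update will re-widen it and bring back whatever the commit message calls a non-working version. A one-line comment above the entry, e.g. `# exact pin: releases after 1.97.0 presumably break rule loading — TODO(owner): link the tracking issue and re-widen once fixed`, keeps the reason next to the constraint. An exact pin also freezes semgrep's own bug and security fixes, which is a reasonable trade-off only while it is tracked and revisited. If this pin and the deletion of bidirectional-characters.yml in the previous patch are workarounds for the same semgrep regression, saying so here would let the heuristic be restored when the pin is lifted; that connection is inferred from the two commits, not stated in them.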