guarddog 2.0.6__py3-none-any.whl → 2.2.0__py3-none-any.whl

guarddog/analyzer/analyzer.py

@@ -178,7 +178,7 @@ class Analyzer:
         errors: Dict[str, str] = {}
         issues = 0
 
-        rule_results = defaultdict(list)
+        rule_results: defaultdict[dict, list[dict]] = defaultdict(list)
 
         rules_path = {
             rule_name: os.path.join(SOURCECODE_RULES_PATH, f"{rule_name}.yar")
@@ -210,6 +210,17 @@ class Analyzer:
                                     "code": self.trim_code_snippet(str(i.matched_data)),
                                     'message': m.meta.get("description", f"{m.rule} rule matched")
                                 }
+
+                                # since yara can match the multiple times in the same file
+                                # leading to finding several times the same word or pattern
+                                # this dedup the matches
+                                if [
+                                    f
+                                    for f in rule_results[m.rule]
+                                    if finding["code"] == f["code"]
+                                ]:
+                                    continue
+
                                 issues += len(m.strings)
                                 rule_results[m.rule].append(finding)
         except Exception as e:
@@ -272,6 +283,7 @@ class Analyzer:
             cmd.append("--no-git-ignore")
             cmd.append("--json")
             cmd.append("--quiet")
+            cmd.append("--disable-nosem")
             cmd.append(f"--max-target-bytes={SEMGREP_MAX_TARGET_BYTES}")
             cmd.append(target)
             log.debug(f"Invoking semgrep with command line: {' '.join(cmd)}")

guarddog/analyzer/metadata/go/__init__.py

@@ -1,8 +1,13 @@
+from typing import Type
+
 from guarddog.analyzer.metadata import Detector
+from guarddog.analyzer.metadata.go.typosquatting import GoTyposquatDetector
 
 GO_METADATA_RULES = {}
 
-classes: list[Detector] = []
+classes: list[Type[Detector]] = [
+    GoTyposquatDetector,
+]
 
 for detectorClass in classes:
     detectorInstance = detectorClass()  # type: ignore

guarddog/analyzer/metadata/go/typosquatting.py

@@ -0,0 +1,118 @@
+import json
+import os
+from typing import Optional
+
+from guarddog.analyzer.metadata.typosquatting import TyposquatDetector
+from guarddog.utils.config import TOP_PACKAGES_CACHE_LOCATION
+
+
+class GoTyposquatDetector(TyposquatDetector):
+    """Detector for typosquatting attacks for go modules. Checks for distance one Levenshtein,
+    one-off character swaps, permutations around hyphens, and substrings.
+
+    Attributes:
+        popular_packages (set): set of top 500 most popular Go packages,
+          as determined by count of references across top starred repositories
+    """
+
+    def _get_top_packages(self) -> set:
+        top_packages_filename = "top_go_packages.json"
+
+        resources_dir = TOP_PACKAGES_CACHE_LOCATION
+        if resources_dir is None:
+            resources_dir = os.path.abspath(
+                os.path.join(os.path.dirname(__file__), "..", "resources")
+            )
+
+        top_packages_path = os.path.join(resources_dir, top_packages_filename)
+
+        top_packages_information = None
+
+        if top_packages_filename in os.listdir(resources_dir):
+            with open(top_packages_path, "r") as top_packages_file:
+                top_packages_information = json.load(top_packages_file)
+
+        if top_packages_information is None:
+            raise Exception(
+                f"Could not retrieve top Go packages from {top_packages_path}")
+
+        return set(top_packages_information)
+
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, Optional[str]]:
+        """
+        Uses a Go package's name to determine the
+        package is attempting a typosquatting attack
+
+        Args:
+            name (str): The name of the package,
+                also known as the import path
+
+        Returns:
+            Tuple[bool, Optional[str]]: True if package is typosquatted,
+               along with a message indicating the similar package name.
+               False if not typosquatted and None
+        """
+
+        similar_package_names = self.get_typosquatted_package(name)
+        if len(similar_package_names) > 0:
+            return True, TyposquatDetector.MESSAGE_TEMPLATE % ", ".join(
+                similar_package_names
+            )
+        return False, None
+
+    def _get_confused_forms(self, package_name) -> list:
+        """
+        Gets confused terms for Go packages
+        Confused terms are:
+            - golang to go swaps (or vice versa)
+            - the removal of go/golang terms
+            - gitlab.com to github.com swaps (or vice versa)
+
+        Args:
+            package_name (str): name of the package
+
+        Returns:
+            list: list of confused terms
+        """
+
+        confused_forms = []
+
+        if package_name.startswith("github.com/"):
+            replaced = package_name.replace("github.com/", "gitlab.com/", 1)
+            confused_forms.append(replaced)
+        elif package_name.startswith("gitlab.com/"):
+            replaced = package_name.replace("gitlab.com/", "github.com/", 1)
+            confused_forms.append(replaced)
+
+        terms = package_name.split("-")
+
+        # Detect swaps like golang-package -> go-package
+        for i in range(len(terms)):
+            confused_term = None
+
+            if "golang" in terms[i]:
+                confused_term = terms[i].replace("golang", "go")
+            elif "go" in terms[i]:
+                confused_term = terms[i].replace("go", "golang")
+            else:
+                continue
+
+            # Get form when replacing or removing go/golang term
+            replaced_form = terms[:i] + [confused_term] + terms[i + 1:]
+            removed_form = terms[:i] + terms[i + 1:]
+
+            for form in (replaced_form, removed_form):
+                confused_forms.append("-".join(form))
+
+        return confused_forms
+
+
+if __name__ == "__main__":
+    # update top_npm_packages.json
+    GoTyposquatDetector()._get_top_packages()

guarddog/analyzer/metadata/npm/typosquatting.py

@@ -78,6 +78,12 @@ class NPMTyposquatDetector(TyposquatDetector):
             )
         return False, None
 
+    def _get_confused_forms(self, package_name) -> list:
+        """ Gets confused terms for npm packages.
+        Currently, there are no confused terms for npm packages.
+        """
+        return []
+
 
 if __name__ == "__main__":
     # update top_npm_packages.json

guarddog/analyzer/metadata/pypi/typosquatting.py

@@ -91,6 +91,44 @@ class PypiTyposquatDetector(TyposquatDetector):
             return True, TyposquatDetector.MESSAGE_TEMPLATE % ", ".join(similar_package_names)
         return False, None
 
+    def _get_confused_forms(self, package_name) -> list:
+        """
+        Gets confused terms for python packages
+        Confused terms are:
+            - py to python swaps (or vice versa)
+            - the removal of py/python terms
+
+        Args:
+            package_name (str): name of the package
+
+        Returns:
+            list: list of confused terms
+        """
+
+        confused_forms = []
+
+        terms = package_name.split("-")
+
+        # Detect swaps like python-package -> py-package
+        for i in range(len(terms)):
+            confused_term = None
+
+            if "python" in terms[i]:
+                confused_term = terms[i].replace("python", "py")
+            elif "py" in terms[i]:
+                confused_term = terms[i].replace("py", "python")
+            else:
+                continue
+
+            # Get form when replacing or removing py/python term
+            replaced_form = terms[:i] + [confused_term] + terms[i + 1:]
+            removed_form = terms[:i] + terms[i + 1:]
+
+            for form in (replaced_form, removed_form):
+                confused_forms.append("-".join(form))
+
+        return confused_forms
+
 
 if __name__ == "__main__":
     # update top_pypi_packages.json