guarddog 2.5.0__py3-none-any.whl → 2.7.0__py3-none-any.whl

guarddog/analyzer/analyzer.py

@@ -13,9 +13,10 @@ from guarddog.analyzer.sourcecode import get_sourcecode_rules, SempgrepRule, Yar
 from guarddog.utils.config import YARA_EXT_EXCLUDE
 from guarddog.ecosystems import ECOSYSTEM
 
-SEMGREP_MAX_TARGET_BYTES = 10_000_000
-SOURCECODE_RULES_PATH = os.path.join(os.path.dirname(__file__), "sourcecode")
+MAX_BYTES_DEFAULT = 10_000_000
+SEMGREP_TIMEOUT_DEFAULT = 10
 
+SOURCECODE_RULES_PATH = os.path.join(os.path.dirname(__file__), "sourcecode")
 log = logging.getLogger("guarddog")
 
 
@@ -64,7 +65,14 @@ class Analyzer:
             ".semgrep_logs",
         ]
 
-    def analyze(self, path, info=None, rules=None, name: Optional[str] = None, version: Optional[str] = None) -> dict:
+    def analyze(
+        self,
+        path,
+        info=None,
+        rules=None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> dict:
         """
         Analyzes a package in the given path
 
@@ -94,8 +102,14 @@ class Analyzer:
 
         return {"issues": issues, "errors": errors, "results": results, "path": path}
 
-    def analyze_metadata(self, path: str, info, rules=None, name: Optional[str] = None,
-                         version: Optional[str] = None) -> dict:
+    def analyze_metadata(
+        self,
+        path: str,
+        info,
+        rules=None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> dict:
         """
         Analyzes the metadata of a given package
 
@@ -124,7 +138,9 @@ class Analyzer:
         for rule in all_rules:
             try:
                 log.debug(f"Running rule {rule} against package '{name}'")
-                rule_matches, message = self.metadata_detectors[rule].detect(info, path, name, version)
+                rule_matches, message = self.metadata_detectors[rule].detect(
+                    info, path, name, version
+                )
                 results[rule] = None
                 if rule_matches:
                     issues += 1
@@ -199,16 +215,21 @@ class Analyzer:
                         continue
 
                     scan_file_target_abspath = os.path.join(root, f)
-                    scan_file_target_relpath = os.path.relpath(scan_file_target_abspath, path)
+                    scan_file_target_relpath = os.path.relpath(
+                        scan_file_target_abspath, path
+                    )
 
                     matches = scan_rules.match(scan_file_target_abspath)
                     for m in matches:
+
                         for s in m.strings:
                             for i in s.instances:
                                 finding = {
                                     "location": f"{scan_file_target_relpath}:{i.offset}",
                                     "code": self.trim_code_snippet(str(i.matched_data)),
-                                    'message': m.meta.get("description", f"{m.rule} rule matched")
+                                    "message": m.meta.get(
+                                        "description", f"{m.rule} rule matched"
+                                    ),
                                 }
 
                                 # since yara can match the multiple times in the same file
@@ -251,10 +272,14 @@ class Analyzer:
         errors = {}
         issues = 0
 
-        rules_path = list(map(
-            lambda rule_name: os.path.join(SOURCECODE_RULES_PATH, f"{rule_name}.yml"),
-            all_rules
-        ))
+        rules_path = list(
+            map(
+                lambda rule_name: os.path.join(
+                    SOURCECODE_RULES_PATH, f"{rule_name}.yml"
+                ),
+                all_rules,
+            )
+        )
 
         if len(rules_path) == 0:
             log.debug("No semgrep code rules to run")
@@ -263,7 +288,9 @@ class Analyzer:
         try:
             log.debug(f"Running semgrep code rules against {path}")
             response = self._invoke_semgrep(target=path, rules=rules_path)
-            rule_results = self._format_semgrep_response(response, targetpath=targetpath)
+            rule_results = self._format_semgrep_response(
+                response, targetpath=targetpath
+            )
             issues += sum(len(res) for res in rule_results.values())
 
             results = results | rule_results
@@ -274,12 +301,19 @@ class Analyzer:
 
     def _invoke_semgrep(self, target: str, rules: Iterable[str]):
         try:
+            SEMGREP_MAX_TARGET_BYTES = int(
+                os.getenv("GUARDDOG_SEMGREP_MAX_TARGET_BYTES", MAX_BYTES_DEFAULT)
+            )
+            SEMGREP_TIMEOUT = int(
+                os.getenv("GUARDDOG_SEMGREP_TIMEOUT", SEMGREP_TIMEOUT_DEFAULT)
+            )
             cmd = ["semgrep"]
             for rule in rules:
                 cmd.extend(["--config", rule])
 
             for excluded in self.exclude:
                 cmd.append(f"--exclude='{excluded}'")
+            cmd.append(f"--timeout={SEMGREP_TIMEOUT}")
             cmd.append("--no-git-ignore")
             cmd.append("--json")
             cmd.append("--quiet")
@@ -287,7 +321,9 @@ class Analyzer:
             cmd.append(f"--max-target-bytes={SEMGREP_MAX_TARGET_BYTES}")
             cmd.append(target)
             log.debug(f"Invoking semgrep with command line: {' '.join(cmd)}")
-            result = subprocess.run(cmd, capture_output=True, check=True, encoding="utf-8")
+            result = subprocess.run(
+                cmd, capture_output=True, check=True, encoding="utf-8"
+            )
             return json.loads(str(result.stdout))
         except FileNotFoundError:
             raise Exception("unable to find semgrep binary")
@@ -302,6 +338,8 @@ output: {e.output}
             raise Exception(error_message)
         except json.JSONDecodeError as e:
             raise Exception("unable to parse semgrep JSON output: " + str(e))
+        except ValueError as e:
+            raise Exception("Invalid environment variable value: " + str(e))
 
     def _format_semgrep_response(self, response, rule=None, targetpath=None):
         """
@@ -348,9 +386,9 @@ output: {e.output}
             location = file_path + ":" + str(start_line)
 
             finding = {
-                'location': location,
-                'code': code,
-                'message': result["extra"]["message"]
+                "location": location,
+                "code": code,
+                "message": result["extra"]["message"],
             }
 
             rule_results = results[rule_name]
@@ -374,7 +412,7 @@ output: {e.output}
         """
         snippet = []
         try:
-            with open(file_path, 'r') as file:
+            with open(file_path, "r") as file:
                 for current_line_number, line in enumerate(file, start=1):
                     if start_line <= current_line_number <= end_line:
                         snippet.append(line)
@@ -385,12 +423,12 @@ output: {e.output}
         except Exception as e:
             log.error(f"Error reading file {file_path}: {str(e)}")
 
-        return ''.join(snippet)
+        return "".join(snippet)
 
     # Makes sure the matching code to be displayed isn't too long
     def trim_code_snippet(self, code):
         THRESHOLD = 250
         if len(code) > THRESHOLD:
-            return code[: THRESHOLD - 10] + '...' + code[len(code) - 10:]
+            return code[: THRESHOLD - 10] + "..." + code[len(code) - 10 :]
         else:
             return code

guarddog/analyzer/metadata/__init__.py

@@ -16,3 +16,5 @@ def get_metadata_detectors(ecosystem: ECOSYSTEM) -> dict[str, Detector]:
             return GO_METADATA_RULES
         case ECOSYSTEM.GITHUB_ACTION:
             return GITHUB_ACTION_METADATA_RULES
+        case ECOSYSTEM.EXTENSION:
+            return {}  # No metadata detectors for extensions currently

guarddog/analyzer/metadata/bundled_binary.py

@@ -15,10 +15,10 @@ class BundledBinary(Detector):
     # magic bytes are the first few bytes of a file that can be used to identify the file type
     # regardless of their extension
     magic_bytes = {
-        "exe": b"\x4D\x5A",
-        "elf": b"\x7F\x45\x4C\x46",
-        "macho32": b"\xFE\xED\xFA\xCE",
-        "macho64": b"\xFE\xED\xFA\xCF",
+        "exe": b"\x4d\x5a",
+        "elf": b"\x7f\x45\x4c\x46",
+        "macho32": b"\xfe\xed\xfa\xce",
+        "macho64": b"\xfe\xed\xfa\xcf",
     }
 
     def __init__(self):
@@ -40,7 +40,7 @@ class BundledBinary(Detector):
         def sha256(file: str) -> str:
             with open(file, "rb") as f:
                 hasher = hashlib.sha256()
-                while (chunk := f.read(4096)):
+                while chunk := f.read(4096):
                     hasher.update(chunk)
                 return hasher.hexdigest()
 
@@ -65,7 +65,7 @@ class BundledBinary(Detector):
         if not bin_files:
             return False, ""
 
-        output_lines = '\n'.join(
+        output_lines = "\n".join(
             f"{digest}: {', '.join(files)}" for digest, files in bin_files.items()
         )
         return True, f"Binary file/s detected in package:\n{output_lines}"

guarddog/analyzer/metadata/deceptive_author.py

@@ -41,7 +41,9 @@ class DeceptiveAuthorDetector(Detector):
         # read internal maintained list of placeholder email domains
         # this domains are usually used by authors who want to don't want to reveal their real email
         placeholder_email_domains_data = None
-        with open(placeholder_email_domains_path, "r") as placeholder_email_domains_file:
+        with open(
+            placeholder_email_domains_path, "r"
+        ) as placeholder_email_domains_file:
             placeholder_email_domains_data = set(
                 placeholder_email_domains_file.read().split("\n")
             )

guarddog/analyzer/metadata/detector.py

@@ -11,8 +11,13 @@ class Detector:
 
     # returns (ruleMatches, message)
     @abstractmethod
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, Optional[str]]:
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, Optional[str]]:
         pass  # pragma: no cover
 
     def get_name(self) -> str:

guarddog/analyzer/metadata/empty_information.py

@@ -15,12 +15,17 @@ class EmptyInfoDetector(Detector):
     def __init__(self):
         super().__init__(
             name="empty_information",
-            description="Identify packages with an empty description field"
+            description="Identify packages with an empty description field",
         )
 
     @abstractmethod
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
         """
         Uses a package's information from PyPI's JSON API to determine
         if the package has an empty description

guarddog/analyzer/metadata/go/typosquatting.py

@@ -34,7 +34,8 @@ class GoTyposquatDetector(TyposquatDetector):
 
         if top_packages_information is None:
             raise Exception(
-                f"Could not retrieve top Go packages from {top_packages_path}")
+                f"Could not retrieve top Go packages from {top_packages_path}"
+            )
 
         return set(top_packages_information)
 
@@ -104,8 +105,8 @@ class GoTyposquatDetector(TyposquatDetector):
                 continue
 
             # Get form when replacing or removing go/golang term
-            replaced_form = terms[:i] + [confused_term] + terms[i + 1:]
-            removed_form = terms[:i] + terms[i + 1:]
+            replaced_form = terms[:i] + [confused_term] + terms[i + 1 :]
+            removed_form = terms[:i] + terms[i + 1 :]
 
             for form in (replaced_form, removed_form):
                 confused_forms.append("-".join(form))

guarddog/analyzer/metadata/npm/bundled_binary.py

@@ -3,6 +3,11 @@ from typing import Optional
 
 
 class NPMBundledBinary(BundledBinary):
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
         return super().detect(package_info, path, name, version)

guarddog/analyzer/metadata/npm/deceptive_author.py

@@ -1,4 +1,4 @@
-""" Deceptive Author Detector
+"""Deceptive Author Detector
 
 Detects when an author of is using a disposable email
 """

guarddog/analyzer/metadata/npm/direct_url_dependency.py

@@ -1,7 +1,8 @@
-""" Direct URL Dependency Detector
+"""Direct URL Dependency Detector
 
 Detects if a package depends on direct URL dependencies
 """
+
 from typing import Optional
 import re
 

guarddog/analyzer/metadata/npm/empty_information.py

@@ -1,7 +1,8 @@
-""" Empty Information Detector
+"""Empty Information Detector
 
 Detects if a package contains an empty description
 """
+
 import os.path
 from typing import Optional
 
@@ -12,13 +13,15 @@ MESSAGE = "This package has an empty description on PyPi"
 
 class NPMEmptyInfoDetector(EmptyInfoDetector):
 
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
         if path is None:
             raise TypeError("path must be a string")
         package_path = os.path.join(path, "package")
-        content = map(
-            lambda x: x.lower(),
-            os.listdir(package_path)
-        )
+        content = map(lambda x: x.lower(), os.listdir(package_path))
         return "readme.md" not in content, EmptyInfoDetector.MESSAGE_TEMPLATE % "npm"

guarddog/analyzer/metadata/npm/potentially_compromised_email_domain.py

@@ -1,4 +1,4 @@
-""" Compromised Email Detector
+"""Compromised Email Detector
 
 Detects if a maintainer's email domain might have been compromised.
 """
@@ -8,8 +8,9 @@ from typing import Optional
 
 from dateutil import parser
 
-from guarddog.analyzer.metadata.potentially_compromised_email_domain import \
-    PotentiallyCompromisedEmailDomainDetector
+from guarddog.analyzer.metadata.potentially_compromised_email_domain import (
+    PotentiallyCompromisedEmailDomainDetector,
+)
 
 from .utils import NPM_API_MAINTAINER_EMAIL_WARNING, get_email_addresses
 

guarddog/analyzer/metadata/npm/release_zero.py

@@ -1,7 +1,8 @@
-""" Empty Information Detector
+"""Empty Information Detector
 
 Detects when a package has its latest release version to 0.0.0
 """
+
 from typing import Optional
 
 from guarddog.analyzer.metadata.release_zero import ReleaseZeroDetector
@@ -9,7 +10,14 @@ from guarddog.analyzer.metadata.release_zero import ReleaseZeroDetector
 
 class NPMReleaseZeroDetector(ReleaseZeroDetector):
 
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
-        return package_info["dist-tags"]["latest"] in ["0.0.0", "0.0", "0"], \
-            ReleaseZeroDetector.MESSAGE_TEMPLATE % package_info["dist-tags"]["latest"]
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
+        return (
+            package_info["dist-tags"]["latest"] in ["0.0.0", "0.0", "0"],
+            ReleaseZeroDetector.MESSAGE_TEMPLATE % package_info["dist-tags"]["latest"],
+        )

guarddog/analyzer/metadata/npm/typosquatting.py

@@ -79,7 +79,7 @@ class NPMTyposquatDetector(TyposquatDetector):
         return False, None
 
     def _get_confused_forms(self, package_name) -> list:
-        """ Gets confused terms for npm packages.
+        """Gets confused terms for npm packages.
         Currently, there are no confused terms for npm packages.
         """
         return []

guarddog/analyzer/metadata/npm/unclaimed_maintainer_email_domain.py

@@ -1,7 +1,8 @@
 from typing import Optional
 
-from guarddog.analyzer.metadata.unclaimed_maintainer_email_domain import \
-    UnclaimedMaintainerEmailDomainDetector
+from guarddog.analyzer.metadata.unclaimed_maintainer_email_domain import (
+    UnclaimedMaintainerEmailDomainDetector,
+)
 
 from .utils import NPM_API_MAINTAINER_EMAIL_WARNING, get_email_addresses
 

guarddog/analyzer/metadata/npm/utils.py

@@ -6,8 +6,7 @@ NPM_API_MAINTAINER_EMAIL_WARNING = (
 
 
 def get_email_addresses(package_info: dict) -> set[str]:
-    return {
-        m["email"]
-        for m in package_info.get("maintainers", [])
-        if "email" in m
-    } - {None, ""}
+    return {m["email"] for m in package_info.get("maintainers", []) if "email" in m} - {
+        None,
+        "",
+    }

guarddog/analyzer/metadata/potentially_compromised_email_domain.py

@@ -60,10 +60,14 @@ class PotentiallyCompromisedEmailDomainDetector(Detector):
                 has_issues = True
 
                 messages.append(
-                    f"The domain name of the maintainer's email address ({email}) was"" re-registered after"
-                    " the latest release of this ""package. This can be an indicator that this is a"
-                    " custom domain that expired, and was leveraged by"" an attacker to compromise the"
-                    f" package owner's {self.ecosystem}"" account."
+                    f"The domain name of the maintainer's email address ({email}) was"
+                    " re-registered after"
+                    " the latest release of this "
+                    "package. This can be an indicator that this is a"
+                    " custom domain that expired, and was leveraged by"
+                    " an attacker to compromise the"
+                    f" package owner's {self.ecosystem}"
+                    " account."
                 )
 
         return has_issues, "\n".join(messages)

guarddog/analyzer/metadata/pypi/__init__.py

@@ -1,11 +1,17 @@
 from guarddog.analyzer.metadata.pypi.empty_information import PypiEmptyInfoDetector
-from guarddog.analyzer.metadata.pypi.potentially_compromised_email_domain import \
-    PypiPotentiallyCompromisedEmailDomainDetector
-from guarddog.analyzer.metadata.pypi.unclaimed_maintainer_email_domain import \
-    PypiUnclaimedMaintainerEmailDomainDetector
+from guarddog.analyzer.metadata.pypi.potentially_compromised_email_domain import (
+    PypiPotentiallyCompromisedEmailDomainDetector,
+)
+from guarddog.analyzer.metadata.pypi.unclaimed_maintainer_email_domain import (
+    PypiUnclaimedMaintainerEmailDomainDetector,
+)
 from guarddog.analyzer.metadata.pypi.release_zero import PypiReleaseZeroDetector
-from guarddog.analyzer.metadata.pypi.repository_integrity_mismatch import PypiIntegrityMismatchDetector
-from guarddog.analyzer.metadata.pypi.single_python_file import PypiSinglePythonFileDetector
+from guarddog.analyzer.metadata.pypi.repository_integrity_mismatch import (
+    PypiIntegrityMismatchDetector,
+)
+from guarddog.analyzer.metadata.pypi.single_python_file import (
+    PypiSinglePythonFileDetector,
+)
 from guarddog.analyzer.metadata.pypi.typosquatting import PypiTyposquatDetector
 from guarddog.analyzer.metadata.pypi.bundled_binary import PypiBundledBinary
 from guarddog.analyzer.metadata.pypi.deceptive_author import PypiDeceptiveAuthor

guarddog/analyzer/metadata/pypi/bundled_binary.py

@@ -3,6 +3,11 @@ from typing import Optional
 
 
 class PypiBundledBinary(BundledBinary):
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
         return super().detect(package_info, path, name, version)

guarddog/analyzer/metadata/pypi/deceptive_author.py

@@ -1,4 +1,4 @@
-""" Deceptive Author Detector
+"""Deceptive Author Detector
 
 Detects when an author of is using a disposable email
 """

guarddog/analyzer/metadata/pypi/empty_information.py

@@ -1,7 +1,8 @@
-""" Empty Information Detector
+"""Empty Information Detector
 
 Detects if a package contains an empty description
 """
+
 import logging
 from typing import Optional
 
@@ -13,7 +14,17 @@ log = logging.getLogger("guarddog")
 
 
 class PypiEmptyInfoDetector(EmptyInfoDetector):
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
-        log.debug(f"Running PyPI empty description heuristic on package {name} version {version}")
-        return len(package_info["info"]["description"].strip()) == 0, EmptyInfoDetector.MESSAGE_TEMPLATE % "PyPI"
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
+        log.debug(
+            f"Running PyPI empty description heuristic on package {name} version {version}"
+        )
+        return (
+            len(package_info["info"]["description"].strip()) == 0,
+            EmptyInfoDetector.MESSAGE_TEMPLATE % "PyPI",
+        )

guarddog/analyzer/metadata/pypi/potentially_compromised_email_domain.py

@@ -1,4 +1,4 @@
-""" Compromised Email Detector
+"""Compromised Email Detector
 
 Detects if a maintainer's email domain might have been compromised.
 """
@@ -9,8 +9,9 @@ from typing import Optional
 from dateutil import parser
 from packaging import version
 
-from guarddog.analyzer.metadata.potentially_compromised_email_domain import \
-    PotentiallyCompromisedEmailDomainDetector
+from guarddog.analyzer.metadata.potentially_compromised_email_domain import (
+    PotentiallyCompromisedEmailDomainDetector,
+)
 
 from .utils import get_email_addresses
 

guarddog/analyzer/metadata/pypi/release_zero.py

@@ -1,7 +1,8 @@
-""" Empty Information Detector
+"""Empty Information Detector
 
 Detects when a package has its latest release version to 0.0.0
 """
+
 import logging
 from typing import Optional
 
@@ -12,8 +13,17 @@ log = logging.getLogger("guarddog")
 
 class PypiReleaseZeroDetector(ReleaseZeroDetector):
 
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
-        log.debug(f"Running zero version heuristic on PyPI package {name} version {version}")
-        return (package_info["info"]["version"] in ["0.0.0", "0.0"],
-                ReleaseZeroDetector.MESSAGE_TEMPLATE % package_info["info"]["version"])
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
+        log.debug(
+            f"Running zero version heuristic on PyPI package {name} version {version}"
+        )
+        return (
+            package_info["info"]["version"] in ["0.0.0", "0.0"],
+            ReleaseZeroDetector.MESSAGE_TEMPLATE % package_info["info"]["version"],
+        )