guarddog 2.6.0__py3-none-any.whl → 2.7.1__py3-none-any.whl

guarddog/analyzer/metadata/typosquatting.py

@@ -5,14 +5,16 @@ from guarddog.analyzer.metadata.detector import Detector
 
 
 class TyposquatDetector(Detector):
-    MESSAGE_TEMPLATE = "This package closely resembles the following package names, and might be a typosquatting " \
-                       "attempt: %s"
+    MESSAGE_TEMPLATE = (
+        "This package closely resembles the following package names, and might be a typosquatting "
+        "attempt: %s"
+    )
 
     def __init__(self) -> None:
         self.popular_packages = self._get_top_packages()  # Find top PyPI packages
         super().__init__(
             name="typosquatting",
-            description="Identify packages that are named closely to an highly popular package"
+            description="Identify packages that are named closely to an highly popular package",
         )
 
     @abc.abstractmethod
@@ -37,19 +39,19 @@ class TyposquatDetector(Detector):
         # Addition to name2
         if len(name1) > len(name2):
             for i in range(len(name1)):
-                if name1[:i] + name1[i + 1:] == name2:
+                if name1[:i] + name1[i + 1 :] == name2:
                     return True
 
         # Addition to name1
         elif len(name2) > len(name1):
             for i in range(len(name2)):
-                if name2[:i] + name2[i + 1:] == name1:
+                if name2[:i] + name2[i + 1 :] == name1:
                     return True
 
         # Edit character
         else:
             for i in range(len(name1)):
-                if name1[:i] + name1[i + 1:] == name2[:i] + name2[i + 1:]:
+                if name1[:i] + name1[i + 1 :] == name2[:i] + name2[i + 1 :]:
                     return True
 
         return False
@@ -68,7 +70,7 @@ class TyposquatDetector(Detector):
 
         if len(name1) == len(name2):
             for i in range(len(name1) - 1):
-                swapped_name1 = name1[:i] + name1[i + 1] + name1[i] + name1[i + 2:]
+                swapped_name1 = name1[:i] + name1[i + 1] + name1[i] + name1[i + 2 :]
                 if swapped_name1 == name2:
                     return True
 
@@ -106,7 +108,9 @@ class TyposquatDetector(Detector):
             bool: True
         """
 
-        return self._is_distance_one_Levenshtein(package1, package2) or self._is_swapped_typo(package1, package2)
+        return self._is_distance_one_Levenshtein(
+            package1, package2
+        ) or self._is_swapped_typo(package1, package2)
 
     @abc.abstractmethod
     def _get_confused_forms(self, package_name) -> list:

guarddog/analyzer/metadata/unclaimed_maintainer_email_domain.py

@@ -20,8 +20,13 @@ class UnclaimedMaintainerEmailDomainDetector(Detector):
         )
         self.ecosystem = ecosystem
 
-    def detect(self, package_info, path: Optional[str] = None, name: Optional[str] = None,
-               version: Optional[str] = None) -> tuple[bool, str]:
+    def detect(
+        self,
+        package_info,
+        path: Optional[str] = None,
+        name: Optional[str] = None,
+        version: Optional[str] = None,
+    ) -> tuple[bool, str]:
         """
         Uses a package's information to determine
         if the maintainer's email domain is unclaimed and thus exposed to hijacking

guarddog/analyzer/metadata/utils.py

@@ -26,7 +26,7 @@ def get_domain_creation_date(domain) -> tuple[Optional[datetime], bool]:
 
     try:
         domain_information = whois.whois(domain)
-    except whois.parser.PywhoisError as e:
+    except whois.exceptions.PywhoisError as e:
         # The domain doesn't exist at all, if that's the case we consider it vulnerable
         # since someone could register it
         return None, (not str(e).lower().startswith("no match for"))

guarddog/analyzer/sourcecode/__init__.py

@@ -11,17 +11,23 @@ from guarddog.ecosystems import ECOSYSTEM
 
 current_dir = pathlib.Path(__file__).parent.resolve()
 
+EXTENSION_YARA_PREFIX = "extension_"
 
 # These data class aim to reduce the spreading of the logic
-# Instead of using the a dict as a structure and parse it difffently depending on the type
+# Instead of using the a dict as a structure and parse it difffently
+# depending on the type
+
+
 @dataclass
 class SourceCodeRule:
     """
     Base class for source code rules
     """
+
     id: str
     file: str
     description: str
+    ecosystem: Optional[ECOSYSTEM]  # None means "any ecosystem"
 
 
 @dataclass
@@ -29,6 +35,7 @@ class YaraRule(SourceCodeRule):
     """
     Yara rule just reimplements base
     """
+
     pass
 
 
@@ -38,7 +45,7 @@ class SempgrepRule(SourceCodeRule):
     Semgrep rule are language specific
     Content of rule in yaml format is accessible through rule_content
     """
-    ecosystem: ECOSYSTEM
+
     rule_content: dict
 
 
@@ -54,7 +61,8 @@ def get_sourcecode_rules(
     for rule in SOURCECODE_RULES:
         if kind and not isinstance(rule, kind):
             continue
-        if not (getattr(rule, "ecosystem", ecosystem) == ecosystem):
+        # Include rules that match the specific ecosystem OR rules that apply to any ecosystem (None)
+        if rule.ecosystem is not None and rule.ecosystem != ecosystem:
             continue
         yield rule
 
@@ -78,13 +86,15 @@ for file_name in semgrep_rule_file_names:
                     case "javascript" | "typescript" | "json":
                         ecosystems.add(ECOSYSTEM.NPM)
                         ecosystems.add(ECOSYSTEM.GITHUB_ACTION)
+                        ecosystems.add(ECOSYSTEM.EXTENSION)
                     case "go":
                         ecosystems.add(ECOSYSTEM.GO)
                     case _:
                         continue
 
                 for ecosystem in ecosystems:
-                    # avoids duplicates when multiple languages are supported by a rule
+                    # avoids duplicates when multiple languages are supported
+                    # by a rule
                     if not next(
                         filter(
                             lambda r: r.id == rule["id"],
@@ -96,7 +106,9 @@ for file_name in semgrep_rule_file_names:
                             SempgrepRule(
                                 id=rule["id"],
                                 ecosystem=ecosystem,
-                                description=rule.get("metadata", {}).get("description", ""),
+                                description=rule.get("metadata", {}).get(
+                                    "description", ""
+                                ),
                                 file=file_name,
                                 rule_content=rule,
                             )
@@ -109,11 +121,26 @@ yara_rule_file_names = list(
 # refer to README.md for more information
 for file_name in yara_rule_file_names:
     rule_id = pathlib.Path(file_name).stem
-    description_regex = fr'\s*rule\s+{rule_id}[^}}]+meta:[^}}]+description\s*=\s*\"(.+?)\"'
+    description_regex = (
+        rf"\s*rule\s+{rule_id}[^}}]+meta:[^}}]+description\s*=\s*\"(.+?)\""
+    )
+
+    # Determine ecosystem based on filename prefix
+    rule_ecosystem: Optional[ECOSYSTEM] = (
+        ECOSYSTEM.EXTENSION if file_name.startswith(EXTENSION_YARA_PREFIX) else None
+    )
 
     with open(os.path.join(current_dir, file_name), "r") as fd:
         match = re.search(description_regex, fd.read())
         rule_description = ""
         if match:
             rule_description = match.group(1)
-        SOURCECODE_RULES.append(YaraRule(id=rule_id, file=file_name, description=rule_description))
+
+        SOURCECODE_RULES.append(
+            YaraRule(
+                id=rule_id,
+                file=file_name,
+                description=rule_description,
+                ecosystem=rule_ecosystem,
+            )
+        )

guarddog/analyzer/sourcecode/api-obfuscation.yml

@@ -0,0 +1,42 @@
+rules:
+    - id: api-obfuscation
+      languages:
+        - python
+      message: This package uses obfuscated API calls that may evade static analysis detection
+      metadata:
+        description: Identify obfuscated API calls using alternative Python syntax patterns
+      severity: WARNING
+      patterns:
+        - pattern-either:
+          # Covered cases:
+          # 1) __dict__ access patterns: $MODULE.__dict__[$METHOD](...) / .__call__(...)
+          # 2) __getattribute__ patterns: $MODULE.__getattribute__($METHOD)(...) / .__call__(...)
+          # 3) getattr patterns: getattr($MODULE, $METHOD)(...) / .__call__(...)
+          # It also covers the case where $MODULE is imported as __import__('mod')
+          - patterns:
+              - pattern-either:
+                  - pattern: $MODULE.__dict__[$METHOD]($...ARGS)
+                  - pattern: $MODULE.__dict__[$METHOD].__call__($...ARGS)
+                  - pattern: $MODULE.__getattribute__($METHOD)($...ARGS)
+                  - pattern: $MODULE.__getattribute__($METHOD).__call__($...ARGS)
+                  - pattern: getattr($MODULE, $METHOD)($...ARGS)
+                  - pattern: getattr($MODULE, $METHOD).__call__($...ARGS)
+              - metavariable-regex:
+                  metavariable: $MODULE
+                  regex: "^[A-Za-z_][A-Za-z0-9_\\.]*$|^__import__\\([\"'][A-Za-z_][A-Za-z0-9_]*[\"']\\)$"
+              - metavariable-regex:
+                  metavariable: $METHOD
+                  regex: "^[\"'][A-Za-z_][A-Za-z0-9_]*[\"']$"
+
+          # --- Additional Cases: __import__('mod').method(...) / .__call__(...)
+          - patterns:
+              - pattern-either:
+                  - pattern: __import__($MODULE).$METHOD($...ARGS)
+                  - pattern: __import__($MODULE).$METHOD.__call__($...ARGS)
+              - metavariable-regex:
+                  metavariable: $MODULE
+                  regex: "^[\"'][A-Za-z_][A-Za-z0-9_]*[\"']$"
+              - metavariable-regex:
+                  metavariable: $METHOD
+                  # avoid matching __getattribute__
+                  regex: "[^(__getattribute__)][A-Za-z_][A-Za-z0-9_]*"

guarddog/analyzer/sourcecode/code-execution.yml

@@ -123,6 +123,7 @@ rules:
       include:
         - "*/setup.py"
         - "*/code-execution.py"
+        - "*/__init__.py"
     severity: WARNING
 
 

guarddog/analyzer/sourcecode/dll-hijacking.yml

@@ -55,8 +55,13 @@ rules:
       # dll injection
       - pattern-either:
         - pattern: ....WriteProcessMemory
+        - pattern: getattr(..., "WriteProcessMemory")
         - pattern: ....CreateRemoteThread
+        - pattern: getattr(..., "CreateRemoteThread")
         - pattern: ....LoadLibraryA
+        - pattern: getattr(..., "LoadLibraryA")
+        - pattern: ....CDLL
+        - pattern: getattr(..., "CDLL")
 
       # phantom dll
       - patterns:

guarddog/analyzer/sourcecode/shady-links.yml

@@ -43,7 +43,7 @@ rules:
             - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(files\.catbox\.moe)\b)
 
             # top-level domains
-            - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\/)
+            - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\b)
             # IPv4
             - pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
             # IPv6

guarddog/analyzer/sourcecode/suspicious_passwd_access_linux.yar

@@ -0,0 +1,12 @@
+rule suspicious_passwd_access_linux
+{
+    meta:
+        author = "T HAMDOUNI, Datadog"
+        description = "Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting"
+
+    strings:
+        $cli = /(cat|less|more|head|tail)\s+.{0,100}\/etc\/passwd/ nocase
+        $read = /(readFile|readFileSync)\(\s*['"]\/etc\/passwd/ nocase
+    condition:
+        $cli or $read
+}

guarddog/analyzer/sourcecode/unicode.yml

@@ -0,0 +1,75 @@
+# Ignores string contents to reduce false positives!
+
+rules:
+  - id: unicode
+    message:
+      This package uses uncommon unicode characters in its code, it may try to
+      avoid detection.
+    metadata:
+      description: Identify suspicious unicode characters
+    languages:
+      - python
+    severity: WARNING
+    patterns:
+      # ignore comments
+      - pattern-not-regex: \#(.*)$
+
+      # ignore strings
+      - pattern-not-regex: (["'].*?["'])
+      - pattern-not-regex: ("""(.|\n)*?""")
+      - pattern-not-regex: ('''(.|\n)*?''')
+
+      - pattern-either:
+          - pattern-regex: ([ªᵃₐⓐａ𝐚𝑎𝒂𝒶𝓪𝔞𝕒𝖆𝖺𝗮𝘢𝙖𝚊])
+          - pattern-regex: ([ᵇⓑｂ𝐛𝑏𝒃𝒷𝓫𝔟𝕓𝖇𝖻𝗯𝘣𝙗𝚋])
+          - pattern-regex: ([ᶜⅽⓒｃ𝐜𝑐𝒄𝒸𝓬𝔠𝕔𝖈𝖼𝗰𝘤𝙘𝚌])
+          - pattern-regex: ([ᵈⅆⅾⓓｄ𝐝𝑑𝒅𝒹𝓭𝔡𝕕𝖉𝖽𝗱𝘥𝙙𝚍])
+          - pattern-regex: ([ᵉₑℯⅇⓔｅ𝐞𝑒𝒆𝓮𝔢𝕖𝖊𝖾𝗲𝘦𝙚𝚎])
+          - pattern-regex: ([ᶠⓕｆ𝐟𝑓𝒇𝒻𝓯𝔣𝕗𝖋𝖿𝗳𝘧𝙛𝚏])
+          - pattern-regex: ([ᵍℊⓖｇ𝐠𝑔𝒈𝓰𝔤𝕘𝖌𝗀𝗴𝘨𝙜𝚐])
+          - pattern-regex: ([ʰₕℎⓗｈ𝐡𝒉𝒽𝓱𝔥𝕙𝖍𝗁𝗵𝘩𝙝𝚑])
+          - pattern-regex: ([ᵢⁱℹⅈⅰⓘｉ𝐢𝑖𝒊𝒾𝓲𝔦𝕚𝖎𝗂𝗶𝘪𝙞𝚒])
+          - pattern-regex: ([ʲⅉⓙⱼｊ𝐣𝑗𝒋𝒿𝓳𝔧𝕛𝖏𝗃𝗷𝘫𝙟𝚓])
+          - pattern-regex: ([ᵏₖⓚｋ𝐤𝑘𝒌𝓀𝓴𝔨𝕜𝖐𝗄𝗸𝘬𝙠𝚔])
+          - pattern-regex: ([ˡₗℓⅼⓛｌ𝐥𝑙𝒍𝓁𝓵𝔩𝕝𝖑𝗅𝗹𝘭𝙡𝚕])
+          - pattern-regex: ([ᵐₘⅿⓜｍ𝐦𝑚𝒎𝓂𝓶𝔪𝕞𝖒𝗆𝗺𝘮𝙢𝚖])
+          - pattern-regex: ([ⁿₙⓝｎ𝐧𝑛𝒏𝓃𝓷𝔫𝕟𝖓𝗇𝗻𝘯𝙣𝚗])
+          - pattern-regex: ([ºᵒₒℴⓞｏ𝐨𝑜𝒐𝓸𝔬𝕠𝖔𝗈𝗼𝘰𝙤𝚘])
+          - pattern-regex: ([ᵖₚⓟｐ𝐩𝑝𝒑𝓅𝓹𝔭𝕡𝖕𝗉𝗽𝘱𝙥𝚙])
+          - pattern-regex: ([ⓠｑ𐞥𝐪𝑞𝒒𝓆𝓺𝔮𝕢𝖖𝗊𝗾𝘲𝙦𝚚])
+          - pattern-regex: ([ʳᵣⓡｒ𝐫𝑟𝒓𝓇𝓻𝔯𝕣𝖗𝗋𝗿𝘳𝙧𝚛])
+          - pattern-regex: ([ſˢₛⓢｓ𝐬𝑠𝒔𝓈𝓼𝔰𝕤𝖘𝗌𝘀𝘴𝙨𝚜])
+          - pattern-regex: ([ᵗₜⓣｔ𝐭𝑡𝒕𝓉𝓽𝔱𝕥𝖙𝗍𝘁𝘵𝙩𝚝])
+          - pattern-regex: ([ᵘᵤⓤｕ𝐮𝑢𝒖𝓊𝓾𝔲𝕦𝖚𝗎𝘂𝘶𝙪𝚞])
+          - pattern-regex: ([ᵛᵥⅴⓥｖ𝐯𝑣𝒗𝓋𝓿𝔳𝕧𝖛𝗏𝘃𝘷𝙫𝚟])
+          - pattern-regex: ([ʷⓦｗ𝐰𝑤𝒘𝓌𝔀𝔴𝕨𝖜𝗐𝘄𝘸𝙬𝚠])
+          - pattern-regex: ([ˣₓⅹⓧｘ𝐱𝑥𝒙𝓍𝔁𝔵𝕩𝖝𝗑𝘅𝘹𝙭𝚡])
+          - pattern-regex: ([ʸⓨｙ𝐲𝑦𝒚𝓎𝔂𝔶𝕪𝖞𝗒𝘆𝘺𝙮𝚢])
+          - pattern-regex: ([ᶻⓩｚ𝐳𝑧𝒛𝓏𝔃𝔷𝕫𝖟𝗓𝘇𝘻𝙯𝚣])
+
+          - pattern-regex: ([ᴬⒶＡ𝐀𝐴𝑨𝒜𝓐𝔄𝔸𝕬𝖠𝗔𝘈𝘼𝙰🄰])
+          - pattern-regex: ([ᴮℬⒷＢ𝐁𝐵𝑩𝓑𝔅𝔹𝕭𝖡𝗕𝘉𝘽𝙱🄱])
+          - pattern-regex: ([ℂℭⅭⒸꟲＣ𝐂𝐶𝑪𝒞𝓒𝕮𝖢𝗖𝘊𝘾𝙲🄫🄲])
+          - pattern-regex: ([ᴰⅅⅮⒹＤ𝐃𝐷𝑫𝒟𝓓𝔇𝔻𝕯𝖣𝗗𝘋𝘿𝙳🄳])
+          - pattern-regex: ([ᴱℰⒺＥ𝐄𝐸𝑬𝓔𝔈𝔼𝕰𝖤𝗘𝘌𝙀𝙴🄴])
+          - pattern-regex: ([ℱⒻꟳＦ𝐅𝐹𝑭𝓕𝔉𝔽𝕱𝖥𝗙𝘍𝙁𝙵🄵])
+          - pattern-regex: ([ᴳⒼＧ𝐆𝐺𝑮𝒢𝓖𝔊𝔾𝕲𝖦𝗚𝘎𝙂𝙶🄶])
+          - pattern-regex: ([ᴴℋℌℍⒽＨ𝐇𝐻𝑯𝓗𝕳𝖧𝗛𝘏𝙃𝙷🄷])
+          - pattern-regex: ([ᴵℐℑⅠⒾＩ𝐈𝐼𝑰𝓘𝕀𝕴𝖨𝗜𝘐𝙄𝙸🄸])
+          - pattern-regex: ([ᴶⒿＪ𝐉𝐽𝑱𝒥𝓙𝔍𝕁𝕵𝖩𝗝𝘑𝙅𝙹🄹])
+          - pattern-regex: ([ᴷKⓀＫ𝐊𝐾𝑲𝒦𝓚𝔎𝕂𝕶𝖪𝗞𝘒𝙆𝙺🄺])
+          - pattern-regex: ([ᴸℒⅬⓁＬ𝐋𝐿𝑳𝓛𝔏𝕃𝕷𝖫𝗟𝘓𝙇𝙻🄻])
+          - pattern-regex: ([ᴹℳⅯⓂＭ𝐌𝑀𝑴𝓜𝔐𝕄𝕸𝖬𝗠𝘔𝙈𝙼🄼])
+          - pattern-regex: ([ᴺℕⓃＮ𝐍𝑁𝑵𝒩𝓝𝔑𝕹𝖭𝗡𝘕𝙉𝙽🄽])
+          - pattern-regex: ([ᴼⓄＯ𝐎𝑂𝑶𝒪𝓞𝔒𝕆𝕺𝖮𝗢𝘖𝙊𝙾🄾])
+          - pattern-regex: ([ᴾℙⓅＰ𝐏𝑃𝑷𝒫𝓟𝔓𝕻𝖯𝗣𝘗𝙋𝙿🄿])
+          - pattern-regex: ([ℚⓆꟴＱ𝐐𝑄𝑸𝒬𝓠𝔔𝕼𝖰𝗤𝘘𝙌𝚀🅀])
+          - pattern-regex: ([ᴿℛℜℝⓇＲ𝐑𝑅𝑹𝓡𝕽𝖱𝗥𝘙𝙍𝚁🄬🅁])
+          - pattern-regex: ([ⓈＳ𝐒𝑆𝑺𝒮𝓢𝔖𝕊𝕾𝖲𝗦𝘚𝙎𝚂🅂])
+          - pattern-regex: ([ᵀⓉＴ𝐓𝑇𝑻𝒯𝓣𝔗𝕋𝕿𝖳𝗧𝘛𝙏𝚃🅃])
+          - pattern-regex: ([ᵁⓊＵ𝐔𝑈𝑼𝒰𝓤𝔘𝕌𝖀𝖴𝗨𝘜𝙐𝚄🅄])
+          - pattern-regex: ([ⅤⓋⱽＶ𝐕𝑉𝑽𝒱𝓥𝔙𝕍𝖁𝖵𝗩𝘝𝙑𝚅🅅])
+          - pattern-regex: ([ᵂⓌＷ𝐖𝑊𝑾𝒲𝓦𝔚𝕎𝖂𝖶𝗪𝘞𝙒𝚆🅆])
+          - pattern-regex: ([ⅩⓍＸ𝐗𝑋𝑿𝒳𝓧𝔛𝕏𝖃𝖷𝗫𝘟𝙓𝚇🅇])
+          - pattern-regex: ([ⓎＹ𝐘𝑌𝒀𝒴𝓨𝔜𝕐𝖄𝖸𝗬𝘠𝙔𝚈🅈])
+          - pattern-regex: ([ℤℨⓏＺ𝐙𝑍𝒁𝒵𝓩𝖅𝖹𝗭𝘡𝙕𝚉🅉])

guarddog/ecosystems.py

@@ -6,6 +6,7 @@ class ECOSYSTEM(Enum):
     NPM = "npm"
     GO = "go"
     GITHUB_ACTION = "github-action"
+    EXTENSION = "extension"
 
 
 def get_friendly_name(ecosystem: ECOSYSTEM) -> str:
@@ -18,5 +19,7 @@ def get_friendly_name(ecosystem: ECOSYSTEM) -> str:
             return "go"
         case ECOSYSTEM.GITHUB_ACTION:
             return "GitHub Action"
+        case ECOSYSTEM.EXTENSION:
+            return "Extension"
         case _:
             return ecosystem.value

guarddog/scanners/__init__.py

@@ -8,6 +8,7 @@ from .pypi_project_scanner import PypiRequirementsScanner
 from .go_package_scanner import GoModuleScanner
 from .go_project_scanner import GoDependenciesScanner
 from .github_action_scanner import GithubActionScanner
+from .extension_scanner import ExtensionScanner
 from .scanner import PackageScanner, ProjectScanner
 from ..ecosystems import ECOSYSTEM
 
@@ -33,6 +34,8 @@ def get_package_scanner(ecosystem: ECOSYSTEM) -> Optional[PackageScanner]:
             return GoModuleScanner()
         case ECOSYSTEM.GITHUB_ACTION:
             return GithubActionScanner()
+        case ECOSYSTEM.EXTENSION:
+            return ExtensionScanner()
     return None
 
 
@@ -57,4 +60,6 @@ def get_project_scanner(ecosystem: ECOSYSTEM) -> Optional[ProjectScanner]:
             return GoDependenciesScanner()
         case ECOSYSTEM.GITHUB_ACTION:
             return GitHubActionDependencyScanner()
+        case ECOSYSTEM.EXTENSION:
+            return None  # we're not including dependency scanning for this PR
     return None

guarddog/scanners/extension_scanner.py

@@ -0,0 +1,152 @@
+import logging
+import os
+import typing
+
+import requests
+
+from guarddog.analyzer.analyzer import Analyzer
+from guarddog.ecosystems import ECOSYSTEM
+from guarddog.scanners.scanner import PackageScanner, noop
+
+log = logging.getLogger("guarddog")
+
+MARKETPLACE_URL = (
+    "https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery"
+)
+MARKETPLACE_HEADERS = {
+    "Content-Type": "application/json",
+    "Accept": "application/json;api-version=3.0-preview.1",
+}
+MARKETPLACE_DOWNLOAD_LINK_ASSET_TYPE = "Microsoft.VisualStudio.Services.VSIXPackage"
+VSIX_FILE_EXTENSION = ".vsix"
+
+# VSCode Marketplace API filter types
+# FilterType 7 = publisherName.extensionName (search by exact extension identifier)
+MARKETPLACE_FILTER_TYPE_EXTENSION_NAME = 7
+
+# VSCode Marketplace API flags (bitwise combination)
+# 446 = IncludeVersions | IncludeFiles | IncludeMetadata
+MARKETPLACE_FLAGS_FULL_METADATA = 446
+
+
+class ExtensionScanner(PackageScanner):
+    def __init__(self) -> None:
+        super().__init__(Analyzer(ECOSYSTEM.EXTENSION))
+
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> typing.Tuple[dict, str]:
+        """
+        Downloads a VSCode extension from the marketplace and extracts it
+
+        Args:
+            directory: Directory to download to
+            package_name: Extension identifier (publisher.extension format)
+            version: Specific version or default to latest
+
+        Returns:
+            Tuple of (marketplace API response, extracted_path)
+        """
+        marketplace_data, vsix_url = self._get_marketplace_info_and_url(
+            package_name, version
+        )
+
+        vsix_path = os.path.join(
+            directory, package_name.replace("/", "-") + VSIX_FILE_EXTENSION
+        )
+        extracted_path = vsix_path.removesuffix(VSIX_FILE_EXTENSION)
+
+        log.debug(f"Downloading VSCode extension from {vsix_url}")
+
+        self.download_compressed(vsix_url, vsix_path, extracted_path)
+
+        return marketplace_data, extracted_path
+
+    def _get_marketplace_info_and_url(
+        self, package_name: str, version: typing.Optional[str] = None
+    ) -> typing.Tuple[dict, str]:
+        """Get marketplace metadata and VSIX download URL"""
+        payload = {
+            "filters": [
+                {
+                    "criteria": [
+                        {
+                            "filterType": MARKETPLACE_FILTER_TYPE_EXTENSION_NAME,
+                            "value": package_name,
+                        }
+                    ]
+                }
+            ],
+            "flags": MARKETPLACE_FLAGS_FULL_METADATA,
+        }
+
+        response = requests.post(
+            MARKETPLACE_URL, headers=MARKETPLACE_HEADERS, json=payload
+        )
+
+        response.raise_for_status()
+
+        data = response.json()
+
+        if not data.get("results") or not data["results"][0].get("extensions"):
+            raise ValueError(f"Extension {package_name} not found in marketplace")
+
+        extension_info = data["results"][0]["extensions"][0]
+        versions = extension_info.get("versions", [])
+
+        if not versions:
+            raise ValueError(
+                f"No versions available for this extension: {package_name}"
+            )
+
+        target_version = None
+        if version is None:
+            # if not version is provided, default to latest
+            target_version = versions[0]
+        else:
+            for v in versions:
+                if v.get("version") == version:
+                    target_version = v
+                    break
+            if target_version is None:
+                raise ValueError(
+                    f"Version {version} not found for extension: {package_name}"
+                )
+
+        # Extract download URL
+        files = target_version.get("files", [])
+        vsix_url = None
+        for file_info in files:
+            if file_info.get("assetType") == MARKETPLACE_DOWNLOAD_LINK_ASSET_TYPE:
+                vsix_url = file_info.get("source")
+                break
+
+        if not vsix_url:
+            raise ValueError(
+                f"No VSIX download link available for this extension: {package_name}"
+            )
+
+        return data, vsix_url
+
+    def scan_local(
+        self, path: str, rules=None, callback: typing.Callable[[dict], None] = noop
+    ) -> dict:
+        """
+        Scan a local VSCode extension directory
+
+        Args:
+            path: Path to extension directory containing package.json
+            rules: Set of rules to use
+            callback: Callback to apply to analyzer output
+
+        Returns:
+            Scan results
+        """
+        if rules is not None:
+            rules = set(rules)
+
+        # Use only sourcecode analysis for local scans, consistent with other ecosystems
+        results = self.analyzer.analyze_sourcecode(path, rules=rules)
+        callback(results)
+
+        return results

guarddog/scanners/github_action_scanner.py

@@ -15,7 +15,9 @@ class GithubActionScanner(PackageScanner):
     def __init__(self) -> None:
         super().__init__(Analyzer(ECOSYSTEM.GITHUB_ACTION))
 
-    def download_and_get_package_info(self, directory: str, package_name: str, version=None) -> typing.Tuple[dict, str]:
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> typing.Tuple[dict, str]:
         repo = self._get_repo(package_name)
         tarball_url = self._get_git_tarball_url(repo, version)
 
@@ -25,7 +27,9 @@ class GithubActionScanner(PackageScanner):
         if file_extension == "":
             file_extension = ".zip"
 
-        zippath = os.path.join(directory, package_name.replace("/", "-") + file_extension)
+        zippath = os.path.join(
+            directory, package_name.replace("/", "-") + file_extension
+        )
         unzippedpath = zippath.removesuffix(file_extension)
         self.download_compressed(tarball_url, zippath, unzippedpath)
 

guarddog/scanners/go_project_scanner.py

@@ -54,7 +54,7 @@ class GoDependenciesScanner(ProjectScanner):
                     lambda d: d.name == name,
                     dependencies,
                 ),
-                None
+                None,
             )
             if not dep:
                 dep = Dependency(name=name, versions=set())

guarddog/scanners/npm_package_scanner.py

@@ -17,9 +17,13 @@ class NPMPackageScanner(PackageScanner):
     def __init__(self) -> None:
         super().__init__(Analyzer(ECOSYSTEM.NPM))
 
-    def download_and_get_package_info(self, directory: str, package_name: str, version=None) -> typing.Tuple[dict, str]:
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> typing.Tuple[dict, str]:
         git_target = None
-        if urlparse(package_name).hostname is not None and package_name.endswith('.git'):
+        if urlparse(package_name).hostname is not None and package_name.endswith(
+            ".git"
+        ):
             git_target = package_name
 
         if not package_name.startswith("@") and package_name.count("/") == 1:
@@ -33,7 +37,9 @@ class NPMPackageScanner(PackageScanner):
         response = requests.get(url)
 
         if response.status_code != 200:
-            raise Exception("Received status code: " + str(response.status_code) + " from npm")
+            raise Exception(
+                "Received status code: " + str(response.status_code) + " from npm"
+            )
         data = response.json()
         if "name" not in data:
             raise Exception(f"Error retrieving package: {package_name}")
@@ -45,7 +51,9 @@ class NPMPackageScanner(PackageScanner):
 
         tarball_url = details["dist"]["tarball"]
         file_extension = pathlib.Path(tarball_url).suffix
-        zippath = os.path.join(directory, package_name.replace("/", "-") + file_extension)
+        zippath = os.path.join(
+            directory, package_name.replace("/", "-") + file_extension
+        )
         unzippedpath = zippath.removesuffix(file_extension)
         self.download_compressed(tarball_url, zippath, unzippedpath)
 

guarddog/scanners/pypi_package_scanner.py

@@ -12,7 +12,9 @@ class PypiPackageScanner(PackageScanner):
     def __init__(self) -> None:
         super().__init__(Analyzer(ECOSYSTEM.PYPI))
 
-    def download_and_get_package_info(self, directory: str, package_name: str, version=None) -> typing.Tuple[dict, str]:
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> typing.Tuple[dict, str]:
         extract_dir = self.download_package(package_name, directory, version)
         return get_package_info(package_name), extract_dir
 
@@ -40,7 +42,9 @@ class PypiPackageScanner(PackageScanner):
             version = data["info"]["version"]
 
         if version not in releases:
-            raise Exception(f"Version {version} for package {package_name} doesn't exist.")
+            raise Exception(
+                f"Version {version} for package {package_name} doesn't exist."
+            )
 
         files = releases[version]
         url, file_extension = None, None
@@ -52,7 +56,9 @@ class PypiPackageScanner(PackageScanner):
                 break
 
         if not (url and file_extension):
-            raise Exception(f"Compressed file for {package_name} does not exist on PyPI.")
+            raise Exception(
+                f"Compressed file for {package_name} does not exist on PyPI."
+            )
 
         # Path to compressed package
         zippath = os.path.join(directory, package_name + file_extension)