guarddog 2.7.1__py3-none-any.whl → 2.8.4__py3-none-any.whl

guarddog-2.8.4.dist-info/METADATA

@@ -0,0 +1,471 @@
+Metadata-Version: 2.4
+Name: guarddog
+Version: 2.8.4
+Summary: GuardDog is a CLI tool for identifying malicious open source packages
+License: Apache-2.0
+License-File: LICENSE
+License-File: LICENSE-3rdparty.csv
+License-File: NOTICE
+Author: Ellen Wang
+Requires-Python: >=3.10,<4
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Requires-Dist: click (>=8.1.3,<9.0.0)
+Requires-Dist: configparser (>=5.3,<8.0)
+Requires-Dist: disposable-email-domains (>=0.0.103,<0.0.121)
+Requires-Dist: prettytable (>=3.6.0,<4.0.0)
+Requires-Dist: pygit2 (>=1.11,<1.19)
+Requires-Dist: python-dateutil (>=2.8.2,<3.0.0)
+Requires-Dist: python-whois (>=0.8,<0.10)
+Requires-Dist: pyyaml (>=6.0,<7.0)
+Requires-Dist: requests (>=2.29.0,<3.0.0)
+Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
+Requires-Dist: semgrep (>=1.147.0,<2.0.0)
+Requires-Dist: tarsafe (>=0.0.5,<0.0.6)
+Requires-Dist: termcolor (>=2.1.0,<3.0.0)
+Requires-Dist: urllib3 (>=2.5.0,<3.0.0)
+Requires-Dist: yara-python (>=4.5.1,<5.0.0)
+Project-URL: Repository, https://github.com/DataDog/guarddog
+Description-Content-Type: text/markdown
+
+# GuardDog
+
+[![Test](https://github.com/DataDog/guarddog/actions/workflows/checks.yml/badge.svg)](https://github.com/DataDog/guarddog/actions/workflows/checks.yml)
+
+<p align="center">
+  <img src="https://github.com/DataDog/guarddog/blob/main/docs/images/logo.png?raw=true" alt="GuardDog" width="300" />
+</p>
+
+GuardDog is a CLI tool that allows to identify malicious PyPI and npm packages, Go modules, RubyGems, GitHub actions, or VSCode extensions. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata.
+
+GuardDog can be used to scan local or remote PyPI and npm packages, Go modules, RubyGems, GitHub actions, or VSCode extensions using any of the available [heuristics](#heuristics).
+
+It downloads and scans code from:
+
+* NPM: Packages hosted in [npmjs.org](https://www.npmjs.com/)
+* PyPI: Source files (tar.gz) packages hosted in [PyPI.org](https://pypi.org/)
+* Go: GoLang source files of repositories hosted in [GitHub.com](https://github.com)
+* RubyGems: Gem packages hosted in [rubygems.org](https://rubygems.org/)
+* GitHub Actions: Javascript source files of repositories hosted in [GitHub.com](https://github.com)
+* VSCode Extensions: Extensions (.vsix) packages hosted in [marketplace.visualstudio.com](https://marketplace.visualstudio.com/)
+
+![GuardDog demo usage](https://github.com/DataDog/guarddog/blob/main/docs/images/demo.png?raw=true)
+
+## Getting started
+
+### Installation
+
+```sh
+pip install guarddog
+```
+
+Or use the Docker image:
+
+```sh
+docker pull ghcr.io/datadog/guarddog
+alias guarddog='docker run --rm ghcr.io/datadog/guarddog'
+```
+
+*Note: On Windows, the only supported installation method is Docker.*
+
+### Sample usage
+
+```sh
+# Scan the most recent version of the 'requests' package
+guarddog pypi scan requests
+
+# Scan a specific version of the 'requests' package
+guarddog pypi scan requests --version 2.28.1
+
+# Scan the 'request' package using 2 specific heuristics
+guarddog pypi scan requests --rules exec-base64 --rules code-execution
+
+# Scan the 'requests' package using all rules but one
+guarddog pypi scan requests --exclude-rules exec-base64
+
+# Scan a local package archive
+guarddog pypi scan /tmp/triage.tar.gz
+
+# Scan a local package directory
+guarddog pypi scan /tmp/triage/
+
+# Scan every package referenced in a requirements.txt file of a local folder
+guarddog pypi verify workspace/guarddog/requirements.txt
+
+# Scan every package referenced in a requirements.txt file and output a sarif file - works only for verify
+guarddog pypi verify --output-format=sarif workspace/guarddog/requirements.txt
+
+# Output JSON to standard output - works for every command
+guarddog pypi scan requests --output-format=json
+
+# All the commands also work on npm, go, rubygems
+guarddog npm scan express
+
+guarddog go scan github.com/DataDog/dd-trace-go
+
+guarddog go verify /tmp/repo/go.mod
+
+# Scan RubyGems packages
+guarddog rubygems scan rails
+
+guarddog rubygems verify /tmp/repo/Gemfile.lock
+
+# Additionally can support scanning GitHub actions that are implemented in JavaScript
+guarddog github_action scan DataDog/synthetics-ci-github-action
+
+guarddog github_action verify /tmp/repo/.github/workflows/main.yml
+
+# Scan VSCode extensions from the marketplace
+guarddog extension scan ms-python.python
+
+# Scan a specific version of a VSCode extension
+guarddog extension scan ms-python.python --version 2023.20.0
+
+# Scan a local VSCode extension directory or VSIX archive
+guarddog extension scan /tmp/my-extension/
+
+# Run in debug mode
+guarddog --log-level debug npm scan express
+```
+
+
+## Heuristics
+
+GuardDog comes with 2 types of heuristics:
+
+* [**Source code heuristics**](https://github.com/DataDog/guarddog/tree/main/guarddog/analyzer/sourcecode): Semgrep rules running against the package source code.
+
+* [**Package metadata heuristics**](https://github.com/DataDog/guarddog/tree/main/guarddog/analyzer/metadata): Python or Javascript heuristics running against the package metadata on PyPI or npm.
+
+<!-- BEGIN_RULE_LIST -->
+### PyPI
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| api-obfuscation | Identify obfuscated API calls using alternative Python syntax patterns |
+| shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
+| obfuscation | Identify when a package uses a common obfuscation method often used by malware |
+| clipboard-access | Identify when a package reads or write data from the clipboard |
+| exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+| download-executable | Identify when a package downloads and makes executable a remote binary |
+| exec-base64 | Identify when a package dynamically executes base64-encoded code |
+| silent-process-execution | Identify when a package silently executes an executable |
+| dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
+| steganography | Identify when a package retrieves hidden data from an image and executes it |
+| code-execution | Identify when an OS command is executed in the setup.py file |
+| unicode | Identify suspicious unicode characters |
+| cmd-overwrite | Identify when the 'install' command is overwritten in setup.py, indicating a piece of code automatically running when the package is installed |
+| suspicious_passwd_access_linux | Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting |
+
+Metadata heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| empty_information | Identify packages with an empty description field |
+| release_zero | Identify packages with an release version that's 0.0 or 0.0.0 |
+| typosquatting | Identify packages that are named closely to an highly popular package |
+| potentially_compromised_email_domain | Identify when a package maintainer e-mail domain (and therefore package manager account) might have been compromised |
+| unclaimed_maintainer_email_domain | Identify when a package maintainer e-mail domain (and therefore npm account) is unclaimed and can be registered by an attacker |
+| repository_integrity_mismatch | Identify packages with a linked GitHub repository where the package has extra unexpected files |
+| single_python_file | Identify packages that have only a single Python file |
+| bundled_binary | Identify packages bundling binaries |
+| deceptive_author | This heuristic detects when an author is using a disposable email |
+
+
+### npm
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| npm-serialize-environment | Identify when a package serializes 'process.env' to exfiltrate environment variables |
+| npm-obfuscation | Identify when a package uses a common obfuscation method often used by malware |
+| npm-silent-process-execution | Identify when a package silently executes an executable |
+| shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
+| npm-exec-base64 | Identify when a package dynamically executes code through 'eval' |
+| npm-install-script | Identify when a package has a pre or post-install script automatically running commands |
+| npm-steganography | Identify when a package retrieves hidden data from an image and executes it |
+| npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
+| npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+| suspicious_passwd_access_linux | Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting |
+
+Metadata heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| empty_information | Identify packages with an empty description field |
+| release_zero | Identify packages with an release version that's 0.0 or 0.0.0 |
+| potentially_compromised_email_domain | Identify when a package maintainer e-mail domain (and therefore package manager account) might have been compromised; note that NPM's API may not provide accurate information regarding the maintainer's email, so this detector may cause false positives for NPM packages. see https://www.theregister.com/2022/05/10/security_npm_email/ |
+| unclaimed_maintainer_email_domain | Identify when a package maintainer e-mail domain (and therefore npm account) is unclaimed and can be registered by an attacker; note that NPM's API may not provide accurate information regarding the maintainer's email, so this detector may cause false positives for NPM packages. see https://www.theregister.com/2022/05/10/security_npm_email/ |
+| typosquatting | Identify packages that are named closely to an highly popular package |
+| direct_url_dependency | Identify packages with direct URL dependencies. Dependencies fetched this way are not immutable and can be used to inject untrusted code or reduce the likelihood of a reproducible install. |
+| npm_metadata_mismatch | Identify packages which have mismatches between the npm package manifest and the package info for some critical fields |
+| bundled_binary | Identify packages bundling binaries |
+| deceptive_author | This heuristic detects when an author is using a disposable email |
+
+
+### go
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
+| go-exec-base64 | Identify Base64-decoded content being passed to execution functions in Go |
+| go-exfiltrate-sensitive-data | This rule identifies when a package reads and exfiltrates sensitive data from the local system. |
+| go-exec-download | This rule downloads and executes a remote binary after setting executable permissions. |
+| suspicious_passwd_access_linux | Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting |
+
+Metadata heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| typosquatting | Identify packages that are named closely to an highly popular package |
+
+
+### GitHub Action
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| npm-serialize-environment | Identify when a package serializes 'process.env' to exfiltrate environment variables |
+| npm-obfuscation | Identify when a package uses a common obfuscation method often used by malware |
+| npm-silent-process-execution | Identify when a package silently executes an executable |
+| shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
+| npm-exec-base64 | Identify when a package dynamically executes code through 'eval' |
+| npm-install-script | Identify when a package has a pre or post-install script automatically running commands |
+| npm-steganography | Identify when a package retrieves hidden data from an image and executes it |
+| npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
+| npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+| suspicious_passwd_access_linux | Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting |
+### Extension
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| npm-serialize-environment | Identify when a package serializes 'process.env' to exfiltrate environment variables |
+| npm-obfuscation | Identify when a package uses a common obfuscation method often used by malware |
+| npm-silent-process-execution | Identify when a package silently executes an executable |
+| shady-links | Identify when a package contains an URL to a domain with a suspicious extension |
+| npm-exec-base64 | Identify when a package dynamically executes code through 'eval' |
+| npm-install-script | Identify when a package has a pre or post-install script automatically running commands |
+| npm-steganography | Identify when a package retrieves hidden data from an image and executes it |
+| npm-dll-hijacking | Identifies when a malicious package manipulates a trusted application into loading a malicious DLL |
+| npm-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+| suspicious_passwd_access_linux | Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting |
+### RubyGems
+
+Source code heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| rubygems-code-execution | Identify when a gem executes OS commands |
+| rubygems-exfiltrate-sensitive-data | Identify when a package reads and exfiltrates sensitive data from the local system |
+| rubygems-serialize-environment | Identify when a package serializes ENV to exfiltrate environment variables |
+| rubygems-network-on-require | Identify when a gem makes network requests when required |
+| rubygems-install-hook | Identify when a gem registers installation hooks |
+| rubygems-exec-base64 | Identify when a package dynamically executes base64-encoded code |
+| suspicious_passwd_access_linux | Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting |
+
+Metadata heuristics:
+
+| **Heuristic** | **Description** |
+|:-------------:|:---------------:|
+| typosquatting | Identify packages that are named closely to an highly popular package |
+| empty_information | Identify packages with an empty description field |
+| release_zero | Identify packages with an release version that's 0.0 or 0.0.0 |
+| bundled_binary | Identify packages bundling binaries |
+| repository_integrity_mismatch | Identify packages with a linked GitHub repository where the package has extra unexpected files |
+
+
+<!-- END_RULE_LIST -->
+
+## Custom Rules
+
+Guarddog allows to implement custom sourcecode rules.
+Sourcecode rules live under the [guarddog/analyzer/sourcecode](guarddog/analyzer/sourcecode) directory, and supported formats are [Semgrep](https://github.com/semgrep/semgrep) or [Yara](https://github.com/VirusTotal/yara).
+
+* Semgrep rules are language-dependent, and Guarddog will import all `.yml` rules where the language matches the ecosystem selected by the user in CLI.
+* Yara rules on the other hand are language agnostic, therefore all matching `.yar` rules present will be imported.
+
+Is possible then to write your own rule and drop it into that directory, Guarddog will allow you to select it or exclude it as any built-in rule as well as appending the findings to its output.
+
+For example, you can create the following semgrep rule:
+```yaml
+rules:
+  - id: sample-rule
+    languages:
+      - python
+    message: Output message when rule matches
+    metadata:
+      description: Description used in the CLI help
+    patterns:
+        YOUR RULE HEURISTICS GO HERE
+    severity: WARNING
+```
+
+Then you'll need to save it as `sample-rule.yml` and note that the id must match the filename
+
+In the case of Yara, you can create the following rule:
+```
+rule sample-rule
+{
+  meta:
+    description = "Description used in the output message"
+    target_entity = "file"
+  strings:
+    $exec = "exec"
+  condition:
+    1 of them
+}
+```
+Then you'll need to save it as `sample-rule.yar`.
+
+Note that in both cases, the rule id must match the filename
+
+## Running GuardDog in a GitHub Action
+
+The easiest way to integrate GuardDog in your CI pipeline is to leverage the SARIF output format, and upload it to GitHub's [code scanning](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) feature.
+
+Using this, you get:
+* Automated comments to your pull requests based on the GuardDog scan output
+* Built-in false positive management directly in the GitHub UI
+
+
+Sample GitHub Action using GuardDog:
+
+```yaml
+name: GuardDog
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  guarddog:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Scan dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+
+      - name: Install GuardDog
+        run: pip install guarddog
+
+      - run: guarddog pypi verify requirements.txt --output-format sarif --exclude-rules repository_integrity_mismatch > guarddog.sarif
+
+      - name: Upload SARIF file to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: guarddog-builtin
+          sarif_file: guarddog.sarif
+```
+
+
+## Development
+
+### Running a local version of GuardDog
+
+* Ensure poetry has an env with `python >=3.10` `poetry env use 3.10.0`
+* Install dependencies `poetry install`
+* Run guarddog `poetry run guarddog` or `poetry shell` then run `guarddog`
+
+### Unit tests
+
+Running all unit tests: `make test`
+
+Running unit tests against Semgrep rules: `make test-semgrep-rules` (tests are [here](https://github.com/DataDog/guarddog/tree/main/tests/analyzer/sourcecode)). These use the standard methodology for [testing Semgrep rules](https://semgrep.dev/docs/writing-rules/testing-rules/).
+
+Running unit tests against package metadata heuristics: `make test-metadata-rules` (tests are [here](https://github.com/DataDog/guarddog/tree/main/tests/analyzer/metadata)).
+
+### Benchmarking
+
+You can run GuardDog on legitimate and malicious packages to determine false positives and false negatives. See [./tests/samples](./tests/samples)
+
+### Code quality checks
+
+Run the type checker with
+```shell
+mypy --install-types --non-interactive guarddog
+```
+and the linter with
+```shell
+flake8 guarddog --count --select=E9,F63,F7,F82 --show-source --statistics --exclude tests/analyzer/sourcecode,tests/analyzer/metadata/resources,evaluator/data
+flake8 guarddog --count --max-line-length=120 --statistics --exclude tests/analyzer/sourcecode,tests/analyzer/metadata/resources,evaluator/data --ignore=E203,W503
+```
+
+### Configuration via Environment Variables
+
+GuardDog's behavior can be customized using environment variables:
+
+#### General Configuration
+
+| Environment Variable | Description | Default Value |
+|---------------------|-------------|---------------|
+| `GUARDDOG_PARALLELISM` | Number of threads to use for parallel processing | Number of CPUs available |
+| `GUARDDOG_VERIFY_EXHAUSTIVE_DEPENDENCIES` | Analyze all possible versions of dependencies (`true`/`false`) | `false` |
+| `GUARDDOG_TOP_PACKAGES_CACHE_LOCATION` | Location of the top packages cache directory | `guarddog/analyzer/metadata/resources` |
+| `GUARDDOG_YARA_EXT_EXCLUDE` | Comma-separated list of file extensions to exclude from YARA scanning | `ini,md,rst,txt,lock,json,yaml,yml,toml,xml,html,csv,sql,pdf,doc,docx,ppt,pptx,xls,xlsx,odt,changelog,readme,makefile,dockerfile,pkg-info,d.ts` |
+
+#### Semgrep Configuration
+
+GuardDog uses `Semgrep`, a powerful static analysis tool that scans code for patterns. 
+
+| Environment Variable | Description | Default Value |
+|---------------------|-------------|---------------|
+| `GUARDDOG_SEMGREP_MAX_TARGET_BYTES` | Maximum size of a file that Semgrep will analyze (files exceeding this will be skipped) | 10MB (10485760 bytes) |
+| `GUARDDOG_SEMGREP_TIMEOUT` | Maximum time in seconds that Semgrep will spend running a rule on a single file | 10 seconds |
+
+#### Archive Extraction Security Limits
+
+GuardDog implements multiple security checks when extracting package archives to protect against compression bombs and file descriptor exhaustion attacks:
+
+| Environment Variable | Description | Default Value |
+|---------------------|-------------|---------------|
+| `GUARDDOG_MAX_UNCOMPRESSED_SIZE` | Maximum allowed uncompressed size in bytes (prevents disk space exhaustion) | 2147483648 (2 GB) |
+| `GUARDDOG_MAX_COMPRESSION_RATIO` | Maximum allowed compression ratio (detects suspicious compression patterns) | 100 (100:1) |
+| `GUARDDOG_MAX_FILE_COUNT` | Maximum number of files allowed in an archive (prevents file descriptor/inode exhaustion) | 100000 |
+
+## Maintainers
+
+* [Sebastian Obregoso](https://www.linkedin.com/in/sebastianobregoso/)
+* [Ian Kretz](https://github.com/ikretz)
+* [Tesnim Hamdouni](https://github.com/tesnim5hamdouni)
+
+## Authors
+* [Ellen Wang](https://www.linkedin.com/in/ellen-wang-4bb5961a0/)
+* [Christophe Tafani-Dereeper](https://github.com/christophetd)
+
+## Acknowledgments
+
+Inspiration:
+* [Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks](https://arxiv.org/pdf/2005.09535)
+* [What are Weak Links in the npm Supply Chain?](https://arxiv.org/pdf/2112.10165.pdf)
+* [A Survey on Common Threats in npm and PyPi Registries](https://arxiv.org/pdf/2108.09576.pdf)
+* [A Benchmark Comparison of Python Malware Detection Approaches](https://arxiv.org/pdf/2209.13288.pdf)
+* [Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages](https://arxiv.org/pdf/2002.01139)
+

{guarddog-2.7.1.dist-info → guarddog-2.8.4.dist-info}/RECORD

@@ -2,7 +2,7 @@ guarddog/__init__.py,sha256=reb53KZG9b1nFmsDxj2fropaOceOCyM9bVMUdmZ2wS8,227
 guarddog/__main__.py,sha256=GEdfW6I6g2c3H7bS0G43E4C-g7kXGUswzDCPFSwPgHY,246
 guarddog/analyzer/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 guarddog/analyzer/analyzer.py,sha256=eeWbazqGWFJBeT_OHHmEndH3hG_6PMxUajof6T9jutM,15413
-guarddog/analyzer/metadata/__init__.py,sha256=tQTwWanifLsxfCdXIytPCO3chEIiTZ583uqKiQXQOog,855
+guarddog/analyzer/metadata/__init__.py,sha256=4EOtQoMW1T_OX55qapNA2zzwvROO2zOiN4mjvloAW2U,1003
 guarddog/analyzer/metadata/bundled_binary.py,sha256=Tfgbc-exhbfvYjpgFH_Aa5KtT4ugJhrTV9SavZw1pHs,2594
 guarddog/analyzer/metadata/deceptive_author.py,sha256=CLwntpSNBO4Bji3IEw2lctvNCMLiOxz0pG7KSEzIynM,2811
 guarddog/analyzer/metadata/detector.py,sha256=dFhmoPVtxoed-Lz3Bd8GXZhorOVajvo5sIl9Iw8oCOM,641
@@ -28,32 +28,40 @@ guarddog/analyzer/metadata/pypi/deceptive_author.py,sha256=KRbi7xfGYnEiq0p5HFazj
 guarddog/analyzer/metadata/pypi/empty_information.py,sha256=Ppaa_aEIlFJ5VpRtcm2ozlBoRHrTs6CWpPyh82sTM7g,814
 guarddog/analyzer/metadata/pypi/potentially_compromised_email_domain.py,sha256=8zncGNsyfhWe04HRDF54rfP8y--_6l9ze-F-gH97pWo,1774
 guarddog/analyzer/metadata/pypi/release_zero.py,sha256=UNUAFeB34B88N0LRe-tnmoZ3Y4x4AVZbe7m0i9Q3W7U,789
-guarddog/analyzer/metadata/pypi/repository_integrity_mismatch.py,sha256=RB-Wf5Cbuh8KswkcCCHk7BVWvmOJccdHyb4mBjxiLhk,11903
+guarddog/analyzer/metadata/pypi/repository_integrity_mismatch.py,sha256=yW7TPpA-g5XNAhiDtijYiBFhOo6ilBLseuJdwvIMRHI,7670
 guarddog/analyzer/metadata/pypi/single_python_file.py,sha256=L-YlmlP1TYA9XBeTHBPfECWgVIPTenUWRRnqwCMyh-o,1402
 guarddog/analyzer/metadata/pypi/typosquatting.py,sha256=Bzx_vjIiuugeRdyR-ABg7S-6J7Udm7stM8CUU8WUafg,6042
 guarddog/analyzer/metadata/pypi/unclaimed_maintainer_email_domain.py,sha256=zfT0qTyN83O-7Yevc6tYIjmCAgh8Y_dhE6oZlKdNmm0,421
 guarddog/analyzer/metadata/pypi/utils.py,sha256=UtG2JVep8bSOMz5LkrhXqS5Oy7Na19nHVct4IQMsQik,177
 guarddog/analyzer/metadata/release_zero.py,sha256=F0I8coYivya7zns0XI1xNY4LLtTDQXoBUmze1wjwW4g,439
-guarddog/analyzer/metadata/repository_integrity_mismatch.py,sha256=WGvck9JV2iCB8xaOc6X5cEGiu59juSWFfwbf6uEah3E,792
+guarddog/analyzer/metadata/repository_integrity_mismatch.py,sha256=R77YB2ANTALGfS8jbe7KhLJ3a3U_uPQV6VqgzFELEwM,7586
 guarddog/analyzer/metadata/resources/placeholder_email_domains.txt,sha256=o3mm9u6vuaVeN4wRgDTidR5oL6ufLTCrE9ISVYbOGUc,11
 guarddog/analyzer/metadata/resources/top_go_packages.json,sha256=HHOTcuWTGqlpXDOUgF7ejgmr8sGF_T5l7NQYdXmHcKQ,104044
 guarddog/analyzer/metadata/resources/top_npm_packages.json,sha256=eeqVkFNW8ltYcGbjAJBzZrdxBEKezxa6AVVYoEpFazs,192960
 guarddog/analyzer/metadata/resources/top_pypi_packages.json,sha256=hDQZUuG6BS4h7yNTAQ191l8_N6jaqezO9n2vdsZPKhA,1474298
+guarddog/analyzer/metadata/resources/top_rubygems_packages.json,sha256=75GrX0mB_nnH-0reUQYdOvTsduELrb63yX6xvHwoSmM,20152
+guarddog/analyzer/metadata/rubygems/__init__.py,sha256=DHLvlpbRdynWCIHG2caDEa3f7q0I8WsfbmrlTe-fmwM,947
+guarddog/analyzer/metadata/rubygems/bundled_binary.py,sha256=eOeZXDAoDuwhUfB9W5CesnMWyVpR6BePPzNkGRKZqkc,397
+guarddog/analyzer/metadata/rubygems/empty_information.py,sha256=8Dxa0Y8tbcv7lV3d3LUj_QO97lpUq2kTTY2JhQE2kw8,700
+guarddog/analyzer/metadata/rubygems/release_zero.py,sha256=7rk1vxp6OxJkBTOD9kOYEEPLE7YgbApFbOVhjECnIgw,671
+guarddog/analyzer/metadata/rubygems/repository_integrity_mismatch.py,sha256=pFNMdT0VpiHL6kEkj_2eOH0BwLCbQT2XLqyWJY67tr4,1582
+guarddog/analyzer/metadata/rubygems/typosquatting.py,sha256=k9xu8mdAiyNFEGmWFgSql-E-fjch6rS6CXSObQ3G4-c,4745
 guarddog/analyzer/metadata/typosquatting.py,sha256=6xmqsB0oKwrsXfTJ9DE1z8-nUW8ukgk1ZSS32iJmapk,4587
 guarddog/analyzer/metadata/unclaimed_maintainer_email_domain.py,sha256=e-K9mSdph3y33fP_W7LNOlC7AnUVk28a1VfQJtG9vxo,2375
-guarddog/analyzer/metadata/utils.py,sha256=li7AGB8c_G4ytX0MvvyzVTFNPneK78uMp1h-pT__2qE,1772
-guarddog/analyzer/sourcecode/__init__.py,sha256=031VVi-DqTHxeYiI2mf2AuI76GaNUUyra_t0pRVqo5k,4631
-guarddog/analyzer/sourcecode/api-obfuscation.yml,sha256=y_m6PSh8CfF6nxMulj2Yx4XYxS1T5OO0Eos9WJiDR74,2137
+guarddog/analyzer/metadata/utils.py,sha256=lMzwC41_-XuUa4d6E5AMyX8XZgXqrQD_gmpQCHrIzXI,2458
+guarddog/analyzer/sourcecode/__init__.py,sha256=_xt-xn2lfpu-iQhe853eTbbTSN8ULxTutyYiBQ97NtM,4723
+guarddog/analyzer/sourcecode/api-obfuscation.yml,sha256=bDfoX5UQ1a7Za-W2WEzrIQTL22_9mi2Sea4BU4NFABk,1813
 guarddog/analyzer/sourcecode/clipboard-access.yml,sha256=B36E7xKtAVgwZ29UWtvZa1AJcyfrhvehbLo6tlJqffk,524
 guarddog/analyzer/sourcecode/cmd-overwrite.yml,sha256=l-tE3_G-LqCuCZnHab6v0PpCdMpoHPutBYcijeMZEA0,682
-guarddog/analyzer/sourcecode/code-execution.yml,sha256=YyWBMhcXGzrM6JbXzRTBBFCs7bnoNGPFJJ_FIV2OYtc,5028
+guarddog/analyzer/sourcecode/code-execution.yml,sha256=YGsPOxR51OkEU1xjeAg-vTXu5CyGmFefpbsBBhjAfro,5942
 guarddog/analyzer/sourcecode/dll-hijacking.yml,sha256=_lkYp0P4545aiGazC5lRBeCcMHhGWzaK-95zu5MfRLY,3721
 guarddog/analyzer/sourcecode/download-executable.yml,sha256=VuSNkpVh3DxHG7wfep3eAErGsOY9EL_268sNULYbfW4,3361
-guarddog/analyzer/sourcecode/exec-base64.yml,sha256=Wg1jI_ff9I58Xq8gt8wXOQMrwHcPnzkAPyAURxnKHgw,2371
-guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml,sha256=hUxQEsJ4qF_25oMF8pdzAFOzq59m6k28WKz280uyaMg,2264
+guarddog/analyzer/sourcecode/exec-base64.yml,sha256=ohXfoEjjVK0mlPIht82qOWoBi1U9vHL0RD0zguiaM7s,3369
+guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml,sha256=Z5pcADXvLtrHsDvhoH0AjHEnYkLVu0UU6UBvJID99RY,3383
 guarddog/analyzer/sourcecode/go-exec-base64.yml,sha256=Y5TUfLrmU1e5FTYW2zRKwn8yluBARHSXPr6Mr5vMVOY,1554
 guarddog/analyzer/sourcecode/go-exec-download.yml,sha256=ZaZOvn3Xojsd2m8MQGLW1H7p28bPdpEbmDd37q2ZiX4,2931
 guarddog/analyzer/sourcecode/go-exfiltrate-sensitive-data.yml,sha256=sb5GI-523zgE1nxNCrnRVjBSeOp7IfPy7qTQPBJMkco,3697
+guarddog/analyzer/sourcecode/npm-api-obfuscation.yml,sha256=-0HwYCO8HHaEwuUeGw9q7BAxvXrCKgz8Fs40mJ_6G4M,3641
 guarddog/analyzer/sourcecode/npm-dll-hijacking.yml,sha256=1TvI6UtCGCOMy4Ii-kM_oICYbMRGeOYdgXrG7-zmJ_Y,3460
 guarddog/analyzer/sourcecode/npm-exec-base64.yml,sha256=zc5w2FTlHoZ7ot1flzlmYBkQu1I8eG1E63S5Aki7Goc,814
 guarddog/analyzer/sourcecode/npm-exfiltrate-sensitive-data.yml,sha256=UYWXdkAab-dg_6UwVjiauHmy-9nlKiF86qcyxAwUoXg,3488
@@ -63,19 +71,25 @@ guarddog/analyzer/sourcecode/npm-serialize-environment.yml,sha256=gFpr58INp44Zwx
 guarddog/analyzer/sourcecode/npm-silent-process-execution.yml,sha256=qnJHGesNPNpxGa8n2kQMpttLGck-6vZjI_SsweDyk7M,3513
 guarddog/analyzer/sourcecode/npm-steganography.yml,sha256=XH0udcriAQq_6WOHAG4TpIedw8GgKyWx9gsG_Q_Fki8,915
 guarddog/analyzer/sourcecode/obfuscation.yml,sha256=dp0BeCYShcTS8QiijSa9U53r6jkCjrFBW5jjNVoXdUU,1224
+guarddog/analyzer/sourcecode/rubygems-code-execution.yml,sha256=DDNk2qtomXlm3oGPZkrYxSM8cz5bz4vFqCGLEQNCo8s,2123
+guarddog/analyzer/sourcecode/rubygems-exec-base64.yml,sha256=GVOD_UrTkCnyxLjb42hzUy8p8XTbIiIVKqH32ySLeZU,891
+guarddog/analyzer/sourcecode/rubygems-exfiltrate-sensitive-data.yml,sha256=Tup4P4H4wIrvZoM84_Ew8lsQmSqjewep_OYWKwPtUF4,2293
+guarddog/analyzer/sourcecode/rubygems-install-hook.yml,sha256=sjv3YXeERrZDaTu0pS28rl_B8z5BAMjohntzVLE6Fm8,1636
+guarddog/analyzer/sourcecode/rubygems-network-on-require.yml,sha256=kmuzYXcuPvarKSl5V5k5CBoPSeuvsLdFaf2_-GHYYmo,2095
+guarddog/analyzer/sourcecode/rubygems-serialize-environment.yml,sha256=qnZaV-aj9-eSZJeeF6XCi5JrnKkXNqj9xSqGjqP6AAY,1329
 guarddog/analyzer/sourcecode/shady-links.yml,sha256=H-QdBfK30PK9JRWJXk2SlFFiSSkMkuKZF0mWoCjwQ5w,3222
 guarddog/analyzer/sourcecode/silent-process-execution.yml,sha256=b6RjenMv7si7lXGak3uMmD7PMtQRuKPeJFggPW6UDNI,418
 guarddog/analyzer/sourcecode/steganography.yml,sha256=3ceO6SJhu4XpZEjfwelLdOxeZ4Ho1OgUjbcacwtOhR0,606
 guarddog/analyzer/sourcecode/suspicious_passwd_access_linux.yar,sha256=kplidsJ-ctg6W58VlYtLq10saZbcD1pm5_Xh4sqmHwk,422
 guarddog/analyzer/sourcecode/unicode.yml,sha256=7fAygEtYwJ1iNKsyCjmLAEu15CLMWApfWXx_t_W3sOA,5596
 guarddog/cli.py,sha256=Pk4WUD5a_TlPRpq2G4v_6FDGWu8IriXQPQ_ft8RXm5o,10692
-guarddog/ecosystems.py,sha256=I1XPAhPuv7OnfZT3z0xcgEecUY1tFJdrklV07sMYffg,582
+guarddog/ecosystems.py,sha256=AMbuD6gJSRda0_bSuvqXoaAQ6Vp_MlOwX4wpLgMUKzs,671
 guarddog/reporters/__init__.py,sha256=lHNa5ZDsaIpjzS7SmheD5_GGAimGitXU-DNk-Wn97bI,749
 guarddog/reporters/human_readable.py,sha256=WEyjOPdBE8adxC-tdFgwxcyDijsppLk4gIiZOUO69O0,4548
 guarddog/reporters/json.py,sha256=gpbucxGoXBA6s7fNRzhQwZ4P6gWyz7BowsmQrnm4x6U,802
 guarddog/reporters/reporter_factory.py,sha256=JUagC2UFkN2TZGpZIkI1MwMHEbwT9Ja1goQP95-k9SM,1465
 guarddog/reporters/sarif.py,sha256=diOHJcN3CkSBxBDDg6l9DiZ3ebtUNCw0Rwd7QxCpM9k,7691
-guarddog/scanners/__init__.py,sha256=dyBzyKANxTQvyd-oTjgm43gPwRMqB80eOzZ6UFNOuO8,2157
+guarddog/scanners/__init__.py,sha256=ygbe0GAmvxbJNA8Wa1rlN1VHOOLcJa4TnBK8pVQ4ZMo,2443
 guarddog/scanners/extension_scanner.py,sha256=YdZ7Ai4U-MC83RJcnoo63m_aylAf3VnylwgvhGK3ktU,4915
 guarddog/scanners/github_action_project_scanner.py,sha256=ISoBqUurwN0lMBtXwcNoalo3ghlbOJkZs9vSNZOT0kk,4216
 guarddog/scanners/github_action_scanner.py,sha256=6lriTel3U7vNmCWBf0SWti9sLCv88RPlP8SVoAgpKJs,1781
@@ -85,16 +99,18 @@ guarddog/scanners/npm_package_scanner.py,sha256=ciOvpRViMIQvNFupe5-hdXv65QLU5Obm
 guarddog/scanners/npm_project_scanner.py,sha256=liz5Fyscab53IiSPg0T21Z0vT5eotcHPc_W5Xam4A88,4957
 guarddog/scanners/pypi_package_scanner.py,sha256=ZkuRRbNejnpfFpIHJJ42GH34khiG8CUKWEPvVh_M_uk,2449
 guarddog/scanners/pypi_project_scanner.py,sha256=O91c1UP2iZju84_N7cSE7pWGrY6rKapeUqXEVyKld3A,6435
-guarddog/scanners/scanner.py,sha256=F7FhN-BQWtcTvh_gdhvj-rXYLMslzeTNxPbJsw1he2s,13695
+guarddog/scanners/rubygems_package_scanner.py,sha256=NqqkKj3aeVKj32a6dxz87ZjEu6lNDXR5BX_Zgoc3Ow4,4162
+guarddog/scanners/rubygems_project_scanner.py,sha256=v6cjkngdfChLDdW8XYqm9na48jSzeYQMsVKmo2UrniA,2277
+guarddog/scanners/scanner.py,sha256=a8Hgt5_xtQFrB2LokNOSvwqI_JzESsWQ_ZnLn3kJCAQ,14746
 guarddog/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 guarddog/utils/archives.py,sha256=s1AXn6r8kD8hy5JxEOTzdHTgDpgSTImj_mFHfAI34IM,7417
 guarddog/utils/config.py,sha256=LfXghBsSeB_UH333C3zvh46UpG0doOW6MaZ7GG7_0Z8,2047
 guarddog/utils/exceptions.py,sha256=23Kzl3exqYK6X-bcGUeb8wPmSglWNX3GIDPkJ6lQzo4,54
 guarddog/utils/package_info.py,sha256=6fHJPeLn6-tHhKHw0Soedfv2ruPd8zhW2kbhlc3Aem0,975
-guarddog-2.7.1.dist-info/METADATA,sha256=rxvp3useQx0sBa_HFyCeg9cBFhnjimNEplUvC2yJics,1446
-guarddog-2.7.1.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-guarddog-2.7.1.dist-info/entry_points.txt,sha256=vX2fvhnNdkbEL4pDzrH2NqjWVxeOaEYi0sJYmNgS2-s,45
-guarddog-2.7.1.dist-info/licenses/LICENSE,sha256=w1aNZxHyoyOPJ4fSdiyrr06tCJZbTjCsH9K1uqeDVyU,11377
-guarddog-2.7.1.dist-info/licenses/LICENSE-3rdparty.csv,sha256=cS61ONZL_xlXaTMvQXyBEi3J3es-40Gg6G-6idoa5Qk,314
-guarddog-2.7.1.dist-info/licenses/NOTICE,sha256=nlyNt2IjG8IBoQkb7n6jszwAvmREpKAx0POzFO1s2JM,140
-guarddog-2.7.1.dist-info/RECORD,,
+guarddog-2.8.4.dist-info/METADATA,sha256=SgaZvtbCAfOnr2PagJwdp4E-a4rXRKRG2aNO8mubQgM,22762
+guarddog-2.8.4.dist-info/WHEEL,sha256=3ny-bZhpXrU6vSQ1UPG34FoxZBp3lVcvK0LkgUz6VLk,88
+guarddog-2.8.4.dist-info/entry_points.txt,sha256=vX2fvhnNdkbEL4pDzrH2NqjWVxeOaEYi0sJYmNgS2-s,45
+guarddog-2.8.4.dist-info/licenses/LICENSE,sha256=w1aNZxHyoyOPJ4fSdiyrr06tCJZbTjCsH9K1uqeDVyU,11377
+guarddog-2.8.4.dist-info/licenses/LICENSE-3rdparty.csv,sha256=cS61ONZL_xlXaTMvQXyBEi3J3es-40Gg6G-6idoa5Qk,314
+guarddog-2.8.4.dist-info/licenses/NOTICE,sha256=nlyNt2IjG8IBoQkb7n6jszwAvmREpKAx0POzFO1s2JM,140
+guarddog-2.8.4.dist-info/RECORD,,

{guarddog-2.7.1.dist-info → guarddog-2.8.4.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: poetry-core 2.2.1
+Generator: poetry-core 2.3.0
 Root-Is-Purelib: true
 Tag: py3-none-any

guarddog-2.7.1.dist-info/METADATA

@@ -1,40 +0,0 @@
-Metadata-Version: 2.4
-Name: guarddog
-Version: 2.7.1
-Summary: GuardDog is a CLI tool for identifying malicious open source packages
-License: Apache-2.0
-License-File: LICENSE
-License-File: LICENSE-3rdparty.csv
-License-File: NOTICE
-Author: Ellen Wang
-Requires-Python: >=3.10,<4
-Classifier: License :: OSI Approved :: Apache Software License
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Classifier: Programming Language :: Python :: 3.14
-Requires-Dist: click (>=8.1.3,<9.0.0)
-Requires-Dist: configparser (>=5.3,<8.0)
-Requires-Dist: disposable-email-domains (>=0.0.103,<0.0.121)
-Requires-Dist: prettytable (>=3.6.0,<4.0.0)
-Requires-Dist: pygit2 (>=1.11,<1.19)
-Requires-Dist: python-dateutil (>=2.8.2,<3.0.0)
-Requires-Dist: python-whois (>=0.8,<0.10)
-Requires-Dist: pyyaml (>=6.0,<7.0)
-Requires-Dist: requests (>=2.29.0,<3.0.0)
-Requires-Dist: semantic-version (>=2.10.0,<3.0.0)
-Requires-Dist: semgrep (>=1.147.0,<2.0.0)
-Requires-Dist: tarsafe (>=0.0.5,<0.0.6)
-Requires-Dist: termcolor (>=2.1.0,<3.0.0)
-Requires-Dist: urllib3 (>=2.5.0,<3.0.0)
-Requires-Dist: yara-python (>=4.5.1,<5.0.0)
-Project-URL: Repository, https://github.com/DataDog/guarddog
-Description-Content-Type: text/x-rst
-
-GuardDog
-========
-
-See https://github.com/datadog/guarddog
-