pkgwhy 1.0.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- pkgwhy/__init__.py +3 -0
- pkgwhy/__main__.py +6 -0
- pkgwhy/agent/__init__.py +2 -0
- pkgwhy/agent/judge.py +93 -0
- pkgwhy/cli.py +676 -0
- pkgwhy/core/__init__.py +2 -0
- pkgwhy/core/constants.py +13 -0
- pkgwhy/core/models.py +608 -0
- pkgwhy/dependencies/__init__.py +2 -0
- pkgwhy/dependencies/graph.py +68 -0
- pkgwhy/dependencies/reason.py +79 -0
- pkgwhy/dynamic/__init__.py +2 -0
- pkgwhy/dynamic/analysis.py +156 -0
- pkgwhy/explanations/__init__.py +2 -0
- pkgwhy/explanations/explain.py +47 -0
- pkgwhy/explanations/local_db.py +52 -0
- pkgwhy/imports/__init__.py +2 -0
- pkgwhy/imports/scanner.py +43 -0
- pkgwhy/inspection/__init__.py +2 -0
- pkgwhy/inspection/files.py +540 -0
- pkgwhy/inspection/python_static.py +323 -0
- pkgwhy/inspection/size.py +58 -0
- pkgwhy/inspection/text_patterns.py +135 -0
- pkgwhy/manifests/__init__.py +2 -0
- pkgwhy/manifests/lockfiles.py +51 -0
- pkgwhy/manifests/pyproject.py +37 -0
- pkgwhy/manifests/requirements.py +27 -0
- pkgwhy/metadata/__init__.py +2 -0
- pkgwhy/metadata/installed.py +83 -0
- pkgwhy/metadata/pypi.py +199 -0
- pkgwhy/policy/__init__.py +1 -0
- pkgwhy/policy/agent_policy.py +114 -0
- pkgwhy/policy/audit_log.py +60 -0
- pkgwhy/policy/tool_execution.py +76 -0
- pkgwhy/provenance/__init__.py +2 -0
- pkgwhy/provenance/installed.py +45 -0
- pkgwhy/registry/__init__.py +2 -0
- pkgwhy/registry/local.py +178 -0
- pkgwhy/registry/manifest.py +78 -0
- pkgwhy/registry/publish.py +142 -0
- pkgwhy/registry/run.py +148 -0
- pkgwhy/registry/tools.py +121 -0
- pkgwhy/reports/__init__.py +2 -0
- pkgwhy/reports/audit.py +81 -0
- pkgwhy/risk/__init__.py +5 -0
- pkgwhy/risk/rules.py +372 -0
- pkgwhy/risk/scoring.py +231 -0
- pkgwhy/typosquat/__init__.py +2 -0
- pkgwhy/typosquat/detector.py +182 -0
- pkgwhy/typosquat/popular_packages.py +34 -0
- pkgwhy/vulnerabilities/__init__.py +2 -0
- pkgwhy/vulnerabilities/matching.py +122 -0
- pkgwhy/vulnerabilities/osv.py +330 -0
- pkgwhy-1.0.0.dist-info/METADATA +688 -0
- pkgwhy-1.0.0.dist-info/RECORD +58 -0
- pkgwhy-1.0.0.dist-info/WHEEL +4 -0
- pkgwhy-1.0.0.dist-info/entry_points.txt +2 -0
- pkgwhy-1.0.0.dist-info/licenses/LICENSE +22 -0
pkgwhy/__init__.py
ADDED
pkgwhy/__main__.py
ADDED
pkgwhy/agent/__init__.py
ADDED
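--- a/pkgwhy/agent/judge.py
+++ b/pkgwhy/agent/judge.py
@@ -0,0 +1,93 @@
+from __future__ import annotations
+
+from pathlib import Path
+
+from pkgwhy.core.models import (
+    PackageIdentity,
+    PackageInspection,
+    PackageJudgement,
+    PackageMetadata,
+    PackageProvenance,
+    VulnerabilityMatch,
+)
+from pkgwhy.core.models import ReadabilityStatus, SourceAvailability
+from pkgwhy.inspection.files import (
+    analyze_file_signals,
+    distribution_file_paths,
+    infer_readability,
+    infer_source_availability,
+)
+from pkgwhy.inspection.python_static import analyze_python_files
+from pkgwhy.inspection.size import measure_distribution_size
+from pkgwhy.metadata.installed import get_distribution, get_installed_package, normalize_package_name
+from pkgwhy.risk.scoring import judge_inspection
+
+MAX_REPORTED_PATHS = 20
+
+
+def inspect_installed_package(name: str) -> PackageInspection | None:
+    metadata = get_installed_package(name)
+    dist = get_distribution(name)
+    if metadata is None or dist is None:
+        return None
+
+    paths = distribution_file_paths(dist)
+    size = measure_distribution_size(dist)
+    file_analysis = analyze_file_signals(paths, metadata.entry_points)
+    python_analysis = analyze_python_files(paths)
+    capabilities = sorted(
+        set(file_analysis.detected_capabilities)
+        | set(python_analysis.detected_capabilities)
+    )
+    evidence = [
+        "Read installed distribution metadata with importlib.metadata.",
+        "Measured installed files listed by distribution metadata.",
+        f"Statically parsed {python_analysis.files_scanned} Python files with AST.",
+        "Did not import or execute inspected package code.",
+    ]
+    evidence.extend(file_analysis.evidence)
+    evidence.extend(python_analysis.evidence)
+    rule_evidence = list(file_analysis.rule_evidence)
+    rule_evidence.extend(python_analysis.rule_evidence)
+    warnings: list[str] = []
+    warnings.extend(file_analysis.warnings)
+    warnings.extend(python_analysis.warnings)
+    if not paths:
+        warnings.append("Distribution metadata did not expose installed files for static file inspection.")
+
+    return PackageInspection(
+        metadata=metadata,
+        source_availability=infer_source_availability(paths),
+        readability=infer_readability(paths, file_analysis),
+        size=size,
+        package_paths=[Path(path) for path in paths[:MAX_REPORTED_PATHS]],
+        detected_capabilities=capabilities,
+        warnings=warnings,
+        evidence=evidence,
+        rule_evidence=rule_evidence,
+        file_analysis=file_analysis,
+    )
+
+
+def judge_installed_package(
+    name: str,
+    known_vulnerabilities: list[VulnerabilityMatch] | None = None,
+    provenance: PackageProvenance | None = None,
+) -> PackageJudgement:
+    inspection = inspect_installed_package(name)
+    if inspection is None:
+        metadata = PackageMetadata(
+            identity=PackageIdentity(name=name, normalized_name=normalize_package_name(name), version=None),
+            metadata_available=False,
+        )
+        inspection = PackageInspection(
+            metadata=metadata,
+            source_availability=SourceAvailability.NOT_INSTALLED,
+            readability=ReadabilityStatus.NOT_ENOUGH_SOURCE_AVAILABLE,
+            size=measure_distribution_size(None),
+            package_paths=[],
+            detected_capabilities=[],
+            warnings=["Package is not installed in the active Python environment."],
+            evidence=["Checked active environment metadata without importing package code."],
+        )
+    return judge_inspection(inspection, known_vulnerabilities=known_vulnerabilities, provenance=provenance)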
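Review bot: `package_paths` is silently cut to the first `MAX_REPORTED_PATHS` entries in `inspect_installed_package` (the `paths[:MAX_REPORTED_PATHS]` slice near the end of the function), so a consumer of the resulting `PackageInspection` cannot distinguish a 20-file package from a 2,000-file one, and neither `evidence` nor `warnings` records that the list was truncated. Since the untruncated `paths` list is what `analyze_file_signals` and `analyze_python_files` receive, the honest fix is to record the cut next to the existing `if not paths:` check: `if len(paths) > MAX_REPORTED_PATHS: evidence.append(f"Listed {MAX_REPORTED_PATHS} of {len(paths)} installed paths; all paths were still inspected.")`. Both public functions also lack a docstring; `inspect_installed_package` should state that it returns `None` when either the metadata or the distribution cannot be found in the active environment, and `judge_installed_package` that a not-installed package is judged from a synthetic `PackageInspection` built with `metadata_available=False`, which presumably relies on `rule_evidence` and `file_analysis` having defaults on the model (the fallback constructor omits them while the first one sets them; worth confirming against `pkgwhy/core/models.py`).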