chore: improve the malicious metadata check #797

Merged
merged 14 commits into from
Jul 30, 2024

Conversation

behnazh-w

@behnazh-w behnazh-w commented Jul 21, 2024

This PR refactors and improves the _detect_malicious_metadata_check:

  • Moves the check under src/macaron/slsa_analyzer/checks/
  • Refactors the implementation of the check to avoid storing the metadata in the PyPIRegistry object and uses the AssetLocator representation instead.
  • Uses DB JSON type to store the serialized metadata info instead of dumping it as a string value.
  • Adds a new unit test for the check and improves the other relevant tests.
  • Adds the check to the django integration test case and its dependencies.
  • Ensures that the source code retrieved by the PyPIRegistry API is the version that matches the artifact PURL.
  • Removes the heuristics that introduce too many FPs.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 21, 2024
@behnazh-w behnazh-w force-pushed the behnazh/refactor-python-mal-check branch 3 times, most recently from 96fbbbf to f80e70e July 24, 2024 06:03
@behnazh-w behnazh-w closed this Jul 25, 2024
@behnazh-w behnazh-w reopened this Jul 25, 2024
@behnazh-w behnazh-w marked this pull request as ready for review July 25, 2024 04:47
@behnazh-w behnazh-w requested a review from tromai as a code owner July 25, 2024 04:47
@behnazh-w behnazh-w requested a review from benmss July 25, 2024 04:48
@behnazh-w behnazh-w force-pushed the behnazh/refactor-python-mal-check branch from cf3ffac to 693d79a July 25, 2024 05:11

@tromai tromai left a comment


LGTM. Thanks for the change.

@behnazh-w behnazh-w merged commit 5c2dbec into staging Jul 30, 2024
15 checks passed
@behnazh-w behnazh-w deleted the behnazh/refactor-python-mal-check branch September 23, 2024 03:57
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
This PR refactors and improves the _detect_malicious_metadata_check:

* Moves the check under src/macaron/slsa_analyzer/checks/
* Refactors the implementation of the check to avoid storing the metadata in the PyPIRegistry object and uses the AssetLocator representation instead.
* Uses DB JSON type to store the serialized metadata info instead of dumping it as a string value.
* Adds a new unit test for the check and improves the other relevant tests.
* Adds the check to the django integration test case and its dependencies.
* Ensures that the source code retrieved by the PyPIRegistry API is the version that matches the artifact PURL.
* Removes the heuristics that introduce too many FPs.

Signed-off-by: behnazh-w <[email protected]>