Wrong information showing on terminal #353
Comments
|
This happens with the union of NPM_RULES = set(get_metadata_detectors(ECOSYSTEM.NPM).keys()) | SEMGREP_RULE_NAMES
PYPI_RULES = set(get_metadata_detectors(ECOSYSTEM.PYPI).keys()) | SEMGREP_RULES_NAMESIf you remove it you're left with correct metadata heuristics for each ecosystem. Adding source code heuristics can be done as follows, but not sure if this is the best solution # Add source code rules to PYPI / NPM set
for ecosystem, rules in SOURCECODE_RULES.items():
for rule in rules:
rule_id = rule["id"]
if rule_id.startswith("npm"):
NPM_RULES.add(rule_id)
else:
PYPI_RULES.add(rule_id)After that: pypi: Usage: python -m guarddog pypi scan [OPTIONS] TARGET
Scan a given PyPI package
Options:
--exit-non-zero-on-finding Exit with a non-zero status code if at least
one issue is identified
-v, --version TEXT Specify a version to scan
--output-format [json]
-x, --exclude-rules [potentially_compromised_email_domain|typosquatting|bundled_binary|unclaimed_maintainer_email_domain|repository_integrity_mismatch|single_python_file|shady-links|exec-base64|download-executable|clipboard-access|cmd-overwrite|code-execution|steganography|exfiltrate-sensitive-data|silent-process-execution|empty_information|obfuscation|release_zero]
-r, --rules [potentially_compromised_email_domain|typosquatting|bundled_binary|unclaimed_maintainer_email_domain|repository_integrity_mismatch|single_python_file|shady-links|exec-base64|download-executable|clipboard-access|cmd-overwrite|code-execution|steganography|exfiltrate-sensitive-data|silent-process-execution|empty_information|obfuscation|release_zero]
--help Show this message and exit.npm: Usage: python -m guarddog npm scan [OPTIONS] TARGET
Scan a given npm package
Options:
--exit-non-zero-on-finding Exit with a non-zero status code if at least
one issue is identified
-v, --version TEXT Specify a version to scan
--output-format [json]
-x, --exclude-rules [potentially_compromised_email_domain|unclaimed_maintainer_email_domain|direct_url_dependency|npm-silent-process-execution|bundled_binary|npm-exec-base64|typosquatting|empty_information|npm-obfuscation|npm-install-script|npm-exfiltrate-sensitive-data|npm-serialize-environment|npm_metadata_mismatch|release_zero]
-r, --rules [potentially_compromised_email_domain|unclaimed_maintainer_email_domain|direct_url_dependency|npm-silent-process-execution|bundled_binary|npm-exec-base64|typosquatting|empty_information|npm-obfuscation|npm-install-script|npm-exfiltrate-sensitive-data|npm-serialize-environment|npm_metadata_mismatch|release_zero]
--help Show this message and exit.@sobregosodd / @christophetd any thoughts? |
|
After doing a thorough review of the source code, I got these findings:
NPM_RULES = set(get_metadata_detectors(ECOSYSTEM.NPM).keys()) | set([rules["id"] for rules in SOURCECODE_RULES[ECOSYSTEM.NPM]])
PYPI_RULES = set(get_metadata_detectors(ECOSYSTEM.PYPI).keys()) | set([rules["id"] for rules in SOURCECODE_RULES[ECOSYSTEM.PYPI]])
self.sourcecode_ruleset = PYPI_SOURCE_RULES if ecosystem is ECOSYSTEM.PYPI else NPM_SOURCE_RULES[OUTPUT]
Another recommendation: Feel free to let me know your choice and any suggestions! I can request a PR to fix this issue. |
Yes, I like this approach better than mine.
I am merely just a contributor, but I like your changes. Feel free to open a PR, and hopefully they'll review it. |
Command$ guarddog pypi scan --help
Output:
Issue:
The information displayed in the console is confusing because the PyPI scan should not include npm-related information.
The same situation occurred in the results returned by the scanner.
The text was updated successfully, but these errors were encountered: