Improve detection for Python setuptools backdoors #164
Merged
Conversation
* Fix GoReleaser
* Add project_name
* Remove problematic MS repository from Checks
* Repository has been fixed

…d-dev#171)

Bumps the all group with 1 update: [actions/checkout](https://github.com/actions/checkout).

Updates `actions/checkout` from 4.1.3 to 4.1.4
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@1d96c77...0ad4b8f)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add ThreatHunting-Keywords-yara-rules
* Update README
* Remove superfluous mkdir command
* Fix tests
* Fix tests
* Remove merge artifacts
* Pin rules to a known commit; add check for updates
* Re-add -s
* Avoid using jq for portability
* Add new commit to output
* Fix test

…v#172)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@3cfe3a4...82d40c2)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Thomas Strömberg <t+github@chainguard.dev>
Co-authored-by: Ville Aikas <11279988+vaikas@users.noreply.github.com>
tstromberg changed the title from "Improve reliability of py_setuptools rules" to "Improve reliability of rules that search for Python setuptools" on May 7, 2024
tstromberg changed the title from "Improve reliability of rules that search for Python setuptools" to "Improve Python detection, particularly for setuptools" on May 7, 2024
tstromberg changed the title from "Improve Python detection, particularly for setuptools" to "Improve Python detection, particularly around setuptools" on May 7, 2024
tstromberg changed the title from "Improve Python detection, particularly around setuptools" to "Improve detection for Python setuptools backdoors" on May 13, 2024
Our Python rules didn't reliably match the use of "setuptools"; often we'll use the fact that the script is a library installer to up the suspicion level.
This does add a private rule that we copy around to a couple of files. The lack of re-use isn't great, and neither is the private rule behavior. The use of a private rule means we're unable to see or extract the strings related to it and present it to the user.
This also fixes a misfeature in `report.go` where we'd use the longest rule match description even if the rule had less criticality. This was being seen in the py_setuptools backdoor combo rule.