Skip to content

Commit 9b05632

Browse files
art1f1c3Rart1f1c3R
authored
chore: change rules for fake email analyzer to reduce FPs (#1146)
Added in further heuristics in combination with the fake email analyzer to reduce FPs. Signed-off-by: Carl Flottmann <[email protected]>
1 parent 4daa784 commit 9b05632

File tree

1 file changed

+13
-6
lines changed

1 file changed

+13
-6
lines changed

src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -433,22 +433,29 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
433433
failed({Heuristics.ONE_RELEASE.value}),
434434
failed({Heuristics.ANOMALOUS_VERSION.value}).
435435
436-
% Package released recently with the a maintainer email address that is not valid.
436+
% Package has no links, one release or multiple quick releases, and a suspicious maintainer who recently
437+
% joined, has a fake email address, and other similarly-structured projects.
437438
{Confidence.MEDIUM.value}::trigger(malware_medium_confidence_3) :-
438439
quickUndetailed,
439-
failed({Heuristics.FAKE_EMAIL.value}),
440-
failed({Heuristics.SIMILAR_PROJECTS.value}).
441-
440+
failed({Heuristics.SIMILAR_PROJECTS.value}),
441+
failed({Heuristics.ONE_RELEASE.value}),
442+
failed({Heuristics.FAKE_EMAIL.value}).
443+
{Confidence.MEDIUM.value}::trigger(malware_medium_confidence_4) :-
444+
quickUndetailed,
445+
failed({Heuristics.SIMILAR_PROJECTS.value}),
446+
failed({Heuristics.HIGH_RELEASE_FREQUENCY.value}),
447+
failed({Heuristics.FAKE_EMAIL.value}).
442448
% ----- Evaluation -----
443449
444450
% Aggregate result
445451
{problog_result_access} :- trigger(malware_high_confidence_1).
446452
{problog_result_access} :- trigger(malware_high_confidence_2).
447453
{problog_result_access} :- trigger(malware_high_confidence_3).
448454
{problog_result_access} :- trigger(malware_high_confidence_4).
449-
{problog_result_access} :- trigger(malware_medium_confidence_3).
450-
{problog_result_access} :- trigger(malware_medium_confidence_2).
451455
{problog_result_access} :- trigger(malware_medium_confidence_1).
456+
{problog_result_access} :- trigger(malware_medium_confidence_2).
457+
{problog_result_access} :- trigger(malware_medium_confidence_3).
458+
{problog_result_access} :- trigger(malware_medium_confidence_4).
452459
query({problog_result_access}).
453460
454461
% Explainability

0 commit comments

Comments
 (0)