Skip to content

Commit a653bc5

Browse files
art1f1c3Rart1f1c3R
committed
docs: included tutorial section explaining source code analysis
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
1 parent 06fd636 commit a653bc5

File tree

1 file changed

+15
-0
lines changed

1 file changed

+15
-0
lines changed

docs/source/pages/tutorials/detect_malicious_package.rst

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -232,6 +232,21 @@ Macaron also provides a confidence score for each check result, represented as a
232232
is_component(component_id, purl),
233233
match("pkg:pypi/django@.*", purl).
234234
235+
''''''''''''''''''''
236+
Source Code Analysis
237+
''''''''''''''''''''
238+
239+
Macaron supports static code analysis as a malware analysis heuristic. This can be enabled by supplying the command line argument ``--analyze-source``. Macaron uses the open-source static code analysis tool Semgrep to analyse the source code of a python package, looking for malicious code patterns defined in Macaron's own Semgrep rules. Currently supported are detection of attempts to obfuscate the source code, and detection of code that exfiltrates sensitive data to a remote connection.
240+
241+
By default, the source code analyzer is run in conjunction with the other metadata heuristics. The source code heuristic is optimised such that it is not always required to be run to ensure a package is benign, so it will not always be run as part of the heuristic analysis, even when enabled. To force it to run regardless of the result of other heuristics, the command line argument ``--force-analyze-source`` must be supplied. To analyze ``django@5.0.6`` with source code analysis enabled and enforced, the following command may be run:
242+
243+
.. code-block:: shell
244+
245+
./run_macaron.sh analyze -purl pkg:pypi/django@5.0.6 --python-venv "/tmp/.django_venv" --analyze-source --force-analyze-source
246+
247+
If any suspicious patterns are triggered, this will be identified in the ``mcn_detect_malicious_metadata_1`` result for the heuristic named ``suspicious_patterns``. The output database ``output/macaron.db`` can be used to get the specific results of the analysis by querying the :class:`detect_malicious_metadata_check.result field <macaron.database>`. This will provide detailed JSON information about all data collected by the ``mcn_detect_malicious_metadata_1`` check, including, for source code analysis, any malicious code patterns detected, what Semgrep rule detected it, the file in which it was detected, and the line number for the detection.
248+
249+
235250
***********
236251
Future Work
237252
***********

0 commit comments

Comments
 (0)