Skip to content

test: resolve bugs in sourcecode analyzer to allow unit tests to run offline #1136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

test: resolve bugs in sourcecode analyzer to allow unit tests to run offline #1136

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4eb9bc6
fix: disable metrics and version checking so scan does not make netwo…
art1f1c3R Jun 18, 2025
ed3c030
test: replaced Config error with a warning, and catch it analyze so o…
art1f1c3R Aug 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 28 additions & 10 deletions src/macaron/malware_analyzer/pypi_heuristics/sourcecode/pypi_sourcecode_analyzer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,21 +118,31 @@ def _load_defaults(self, resources_path: str) -> tuple[str, str | None, set[str]
logger.debug(error_msg)
raise ConfigurationError(error_msg)

semgrep_commands: list[str] = ["semgrep", "scan", "--validate", "--oss-only", "--config", custom_rule_path]
semgrep_commands: list[str] = [
"semgrep",
"scan",
"--metrics",
"off",
"--disable-version-check",
"--validate",
"--oss-only",
"--config",
custom_rule_path,
]
try:
process = subprocess.run(semgrep_commands, check=True, capture_output=True) # nosec B603
if process.returncode != 0:
warning_msg = (
f"Error running semgrep validation on {custom_rule_path} with arguments" f" {process.args}."
)
logger.warning(warning_msg)

except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as semgrep_error:
error_msg = (
warning_msg = (
f"Unable to run semgrep validation on {custom_rule_path} with arguments "
f"{semgrep_commands}: {semgrep_error}."
)
logger.debug(error_msg)
raise ConfigurationError(error_msg) from semgrep_error

if process.returncode != 0:
error_msg = f"Error running semgrep validation on {custom_rule_path} with arguments" f" {process.args}."
logger.debug(error_msg)
raise ConfigurationError(error_msg)
logger.warning(warning_msg)

logger.debug("Including custom ruleset from %s.", custom_rule_path)

Expand Down Expand Up @@ -248,7 +258,15 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
# Here, we disable 'nosemgrep' ignoring so that this is not an evasion method of our scan (i.e. malware includes
# 'nosemgrep' comments to prevent our scan detecting those code lines). Read more about the 'nosemgrep' feature
# here: https://semgrep.dev/docs/ignoring-files-folders-code
semgrep_commands: list[str] = ["semgrep", "scan", "--oss-only", "--disable-nosem"]
semgrep_commands: list[str] = [
"semgrep",
"scan",
"--metrics",
"off",
"--disable-version-check",
"--oss-only",
"--disable-nosem",
]
result: HeuristicResult = HeuristicResult.PASS

source_code_path = pypi_package_json.package_sourcecode_path
Expand Down
12 changes: 9 additions & 3 deletions tests/malware_analyzer/pypi/test_pypi_sourcecode_analyzer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ def test_nonexistent_rule_path(mock_defaults: MagicMock) -> None:


@patch("macaron.malware_analyzer.pypi_heuristics.sourcecode.pypi_sourcecode_analyzer.defaults")
def test_invalid_custom_rules(mock_defaults: MagicMock) -> None:
def test_invalid_custom_rules(mock_defaults: MagicMock, pypi_package_json: MagicMock) -> None:
"""Test for when the provided file is not a valid semgrep rule, so error,"""
# Use this file as an invalid semgrep rule as it is most definitely not a semgrep rule, and does exist.
defaults = {
Expand All @@ -103,8 +103,14 @@ def test_invalid_custom_rules(mock_defaults: MagicMock) -> None:
mock_defaults.has_section.side_effect = lambda section: section == "heuristic.pypi"
mock_defaults.__getitem__.side_effect = lambda section: sub_section if section == "heuristic.pypi" else None

with pytest.raises(ConfigurationError):
_ = PyPISourcecodeAnalyzer(resources_path=RESOURCES_PATH)
analyzer = PyPISourcecodeAnalyzer(resources_path=RESOURCES_PATH)
pypi_package_json.package_sourcecode_path = os.path.join(
os.path.dirname(os.path.abspath(__file__)), "resources", "sourcecode_samples"
)

# Semgrep should fail to run when we launch analysis
with pytest.raises(HeuristicAnalyzerValueError):
_ = analyzer.analyze(pypi_package_json)


@patch("macaron.malware_analyzer.pypi_heuristics.sourcecode.pypi_sourcecode_analyzer.defaults")
Expand Down
Loading