macaron.malware_analyzer.pypi_heuristics package

Submodules

macaron.malware_analyzer.pypi_heuristics.base_analyzer module

Define and initialize the base analyzer.

class macaron.malware_analyzer.pypi_heuristics.base_analyzer.BaseHeuristicAnalyzer(name, heuristic, depends_on)

Bases: ABC

The base class that every heuristic analyzer extends; it stores the analyzer's name, the heuristic it implements, and the heuristics it depends on.

__init__(name, heuristic, depends_on)
abstract analyze(pypi_package_json)

The base analyze method that each of the seven heuristic analyzers must implement.

Parameters:

pypi_package_json (PyPIPackageJsonAsset) – The PyPI package JSON asset object.

Returns:

The result and related information collected during the analysis.

Return type:

tuple[HeuristicResult, dict[str, JsonType]]

macaron.malware_analyzer.pypi_heuristics.heuristics module

Define the heuristic enum.

class macaron.malware_analyzer.pypi_heuristics.heuristics.Heuristics(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: str, Enum

The seven heuristics used to detect a suspicious PyPI package.

Indicates that the package does not contain any project links (such as documentation or Git repository pages).

Indicates that the package contains project links, but all of them are unreachable.

ONE_RELEASE = 'one_release'

Indicates that the package contains only one release.

HIGH_RELEASE_FREQUENCY = 'high_release_frequency'

Indicates that the package has a high release frequency: the average time between releases (the sum of all gaps between consecutive releases divided by the number of gaps) is below a set threshold.

UNCHANGED_RELEASE = 'unchanged_release'

Indicates that all releases contain the same content (with identical digests).

CLOSER_RELEASE_JOIN_DATE = 'closer_release_join_date'

Indicates that the maintainer has registered their account close to the latest release date.

SUSPICIOUS_SETUP = 'suspicious_setup'

Indicates that the setup.py file contains suspicious imports, such as base64 and requests.

class macaron.malware_analyzer.pypi_heuristics.heuristics.HeuristicResult(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: str, Enum

Result type indicating the outcome of a heuristic.

PASS = 'PASS'

Indicates that no suspicious activity was detected.

FAIL = 'FAIL'

Indicates that suspicious activity was detected.

SKIP = 'SKIP'

Indicates that the heuristic check could not be performed because the required metadata is missing. This typically happens when the data fetched through the PyPI API lacks the relevant fields, such as the maintainer's join date or the release information.
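As an added illustration of the HIGH_RELEASE_FREQUENCY computation and of the PASS/FAIL/SKIP outcomes described above (example code written for this page, not Macaron's own implementation): it takes the `releases` mapping of the PyPI JSON API as input, and the threshold value is a placeholder, since the page does not state the one Macaron uses.

```python
from __future__ import annotations

from datetime import datetime
from enum import Enum


class HeuristicResult(str, Enum):
    """Outcome of a heuristic check (mirrors the enum documented on this page)."""
    PASS = "PASS"
    FAIL = "FAIL"
    SKIP = "SKIP"


# Placeholder threshold in days; the real Macaron value is not given on this page.
FREQUENCY_THRESHOLD_DAYS = 2.0


def analyze_release_frequency(releases: dict[str, list[dict]]) -> tuple[HeuristicResult, dict]:
    """Apply the HIGH_RELEASE_FREQUENCY heuristic to a PyPI ``releases`` mapping.

    ``releases`` has the shape of the ``releases`` field in the PyPI JSON API:
    version -> list of uploaded files, each carrying ``upload_time_iso_8601``.
    """
    upload_times = []
    for files in releases.values():
        if not files or "upload_time_iso_8601" not in files[0]:
            continue  # version without an uploaded file, or timestamp missing
        stamp = files[0]["upload_time_iso_8601"].replace("Z", "+00:00")
        upload_times.append(datetime.fromisoformat(stamp))
    if len(upload_times) < 2:
        # Fewer than two dated releases means there are no gaps to average: SKIP.
        return HeuristicResult.SKIP, {"releases_with_timestamp": len(upload_times)}
    upload_times.sort()
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(upload_times, upload_times[1:])]
    average_gap_days = sum(gaps) / len(gaps)  # sum of gaps divided by number of gaps
    result = HeuristicResult.FAIL if average_gap_days < FREQUENCY_THRESHOLD_DAYS else HeuristicResult.PASS
    return result, {"average_gap_days": average_gap_days, "threshold_days": FREQUENCY_THRESHOLD_DAYS}


# Constructed sample (not a real package): three versions uploaded one day apart.
SAMPLE_RELEASES = {
    "0.1.0": [{"upload_time_iso_8601": "2024-03-01T10:00:00.000000Z"}],
    "0.1.1": [{"upload_time_iso_8601": "2024-03-02T10:00:00.000000Z"}],
    "0.1.2": [{"upload_time_iso_8601": "2024-03-03T10:00:00.000000Z"}],
}

if __name__ == "__main__":
    print(analyze_release_frequency(SAMPLE_RELEASES))
```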