Merge pull request #614 from DataDog/s.obregoso/fix_to_release

sobregosodd · web-flow · commit de024fdf369f · 2025-10-01T12:46:23.000-03:00
Misc fixes
diff --git a/guarddog/analyzer/sourcecode/extension_suspicious_passwd_access_linux.yar b/guarddog/analyzer/sourcecode/extension_suspicious_passwd_access_linux.yar
diff --git a/guarddog/analyzer/sourcecode/suspicious_passwd_access_linux.yar b/guarddog/analyzer/sourcecode/suspicious_passwd_access_linux.yar
@@ -1,4 +1,4 @@
-rule DETECT_FILE_powershell_policy_bypass
+rule suspicious_passwd_access_linux
 {
     meta:
         author = "T HAMDOUNI, Datadog"
@@ -9,4 +9,4 @@ rule DETECT_FILE_powershell_policy_bypass
         $read = /(readFile|readFileSync)\(\s*['"]\/etc\/passwd/ nocase
     condition:
         $cli or $read
-}
+}
diff --git a/guarddog/scanners/pypi_project_scanner.py b/guarddog/scanners/pypi_project_scanner.py
@@ -3,7 +3,7 @@
 import re
 from typing import List
 
-import pkg_resources
+from packaging.requirements import Requirement
 import requests
 from packaging.specifiers import Specifier, Version
 
@@ -111,12 +111,11 @@ def safe_parse_requirements(req):
             """
             This helper function yields one valid requirement line at a time
             """
-            parsed = pkg_resources.parse_requirements(req)
-            while True:
+            for req_line in req:
+                if not req_line.strip():
+                    continue
                 try:
-                    yield next(parsed)
-                except StopIteration:
-                    break
+                    yield Requirement(req_line)
                 except Exception as e:
                     log.error(
                         f"Error when parsing requirements, received error {str(e)}. This entry will be "
@@ -130,7 +129,7 @@ def safe_parse_requirements(req):
                     continue
 
                 versions = get_matched_versions(
-                    find_all_versions(requirement.project_name),
+                    find_all_versions(requirement.name),
                     (
                         requirement.url
                         if requirement.url
@@ -140,7 +139,7 @@ def safe_parse_requirements(req):
 
                 if len(versions) == 0:
                     log.error(
-                        f"Package/Version {requirement.project_name} not on PyPI\n"
+                        f"Package/Version {requirement.name} not on PyPI\n"
                     )
                     continue
 
@@ -165,13 +164,13 @@ def safe_parse_requirements(req):
                 # find the dep with the same name or create a new one
                 dep = next(
                     filter(
-                        lambda d: d.name == requirement.project_name,
+                        lambda d: d.name == requirement.name,
                         dependencies,
                     ),
                     None,
                 )
                 if not dep:
-                    dep = Dependency(name=requirement.project_name, versions=set())
+                    dep = Dependency(name=requirement.name, versions=set())
                     dependencies.append(dep)
 
                 dep.versions.update(dep_versions)
diff --git a/tests/analyzer/sourcecode/api-obfuscation.py b/tests/analyzer/sourcecode/api-obfuscation.py
@@ -15,19 +15,45 @@ def send():
             open(filename, 'wb').write(rq.content)
             
             # os.system('start '+filename)
+            # ruleid: api-obfuscation
             os.__dict__['startfile']('start '+filename)
+
+            # ruleid: api-obfuscation
             os.__dict__['startfile'].__call__('start '+filename)
+            # ruleid: api-obfuscation
             os.__getattribute__('startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
             os.__getattribute__('startfile').__call__('start '+filename)
+
+            # ruleid: api-obfuscation
             getattr(os, 'startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
             getattr(os, 'startfile').__call__('start '+filename)
+
+            # ruleid: api-obfuscation
             __import__('os').startfile('start '+filename)
+
+            # ruleid: api-obfuscation
             __import__('os').startfile.__call__('start '+filename)
+
+            # ruleid: api-obfuscation
             __import__('os').__dict__['startfile']('start '+filename)
+
+            # ruleid: api-obfuscation
             __import__('os').__dict__['startfile'].__call__('start '+filename)
+
+            # ruleid: api-obfuscation
             __import__('os').__getattribute__('startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
             __import__('os').__getattribute__('startfile').__call__('start '+filename)
+
+            # ruleid: api-obfuscation
             getattr(__import__('os'), 'startfile')('start '+filename)
+
+            # ruleid: api-obfuscation
             getattr(__import__('os'), 'startfile').__call__('start '+filename)
     except:
         pass    
diff --git a/tests/analyzer/sourcecode/suspicious_passwd_access_linux.test b/tests/analyzer/sourcecode/suspicious_passwd_access_linux.test
@@ -0,0 +1 @@
+cat /etc/passwd
diff --git a/tests/analyzer/sourcecode/test_eval_call.js b/tests/analyzer/sourcecode/test_eval_call.js
diff --git a/tests/analyzer/sourcecode/test_sourcecode_yara.py b/tests/analyzer/sourcecode/test_sourcecode_yara.py
@@ -49,6 +49,6 @@ def test_source_codde_analyzer_yara_exec(rule_name: str):
             if not f.startswith(f"{rule_name}."):
                 continue
 
-            # testing file against against rule
+            # testing file against rule
             print(f"Testing YARA rule: {rule_name}")
             assert test_scan_rule.match(os.path.join(root, f))
