Add extensions ecosystem support for Guarddog #589
Conversation
tesnim5hamdouni
force-pushed
the
tham/vsc_ecosystem
branch
from
d43ead2 to
4bce5bd
Compare
There was a problem hiding this comment.
Looks good! I had 2-3 questions and a handful of nits but no major changes requested.
Let's make sure @sobregosodd gets a chance to look at it, as well.
guarddog/analyzer/analyzer.py
Outdated
| output = { | ||
| "issues": issues, | ||
| "errors": errors, | ||
| "results": results, | ||
| "path": path} | ||
| # Including extension info - pending discussion | ||
| # if info is not None: | ||
| # output["package_info"] = info | ||
|
|
||
| return output | ||
|
|
||
| def analyze_metadata( | ||
| self, | ||
| path: str, | ||
| info, | ||
| rules=None, | ||
| name: Optional[str] = None, | ||
| version: Optional[str] = None) -> dict: |
There was a problem hiding this comment.
- this entire block changed nothing, let's keep the new
analyze_metadataformated one
guarddog/analyzer/analyzer.py
Outdated
|
|
||
| # Define verbose rules that should only show "file-level" triggers | ||
| verbose_rules = { | ||
| "DETECT_FILE_obfuscator_dot_io", |
There was a problem hiding this comment.
- this should not be hardcoded, let's find another way
| 'rm -rf', | ||
| 'del /s', | ||
| 'format', | ||
| 'shutdown', | ||
| 'curl', | ||
| 'wget', | ||
| 'powershell'] |
There was a problem hiding this comment.
not a good idea to hardcode these here. let's talk alternatives
|
|
||
| # Default to EXTENSION for general YARA rules (can be adjusted as when | ||
| # other ecosystems are supported) | ||
| rule_ecosystem = ECOSYSTEM.EXTENSION |
There was a problem hiding this comment.
- this is not right, all ecosystems are currently supported. you might need to parse the metadata here
…fix formatting :)
There was a problem hiding this comment.
LGTM, a couple optional suggestions.
Let's make sure to also get approval from @sobregosodd before merging.
| # Determine ecosystem based on filename prefix | ||
| rule_ecosystem: Optional[ECOSYSTEM] | ||
| if file_name.startswith("extension_"): | ||
| rule_ecosystem = ECOSYSTEM.EXTENSION | ||
| else: | ||
| # If no specific ecosystem prefix, apply to any ecosystem | ||
| rule_ecosystem = None |
There was a problem hiding this comment.
rule_ecosystem = None
if file_name.startswith("extension_"):
rule_ecosystem = ECOSYSTEM.EXTENSIONThere was a problem hiding this comment.
You may also want to move the "extension_" piece to a constant.
There was a problem hiding this comment.
You could even do rule_ecosystem = ECOSYSTEM.EXTENSION if file_name.startswith("extension_") else None
There was a problem hiding this comment.
I'll wait for Sebastian's review and apply this change
There was a problem hiding this comment.
mmh... actually, we don't use the name's prefix to do this, we use the metadata of the rule.
similar to description_regex up there.
in some ideal future world, we should remove the prefixes of the rules (there are problems if we try to do this now)
Adding Extension ecosystem support to GD.
The changes include: