
chore: add CLOSER_RELEASE_JOIN_DATE heuristic as a dependency of SUSPICIOUS_SETUP #810


Merged
merged 1 commit into from
Jul 31, 2024

Conversation

behnazh-w
Member

Right now the CLOSER_RELEASE_JOIN_DATE heuristic in the mcn_detect_malicious_metadata_1 check does not depend on any other heuristic results. However, all the heuristic combinations require the CLOSER_RELEASE_JOIN_DATE heuristic to fail. This PR adds the CLOSER_RELEASE_JOIN_DATE heuristic as a dependency of SUSPICIOUS_SETUP to avoid running SUSPICIOUS_SETUP analyzer unnecessarily and improve performance.

@behnazh-w behnazh-w requested a review from tromai as a code owner July 31, 2024 06:25
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified label (All contributors have signed the Oracle Contributor Agreement) Jul 31, 2024
@tromai
Member

tromai commented Jul 31, 2024

For this Heuristic -

```python
    ): Confidence.HIGH,
    (
        HeuristicResult.FAIL,  # Empty Project
        HeuristicResult.SKIP,  # Unreachable Project Links
        HeuristicResult.PASS,  # One Release
        HeuristicResult.FAIL,  # High Release Frequency
        HeuristicResult.FAIL,  # Unchanged Release
        HeuristicResult.FAIL,  # Closer Release Join Date
        HeuristicResult.PASS,  # Suspicious Setup
        # No project link, frequent releases of multiple versions without modifying the content,
        # and the maintainer released it shortly after account registration.
```

If SUSPICIOUS_SETUP passes, it would mean that CLOSER_RELEASE_JOIN_DATE will be SKIPPED. This means that we will miss this heuristic combination.

@behnazh-w
Member Author

behnazh-w commented Jul 31, 2024

> For this Heuristic -
>
> ```python
>     ): Confidence.HIGH,
>     (
>         HeuristicResult.FAIL,  # Empty Project
>         HeuristicResult.SKIP,  # Unreachable Project Links
>         HeuristicResult.PASS,  # One Release
>         HeuristicResult.FAIL,  # High Release Frequency
>         HeuristicResult.FAIL,  # Unchanged Release
>         HeuristicResult.FAIL,  # Closer Release Join Date
>         HeuristicResult.PASS,  # Suspicious Setup
>         # No project link, frequent releases of multiple versions without modifying the content,
>         # and the maintainer released it shortly after account registration.
> ```
>
> If SUSPICIOUS_SETUP passes, it would mean that CLOSER_RELEASE_JOIN_DATE will be SKIPPED. This means that we will miss this heuristic combination.

That's not how the heuristics work and this scenario should not be possible. If heuristic A depends on heuristic B with result R, A will only run if B runs and returns R. With the change in this PR, SUSPICIOUS_SETUP will depend on CLOSER_RELEASE_JOIN_DATE. So, only if CLOSER_RELEASE_JOIN_DATE fails, SUSPICIOUS_SETUP will run, and will be skipped otherwise.
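
The dependency rule described in this comment, as an added stand-alone example that is not Macaron's own code: the enum names, the DEPENDS_ON table shape, the toy analyzers and the package record are all assumptions. It shows that SUSPICIOUS_SETUP is marked SKIP, and its analyzer is never invoked, unless CLOSER_RELEASE_JOIN_DATE ran and returned FAIL.

```python
from enum import Enum
from typing import Callable


class HeuristicResult(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    SKIP = "SKIP"


class Heuristic(Enum):
    CLOSER_RELEASE_JOIN_DATE = "closer_release_join_date"
    SUSPICIOUS_SETUP = "suspicious_setup"


# Dependency rule from the PR (assumed table shape): heuristic A runs only if
# heuristic B already ran and returned result R.
DEPENDS_ON: dict[Heuristic, tuple[Heuristic, HeuristicResult]] = {
    Heuristic.SUSPICIOUS_SETUP: (Heuristic.CLOSER_RELEASE_JOIN_DATE, HeuristicResult.FAIL),
}

Analyzer = Callable[[dict], HeuristicResult]


def run_heuristics(order: list[tuple[Heuristic, Analyzer]], package: dict):
    """Run analyzers in order; a heuristic whose dependency did not run, or did not
    return the required result, is recorded as SKIP and its analyzer is not called.
    Returns (results, list of heuristics whose analyzer actually ran)."""
    results: dict[Heuristic, HeuristicResult] = {}
    invoked: list[Heuristic] = []
    for heuristic, analyzer in order:
        dep = DEPENDS_ON.get(heuristic)
        if dep is not None and results.get(dep[0]) != dep[1]:
            results[heuristic] = HeuristicResult.SKIP
            continue
        invoked.append(heuristic)
        results[heuristic] = analyzer(package)
    return results, invoked


# Toy analyzers over a constructed package record (hypothetical fields, not Macaron's logic).
def closer_release_join_date(pkg: dict) -> HeuristicResult:
    return HeuristicResult.FAIL if pkg["days_between_join_and_release"] < 5 else HeuristicResult.PASS


def suspicious_setup(pkg: dict) -> HeuristicResult:
    return HeuristicResult.FAIL if pkg["setup_flagged"] else HeuristicResult.PASS


ORDER = [(Heuristic.CLOSER_RELEASE_JOIN_DATE, closer_release_join_date),
         (Heuristic.SUSPICIOUS_SETUP, suspicious_setup)]
```

Running `run_heuristics(ORDER, {...})` with a package released long after the account join shows SUSPICIOUS_SETUP as SKIP with its analyzer absent from the invoked list; with a release within a few days of joining, both analyzers run.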

@tromai
Member

tromai commented Jul 31, 2024

Ah I see. Thanks for the clarification, I looked at the PR description:

> This PR adds the CLOSER_RELEASE_JOIN_DATE heuristic as a dependency of SUSPICIOUS_SETUP to avoid running SUSPICIOUS_SETUP analyzer unnecessarily and improve performance.

And I thought that we are planning to make CLOSER_RELEASE_JOIN_DATE a child of SUSPICIOUS_SETUP.

@behnazh-w behnazh-w merged commit 02acfe4 into staging Jul 31, 2024
9 checks passed
@behnazh-w behnazh-w deleted the behnazh/change-setup-analyzer-dependson branch September 23, 2024 03:57
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
…ICIOUS_SETUP (#810)

This PR adds the CLOSER_RELEASE_JOIN_DATE heuristic as a dependency of SUSPICIOUS_SETUP to avoid running SUSPICIOUS_SETUP analyzer unnecessarily and improve performance.

Signed-off-by: behnazh-w <[email protected]>