Guarddog integration #2499
Guarddog integration #2499
Conversation
| # interval between http request polling (in secs) | ||
| poll_distance: int = 30 |
There was a problem hiding this comment.
This is the polling between this script in the main docker container and the malware docker container. The problem about this number is that if the analyzers finishes its computation in the middle of those 30 seconds, the client would get the results a lot later than intended. Because of this, this value can usually reduced to a lower number.
How much time does this analyzer require to be completely executed in your experience?
| "name": "GuarddogObservable_go", | ||
| "description": "GuardDog is a tool that allows to identify malicious PyPI and npm packages or Go modules. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata.\r\n\r\ngo modules observable. Just give the name of the package", |
There was a problem hiding this comment.
It's enough a single migration for all the 3 cases (npm,pypi, org) and you can call it GuarddogObservable generically
There was a problem hiding this comment.
you can remove the other 2 and the merge migration
| "name": "GuarddogFile_go", | ||
| "description": "GuardDog is a tool that allows to identify malicious PyPI and npm packages or Go modules. It runs a set of heuristics on the package source code (through Semgrep rules) and on the package metadata.\r\n\r\nSubmit the go packed file to analize", |
There was a problem hiding this comment.
same for the "File" type of migrations, 1 python file is enough
| # Add user for guarddog | ||
| #RUN addgroup --system --gid 1000 guarddog \ | ||
| # && adduser --system --shell /bin/bash --uid 1000 --ingroup guarddog guarddog | ||
|
|
There was a problem hiding this comment.
is this necessary or is it a leftover?
| # Install Guarddog | ||
| # Not working with virutalenv | ||
| WORKDIR ${PROJECT_PATH}/guarddog | ||
|
|
||
| RUN pip3 install --no-cache-dir --upgrade pip \ | ||
| && pip3 install --no-cache-dir guarddog | ||
|
|
||
|
|
There was a problem hiding this comment.
the ideal thing would be to use its own python virtual environment like we did for all of the other integrations in this image to avoid conflicts. You can copy how we did that for the others
There was a problem hiding this comment.
(you can add a new file in the requirements folder with that guardog dependency and pinning a version for reproducibility)
|
|
||
| shell2http.register_command( | ||
| endpoint="guarddog", | ||
| command_name="/usr/local/bin/guarddog", |
There was a problem hiding this comment.
when adding a virtual env, this path would change. See other tools
adding GuardDog CI closes #2483
Description
GuardDog tool was added to the Docker of malware_tools_analyzers, because the requirement of python 3.10, libraries for thug were also updated. The decision to use docker instead of directly integration is because is the only way to support Windows.
[Guarddog] (https://github.com/DataDog/guarddog/tree/main) scans for libraries in the ecosystem to detect suspicious or malicious content
It supports pypi, npm and go modules. It can scan a binary file with the package or from the name retrieve from the repository and perform the scan. In total six new scanners were added.
Type of change
Please delete options that are not relevant.
Checklist
developdumpplugincommand and added it in the project as a data migration. ("How to share a plugin with the community")test_files.zipand you added the default tests for that mimetype in test_classes.py.FREE_TO_USE_ANALYZERSplaybook by following this guide.urlthat contains this information. This is required for Health Checks._monkeypatch()was used in its class to apply the necessary decorators.MockUpResponseof the_monkeypatch()method. This serves us to provide a valid sample for testing.Black,Flake,Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.testsfolder). All the tests (new and old ones) gave 0 errors.DeepSource,Django Doctorsor other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.Important Rules
Results:
report:"Found 0 potentially malicious indicators scanning flask Some rules failed to run while scanning flask: * rules-all: failed to run rule: An error occurred when running Semgrep. command: semgrep --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/shady-links.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/cmd-overwrite.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/obfuscation.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/steganography.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/silent-process-execution.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/bidirectional-characters.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/clipboard-access.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/code-execution.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/download-executable.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/exec-base64.yml --config /opt/deploy/guarddog/venv/lib/python3.10/site-packages/guarddog/analyzer/sourcecode/dll-hijacking.yml --exclude='helm' --exclude='.idea' --exclude='venv' --exclude='test' --exclude='tests' --exclude='.env' --exclude='dist' --exclude='build' --exclude='semgrep' --exclude='migrations' --exclude='.github' --exclude='.semgrep_logs' --no-git-ignore --json --quiet --max-target-bytes=10000000 /tmp/tmpum2n0sfa/flask status code: 1 output: "
errors:
scan_type:"pypi"