chore(typosquatting): improve variable names and comments for clarity

Signed-off-by: Amine <[email protected]>

Author: AmineRaouane

.DS_Store

@@ -367,16 +367,6 @@ def main(argv: list[str] | None = None) -> None:
         help="The directory where Macaron looks for already cloned repositories.",
     )
 
-    main_parser.add_argument(
-        "-pp",
-        "--popular-packages-path",
-        required=False,
-        type=str,
-        default=None,
-        help="The path to the popular packages file used for typosquatting detection.",
-        dest="popular_packages_path",
-    )
-
     # Add sub parsers for each action.
     sub_parser = main_parser.add_subparsers(dest="action", help="Run macaron <action> --help for help")
 
@@ -589,7 +579,6 @@ def main(argv: list[str] | None = None) -> None:
         build_log_path=os.path.join(args.output_dir, "build_log"),
         debug_level=log_level,
         local_repos_path=args.local_repos_path,
-        popular_packages_path=args.popular_packages_path,
         resources_path=os.path.join(macaron.MACARON_PATH, "resources"),
     )
 

src/macaron/__main__.py

@@ -49,9 +49,6 @@ class GlobalConfig:
     #: The path to the local .m2 Maven repository. This attribute is None if there is no available .m2 directory.
     local_maven_repo: str | None = None
 
-    #: The path to the popular packages file.
-    popular_packages_path: str | None = None
-
     def load(
         self,
         macaron_path: str,
@@ -60,7 +57,6 @@ def load(
         debug_level: int,
         local_repos_path: str,
         resources_path: str,
-        popular_packages_path: str,
     ) -> None:
         """Initiate the GlobalConfig object.
 
@@ -85,7 +81,6 @@ def load(
         self.debug_level = debug_level
         self.local_repos_path = local_repos_path
         self.resources_path = resources_path
-        self.popular_packages_path = popular_packages_path
 
     def load_expectation_files(self, exp_path: str) -> None:
         """

src/macaron/config/global_config.py

@@ -66,23 +66,21 @@ def __init__(self) -> None:
             self._load_defaults()
         )
 
-        if global_config.popular_packages_path is not None:
-            self.popular_packages_path = global_config.popular_packages_path
-
     def _load_defaults(self) -> tuple[str, float, float, float, float]:
         """Load default settings from defaults.ini.
 
         Returns
         -------
         tuple[str, float, float, float, float]:
-            The Major threshold, Epoch threshold, and Day published error.
+            The path to the popular packages file, distance ratio threshold,
+            keyboard awareness factor, scaling factor, and cost factor.
         """
         section_name = "heuristic.pypi"
         default_path = os.path.join(global_config.resources_path, "popular_packages.txt")
         if defaults.has_section(section_name):
             section = defaults[section_name]
             path = section.get("popular_packages_path", default_path)
-            # Fall back to default if the path in defaults.ini is empty
+            # Fall back to default if the path in defaults.ini is empty.
             if not path.strip():
                 path = default_path
             return (
@@ -100,35 +98,35 @@ def _load_defaults(self) -> tuple[str, float, float, float, float]:
             1.0,
         )
 
-    def are_neighbors(self, char1: str, char2: str) -> bool:
+    def are_neighbors(self, first_char: str, second_char: str) -> bool:
         """Check if two characters are adjacent on a QWERTY keyboard.
 
         Parameters
         ----------
-        char1 : str
+        first_char : str
             The first character.
-        char2 : str
+        second_char : str
             The second character.
 
         Returns
         -------
         bool
             True if the characters are neighbors, False otherwise.
         """
-        c1 = self.KEYBOARD_LAYOUT.get(char1)
-        c2 = self.KEYBOARD_LAYOUT.get(char2)
-        if not c1 or not c2:
+        coordinates1 = self.KEYBOARD_LAYOUT.get(first_char)
+        coordinates2 = self.KEYBOARD_LAYOUT.get(second_char)
+        if not coordinates1 or not coordinates2:
             return False
-        return (abs(c1[0] - c2[0]) <= 1) and (abs(c1[1] - c2[1]) <= 1)
+        return (abs(coordinates1[0] - coordinates2[0]) <= 1) and (abs(coordinates1[1] - coordinates2[1]) <= 1)
 
-    def substitution_func(self, char1: str, char2: str) -> float:
+    def substitution_func(self, first_char: str, second_char: str) -> float:
         """Calculate the substitution cost between two characters.
 
         Parameters
         ----------
-        char1 : str
+        first_char : str
             The first character.
-        char2 : str
+        second_char : str
             The second character.
 
         Returns
@@ -137,9 +135,9 @@ def substitution_func(self, char1: str, char2: str) -> float:
             0.0 if the characters are the same, `self.keyboard` if they are
             neighbors on a QWERTY keyboard, otherwise `self.cost` .
         """
-        if char1 == char2:
+        if first_char == second_char:
             return 0.0
-        if self.keyboard and self.are_neighbors(char1, char2):
+        if self.keyboard and self.are_neighbors(first_char, second_char):
             return self.keyboard
         return self.cost
 
@@ -161,21 +159,22 @@ def jaro_distance(self, package_name: str, popular_package_name: str) -> float:
         if package_name == popular_package_name:
             return 1.0
 
-        len1, len2 = len(package_name), len(popular_package_name)
-        if len1 == 0 or len2 == 0:
+        package_name_len = len(package_name)
+        popular_package_name_len = len(popular_package_name)
+        if package_name_len == 0 or popular_package_name_len == 0:
             return 0.0
 
-        match_distance = max(len1, len2) // 2 - 1
+        match_distance = max(package_name_len, popular_package_name_len) // 2 - 1
 
-        package_name_matches = [False] * len1
-        popular_package_name_matches = [False] * len2
+        package_name_matches = [False] * package_name_len
+        popular_package_name_matches = [False] * popular_package_name_len
         matches = 0
-        transpositions = 0.0  # Now a float to handle partial costs
+        transpositions = 0.0  # a float to handle partial costs.
 
-        # Count matches
-        for i in range(len1):
+        # Count matches.
+        for i in range(package_name_len):
             start = max(0, i - match_distance)
-            end = min(i + match_distance + 1, len2)
+            end = min(i + match_distance + 1, popular_package_name_len)
             for j in range(start, end):
                 if popular_package_name_matches[j]:
                     continue
@@ -188,19 +187,21 @@ def jaro_distance(self, package_name: str, popular_package_name: str) -> float:
         if matches == 0:
             return 0.0
 
-        # Count transpositions with possible keyboard awareness
+        # Count transpositions with possible keyboard awareness.
         k = 0
-        for i in range(len1):
+        for i in range(package_name_len):
             if package_name_matches[i]:
                 while not popular_package_name_matches[k]:
                     k += 1
                 if package_name[i] != popular_package_name[k]:
                     transpositions += self.substitution_func(package_name[i], popular_package_name[k])
                 k += 1
 
-        transpositions /= 2.0  # Adjust for transpositions being counted twice
+        transpositions /= 2.0  # Adjust for transpositions being counted twice.
 
-        return (matches / len1 + matches / len2 + (matches - transpositions) / matches) / 3.0
+        return (
+            matches / package_name_len + matches / popular_package_name_len + (matches - transpositions) / matches
+        ) / 3.0
 
     def ratio(self, package_name: str, popular_package_name: str) -> float:
         """Calculate the Jaro-Winkler distance ratio.
@@ -243,7 +244,6 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
         tuple[HeuristicResult, dict[str, JsonType]]:
             The result and related information collected during the analysis.
         """
-        # If there is a popular packages file, check if the package name is similar to any of them
         if not self.popular_packages_path or not os.path.exists(self.popular_packages_path):
             err_msg = f"Popular packages file not found or path not configured: {self.popular_packages_path}"
             logger.warning("%s. Skipping typosquatting check.", err_msg)
@@ -253,13 +253,19 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
         try:
             with open(self.popular_packages_path, encoding="utf-8") as file:
                 popular_packages = file.read().splitlines()
-        except OSError as e:
-            err_msg = f"Could not read popular packages file {self.popular_packages_path}: {e}"
+        except OSError as exception:
+            err_msg = f"Could not read popular packages file {self.popular_packages_path}: {exception}"
             logger.error(err_msg)
             return HeuristicResult.SKIP, {"error": err_msg}
 
+        if not popular_packages:
+            err_msg = f"Popular packages file is empty: {self.popular_packages_path}"
+            logger.warning(err_msg)
+            return HeuristicResult.SKIP, {"error": err_msg}
+
         package_name = pypi_package_json.component_name
         for popular_package in popular_packages:
+            # If there is a popular packages file, check if the package name is similar to any of them.
             if package_name == popular_package:
                 return HeuristicResult.PASS, {"package_name": package_name}
 

src/macaron/malware_analyzer/pypi_heuristics/metadata/.DS_Store

@@ -408,6 +408,7 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
     {problog_result_access} :- trigger(malware_high_confidence_2).
     {problog_result_access} :- trigger(malware_high_confidence_3).
     {problog_result_access} :- trigger(malware_high_confidence_4).
+    {problog_result_access} :- trigger(malware_high_confidence_5).
     {problog_result_access} :- trigger(malware_medium_confidence_2).
     {problog_result_access} :- trigger(malware_medium_confidence_1).
     query({problog_result_access}).

src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py

@@ -76,3 +76,16 @@ def test_jaro_distance(s1: str, s2: str, expected: float) -> None:
     """Test the Jaro distance calculation."""
     analyzer = TyposquattingPresenceAnalyzer()
     assert analyzer.jaro_distance(s1, s2) == expected
+
+
+def test_empty_popular_packages_file(tmp_path: Path, pypi_package_json: MagicMock) -> None:
+    """Test the analyzer skips when the popular packages file is empty."""
+    pkg_file = tmp_path / "empty_popular.txt"
+    pkg_file.write_text("")  # Create an empty file
+    analyzer = TyposquattingPresenceAnalyzer()
+    analyzer.popular_packages_path = str(pkg_file)
+    result, info = analyzer.analyze(pypi_package_json)
+    assert result == HeuristicResult.SKIP
+    error_msg = info.get("error")
+    assert isinstance(error_msg, str)
+    assert "Popular packages file is empty" in error_msg