feat(typosquatting): add tests and move analyzer config to defaults.ini

Added unit tests for typosquatting detection. Analyzer variables, including the file path, are now loaded from defaults.ini. Raised heuristic confidence level from medium to high.

BREAKING CHANGE: Analyzer config must now be defined in defaults.ini.

Signed-off-by: Amine <[email protected]>

Author: AmineRaouane

src/macaron/config/defaults.ini

@@ -600,3 +600,14 @@ major_threshold = 20
 epoch_threshold = 3
 # The number of days +/- the day of publish the calendar versioning day may be.
 day_publish_error = 4
+
+# The threshold ratio for two packages to be considered similar.
+distance_ratio_threshold = 0.95
+# The Keyboard cost for two characters that are close to each other on the keyboard.
+keyboard = 0.8
+# The scaling factor for the jaro winkler distance.
+scaling = 0.15
+# The cost for two characters that are not close to each other on the keyboard.
+cost = 1.0
+# The path to the file that contains the list of popular packages.
+popular_packages_path =

src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py

@@ -5,6 +5,7 @@
 import logging
 import os
 
+from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
 from macaron.json_tools import JsonType
 from macaron.malware_analyzer.pypi_heuristics.base_analyzer import BaseHeuristicAnalyzer
@@ -17,58 +18,88 @@
 class TyposquattingPresenceAnalyzer(BaseHeuristicAnalyzer):
     """Check whether the PyPI package has typosquatting presence."""
 
+    KEYBOARD_LAYOUT = {
+        "1": (0, 0),
+        "2": (0, 1),
+        "3": (0, 2),
+        "4": (0, 3),
+        "5": (0, 4),
+        "6": (0, 5),
+        "7": (0, 6),
+        "8": (0, 7),
+        "9": (0, 8),
+        "0": (0, 9),
+        "-": (0, 10),
+        "q": (1, 0),
+        "w": (1, 1),
+        "e": (1, 2),
+        "r": (1, 3),
+        "t": (1, 4),
+        "y": (1, 5),
+        "u": (1, 6),
+        "i": (1, 7),
+        "o": (1, 8),
+        "p": (1, 9),
+        "a": (2, 0),
+        "s": (2, 1),
+        "d": (2, 2),
+        "f": (2, 3),
+        "g": (2, 4),
+        "h": (2, 5),
+        "j": (2, 6),
+        "k": (2, 7),
+        "l": (2, 8),
+        "z": (3, 0),
+        "x": (3, 1),
+        "c": (3, 2),
+        "v": (3, 3),
+        "b": (3, 4),
+        "n": (3, 5),
+        "m": (3, 6),
+    }
+
     def __init__(self) -> None:
         super().__init__(
             name="typosquatting_presence_analyzer", heuristic=Heuristics.TYPOSQUATTING_PRESENCE, depends_on=None
         )
-        self.popular_packages_path = os.path.join(global_config.resources_path, "popular_packages.txt")
-        self.distance_ratio_threshold = 0.95
-        self.cost = 1
-        self.scaling = 0.15
-        self.keyboard = 0.8
-        self.keyboard_layout = {
-            "1": (0, 0),
-            "2": (0, 1),
-            "3": (0, 2),
-            "4": (0, 3),
-            "5": (0, 4),
-            "6": (0, 5),
-            "7": (0, 6),
-            "8": (0, 7),
-            "9": (0, 8),
-            "0": (0, 9),
-            "-": (0, 10),
-            "q": (1, 0),
-            "w": (1, 1),
-            "e": (1, 2),
-            "r": (1, 3),
-            "t": (1, 4),
-            "y": (1, 5),
-            "u": (1, 6),
-            "i": (1, 7),
-            "o": (1, 8),
-            "p": (1, 9),
-            "a": (2, 0),
-            "s": (2, 1),
-            "d": (2, 2),
-            "f": (2, 3),
-            "g": (2, 4),
-            "h": (2, 5),
-            "j": (2, 6),
-            "k": (2, 7),
-            "l": (2, 8),
-            "z": (3, 0),
-            "x": (3, 1),
-            "c": (3, 2),
-            "v": (3, 3),
-            "b": (3, 4),
-            "n": (3, 5),
-            "m": (3, 6),
-        }
+        self.popular_packages_path, self.distance_ratio_threshold, self.keyboard, self.scaling, self.cost = (
+            self._load_defaults()
+        )
 
         if global_config.popular_packages_path is not None:
             self.popular_packages_path = global_config.popular_packages_path
 
+    def _load_defaults(self) -> tuple[str, float, float, float, float]:
+        """Load default settings from defaults.ini.
+
+        Returns
+        -------
+        tuple[str, float, float, float, float]:
+            The Major threshold, Epoch threshold, and Day published error.
+        """
+        section_name = "heuristic.pypi"
+        default_path = os.path.join(global_config.resources_path, "popular_packages.txt")
+        if defaults.has_section(section_name):
+            section = defaults[section_name]
+            path = section.get("popular_packages_path", default_path)
+            # Fall back to default if the path in defaults.ini is empty
+            if not path.strip():
+                path = default_path
+            return (
+                path,
+                section.getfloat("distance_ratio_threshold", 0.95),
+                section.getfloat("keyboard", 0.8),
+                section.getfloat("scaling", 0.15),
+                section.getfloat("cost", 1.0),
+            )
+        return (
+            default_path,
+            0.95,
+            0.8,
+            0.15,
+            1.0,
+        )
+
     def are_neighbors(self, char1: str, char2: str) -> bool:
         """Check if two characters are adjacent on a QWERTY keyboard.
 
@@ -84,8 +115,8 @@ def are_neighbors(self, char1: str, char2: str) -> bool:
         bool
             True if the characters are neighbors, False otherwise.
         """
-        c1 = self.keyboard_layout.get(char1)
-        c2 = self.keyboard_layout.get(char2)
+        c1 = self.KEYBOARD_LAYOUT.get(char1)
+        c2 = self.KEYBOARD_LAYOUT.get(char2)
         if not c1 or not c2:
             return False
         return (abs(c1[0] - c2[0]) <= 1) and (abs(c1[1] - c2[1]) <= 1)
@@ -213,7 +244,6 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             The result and related information collected during the analysis.
         """
         # If there is a popular packages file, check if the package name is similar to any of them
-        package_name = pypi_package_json.component_name
         if not self.popular_packages_path or not os.path.exists(self.popular_packages_path):
             err_msg = f"Popular packages file not found or path not configured: {self.popular_packages_path}"
             logger.warning("%s. Skipping typosquatting check.", err_msg)
@@ -228,6 +258,7 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             logger.error(err_msg)
             return HeuristicResult.SKIP, {"error": err_msg}
 
+        package_name = pypi_package_json.component_name
         for popular_package in popular_packages:
             if package_name == popular_package:
                 return HeuristicResult.PASS, {"package_name": package_name}

src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py

@@ -398,17 +398,16 @@ def run_check(self, ctx: AnalyzeContext) -> CheckResultData:
         failed({Heuristics.ANOMALOUS_VERSION.value}).
 
     % Package released with a name similar to a popular package.
-    {Confidence.MEDIUM.value}::trigger(malware_medium_confidence_3) :-
-        quickUndetailed,
-        failed({Heuristics.TYPOSQUATTING_PRESENCE.value}).
+    {Confidence.HIGH.value}::trigger(malware_high_confidence_4) :-
+        quickUndetailed, forceSetup, failed({Heuristics.TYPOSQUATTING_PRESENCE.value}).
 
     % ----- Evaluation -----
 
     % Aggregate result
     {problog_result_access} :- trigger(malware_high_confidence_1).
     {problog_result_access} :- trigger(malware_high_confidence_2).
     {problog_result_access} :- trigger(malware_high_confidence_3).
-    {problog_result_access} :- trigger(malware_medium_confidence_3).
+    {problog_result_access} :- trigger(malware_high_confidence_4).
     {problog_result_access} :- trigger(malware_medium_confidence_2).
     {problog_result_access} :- trigger(malware_medium_confidence_1).
     query({problog_result_access}).

tests/malware_analyzer/pypi/test_typosquatting_presence.py

@@ -0,0 +1,78 @@
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""Tests for the TyposquattingPresenceAnalyzer heuristic."""
+# pylint: disable=redefined-outer-name
+
+
+from pathlib import Path
+from unittest.mock import MagicMock
+
+import pytest
+
+from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult
+from macaron.malware_analyzer.pypi_heuristics.metadata.typosquatting_presence import TyposquattingPresenceAnalyzer
+
+
+@pytest.fixture()
+def analyzer(tmp_path: Path) -> TyposquattingPresenceAnalyzer:
+    """Pytest fixture to create a TyposquattingPresenceAnalyzer instance with a dummy popular packages file."""
+    # create a dummy popular packages file
+    pkg_file = tmp_path / "popular.txt"
+    pkg_file.write_text("\n".join(["requests", "flask", "pytest"]))
+    analyzer_instance = TyposquattingPresenceAnalyzer()
+    analyzer_instance.popular_packages_path = str(pkg_file)
+    return analyzer_instance
+
+
+def test_analyze_exact_match_pass(analyzer: TyposquattingPresenceAnalyzer, pypi_package_json: MagicMock) -> None:
+    """Test the analyzer passes when the package name is an exact match to a popular package."""
+    pypi_package_json.component_name = "requests"
+    result, info = analyzer.analyze(pypi_package_json)
+    assert result == HeuristicResult.PASS
+    assert info == {"package_name": "requests"}
+
+
+def test_analyze_similar_name_fail(analyzer: TyposquattingPresenceAnalyzer, pypi_package_json: MagicMock) -> None:
+    """Test the analyzer fails when the package name is suspiciously similar to a popular package."""
+    pypi_package_json.component_name = "reqursts"
+    result, info = analyzer.analyze(pypi_package_json)
+    assert result == HeuristicResult.FAIL
+    assert info["package_name"] == "reqursts"
+    assert info["popular_package"] == "requests"
+    # ratio should match or exceed threshold 0.95
+    assert isinstance(info["similarity_ratio"], (int, float))
+    assert info["similarity_ratio"] >= analyzer.distance_ratio_threshold
+
+
+def test_analyze_unrelated_name_pass(analyzer: TyposquattingPresenceAnalyzer, pypi_package_json: MagicMock) -> None:
+    """Test the analyzer passes when the package name is not similar to any popular package."""
+    pypi_package_json.component_name = "launchable"
+    result, info = analyzer.analyze(pypi_package_json)
+    assert result == HeuristicResult.PASS
+    assert info == {"package_name": "launchable"}
+
+
+def test_analyze_nonexistent_file_skip(pypi_package_json: MagicMock) -> None:
+    """Test the analyzer skips if the popular packages file does not exist."""
+    analyzer = TyposquattingPresenceAnalyzer()
+    analyzer.popular_packages_path = "/path/does/not/exist.txt"
+    result, info = analyzer.analyze(pypi_package_json)
+    assert result == HeuristicResult.SKIP
+    error_msg = info.get("error")
+    assert isinstance(error_msg, str)
+    assert "Popular packages file not found" in error_msg
+
+
+@pytest.mark.parametrize(
+    ("s1", "s2", "expected"),
+    [
+        ("requests", "requests", 1.0),
+        ("reqursts", "requests", 11 / 12),
+        ("abcd", "wxyz", 0.0),
+    ],
+)
+def test_jaro_distance(s1: str, s2: str, expected: float) -> None:
+    """Test the Jaro distance calculation."""
+    analyzer = TyposquattingPresenceAnalyzer()
+    assert analyzer.jaro_distance(s1, s2) == expected