Skip to content

feat(security): add package name typosquatting detection#1059

Merged
behnazh-w merged 10 commits intooracle:mainfrom
AmineRaouane:main
Jun 3, 2025
Merged

feat(security): add package name typosquatting detection#1059
behnazh-w merged 10 commits intooracle:mainfrom
AmineRaouane:main

Conversation

@AmineRaouane
Copy link
Copy Markdown
Member

@AmineRaouane AmineRaouane commented Apr 21, 2025

Implement typosquatting detection for package names during analysis. Compares package names against a list of popular packages using the Jaro-Winkler similarity algorithm. Packages exceeding a defined threshold of similarity to a popular package are flagged.

Summary

Adds typosquatting detection for package names during analysis using Jaro-Winkler similarity.

Description of changes

This PR introduces a new security analysis feature to detect potential typosquatting in package names. The implementation compares the name of a package being analyzed against a list of popular package names. By default, it uses a predefined list stored in a dedicated file, but it also offers an option to use a custom list provided via a configuration path.

The comparison utilizes the Jaro-Winkler similarity algorithm to calculate a similarity score between the package name and each name in the popular packages list. If the calculated similarity score exceeds a configurable threshold, the package is flagged as a potential typosquat.

This feature helps identify malicious packages attempting to mimic legitimate, popular ones through slight variations in spelling, thus enhancing the security posture of the project by warning users about such risks.

The changes include:

  • Integration of the Jaro-Winkler similarity algorithm.
  • Inclusion of a default file containing a list of popular package names for comparison.
  • Addition of a configuration option to provide a custom file path for the popular packages list, overriding the default.
  • Implementation of the comparison logic and threshold-based flagging.

Related issues

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have tested my changes and verified they work as expected.

@oracle-contributor-agreement
Copy link
Copy Markdown

oracle-contributor-agreement bot commented Apr 21, 2025

Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
The following contributors of this PR have not signed the OCA:

To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application.

When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated.

If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Required At least one contributor does not have an approved Oracle Contributor Agreement. label Apr 21, 2025
@behnazh-w behnazh-w requested review from art1f1c3R and benmss April 24, 2025 01:58
@behnazh-w
Copy link
Copy Markdown
Member

behnazh-w commented Apr 24, 2025

@AmineRaouane Please add unit tests following the instructions here.

Take a look at the unit tests for other malware heuristics at tests/malware_analyzer/pypi/ and add a similar one for this new heuristic.

For small and standalone functions, you can add test cases to the docstring itself. You can find an example here.

@art1f1c3R
Copy link
Copy Markdown
Member

art1f1c3R commented Apr 28, 2025

Would it be possible to make the path to the custom file list of packages configurable through defaults.ini? Our configurations for heuristic analyzers live under the [heuristic.pypi] section in the file. Check out some of the heuristics that use it to get an idea (anomalous_version.py, high_release_frequency.py), I do something similar with paths in the semgrep PR.

benmss
benmss reviewed Apr 29, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
benmss
benmss reviewed Apr 29, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
benmss
benmss reviewed Apr 29, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
benmss
benmss reviewed Apr 29, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
art1f1c3R
art1f1c3R reviewed May 1, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
tromai
tromai reviewed May 14, 2025
View reviewed changes
Comment thread tests/parsers/.DS_Store Outdated
art1f1c3R
art1f1c3R reviewed May 15, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py Outdated
art1f1c3R
art1f1c3R reviewed May 15, 2025
View reviewed changes
Comment thread src/macaron/slsa_analyzer/checks/detect_malicious_metadata_check.py Outdated
art1f1c3R
art1f1c3R reviewed May 15, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
art1f1c3R
art1f1c3R reviewed May 15, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
art1f1c3R
art1f1c3R reviewed May 15, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
@AmineRaouane AmineRaouane force-pushed the main branch 2 times, most recently from 0a8ddbf to 80afd9e Compare May 17, 2025 22:30
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread .gitignore
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread tests/malware_analyzer/pypi/test_typosquatting_presence.py Outdated
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread tests/malware_analyzer/pypi/test_typosquatting_presence.py Outdated
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread tests/malware_analyzer/pypi/test_typosquatting_presence.py Outdated
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread tests/malware_analyzer/pypi/test_typosquatting_presence.py Outdated
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread tests/malware_analyzer/pypi/test_typosquatting_presence.py Outdated
benmss
benmss reviewed May 20, 2025
View reviewed changes
Comment thread tests/slsa_analyzer/checks/test_detect_malicious_metadata_check.py Outdated
@AmineRaouane AmineRaouane force-pushed the main branch 2 times, most recently from 8868bde to 8d37e9b Compare May 21, 2025 10:47
@oracle-contributor-agreement oracle-contributor-agreement bot added OCA Verified All contributors have signed the Oracle Contributor Agreement. and removed OCA Required At least one contributor does not have an approved Oracle Contributor Agreement. labels May 21, 2025
@benmss
Copy link
Copy Markdown
Member

benmss commented May 27, 2025

@AmineRaouane As a general comment: Please wait for reviewers to mark the issues they have raised as resolved. This way we can more easily ensure that an appropriate resolution has been reached.

benmss
benmss reviewed May 30, 2025
View reviewed changes
Comment thread src/macaron/malware_analyzer/pypi_heuristics/metadata/typosquatting_presence.py Outdated
art1f1c3R
art1f1c3R approved these changes Jun 2, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@art1f1c3R art1f1c3R left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

Amine Raouane added 10 commits June 2, 2025 10:51
feat: implement typosquatting detection for package names
5a8b9c0 
Adds a new security analysis feature to detect potential typosquatting in package names. Compares the package name against a list of popular packages using the Jaro-Winkler similarity algorithm. Packages exceeding a configurable threshold are flagged. Includes a default popular package list and an option for a custom list via configuration.

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
feat: implement typosquatting detection for package names
6003166 
Adds a new security analysis feature to detect potential typosquatting in package names. Compares the package name against a list of popular packages using the Jaro-Winkler similarity algorithm. Packages exceeding a configurable threshold are flagged. Includes a default popular package list and an option for a custom list via configuration.

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
feat: implement typosquatting detection for package names
b49f92b 
Adds a new security analysis feature to detect potential typosquatting in package names. Compares the package name against a list of popular packages using the Jaro-Winkler similarity algorithm. Packages exceeding a configurable threshold are flagged. Includes a default popular package list and an option for a custom list via configuration.

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
feat(typosquatting): add tests and move analyzer config to defaults.ini
b9f5b64 
Added unit tests for typosquatting detection. Analyzer variables, including the file path, are now loaded from defaults.ini. Raised heuristic confidence level from medium to high.

BREAKING CHANGE: Analyzer config must now be defined in defaults.ini.

Signed-off-by: Amine <amine.raouane@enim.ac.ma>
chore(typosquatting): improve variable names and comments for clarity
220c4df 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
refactor(core): improve logic, error handling, and apply minor fixes
78e78a4 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
refactor(core): improve logic, error handling, and apply minor fixes
2b85609 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
chore(typosquatting): improve variable names and comments for clarity
b85a03a 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
docs: update docs and refine existing test
39d7289 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
refactor: adjust code to pass failing test and improve variable handling
2073903 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
@behnazh-w behnazh-w changed the title feat(security): Add package name typosquatting detection feat(security): add package name typosquatting detection Jun 3, 2025
@behnazh-w behnazh-w merged commit 1c65d5f into oracle:main Jun 3, 2025
11 of 12 checks passed
AmineRaouane pushed a commit to AmineRaouane/macaron that referenced this pull request Jun 17, 2025
feat(security): add package name typosquatting detection (oracle#1059)
8dad2ae 
Signed-off-by: Amine <amine.raouane@enim.ac.ma>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benmss benmss benmss approved these changes

@behnazh-w behnazh-w behnazh-w approved these changes

@art1f1c3R art1f1c3R art1f1c3R approved these changes

+1 more reviewer

@tromai tromai tromai left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@AmineRaouane @behnazh-w @art1f1c3R @benmss @tromai