Skip to content

feat(malware-check): add whitespace check to detect excessive spacing and invisible characters #1086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: main
Choose a base branch
from
Open

feat(malware-check): add whitespace check to detect excessive spacing and invisible characters #1086

wants to merge 15 commits into from
+51 −1

Conversation

AmineRaouane
Copy link
Member

@AmineRaouane AmineRaouane commented May 19, 2025
edited
Loading

Summary

This PR adds a new heuristic that analyzes code to detect suspicious use of excessive spaces and invisible characters. It checks whether the amount of spacing and invisible Unicode characters exceeds a defined threshold.

Description of changes

  • Implemented the WhiteSpaces heuristic in a new Python module.
  • Registered the new heuristic inside the main heuristics.py file.
  • Created unit tests to verify the behavior of the WhiteSpacesAnalyzer heuristic.
  • Updated detect_malicious_metadata_check.py to integrate and execute the new heuristic logic during analysis.
  • The heuristic scans the codebase for abnormal invisible characters and spaces in the code.
  • This heuristic is combined with ForceSetup to justify high confidence in detection, as the presence of extra spaces alone could be due to poor formatting rather than malicious intent.

Related issues

None

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label May 19, 2025
@behnazh-w behnazh-w changed the title feat(heuristics): add Whitespace Check to detect excessive spacing and invisible characters. feat(malware-check): add whitespace Check to detect excessive spacing and invisible characters. May 20, 2025
@behnazh-w behnazh-w changed the title feat(malware-check): add whitespace Check to detect excessive spacing and invisible characters. feat(malware-check): add whitespace check to detect excessive spacing and invisible characters. May 20, 2025
@behnazh-w behnazh-w changed the title feat(malware-check): add whitespace check to detect excessive spacing and invisible characters. feat(malware-check): add whitespace check to detect excessive spacing and invisible characters May 20, 2025
@behnazh-w behnazh-w requested a review from art1f1c3R May 26, 2025 05:15
@AmineRaouane AmineRaouane force-pushed the white-spaces-heuristic branch from db0e35c to 6978bd7 Compare May 26, 2025 10:58
art1f1c3R
art1f1c3R reviewed Jun 2, 2025
View reviewed changes
art1f1c3R
art1f1c3R reviewed Jun 2, 2025
View reviewed changes
benmss and others added 12 commits June 17, 2025 15:45
@benmss @AmineRaouane
chore: store provenance asset info (oracle#975)
76bc6dc 
Signed-off-by: Ben Selwyn-Smith <[email protected]>
@AmineRaouane
feat(security): add package name typosquatting detection (oracle#1059)
8dad2ae 
Signed-off-by: Amine <[email protected]>
@art1f1c3R @AmineRaouane
refactor: improve experimental source code pattern analysis of pypi p…
a470123 
…ackages (oracle#965)

Include support for using Semgrep for analysis of source code to detect malicious code patterns, specified using Semgrep's YAML files.

Signed-off-by: Carl Flottmann <[email protected]>
@benmss @AmineRaouane
feat: add GitHub attestation discovery (oracle#1020)
d6134ad 
This PR allows Macaron to discover GitHub attestation. To retrieve these attestations, the SHA256 hash of the related artefact is required. Hashes are computed from local artefact files if available, or from downloaded ones otherwise.

Signed-off-by: Ben Selwyn-Smith <[email protected]>
@behnazh-w @AmineRaouane
build: replace shared library with standalone cuevalidator binary (or…
279a001 
…acle#1096)

This PR replaces the Go shared library previously used via C-bindings in Python with a standalone binary for the cuevalidator component. The binary can now be invoked as a subprocess, simplifying integration and improving portability.

Signed-off-by: behnazh-w <[email protected]>
@art1f1c3R @AmineRaouane
fix: include inspector links with information on if they are reachabl…
540cf2d 
…e. (oracle#1102)

The detail info containing inspector links now contains links as keys regardless of whether they are reachable, and includes a boolean value for reachability.

Signed-off-by: Carl Flottmann <[email protected]>
@art1f1c3R @AmineRaouane
docs: include source code analysis subsection in malicious package tu…
d943e7b 
…torial (oracle#1101)

Signed-off-by: Carl Flottmann <[email protected]>
@AmineRaouane
fix(pypi): update get_maintainers_of_package to avoid request blocking (
f28a8cd 
oracle#1097)

Signed-off-by: Amine <[email protected]>
@AmineRaouane
feat(heuristics): add Whitespace Check to detect excessive spacing an…
c2b016a 
…d invisible characters

Signed-off-by: Amine <[email protected]>
@AmineRaouane
chore: add config variable to defaults.ini and minor cleanup
2cbfd7b 
Signed-off-by: Amine <[email protected]>
@AmineRaouane
Merge upstream/main into white-spaces-heuristic
d2b5af5 
Signed-off-by: Amine <[email protected]>
@AmineRaouane
feat(heuristics): add Whitespace Check to Semgrep
697106a 
Signed-off-by: Amine <[email protected]>
art1f1c3R
art1f1c3R reviewed Jun 19, 2025
View reviewed changes
src/macaron/resources/pypi_malware_rules/obfuscation.yaml Outdated
languages:
- python
severity: WARNING
pattern-regex: ' {50,}[^ ]+'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So with the previous iteration of this where this was written as a heuristic, there was a list of "invisible" characters that was used to match whitespace. This regex appears to use " " as the whitespace matcher. Would this miss some of those other invisible characters, or does it capture all whitespace in general? I know that /s in regex matches whitespace, how does it differ from this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when I tried to extend it to also include Unicode invisibles (like \u200B, \uFEFF, \u00A0, etc.), it didn’t behave reliably when passed through the expected_results.json.
To solve this, I propose a preprocessing step:

  • Replace all known invisible characters with a regular space before running the regex check.

art1f1c3R
art1f1c3R reviewed Jun 19, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@art1f1c3R art1f1c3R art1f1c3R left review comments

@behnazh-w behnazh-w Awaiting requested review from behnazh-w behnazh-w is a code owner

@tromai tromai Awaiting requested review from tromai tromai is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@AmineRaouane @art1f1c3R @benmss @behnazh-w