chore: remove path from check id; fixup comments and typing flags

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

src/macaron/malware_analyzer/pypi_heuristics/sourcecode/pypi_sourcecode_analyzer.py

@@ -11,7 +11,7 @@
 import json
 import logging
 import os
-import subprocess  # nosec
+import subprocess  # nosec B404
 import tempfile
 
 import yaml
@@ -120,7 +120,7 @@ def _load_defaults(self, resources_path: str) -> tuple[str, str | None, set[str]
 
             semgrep_commands: list[str] = ["semgrep", "scan", "--validate", "--oss-only", "--config", custom_rule_path]
             try:
-                process = subprocess.run(semgrep_commands, check=True, capture_output=True)  # nosec
+                process = subprocess.run(semgrep_commands, check=True, capture_output=True)  # nosec B603
             except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as semgrep_error:
                 error_msg = (
                     f"Unable to run semgrep validation on {custom_rule_path} with arguments "
@@ -185,8 +185,8 @@ def _extract_rule_ids(self, path: str, target_files: set[str]) -> set[str]:
             If any Semgrep rule file could not be safely loaded, or if their format was not in the expected Semgrep
             format, or if there were any files in 'target_files' not found when searching in 'path'.
         """
-        # We keep a record of any file paths we coulnd't find to provide a more useful error message, rather than raising
-        # an error on the first missing file we see.
+        # We keep a record of any file paths we couldn't find to provide a more useful error message, rather than
+        # raising an error on the first missing file we see.
         missing_files: list[str] = []
         target_file_paths: list[str] = []
         rule_ids: set[str] = set()
@@ -211,7 +211,7 @@ def _extract_rule_ids(self, path: str, target_files: set[str]) -> set[str]:
                 logger.debug(error_msg)
                 raise ConfigurationError(error_msg) from yaml_error
 
-            # should be a top-level key "rules", and then a list of rules (dictionaries) with "id" entries
+            # Should be a top-level key "rules", and then a list of rules (dictionaries) with "id" entries.
             try:
                 for semgrep_rule in semgrep_ruleset["rules"]:
                     rule_ids.add(semgrep_rule["id"])
@@ -243,11 +243,11 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             if there is no source code available.
         """
         analysis_result: dict = {}
-        # since we have to run them anyway, return disabled rule findings for debug information
+        # Since we have to run them anyway, return disabled rule findings for debug information.
         disabled_results: dict = {}
         # Here, we disable 'nosemgrep' ignoring so that this is not an evasion method of our scan (i.e. malware includes
         # 'nosemgrep' comments to prevent our scan detecting those code lines). Read more about the 'nosemgrep' feature
-        # here: https://semgrep.dev/docs/ignoring-files-folders-code
+        # here: https://semgrep.dev/docs/ignoring-files-folders-code.
         semgrep_commands: list[str] = ["semgrep", "scan", "--oss-only", "--disable-nosem"]
         result: HeuristicResult = HeuristicResult.PASS
 
@@ -266,7 +266,7 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             semgrep_commands.append(f"--json-output={output_json_file.name}")
             logger.debug("executing: %s.", semgrep_commands)
             try:
-                process = subprocess.run(semgrep_commands, check=True, capture_output=True)  # nosec
+                process = subprocess.run(semgrep_commands, check=True, capture_output=True)  # nosec B603
             except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as semgrep_error:
                 error_msg = (
                     f"Unable to run semgrep on {source_code_path} with arguments {semgrep_commands}: {semgrep_error}"
@@ -298,6 +298,7 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             file = json_extract(finding, ["path"], str)
             if not rule_id or not file:
                 continue
+            rule_id = rule_id.split(".")[-1]
 
             file = os.path.relpath(file, os.path.dirname(source_code_path))
             start = json_extract(finding, ["start", "line"], int)
@@ -310,7 +311,7 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
             # final element in that path, so we use that to match our rule IDs.
             # e.g. rule_id = src.macaron.resources.pypi_malware_rules.obfuscation_decode-and-execute, which comes from
             # the rule ID 'obfuscation_decode-and-execute' inside 'obfuscation.yaml'.
-            if rule_id.split(".")[-1] in self.disabled_rule_ids:
+            if rule_id in self.disabled_rule_ids:
                 if rule_id not in disabled_results:
                     disabled_results[rule_id] = {"message": message, "detections": []}
                 disabled_results[rule_id]["detections"].append({"file": file, "start": start, "end": end})
@@ -320,7 +321,7 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
                     analysis_result[rule_id] = {"message": message, "detections": []}
                 analysis_result[rule_id]["detections"].append({"file": file, "start": start, "end": end})
 
-        # some semgrep rules were triggered, even after removing disabled ones
+        # Some semgrep rules were triggered, even after removing disabled ones.
         if analysis_result:
             result = HeuristicResult.FAIL
 

src/macaron/parsers/pomparser.py

@@ -1,9 +1,9 @@
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 """This module contains the parser for POM files."""
 import logging
-from xml.etree.ElementTree import Element  # nosec
+from xml.etree.ElementTree import Element  # nosec B405
 
 import defusedxml.ElementTree
 from defusedxml.ElementTree import fromstring

src/macaron/repo_finder/repo_finder_java.py

@@ -5,7 +5,7 @@
 import logging
 import re
 import urllib.parse
-from xml.etree.ElementTree import Element  # nosec
+from xml.etree.ElementTree import Element  # nosec B405
 
 from packageurl import PackageURL
 

tests/malware_analyzer/pypi/resources/sourcecode_samples/exfiltration/expected_results.json

@@ -1,6 +1,6 @@
 {
     "enabled_sourcecode_rule_findings": {
-        "src.macaron.resources.pypi_malware_rules.exfiltration_remote-exfiltration": {
+        "exfiltration_remote-exfiltration": {
             "message": "Detected exfiltration of sensitive data to a remote endpoint",
             "detections": [
                 {

tests/malware_analyzer/pypi/resources/sourcecode_samples/obfuscation/expected_results.json

@@ -1,6 +1,6 @@
 {
     "enabled_sourcecode_rule_findings": {
-        "src.macaron.resources.pypi_malware_rules.obfuscation_decode-and-execute": {
+        "obfuscation_decode-and-execute": {
             "message": "Detected the flow of a decoded primitive value to a remote endpoint, process, code evaluation, or file write",
             "detections": [
                 {
@@ -35,7 +35,7 @@
                 }
             ]
         },
-        "src.macaron.resources.pypi_malware_rules.obfuscation_inline-imports": {
+        "obfuscation_inline-imports": {
             "message": "Found an instance of a suspicious API in a hardcoded inline import",
             "detections": [
                 {
@@ -105,7 +105,7 @@
                 }
             ]
         },
-        "src.macaron.resources.pypi_malware_rules.obfuscation_obfuscation-tools": {
+        "obfuscation_obfuscation-tools": {
             "message": "Found an indicator of the use of a python code obfuscation tool",
             "detections": [
                 {