Closed import-pandas-as-numpy closed 1 year ago
With regard to package `yangke` - `task_kill` has a weight of 3 (see here) and `exec_eval_calls` has a weight of 2 (see here) for a total weight of 5. Doing a database query seems to confirm this:
```
dragonfly=> select * from scans where name='yangke';
-[ RECORD 1 ]-+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
scan_id       | 27c5effa-2918-4dd4-bf2a-5bdc1cddb893
name          | yangke
status        | FINISHED
score         | 5
version       | 1.15.6
queued_at     | 2023-07-11 11:01:09.760196
pending_at    | 2023-07-11 11:02:20.074793
finished_at   | 2023-07-11 11:02:30.730323
reported_at   |
inspector_url | https://inspector.pypi.io/project/yangke/1.15.6/packages/8f/08/92ff8fc9b9149ea5d5457884d320d93dcc2162731e13997fb552a75bf5f9/yangke-1.15.6.tar.gz/yangke-1.15.6/yangke/base.py
reported_by   |
queued_by     | auth0|648e655d6ee6f0aa8794b3a3
pending_by    | auth0|648902f56dec6871414f2ca2
finished_by   | auth0|648902f56dec6871414f2ca2
commit_hash   | 80b620a5237b6f9059ce1f0c7cf1b08dec8dc324
fail_reason   |
```
And if we look at the logic in bot for what flags as "malicious" here:
```python
if result.score > DragonflyConfig.threshold:
    ...
```
We can see it only scores for packages greater than the threshold (5 by default); this should probably be greater than or equal to (`>=`). Since `5 > 5` is `False`, this package didn't flag as malicious. I believe this should be fixed in https://github.com/vipyrsec/bot/pull/121
With regard to package `edwh` - I suspect you're right that the package was simply too big. The new system has flagged that successfully, which is expected.
With regard to package `phanos` - all versions were scanned successfully with a score of 5. I reckon this is the same issue as with package `yangke` which I described above. Should be fixed in https://github.com/vipyrsec/bot/pull/121 as well.
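The boundary case behind both the `yangke` and `phanos` misses, as a small added example (hypothetical code, not the vipyrsec bot's own; the rule names, weights, score of 5 and default threshold of 5 are the values quoted in this thread, while the scoring helper and the record list are assumptions):

```python
# Hypothetical re-implementation of the threshold check discussed in this
# issue. Rule weights and the default threshold are the values quoted above.
RULE_WEIGHTS = {"task_kill": 3, "exec_eval_calls": 2}
DEFAULT_THRESHOLD = 5


def score_package(matched_rules, weights=RULE_WEIGHTS):
    """Sum the weights of matched rules; unknown rule names count 0 (assumption)."""
    return sum(weights.get(rule, 0) for rule in matched_rules)


def is_malicious_strict(score, threshold=DEFAULT_THRESHOLD):
    """Comparison as quoted from the bot: strictly greater than the threshold."""
    return score > threshold


def is_malicious_inclusive(score, threshold=DEFAULT_THRESHOLD):
    """Comparison proposed in this issue: greater than or equal to the threshold."""
    return score >= threshold


def flagged_names(records, threshold=DEFAULT_THRESHOLD, inclusive=True):
    """Return the names of scan records that would be reported as malicious."""
    check = is_malicious_inclusive if inclusive else is_malicious_strict
    return [r["name"] for r in records if check(r["score"], threshold)]


# Constructed records mirroring the scores reported in this thread.
SCANS = [
    {"name": "yangke", "score": score_package(["task_kill", "exec_eval_calls"])},
    {"name": "phanos", "score": 5},
    {"name": "benign-example", "score": 2},  # constructed, below threshold either way
]

if __name__ == "__main__":
    print("strict   :", flagged_names(SCANS, inclusive=False))  # nothing at exactly 5
    print("inclusive:", flagged_names(SCANS, inclusive=True))   # yangke and phanos
```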
Good work. All LGTM. Also an entertaining problem. I'll close this now.
Didn't scan on new platform:
Didn't scan on old platform:
@Robin5605 @jonathan-d-zhang Can we get some eyes on this to see uh-- why, I guess? I'll do one of these each morning until the new infra is done and we roll out the product, and hopefully it serves as decent QA during staging.