Robin5605
commented
1 year ago With regard to package yangke - task_kill has a weight of 3 (see here) and exec_eval_calls has a weight of 2 (see here) for a total weight of 5. Doing a database query seems to confirm this:
dragonfly=> select * from scans where name='yangke';
-[ RECORD 1 ]-+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
scan_id | 27c5effa-2918-4dd4-bf2a-5bdc1cddb893
name | yangke
status | FINISHED
score | 5
version | 1.15.6
queued_at | 2023-07-11 11:01:09.760196
pending_at | 2023-07-11 11:02:20.074793
finished_at | 2023-07-11 11:02:30.730323
reported_at |
inspector_url | https://inspector.pypi.io/project/yangke/1.15.6/packages/8f/08/92ff8fc9b9149ea5d5457884d320d93dcc2162731e13997fb552a75bf5f9/yangke-1.15.6.tar.gz/yangke-1.15.6/yangke/base.py
reported_by |
queued_by | auth0|648e655d6ee6f0aa8794b3a3
pending_by | auth0|648902f56dec6871414f2ca2
finished_by | auth0|648902f56dec6871414f2ca2
commit_hash | 80b620a5237b6f9059ce1f0c7cf1b08dec8dc324
fail_reason |And if we look at the logic in bot for what flags as "malicious" here:
if result.score > DragonflyConfig.threshold:
...We can see it only scores for packages greater than the threshold (5 by default), this should probably be greater than or equal to (>=). Since 5 > 5 is False, this package didn't flag as malicious. I believe this should be fixed in https://github.com/vipyrsec/bot/pull/121
import-pandas-as-numpy
Didn't scan on new platform:
Didn't scan on old platform:
@Robin5605 @jonathan-d-zhang Can we get some eyes on this to see uh-- why, I guess? I'll do one of these each morning until the new infra is done and we roll out the product, and hopefully it serves as decent QA during staging.