ossf/package-analysis ossf/package-analysis

  • Stars
    star
    708
  • Rank 62,459 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 3 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ossf/package-analysis
github

ossf

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Open Source Package Analysis

OpenSSF Scorecard

Package Analysis

The Package Analysis project analyses the capabilities of packages available on open source repositories. The project looks for behaviors that indicate malicious software:

  • What files do they access?
  • What addresses do they connect to?
  • What commands do they run?

The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously.

This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem.

This code is designed to work with the Package Feeds project, and originally started there.

For examples of what this project has detected, check out the case studies.

How it works

The project's components are:

  • A scheduler - creates jobs for the analysis worker from Package Feeds.
  • Analysis (one-shot analyze and worker) - collects package behavior data through static and dynamic analysis of each package.
  • A loader - pushes the analysis results into BigQuery.

The goal is for all of these components to work together and provide extensible, community-run infrastructure to study behavior of open source packages and to look for malicious software. We also hope that the components can be used independently, to provide package feeds or runtime behavior data for anyone interested.

The Package Analysis project currently consists of the following pipeline:

image

  1. Package repositories are monitored for new packages.
  2. Each new package is scheduled to be analyzed by a pool of workers.
  3. A worker performs dynamic analysis of the package inside a sandbox.
  4. Results are stored and imported into BigQuery for inspection.

Sandboxing via gVisor containers ensures the packages are isolated. Detonating a package inside the sandbox allows us to capture strace and packet data that can indicate malicious interactions with the system as well as network connections that can be used to leak sensitive data or allow remote access.

Public Data

This data is available in the public BigQuery dataset.

Configuration

Configuration for these subprojects consist of a collection of environment variables for the various endpoints. These endpoints are configured using goclouddev compatible URL strings. In these cases, documentation will be linked to and DRIVER-Constructor sections should be ignored in favour of DRIVER sections as these are appropriate to the configurations in place throughout these subprojects. Note that not all drivers will be supported but they can be added quite simply with a minor patch to the repository. See the addition of kafka for scheduler in one line.

An example of these variables can be found in the e2e example docker-compose.

Analysis

OSSMALWARE_WORKER_SUBSCRIPTION - Can be used to set the subscription URL for the data coming out of scheduler. Values should follow goclouddev subscriptions.

OSSF_MALWARE_ANALYSIS_RESULTS - OPTIONAL: Can be used to set the bucket URL to publish results to. Values should follow goclouddev buckets.

OSSF_MALWARE_ANALYSIS_PACKAGES - OPTIONAL: Can be used to set the bucket URL to get custom uploaded packages from. Values should follow goclouddev buckets.

OSSF_MALWARE_NOTIFICATION_TOPIC - OPTIONAL: Can be used to set the topic URL to publish messages for consumption after a new package analysis is complete. Values should follow goclouddev publishing.

Scheduler

OSSMALWARE_WORKER_TOPIC - Can be used to set the topic URL to publish data for consumption by Analysis workers. Values should follow goclouddev publishing.

OSSMALWARE_SUBSCRIPTION_URL - Can be used to set the subscription URL for the data coming out of package-feeds. Values should follow goclouddev subscriptions.

Local Analysis

To run the analysis code locally, the easiest way is to use the Docker image gcr.io/ossf-malware-analysis/analysis. This can be built with make build_analysis_image, or the public images can be used instead.

This container uses podman to run a nested, sandboxed (gVisor) container for analysis.

The commands below will dump the JSON results to /tmp/results and full logs to /tmp/dockertmp.

Live package

To run this on a live package (e.g. the latest version of the "Django" package on pypi.org)

$ scripts/run_analysis.sh -ecosystem pypi -package Django

Or with a specific version

$ scripts/run_analysis.sh -ecosystem pypi -package Django -version 4.1.3

Local package

To run analysis on a local PyPi package named 'test', located in local archive /path/to/test.whl

$ scripts/run_analysis.sh -ecosystem pypi -package test -local /path/to/test.whl

Docker notes

(Note: these options are handled by the scripts/run_analysis.sh script).

--privileged and a compatible filesystem are required to properly run nested containers. -v /var/lib/containers:/var/lib/containers is also used as it allows caching the sandbox images and supports local developement.

Development

Required Dependencies

  • Go v1.19
  • Docker

Contributing

If you want to get involved or have ideas you'd like to chat about, we discuss this project in the OSSF Securing Critical Projects Working Group meetings.

See the Community Calendar for the schedule and meeting invitations.

More Repositories

1

scorecard

OpenSSF Scorecard - Security health metrics for Open Source
Go
4,171
star
2

criticality_score

Gives criticality score for an open source project
Go
1,287
star
3

allstar

GitHub App to set and enforce security policies
Go
1,199
star
4

wg-best-practices-os-developers

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
JavaScript
654
star
5

fuzz-introspector

Fuzz Introspector -- introspect, extend and optimise fuzzers
Python
348
star
6

wg-securing-critical-projects

Helping allocate resources to secure the critical open source projects we all depend on.
315
star
7

wg-security-tooling

OpenSSF Security Tooling Working Group
291
star
8

scorecard-action

Official GitHub Action for OpenSSF Scorecard.
Go
228
star
9

wg-metrics-and-metadata

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
221
star
10

malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Go
202
star
11

wg-supply-chain-integrity

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.
173
star
12

osv-schema

Open Source Vulnerability schema.
Python
170
star
13

wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
168
star
14

secure-sw-dev-fundamentals

Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
CSS
158
star
15

s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developerโ€™s workflow.
156
star
16

package-manager-best-practices

Collection of security best practices for package managers.
156
star
17

tac

Technical Advisory Council
103
star
18

security-reviews

A community collection of security reviews of open source software components.
Python
86
star
19

wg-securing-software-repos

OpenSSF Working Group on Securing Software Repositories
80
star
20

package-feeds

Feed parsing for language package manager updates
Go
70
star
21

alpha-omega

Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.
Open Policy Agent
68
star
22

foundation

OpenSSF Governance and Legal Docs
68
star
23

Project-Security-Metrics

Collect, curate, and communicate relevant security metrics for open source projects.
Python
61
star
24

sbom-everywhere

Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Vue
56
star
25

great-mfa-project

The Great Multi-Factor Authentication (MFA) Distribution Project of the Open Source Security Foundation (OpenSSF). We work to distribute hardware MFA tokens to critical open source software (OSS) projects.
52
star
26

security-insights-spec

OPENSSF SECURITY INSIGHTS: Repository for development of the draft standard, where requests for modification should be made via Github Issues.
44
star
27

ai-ml-security

Potential WG on Artificial Intelligence and Machine Learning (AI/ML)
31
star
28

scorecard-monitor

Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
JavaScript
28
star
29

wg-endusers

OpenSSF Endusers Working Group
27
star
30

ossf-landscape

26
star
31

scorecard-webapp

Website and API for OpenSSF Scorecard
HTML
21
star
32

DevRel-community

Evangelizing the mission and work of the OpenSSF and building strong community outreach around end-users, open-source maintainers, and contributors.
17
star
33

education

OpenSSF Education SIG
16
star
34

toolbelt

16
star
35

project-template

OpenSSF Project Template
16
star
36

omega-triage-portal

Python
13
star
37

Memory-Safety

12
star
38

scorecard-visualizer

Tool for visualizing the Open SSF Scorecard Api data in a human friendly way
TypeScript
10
star
39

Diagrammers-Society

OpenSSF Diagrammers Society
9
star
40

OpenVEX

Vuln Disclosure WG's new SIG
8
star
41

artwork

OpenSSF Artwork
7
star
42

SIRT

The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)
7
star
43

community

6
star
44

gb-planning-committee

The Governing Board Planning Committee guides OpenSSF vision and planning including mission, roadmap, milestones and key metrics for success of the overall organization.
6
star
45

oss-compromises

Archive of various open source security compromises
5
star
46

github-org-access-scraper

GitHub lacks an API for listing an org's repos' access for non-team-based individuals, so, scrape it.
5
star
47

vulnerability-disclosures-whitepaper

4
star
48

Governance-Committee

Governance Committee
3
star
49

oss-researcher-vulnerability-guide

3
star
50

S2C2F-attestation-schema-and-tool

Secure Supply Chain Consumption Framework (S2C2F) OSCAL Catalog and tool
Python
3
star
51

security-metrics-dashboard

3
star
52

disclosure-check

disclosure-check
Python
2
star
53

homebrew-tap

2
star
54

omega-moderne-client

Python
2
star
55

outreach

A place to connect about event and conference engagements
1
star
56

action-web-defn-check

GitHub action for checking a Web Application Definition file
1
star
57

wg-dei

The Diversity, Equity, and Inclusion Working Group was formed in December 2023 to help increase representation and strengthen the overall effectiveness of the cybersecurity workforce.
1
star
58

si-tooling

Python
1
star
59

.github

Github configuration
1
star
60

open-auto-vuln-disclose

open-auto-vuln-disclose
Python
1
star
61

oss-analysis-census2-prototype

Prototype of Census 2 of open source software (NOT MAINTAINED)
Python
1
star
62

scorecard-dependencyanalysis

Scorecard action for checking when new dependencies are added to the repository.
Go
1
star