
fix: fix incorrect skip result evaluation causing false positives in PyPI malware reporting" #1031


Merged
merged 10 commits into from
Apr 9, 2025

Conversation

art1f1c3R
Member

Addressing issue identified in #1027, where skips were being evaluated as false. This PR introduces wrappers passed() and failed() into the ProbLog model that use try_call() statements. Skipped heuristics are no longer defined in the ProbLog model, which is why this try_call() statement is used. This means that evaluating failed(heuristic) will be false if the heuristic passed, or if it was not defined (i.e. was skipped). Similarly, for evaluating passed(), this will be false if the heuristic failed, or if it was not defined. This should handle situations where skips should not cause rules they are part of to trigger. This method was the easiest way to keep as much of the ProbLog model in a static string as possible, without having to perform extensive string operations.

Rule IDs have also been added for debugging purposes, and a method to extract them, so that it is evident what rule was triggered.
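The passed()/failed() semantics described in this PR, worked through as an added Python example (not the project's ProbLog model or its own code): a heuristic result is one of pass, fail or skip; `passed()` is true only for a defined passing result and `failed()` only for a defined failing result, so a skipped heuristic satisfies neither and cannot trigger a rule it is part of. For contrast, the block also evaluates the same rules with the naive "failed means not passed" reading, which is the kind of evaluation that fires on a skip. Heuristic names (`h_a`, `h_b`), rule IDs and confidence values are constructed placeholders, not identifiers from the project.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Result(Enum):
    """Outcome of a single heuristic; SKIP models a heuristic that never ran."""
    PASS = "pass"
    FAIL = "fail"
    SKIP = "skip"

Results = Dict[str, Result]

def passed(results: Results, heuristic: str) -> bool:
    # True only when the heuristic ran and passed. A missing or skipped
    # heuristic (not defined in the model) evaluates to False.
    return results.get(heuristic) is Result.PASS

def failed(results: Results, heuristic: str) -> bool:
    # True only when the heuristic ran and failed. Passed, skipped and
    # undefined heuristics all evaluate to False.
    return results.get(heuristic) is Result.FAIL

def naive_failed(results: Results, heuristic: str) -> bool:
    # The pitfall: treating "not passed" as "failed" makes a skipped or
    # undefined heuristic count as a failure. Illustrative only.
    return not passed(results, heuristic)

# Constructed rule table: rule id, confidence, and the rule body expressed
# over a (failed, passed) pair so both evaluation strategies can share it.
RuleBody = Callable[[Callable[[str], bool], Callable[[str], bool]], bool]
RULES: List[Tuple[str, float, RuleBody]] = [
    ("both_failed", 1.0, lambda f, p: f("h_a") and f("h_b")),
    ("a_failed_b_passed", 0.5, lambda f, p: f("h_a") and p("h_b")),
]

def triggered_rules(results: Results) -> List[str]:
    """Rule IDs that fire under the skip-aware semantics (for debugging output)."""
    f = lambda h: failed(results, h)
    p = lambda h: passed(results, h)
    return [rule_id for rule_id, _, body in RULES if body(f, p)]

def naive_triggered_rules(results: Results) -> List[str]:
    """Rule IDs that fire when 'failed' is read as 'not passed'."""
    f = lambda h: naive_failed(results, h)
    p = lambda h: passed(results, h)
    return [rule_id for rule_id, _, body in RULES if body(f, p)]

def max_confidence(results: Results) -> float:
    """Highest confidence among triggered rules, 0.0 when nothing fires."""
    fired = set(triggered_rules(results))
    return max((conf for rule_id, conf, _ in RULES if rule_id in fired), default=0.0)

if __name__ == "__main__":
    # Constructed scenario: h_a failed, h_b was skipped.
    scenario = {"h_a": Result.FAIL, "h_b": Result.SKIP}
    print("skip-aware:", triggered_rules(scenario), max_confidence(scenario))
    print("naive     :", naive_triggered_rules(scenario))
```

Running the block shows the skip-aware evaluation firing no rule for the fail/skip scenario while the naive reading fires `both_failed`, which is the false positive the PR removes; the returned rule IDs are what a debugging message would print to show which rule triggered.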

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Mar 27, 2025
@art1f1c3R art1f1c3R closed this Mar 27, 2025
@art1f1c3R art1f1c3R reopened this Mar 27, 2025
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/malware-bug-1027 branch from 8af93d3 to 97bb593 Compare March 27, 2025 05:33
@art1f1c3R art1f1c3R marked this pull request as ready for review March 27, 2025 05:41
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/malware-bug-1027 branch 3 times, most recently from 362d0b4 to d46f7ed Compare April 3, 2025 06:13
@behnazh-w behnazh-w changed the title fix: pypi malware reporting false positives due to incorrect skip result evaluation fix: fix incorrect skip result evaluation causing false positives in PyPI malware reporting" Apr 3, 2025
@art1f1c3R art1f1c3R changed the base branch from staging to main April 8, 2025 23:41
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
…ules triggers increase the confidence

Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
… improved.

Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/malware-bug-1027 branch from d46f7ed to 6d50aaa Compare April 8, 2025 23:45
… rule ignorant of wheel absence result

Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
behnazh-w
behnazh-w previously approved these changes Apr 9, 2025
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R
Member Author

I ran the unit test on the old ProbLog model to ensure the unit test is solving the problem, and this is confirmed by the old ProbLog model failing the unit test, with a high confidence rule being triggered: AssertionError: assert 1.0 == 0.

Member

@tromai tromai left a comment


LGTM. Thanks for the fix.

@art1f1c3R art1f1c3R merged commit 199809e into main Apr 9, 2025
10 checks passed
@art1f1c3R art1f1c3R deleted the art1f1c3R/malware-bug-1027 branch April 9, 2025 06:27
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

pypi malware reporting false positives due to incorrect skip result evaluation
3 participants