.. _detections:

Built-in detections
===================

The following list is a comprehensive overview of all built-in detections in the Aura framework. The output examples are given in JSON, since the purpose of this page is to ease the analysis of the published dataset.

Top level format
----------------

Below is an example of the main JSON document produced by an Aura scan:

::

    {
      "detections": [
        // Contains the list of detection types
      ],
      "imported_modules": [
        // Aggregated module imports extracted from the `ModuleImport` detection type
        ".test_stock_picking_customer_ref",
        "odoo.api",
        "odoo.tests.common",
        ".stock_picking",
        "odoo.fields",
        "odoo.models",
        ".models"
      ],
      "tags": [
        // Aggregated set of tags collected from detections
        "url",
        "test_code"
      ],
      "metadata": {
        "format": [
          "json"
        ],
        "analyzers": [],
        "source": "cli",
        "fork": false,
        "output_opts": {
          "verbosity": 2
        },
        "name": "mirror://odoo10-addon-stock-picking-customer-ref",
        "uri_scheme": "mirror",
        "uri_input": {
          // Metadata associated with the parsed CLI input
          "package": "odoo10-addon-stock-picking-customer-ref",
          "package_opts": {
            "release": "latest"
          }
        },
        "depth": 0
      },
      "score": 0,  // Total score, sum of the scores of all detections
      "name": "mirror://odoo10-addon-stock-picking-customer-ref"  // input as passed on the command line
    }

The ``.detections[]`` array contains the individual detections triggered by the scan. Note that some detections do not appear in the output unless verbose (``-v``) or extra verbose (``-vv``) mode is used, so a report produced at a lower verbosity is not a complete picture of what the scan found.
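As an added example of consuming this format (example code written for this page, not Aura's own code): the loader below reads a report, checks that the aggregate fields ``score``, ``imported_modules`` and ``tags`` agree with the detections they are derived from, and then summarises the detections that remain after dropping those tagged ``test_code``. The embedded report is a constructed, minimal sample that follows the keys documented above; its detection values are invented for the example.

```python
"""Load an Aura JSON report and summarise its detections.

Added example for this documentation page; not Aura's own code. The report
below is constructed for the example and follows the documented top-level
format, but its detections and values are invented.
"""
import json
from collections import Counter

# Constructed sample report (keys follow the documentation, values are invented).
SAMPLE_REPORT = json.dumps({
    "detections": [
        {"type": "ModuleImport", "score": 0, "severity": "unknown",
         "extra": {"name": "odoo.api"}, "line_no": 1},
        {"type": "ModuleImport", "score": 0, "severity": "unknown",
         "extra": {"name": ".models"}, "line_no": 2},
        {"type": "StringMatch", "score": 10, "severity": "low",
         "tags": ["test_code"], "extra": {"signature_id": "tmp_folder"}, "line_no": 36},
        {"type": "SetupScript", "score": 100, "severity": "critical",
         "tags": ["taint_sink", "code_execution"], "line_no": 5},
    ],
    "imported_modules": ["odoo.api", ".models"],
    "tags": ["test_code", "taint_sink", "code_execution"],
    "metadata": {"depth": 0, "output_opts": {"verbosity": 2}},
    "score": 110,
    "name": "mirror://example-package",
})

# Same report with the total score altered; used to show the consistency check firing.
TAMPERED_REPORT = SAMPLE_REPORT.replace('"score": 110', '"score": 0')


def load_report(text: str) -> dict:
    """Parse a report and verify the aggregate fields against the detections."""
    report = json.loads(text)
    detections = report["detections"]

    # "score" is documented as the sum of the per-detection scores
    computed = sum(d.get("score", 0) for d in detections)
    if computed != report["score"]:
        raise ValueError(f"score mismatch: report says {report['score']}, "
                         f"detections sum to {computed}")

    # "imported_modules" aggregates the ModuleImport detections
    imports = {d["extra"]["name"] for d in detections if d["type"] == "ModuleImport"}
    if imports != set(report["imported_modules"]):
        raise ValueError("imported_modules does not match the ModuleImport detections")

    # "tags" is the union of the tags of all detections (not every detection has tags)
    tags = {t for d in detections for t in d.get("tags", [])}
    if tags != set(report["tags"]):
        raise ValueError("tags does not match the tags of the detections")
    return report


def report_is_consistent(text: str) -> bool:
    """True when the aggregate fields of the report agree with its detections."""
    try:
        load_report(text)
    except ValueError:
        return False
    return True


def summarize(report: dict, ignore_tags=("test_code",)) -> dict:
    """Count detections per type and severity, skipping any carrying a tag in ignore_tags."""
    by_type, by_severity, score = Counter(), Counter(), 0
    for d in report["detections"]:
        if any(t in ignore_tags for t in d.get("tags", [])):
            continue
        by_type[d["type"]] += 1
        by_severity[d["severity"]] += 1
        score += d.get("score", 0)
    return {"by_type": dict(by_type), "by_severity": dict(by_severity), "score": score}


if __name__ == "__main__":
    print(json.dumps(summarize(load_report(SAMPLE_REPORT)), indent=2))
```

Filtering on ``test_code`` is a deliberate design choice for dataset analysis: several of the examples further down this page (``LeakingSecret``, ``MalformedXML``, ``StringMatch``) are hits inside a package's test suite, which is usually not what a triage pass is looking for.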
FunctionCall
^^^^^^^^^^^^

Produced when an AST pattern from the semantic signatures matches a function call:

::

    {
      "score": 0,
      "type": "FunctionCall",
      "severity": "unknown",
      "tags": [
        "taint_sink",
        "file_access"
      ],
      "extra": {
        "function": "open"  // Fully resolved name of the function including the module if any, for example `flask.Flask.run`
      },
      "line": "self._shellcodeFP = open(self._shellcodeFilePath, \"rb\")",
      "line_no": 615,
      "signature": "ast_pattern#open_file/615#/mnt/pypi_mirror/packages/9b/6e/fd9ae6d86fe8da323c9426b6bfc9933b42bc52691ee907521bc075154ca5/sqlmap-1.4.10.tar.gz$sqlmap-1.4.10/sqlmap/lib/takeover/metasploit.py",
      "message": "Code is accessing files via open",
      "location": "/mnt/pypi_mirror/packages/9b/6e/fd9ae6d86fe8da323c9426b6bfc9933b42bc52691ee907521bc075154ca5/sqlmap-1.4.10.tar.gz$sqlmap-1.4.10/sqlmap/lib/takeover/metasploit.py"
    }

ModuleImport
^^^^^^^^^^^^

Generated for each import statement:

::

    {
      "score": 0,
      "type": "ModuleImport",
      "severity": "unknown",
      "extra": {
        "name": "binascii"
      },
      "line": "import binascii",
      "line_no": 1,
      "signature": "module_import#binascii#/mnt/pypi_mirror/packages/80/3b/9e2fa0d13c860b0e91c6b40fc98050bf3ecbb02ede66324b9f6a7ee91b5d/shellcodepatterns-0.1.tar.gz$shellcodepatterns-0.1/shellcodepatterns/__init__.py",
      "message": "Module 'binascii' import in a source code",
      "location": "/mnt/pypi_mirror/packages/80/3b/9e2fa0d13c860b0e91c6b40fc98050bf3ecbb02ede66324b9f6a7ee91b5d/shellcodepatterns-0.1.tar.gz$shellcodepatterns-0.1/shellcodepatterns/__init__.py"
    }

Base64Blob
^^^^^^^^^^

A string constant in the source code (post-processed AST) decodes as a valid base64 blob. The decoded payload is included so that it can be inspected without re-running the decode:

::

    {
      "score": 0,
      "type": "Base64Blob",
      "severity": "unknown",
      "tags": [
        "base64"
      ],
      "extra": {
        "base64_decoded": "https://www.tiktok.com/api/user/detail/"  // decoded payload
      },
      "line": "helper = base64.b64decode(\"aHR0cHM6Ly93d3cudGlrdG9rLmNvbS9hcGkvdXNlci9kZXRhaWwv\").decode()",
      "line_no": 11,
      "signature": "data_finder#base64_blob#-119572759001070983#-2548831473978034482",
      "message": "Base64 data blob found",
      "location": "/mnt/pypi_mirror/packages/7f/e3/46ed3fa11eb08ca42e88ef7f26567f317778c717ebace5e4c021b1dd1eef/tiky-1.0.6.tar.gz$tiky-1.0.6/tiky.py"
    }

HighEntropyString
^^^^^^^^^^^^^^^^^

A string inside the source whose Shannon entropy exceeds the configured threshold. Useful for spotting embedded or obfuscated payloads (the example is a base64-encoded GIF). Note that legitimate data such as keys, hashes and compressed assets triggers it as well, so the finding needs manual review:

::

    {
      "score": 0,
      "type": "HighEntropyString",
      "slug": "highentropystring",
      "severity": "unknown",
      "extra": {
        "type": "high_entropy_string",
        "entropy": 5.664622269382654,
        "string": "R0lGODlhIAAgAPYAAAsLC... output stripped"
      },
      "line": "working_encoded = \"\"\"R0lGODlhIAAgAPYAAAsLC... output stripped\"\"\"",
      "line_no": 1,
      "signature": "misc#high_entropy#bc7018f3#/home/user/.aura_cache/mirror_tikitiki-0.2.zip$tikitiki-0.2/tikitiki/working_gif.py:1",
      "message": "A string with high shanon entropy was found",
      "location": "/home/user/.aura_cache/mirror_tikitiki-0.2.zip$tikitiki-0.2/tikitiki/working_gif.py"
    }

Binwalk
^^^^^^^

.. warning:: Removed in Aura 2.1: https://github.com/SourceCode-AI/aura/issues/11

Detection triggered by binwalk output when run on the raw input data:

::

    {
      "score": 0,
      "type": "Binwalk",
      "severity": "unknown",
      "tags": [
        "binwalk",
        "binwalk_signature"
      ],
      "extra": {
        "offset": 22739851,
        "module": "Signature"
      },
      "signature": "binwalk#22739851/19b0836a27c4872925e1df6d67b27790#/mnt/pypi_mirror/packages/0a/ae/90b6e7986c913c144793589db885516a42aad19eacba7b4c16e4117bc063/sourced-spark-api-0.0.12.tar.gz$sourced-spark-api-0.0.12/jars/spark-api-uber.jar",
      "message": "Signature: Zip archive data, at least v2.0 to extract, name: org/eclipse/jgit/transport/ReceiveCommand$1.class",  // Message from binwalk
      "location": "/mnt/pypi_mirror/packages/0a/ae/90b6e7986c913c144793589db885516a42aad19eacba7b4c16e4117bc063/sourced-spark-api-0.0.12.tar.gz$sourced-spark-api-0.0.12/jars/spark-api-uber.jar"
    }

CryptoKeyGeneration
^^^^^^^^^^^^^^^^^^^

Plugin detection that records cryptographic key generation calls together with the key type and size, so that weak parameters can be assessed. The example reports a 1024-bit RSA key, which is below current minimum recommendations:

::

    {
      "score": 100,
      "type": "CryptoKeyGeneration",
      "severity": "critical",
      "extra": {
        "function": "Crypto.PublicKey.RSA.generate",
        "key_type": "rsa",
        "key_size": 1024
      },
      "signature": "crypto#gen_key#/mnt/pypi_mirror/packages/33/2f/ff513daa5da0bd81aac42650a377279547deebf79cfbe58868f0da179fe8/chval-0.6.7.tar.gz$chval-0.6.7/chval_core/crypto.py#45",
      "message": "Generation of cryptography key detected",
      "location": "/mnt/pypi_mirror/packages/33/2f/ff513daa5da0bd81aac42650a377279547deebf79cfbe58868f0da179fe8/chval-0.6.7.tar.gz$chval-0.6.7/chval_core/crypto.py"
    }

DataProcessing
^^^^^^^^^^^^^^

Informs about changes in the data processing pipeline. It is mostly used to indicate that further processing was stopped, for example when the maximum depth of a recursive scan is reached, which means the content behind that point was not analysed:

::

    {
      "score": 0,
      "type": "DataProcessing",
      "severity": "unknown",
      "extra": {
        "reason": "max_depth",
        "location": "/mnt/pypi_mirror/packages/00/05/f8f48063cce63699734578b99ec4daba1ae6b4367071924d181d68af691f/codingsoho-auth-1.0.2.tar.gz$codingsoho-auth-1.0.2/authwrapper/urls.py:52$blob:53$blob"
      },
      "signature": "data_processing#max_depth#/mnt/pypi_mirror/packages/00/05/f8f48063cce63699734578b99ec4daba1ae6b4367071924d181d68af691f/codingsoho-auth-1.0.2.tar.gz$codingsoho-auth-1.0.2/authwrapper/urls.py:52$blob:53$blob",
      "message": "Maximum processing depth reached",
      "location": "/mnt/pypi_mirror/packages/00/05/f8f48063cce63699734578b99ec4daba1ae6b4367071924d181d68af691f/codingsoho-auth-1.0.2.tar.gz$codingsoho-auth-1.0.2/authwrapper/urls.py:52$blob:53$blob"
    }

Detection
^^^^^^^^^

Generic detection type used by semantic signatures that do not define a custom name. The ``extra.type`` field then carries the specific kind of finding:

::

    {
      "score": 0,
      "type": "Detection",
      "severity": "unknown",
      "extra": {
        "type": "high_entropy_string",
        "entropy": 5.832890014164737,
        "string": "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
      },
      "line": "chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'",
      "line_no": 10,
      "signature": "misc#high_entropy#/mnt/pypi_mirror/packages/2f/ee/6ad696ef6e59d46b26def2fe92ef17519047b9f24dc1443a84a9fa8ff85d/django_markdown_messaging-0.1.0-py3-none-any.whl$django_markdown_messaging/models.py#10",
      "message": "A string with high shanon entropy was found",
      "location": "/mnt/pypi_mirror/packages/2f/ee/6ad696ef6e59d46b26def2fe92ef17519047b9f24dc1443a84a9fa8ff85d/django_markdown_messaging-0.1.0-py3-none-any.whl$django_markdown_messaging/models.py"
    }

Typosquatting
^^^^^^^^^^^^^

Lists packages found on PyPI whose name is similar to the scanned package, i.e. possible typosquatting candidates. This detection carries no ``location`` as it concerns the package name rather than a file:

::

    {
      "score": 0,
      "type": "Typosquatting",
      "slug": "typosquatting",
      "severity": "unknown",
      "tags": [
        "typosquatting"
      ],
      "extra": {
        "package_name": "lime"
      },
      "signature": "tile#typosquatting#lime",
      "message": "Located a PyPI package with a similar name"
    }

InvalidRequirement
^^^^^^^^^^^^^^^^^^

Triggered when a line in the requirements file could not be parsed or analysed by Aura, such as the ``-r install.txt`` include directive in the example, which is a pip option rather than a requirement specifier:

::

    {
      "score": 0,
      "type": "InvalidRequirement",
      "severity": "unknown",
      "tags": [
        "cant_parse",
        "invalid_requirement"
      ],
      "extra": {
        "reason": "cant_parse",
        "line": "-r install.txt",
        "line_no": 1,
        "exc_message": "Parse error at \"'-r insta'\": Expected W:(abcd...)",
        "exc_type": "InvalidRequirement"
      },
      "signature": "req_invalid#/mnt/pypi_mirror/packages/e0/fc/bacea406af04cfbb6ae49ef9716ee8f696cbf0b4df37443fdf2fabcda15b/wagtailleafletwidget-1.0.1.tar.gz$wagtailleafletwidget-1.0.1/requirements/tests.txt/1",
      "message": "Could not parse the requirement for analysis",
      "location": "/mnt/pypi_mirror/packages/e0/fc/bacea406af04cfbb6ae49ef9716ee8f696cbf0b4df37443fdf2fabcda15b/wagtailleafletwidget-1.0.1.tar.gz$wagtailleafletwidget-1.0.1/requirements/tests.txt"
    }

LeakingSecret
^^^^^^^^^^^^^

Automatic detection of potential hardcoded passwords and other secrets such as API tokens. The ``extra.name`` field holds the resolved AST node the secret was assigned to. In the example the hit is inside a test module (tag ``test_code``), which is worth keeping in mind when filtering:

::

    {
      "score": 0,
      "type": "LeakingSecret",
      "severity": "critical",
      "tags": [
        "test_code"
      ],
      "extra": {
        "name": "Attribute(Call(Container(name='User', pointer=Import(names={'User': 'registration.ormmanager.tests.samodel.User', 'Group': 'registration.ormmanager.tests.samodel.Group', 'users_table': 'registration.ormmanager.tests.samodel.users_table', 'groups_table': 'registration.ormmanager.tests.samodel.groups_table', 'user_group_table': 'registration.ormmanager.tests.samodel.user_group_table', 'metadata': 'registration.ormmanager.tests.samodel.metadata'})))() . 'password')",
        "secret": "hammertime",
        "extra": {
          "type": "variable"
        }
      },
      "line": "u2.password='hammertime'",
      "line_no": 31,
      "signature": "leaking_secret#/mnt/pypi_mirror/packages/83/6f/c603de0b686d9e89b58b2bfc5875299955a48c5e423b8885c1c51a0b2c46/registration-0.50-py2.5.egg$registration/ormmanager/tests/testsa.py#31",
      "message": "Possible sensitive leaking secret",
      "location": "/mnt/pypi_mirror/packages/83/6f/c603de0b686d9e89b58b2bfc5875299955a48c5e423b8885c1c51a0b2c46/registration-0.50-py2.5.egg$registration/ormmanager/tests/testsa.py"
    }

MalformedXML
^^^^^^^^^^^^

Reported for XML files that fail strict checks, for example files that declare entities. Such files can cause problems for the application that parses them, or be abused outright, as in the Billion laughs attack (denial of service through resource exhaustion by exponentially expanding entities):

::

    {
      "score": 100,
      "type": "MalformedXML",
      "severity": "critical",
      "tags": [
        "test_code",
        "malformed_xml",
        "xml_entities"
      ],
      "extra": {
        "type": "entities"
      },
      "signature": "malformed_xml#entities#/mnt/pypi_mirror/packages/ba/45/1211c364a62fc78bc7b20db8059854e9405c54f7648ede28ca30d508479f/diazo-1.4.0-py2.py3-none-any.whl$diazo/tests/entities/rules.xml",
      "message": "Malformed or malicious XML",
      "location": "/mnt/pypi_mirror/packages/ba/45/1211c364a62fc78bc7b20db8059854e9405c54f7648ede28ca30d508479f/diazo-1.4.0-py2.py3-none-any.whl$diazo/tests/entities/rules.xml"
    }

ArchiveAnomaly
^^^^^^^^^^^^^^

Triggered during the anomaly scan of supported archive formats. In some cases it indicates manipulation of the archive, such as manual editing of a Python package after it was built.
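The member checks behind this detection, and the parent-directory case that the ``SuspiciousArchiveEntry`` detection below reports separately, written out as an added example (illustration code for this page, not Aura's implementation). The reason strings, the size limit and the in-memory sample archive are this example's own constructions; the scan reads only member headers and never extracts anything, which is the safe way to inspect an untrusted archive.

```python
"""Header-only anomaly scan of a tar archive.

Added example for this documentation page; not Aura's code. The reason
strings, the size limit and the sample archive are constructed here.
"""
import io
import tarfile

# Upper bound on the total declared size of the members we are willing to
# process (zip-bomb style protection); the value is chosen for the example.
MAX_TOTAL_SIZE = 10 * 1024 * 1024


def _member_findings(member: tarfile.TarInfo) -> list:
    """(reason, member name) pairs for a single archive member."""
    findings = []
    name = member.name
    if member.issym() or member.islnk():
        findings.append(("member_is_link", name))      # symlink/hardlink can point outside the tree
    if name.startswith("/") or name.startswith("\\"):
        findings.append(("absolute_path", name))       # extraction would write to an absolute location
    if ".." in name.replace("\\", "/").split("/"):
        findings.append(("parent_reference", name))    # ".." component escapes the target directory
    return findings


def scan_tar(data: bytes, max_total_size: int = MAX_TOTAL_SIZE) -> list:
    """Scan an in-memory tar archive and return the findings without extracting it."""
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return [("corrupted", str(exc))]              # cannot be opened at all
    findings, total = [], 0
    with tar:
        for member in tar:                             # iterating reads headers only
            findings.extend(_member_findings(member))
            total += member.size
            if total > max_total_size:
                findings.append(("size_limit", member.name))
                break                                  # stop before processing more content
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: one benign file plus three suspicious members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"print('hello')\n"
        info = tarfile.TarInfo("pkg-1.0/pkg/__init__.py")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))

        link = tarfile.TarInfo("pkg-1.0/pkg/passwd")   # symlink to a file outside the package
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)

        escape = tarfile.TarInfo("../../../../etc/cron.d/job")  # path traversal on extraction
        tar.addfile(escape, io.BytesIO(b""))

        absolute = tarfile.TarInfo("/tmp/evil.py")     # absolute path
        tar.addfile(absolute, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    for reason, name in scan_tar(build_sample_archive()):
        print(f"{reason}: {name}")
```

Running the block prints one finding per suspicious member; a truncated or non-tar input yields a single ``corrupted`` finding, and lowering ``max_total_size`` shows the scan stopping at the first member that exceeds the budget.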
There are numerous reasons this detection can fire, such as:

- the archive is corrupted and cannot be opened or extracted for analysis by Aura
- the archive contains invalid references such as symlinks or absolute paths
- the archive content is too big to be processed by Aura (zip bomb prevention)

::

    {
      "score": 100,
      "type": "ArchiveAnomaly",
      "severity": "critical",
      "extra": {
        "archive_path": "progressio-0.3.0/progressio/p",
        "reason": "member_is_link"
      },
      "signature": "archive_anomaly#link#/mnt/pypi_mirror/packages/4d/f5/0140cf9013b15574845120a71160c2684373944144204e2f2a1330d3d84c/progressio-0.3.0.tar.gz#progressio-0.3.0/progressio/p",
      "message": "Archive contain a member that is a link.",
      "location": "/mnt/pypi_mirror/packages/4d/f5/0140cf9013b15574845120a71160c2684373944144204e2f2a1330d3d84c/progressio-0.3.0.tar.gz"
    }

SuspiciousArchiveEntry
^^^^^^^^^^^^^^^^^^^^^^

Based on the name or path of an archive member, for example a reference to a parent directory (``..``) that would make extraction write outside the target directory. These entries are kept separate from ``ArchiveAnomaly`` because they carry a higher severity:

::

    {
      "score": 50,
      "type": "SuspiciousArchiveEntry",
      "severity": "high",
      "tags": [
        "test_code"
      ],
      "extra": {
        "entry_type": "parent_reference",
        "entry_path": "../../../../../../../../etc/passwd"
      },
      "signature": "suspicious_archive_entry#parent_reference#../../../../../../../../etc/passwd#/tmp/aura_pkg__sandbox0yvm6of9Archive-0.3.tar.gz/Archive-0.3/archive/test/evil.zip",
      "message": "Archive contains an item with parent reference",
      "location": "/mnt/pypi_mirror/packages/f7/37/bf86a96c30477011b6a48fa82cfdf0e6a616314ad229a4544b59b70dfd2f/Archive-0.3.tar.gz$Archive-0.3/archive/test/evil.zip"
    }

SuspiciousFile
^^^^^^^^^^^^^^

A file that is not expected inside a Python package, such as the hidden ``.travis.yml`` in the example:

::

    {
      "score": 5,
      "type": "SuspiciousFile",
      "severity": "unknown",
      "tags": [
        "ignore",
        "hidden_file"
      ],
      "extra": {
        "file_name": ".travis.yml",
        "file_type": "hidden_file"
      },
      "signature": "suspicious_file#/mnt/pypi_mirror/packages/1a/aa/4220d3089733c00d5edee8626f208b8abab0c995a084f6c04e56b17f0d9b/ib_insync-0.9.62.tar.gz$ib_insync-0.9.62/.travis.yml",
      "message": "A potentially suspicious file has been found",
      "location": "/mnt/pypi_mirror/packages/1a/aa/4220d3089733c00d5edee8626f208b8abab0c995a084f6c04e56b17f0d9b/ib_insync-0.9.62.tar.gz$ib_insync-0.9.62/.travis.yml"
    }

OutdatedPackage
^^^^^^^^^^^^^^^

Outdated package dependency in the requirements file. The pinned version and the latest release known at scan time are both recorded:

::

    {
      "score": 5,
      "type": "OutdatedPackage",
      "severity": "medium",
      "tags": [
        "outdated_package"
      ],
      "extra": {
        "package": "certifi",
        "specs": "==2020.4.5.1",
        "latest": "2020.6.20"
      },
      "signature": "req_outdated#/mnt/pypi_mirror/packages/7d/3b/b67e6ee05d19c5f20e7da853cf5d4f520e7cae087f03997907280f7472b6/searx-0.17.0.tar.gz$searx-0.17.0/requirements.txt#certifi#==2020.4.5.1#2020.6.20",
      "message": "Package certifi==2020.4.5.1 is outdated, newest version is 2020.6.20",
      "location": "/mnt/pypi_mirror/packages/7d/3b/b67e6ee05d19c5f20e7da853cf5d4f520e7cae087f03997907280f7472b6/searx-0.17.0.tar.gz$searx-0.17.0/requirements.txt"
    }

UnpinnedPackage
^^^^^^^^^^^^^^^

Unpinned Python package dependency in the requirements file. Without a version specifier the resolved version can change between installs, so a malicious or broken new release is pulled in automatically:

::

    {
      "score": 10,
      "type": "UnpinnedPackage",
      "severity": "high",
      "tags": [
        "unpinned_package"
      ],
      "extra": {
        "package": "uuid"
      },
      "signature": "req_unpinned#/mnt/pypi_mirror/packages/b6/45/72372c1021a6e4fecca7487b8fde0f3e446beb311d97072be14c2a62c9b7/rdf2gremlin-0.1.38.tar.gz$rdf2gremlin-0.1.38/requirements.txt#uuid",
      "message": "Package uuid is unpinned",
      "location": "/mnt/pypi_mirror/packages/b6/45/72372c1021a6e4fecca7487b8fde0f3e446beb311d97072be14c2a62c9b7/rdf2gremlin-0.1.38.tar.gz$rdf2gremlin-0.1.38/requirements.txt"
    }

SQLInjection
^^^^^^^^^^^^

Potential SQL injection vulnerability detected via AST patterns matching string formatting and manipulation in a query, as with the ``str.format`` call in the example:

::

    {
      "score": 50,
      "type": "SQLInjection",
      "severity": "high",
      "line": "cursor.execute('INSERT INTO subscribers VALUES (\\'{0}\\')'.format(subscriber))",
      "line_no": 124,
      "signature": "vuln#/mnt/pypi_mirror/packages/2f/b9/eaef4815a21e40dec0695497b6863bf6764b44854784dbe73f00ffdd43e4/trelloreporter-1.0.0.tar.gz$trelloreporter-1.0.0/trelloreporter/cmd/trelloreport.py#124",
      "message": "Possible SQL injection found",
      "location": "/mnt/pypi_mirror/packages/2f/b9/eaef4815a21e40dec0695497b6863bf6764b44854784dbe73f00ffdd43e4/trelloreporter-1.0.0.tar.gz$trelloreporter-1.0.0/trelloreporter/cmd/trelloreport.py"
    }

TaintAnomaly
^^^^^^^^^^^^

Potential vulnerability detected via taint analysis: tainted (externally controlled) data reaches a sink. The ``extra.taint_log`` array records how the taint propagated to the reported line:

::

    {
      "score": 10,
      "type": "TaintAnomaly",
      "severity": "critical",
      "extra": {
        "taint_log": [
          {
            "line_no": 167,
            "message": "Taint propagated by return/yield statement",
            "path": "/tmp/aura_pkg__sandboxpp6qf9opdisco-dop-0.5.2.tar.gz/disco-dop-0.5.2/web/treesearch.py",
            "taint_level": "TAINTED"
          }
        ]
      },
      "line": "return Response(stream_template('searchresults.html', **args))",
      "line_no": 167,
      "signature": "taint_anomaly#/mnt/pypi_mirror/packages/d5/0f/c7e6849af5f1619e563f0bfd735310bb3b1f07e853774382f34af5cb50bb/disco-dop-0.5.2.tar.gz$disco-dop-0.5.2/web/treesearch.py#167",
      "message": "Tainted input is passed to the sink",
      "location": "/mnt/pypi_mirror/packages/d5/0f/c7e6849af5f1619e563f0bfd735310bb3b1f07e853774382f34af5cb50bb/disco-dop-0.5.2.tar.gz$disco-dop-0.5.2/web/treesearch.py"
    }

SensitiveFile
^^^^^^^^^^^^^

Potentially sensitive file found inside the scanned input (the path in the example is censored):

::

    {
      "score": 100,
      "type": "SensitiveFile",
      "severity": "critical",
      "tags": [
        "pypirc",
        "sensitive_file"
      ],
      "extra": {
        "file_name": ".pypirc"
      },
      "signature": "<... censored ...>/.pypirc",
      "message": "A potentially sensitive file has been found",
      "location": "/mnt/pypi_mirror/packages/<... censored ...>/.pypirc"
    }

SetupScript
^^^^^^^^^^^

Anomaly found in a ``setup.py`` script. This is often triggered by highly suspicious operations such as ``eval``/``exec`` or network connections inside ``setup.py``, which runs with the installing user's privileges at ``pip install`` time:

::

    {
      "score": 100,
      "type": "SetupScript",
      "severity": "critical",
      "tags": [
        "obfuscation",
        "taint_sink",
        "code_execution"
      ],
      "line": "exec(open(\"./osmwriter/_version.py\").read())",
      "line_no": 5,
      "signature": "setup_analyzer#code_execution#ast_pattern#python_code_execution/5#/mnt/pypi_mirror/packages/2a/bc/4f391615c35e15d8d4906a331215fa00b255c32b07ed2d5a3c7968070f36/openstreetmap-writer-0.2.1.tar.gz$openstreetmap-writer-0.2.1/setup.py",
      "message": "Code execution capabilities found in a setup.py script",
      "location": "/mnt/pypi_mirror/packages/2a/bc/4f391615c35e15d8d4906a331215fa00b255c32b07ed2d5a3c7968070f36/openstreetmap-writer-0.2.1.tar.gz$openstreetmap-writer-0.2.1/setup.py"
    }

Wheel
^^^^^

Anomaly found inside a wheel package. This can indicate manual editing of the package or some other suspicious manipulation; in the example a file listed in ``RECORD`` is missing from the wheel, and the entry uses a backslash path separator, which standard wheel tooling does not write:

::

    {
      "score": 100,
      "type": "Wheel",
      "severity": "critical",
      "tags": [
        "wheel",
        "wheel_missing_file",
        "anomaly"
      ],
      "extra": {
        "record": "ezfnSetup\\__init__.pyc"
      },
      "signature": "wheel#missing_file#ezfnSetup\\__init__.pyc#/tmp/aura_pkg__sandboxwbx3f43cezfnSetup-0.0.5-py3-none-any.whl/ezfnSetup\\__init__.pyc",
      "message": "Wheel anomaly detected, file listed in RECORDs but not present in wheel",
      "location": "/mnt/pypi_mirror/packages/01/0a/a209c9c9fb8a45da3e067913dca7d58d6465908295a588ef0d83428741e5/ezfnSetup-0.0.5-py3-none-any.whl$ezfnSetup-0.0.5.dist-info/WHEEL"
    }

StringMatch
^^^^^^^^^^^

Triggered by one of the string patterns in the semantic signatures; ``extra.signature_id`` names the pattern that matched:

::

    {
      "score": 10,
      "type": "StringMatch",
      "severity": "low",
      "tags": [
        "test_code"
      ],
      "extra": {
        "signature_id": "tmp_folder",
        "string": "/tmp"
      },
      "line": "pw_dir='/tmp',",
      "line_no": 36,
      "signature": "string_finder#tmp_folder#d42b9c57d24cf5db3bd8d332dc35437f#/mnt/pypi_mirror/packages/30/1e/918ba8f49475be66b1a15eb92d965e4807c3c925be3840fb6e76bdb51c23/dhcpkit-1.0.7-py3.4.egg$dhcpkit/tests/common/privileges/test_privileges.py/36",
      "message": "regex match: Hardcoded tmp folder in the source code",
      "location": "/mnt/pypi_mirror/packages/30/1e/918ba8f49475be66b1a15eb92d965e4807c3c925be3840fb6e76bdb51c23/dhcpkit-1.0.7-py3.4.egg$dhcpkit/tests/common/privileges/test_privileges.py"
    }

FileStats
^^^^^^^^^

Generated for every input scanned by Aura. It can be used to reconstruct the directory structure of the input or to pair several detections with the same input via the generated hashes. The cryptographic hashes allow exact lookups (for example against threat intelligence feeds), while TLSH is a locality-sensitive hash suited to finding near-duplicate files:

::

    {
      "score": 0,
      "type": "FileStats",
      "severity": "unknown",
      "extra": {
        "mime": "application/x-dosexec",
        "size": 1785344,
        "tlsh": "EE853994EBC760F1E9970872958BF76F5A3197028434CDFAEB586E8DFD33A32101A254",
        "md5": "7ea894b2e4945a75264f67d47340e697",
        "sha1": "6cb0be4b981dc34c0ea1197a87af09f3d4bcc74d",
        "sha256": "f7efde37940048fbcf6e4acb61cc9e62263e4b5bd8df291cdcfe1921d1f49579",
        "sha512": "1899ec854f95c76e7d4dfb51e2fd4f722848db9b76d273d2e9b746ae50dcfb97bd0b1b878ed87e5b3f9c9841b3c4556634a826afe1d2d4862bbc8a7b98c0f9e8"
      },
      "signature": "file_stats#/mnt/pypi_mirror/packages/21/d6/9c823de448276abb8d125bb81f20475eb1d8eb82e4365deb201916a8bcf9/pocsuite3-1.6.5-py2.py3-none-any.whl$pocsuite3/shellcodes/tools/objdump.exe",
      "message": "Statistics about files scanned by aura",
      "location": "/mnt/pypi_mirror/packages/21/d6/9c823de448276abb8d125bb81f20475eb1d8eb82e4365deb201916a8bcf9/pocsuite3-1.6.5-py2.py3-none-any.whl$pocsuite3/shellcodes/tools/objdump.exe"
    }

YaraMatch
^^^^^^^^^

Detection triggered by the Yara integration on the raw input. Score, tags and metadata are copied from the matching rule:

::

    {
      "score": 0,  // copied from the Yara rule metadata `score`
      "type": "YaraMatch",
      "severity": "unknown",
      "tags": [
        "windows_executable"  // copied from the native Yara rule tags
      ],
      "extra": {
        "rule": "WindowsExecutable2",
        "strings": [
          "This program cannot"
        ],
        "meta": {}  // copy of the Yara rule metadata
      },
      "signature": "yara#/mnt/pypi_mirror/packages/21/d6/9c823de448276abb8d125bb81f20475eb1d8eb82e4365deb201916a8bcf9/pocsuite3-1.6.5-py2.py3-none-any.whl$pocsuite3/shellcodes/tools/ld.exe#WindowsExecutable2#2200139803858809946",
      "message": "Yara match 'WindowsExecutable2' signature",
      "location": "/mnt/pypi_mirror/packages/21/d6/9c823de448276abb8d125bb81f20475eb1d8eb82e4365deb201916a8bcf9/pocsuite3-1.6.5-py2.py3-none-any.whl$pocsuite3/shellcodes/tools/ld.exe"
    }

YaraError
^^^^^^^^^

Error raised by the Yara integration while scanning the raw input. The file was not fully checked against the rules, so the absence of a ``YaraMatch`` for it is not meaningful:

::

    {
      "score": 0,
      "type": "YaraError",
      "severity": "unknown",
      "tags": [
        "yara_error"
      ],
      "signature": "yara_error#/mnt/pypi_mirror/packages/a8/04/8dc84a5005912983594883f458621d787345da6583c6143b598800b6909f/radiant-2.4.tar.gz$radiant-2.4/radiant/framework/static/radiant/fonts/mdi/fonts/materialdesignicons-webfont.svg",
      "message": "internal error: 30",
      "location": "/mnt/pypi_mirror/packages/a8/04/8dc84a5005912983594883f458621d787345da6583c6143b598800b6909f/radiant-2.4.tar.gz$radiant-2.4/radiant/framework/static/radiant/fonts/mdi/fonts/materialdesignicons-webfont.svg"
    }

ASTAnalysisError
^^^^^^^^^^^^^^^^

Problem encountered during the AST analysis. Analysis of the file is incomplete from that point on, so a lack of other detections for it does not mean the file is clean:

::

    {
      "score": 0,
      "type": "ASTAnalysisError",
      "severity": "unknown",
      "extra": {
        "iterations": 500
      },
      "signature": "ast_analysis_error#max_iterations#/mnt/pypi_mirror/packages/94/25/63519ece651e2849b3c9b66d88f2a189c1a75889382015abab1393e4fef1/retki-0.12.1.tar.gz$retki-0.12.1/retki/compiler.py",
      "message": "Maximum AST tree iterations reached",
      "location": "/mnt/pypi_mirror/packages/94/25/63519ece651e2849b3c9b66d88f2a189c1a75889382015abab1393e4fef1/retki-0.12.1.tar.gz$retki-0.12.1/retki/compiler.py"
    }

PackageInformation
^^^^^^^^^^^^^^^^^^

Dump of information about the package from PyPI, including the title, URLs (homepage, VCS, etc.), specifiers and more. It also carries the package scoring matrix as computed by Aura:

::

    {
      "score": 0,
      "type": "PackageInformation",
      "slug": "packageinformation",
      "severity": "unknown",
      "tags": [
        "package_info"
      ],
      "extra": {
        "source_url": "https://github.com/tightai/tightai",
        "homepage_url": "https://github.com/tightai/tightai",
        "documentation_url": null,
        "latest_release": "1.0.14",
        "score": {
          "total": 7,
          "entries": [
            {
              "value": 8,
              "normalized": 1,
              "label": "PyPI downloads",
              "explanation": "8 (+1)",
              "slug": "pypi_downloads"
            },
            {
              "value": 1,
              "normalized": 0,
              "label": "GitHub stars",
              "explanation": "1 (+0)",
              "slug": "github_stars"
            },
            {
              "value": 0,
              "normalized": 0,
              "label": "GitHub forks",
              "explanation": "0 (+0)",
              "slug": "github_forks"
            },
            ...
          ]
        },
        "reverse_dependencies": [],
        "classifiers": [
          "Development Status :: 3 - Alpha",
          "Intended Audience :: Developers",
          "License :: OSI Approved :: Apache Software License",
          "Natural Language :: English",
          "Programming Language :: Python :: 3.6",
          "Programming Language :: Python :: 3.7",
          "Programming Language :: Python :: 3.8"
        ],
        "version": "1.0.14"
      },
      "signature": "package_enrichment#tightai",
      "message": "Package information"
    }

ASTParseError
^^^^^^^^^^^^^

A problem encountered when attempting to parse the input as Python source code via AST. In the example the input is a template file containing ``${package}`` placeholders, so the failure is expected rather than a sign of obfuscation; the file is nevertheless not covered by the AST-based detections:

::

    {
      "score": 0,
      "type": "ASTParseError",
      "severity": "unknown",
      "extra": {
        "stdout": "",
        "stderr": "Traceback (most recent call last):\n File \"/home/intense/aura/aura/analyzers/python_src_inspector.py\", line 206, in main\n src_dump = collect(source_code=source_code, encoding=encoding)\n File \"/home/intense/aura/aura/analyzers/python_src_inspector.py\", line 176, in collect\n src = ast.parse(source_code)\n File \"/usr/lib/python2.7/ast.py\", line 37, in parse\n return compile(source, filename, mode, PyCF_ONLY_AST)\n File \"\", line 14\n from ${package}.registration.widgets import (NewUserFields, NewUserSchema, RegTableForm,\n ^\nSyntaxError: invalid syntax\n"
      },
      "signature": "ast_parse_error#/mnt/pypi_mirror/packages/83/6f/c603de0b686d9e89b58b2bfc5875299955a48c5e423b8885c1c51a0b2c46/registration-0.50-py2.5.egg$registration/template/+package+/registration/controllers.py_tmpl",
      "message": "Unable to parse the source code",
      "location": "/mnt/pypi_mirror/packages/83/6f/c603de0b686d9e89b58b2bfc5875299955a48c5e423b8885c1c51a0b2c46/registration-0.50-py2.5.egg$registration/template/+package+/registration/controllers.py_tmpl"
    }

ReDoS
^^^^^

Detection of a regular expression that may be vulnerable to a ReDoS (regular expression denial of service) attack, i.e. one whose matching time can grow catastrophically on crafted input:

::

    {
      "score": 0,
      "type": "ReDoS",
      "slug": "redos",
      "severity": "unknown",
      "tags": [
        "redos"
      ],
      "extra": {
        "type": "redos",
        "regex": "(.*)MergeTree(\\(([^\\)]*)\\))*(.*)"
      },
      "line": "return re.sub(r\"(.*)MergeTree(\\(([^\\)]*)\\))*(.*)\", _replace, engine.strip())",
      "line_no": 439,
      "signature": "misc#redos#9621086d#/home/intense/.aura_cache/mirror_tinybird-cli-1.0.0b32.post2.tar.gz$tinybird-cli-1.0.0b32.post2/tinybird/sql.py:439",
      "message": "Possible catastrophic ReDoS",
      "location": "/home/intense/.aura_cache/mirror_tinybird-cli-1.0.0b32.post2.tar.gz$tinybird-cli-1.0.0b32.post2/tinybird/sql.py"
    }

ASTPattern
^^^^^^^^^^

Uncategorized detection of an AST pattern from the semantic signatures:

::

    {
      "score": 20,
      "type": "ASTPattern",
      "slug": "astpattern",
      "severity": "low",
      "tags": [
        "deprecated"
      ],
      "line": "hasher = hashlib.sha256() if algo is 'sha256' else hashlib.md5()",
      "line_no": 117,
      "signature": "ast_pattern#md5_deprecated/117#/home/intense/.aura_cache/mirror_tinyenv-0.1.0-py2.py3-none-any.whl$tinyenv/utils/fileutil.py",
      "message": "Usage of MD5 for cryptographic purposes is very dangerous and no longer recommended",
      "location": "/home/intense/.aura_cache/mirror_tinyenv-0.1.0-py2.py3-none-any.whl$tinyenv/utils/fileutil.py",
      "package": "tinyenv"
    }

LeakingPyPIrc
^^^^^^^^^^^^^

Detection of exposed PyPI credentials inside a ``.pypirc`` file. Because this file holds the credentials used to upload releases to the package index, a leaked copy lets anyone publish new versions under the affected account; the credentials must be revoked:

::

    {
      "score": 100,
      "type": "LeakingPyPIrc",
      "slug": "leakingpypirc",
      "severity": "critical",
      "tags": [
        "secrets_leak",
        "pypirc",
        "sensitive_file"
      ],
      "extra": {
        "section": "pypi",
        "username": "...",
        "password": "..."
      },
      "signature": "pypirc#935b09ce",
      "message": "Leaking credentials in the `.pypirc` file",
      "location": "/home/user/.aura_cache/mirror_.../.pypirc"
    }

Misc
^^^^

Various uncategorized detections.
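The AST-driven detections above (``FunctionCall``, ``ASTPattern`` and ``SetupScript``, which all depend on resolving a called name to its module, and ``Base64Blob`` / ``HighEntropyString``, which inspect string constants) are illustrated by the following added example. It is illustration code written for this page, not Aura's implementation or its signatures: the watch-list of callee names, the entropy threshold, the minimum string length and the sample source are this example's own assumptions. The sample source is constructed to resemble the ``setup.py`` and MD5 snippets shown on this page.

```python
"""Minimal AST pass in the spirit of the FunctionCall / ASTPattern / SetupScript
and Base64Blob / HighEntropyString detections.

Added example for this documentation page; not Aura's code. The watch-list,
thresholds and sample source are assumptions made for the example.
"""
import ast
import base64
import binascii
import math
import re
from collections import Counter

# Fully qualified callee name -> finding kind (example watch-list, not Aura's signatures)
WATCHED_CALLS = {
    "exec": "code_execution",
    "eval": "code_execution",
    "open": "file_access",
    "hashlib.md5": "deprecated_hash",
    "subprocess.Popen": "process_spawn",
}
ENTROPY_THRESHOLD = 4.5   # bits per character; chosen for the example
MIN_STRING_LENGTH = 16    # shorter strings are rarely payloads
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed input modelled on the setup.py and MD5 examples of this page.
SAMPLE_SOURCE = '''\
import hashlib
from subprocess import Popen as run
import base64

exec(open("./pkg/_version.py").read())
digest = hashlib.md5(b"data").hexdigest()
url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmNvbS9hcGkv").decode()
token = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
run(["ls"])
'''


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_base64(s: str):
    """Decoded bytes if s is a well-formed base64 blob of useful length, else None."""
    if len(s) < MIN_STRING_LENGTH or len(s) % 4 or not BASE64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


class Analyzer(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}    # local name -> fully qualified name bound by an import
        self.findings = []   # (line_no, kind, detail)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:                      # import a.b as c -> c = a.b
                self.aliases[alias.asname] = alias.name
            else:                                 # import a.b      -> a = a
                top = alias.name.split(".")[0]
                self.aliases[top] = top

    def visit_ImportFrom(self, node):
        module = "." * node.level + (node.module or "")
        sep = "" if module.endswith(".") else "."
        for alias in node.names:                  # from a import b as c -> c = a.b
            self.aliases[alias.asname or alias.name] = f"{module}{sep}{alias.name}"

    def _qualname(self, node):
        """Dotted name of `x.y.z` with the leftmost name resolved through imports."""
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name):
            return None                           # e.g. a call on the result of another call
        parts.append(self.aliases.get(node.id, node.id))
        return ".".join(reversed(parts))

    def visit_Call(self, node):
        name = self._qualname(node.func)
        if name in WATCHED_CALLS:
            self.findings.append((node.lineno, WATCHED_CALLS[name], name))
        self.generic_visit(node)                  # keep walking: open() nested inside exec()

    def visit_Constant(self, node):
        value = node.value
        if isinstance(value, str):
            decoded = decode_base64(value)
            if decoded is not None:
                self.findings.append((node.lineno, "base64_blob", decoded.decode("utf-8", "replace")))
            elif len(value) >= MIN_STRING_LENGTH and shannon_entropy(value) > ENTROPY_THRESHOLD:
                self.findings.append((node.lineno, "high_entropy_string", value))


def analyze(source: str) -> list:
    """Sorted (line_no, kind, detail) findings for a Python source string."""
    analyzer = Analyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings)


if __name__ == "__main__":
    for line_no, kind, detail in analyze(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {detail}")
```

Resolving through the import table is what makes ``run([...])`` show up as ``subprocess.Popen``, matching the "fully resolved name" semantics of the ``FunctionCall`` detection. The base64 check is tried before the entropy check because a valid base64 blob would otherwise also be reported as a high-entropy string, and the decoded form is far more useful to a reviewer.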