package-analysis

module v0.0.0-...-892e02c

Published: Feb 29, 2024 License: Apache-2.0

README

Package Analysis

The Package Analysis project analyses the capabilities of packages available on open source repositories. The project looks for behaviors that indicate malicious software:

  • What files do they access?
  • What addresses do they connect to?
  • What commands do they run?

The project also tracks changes in how packages behave over time, to identify when previously safe software begins acting suspiciously.

This effort is meant to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem.

This code is designed to work with the Package Feeds project, and originally started there.

For examples of what this project has detected, check out the case studies.

How it works

The project's components are:

  • A scheduler - creates jobs for the analysis worker from Package Feeds.
  • Analysis (one-shot analyze and worker) - collects package behavior data through static and dynamic analysis of each package.
  • A loader - pushes the analysis results into BigQuery.

The goal is for all of these components to work together and provide extensible, community-run infrastructure to study behavior of open source packages and to look for malicious software. We also hope that the components can be used independently, to provide package feeds or runtime behavior data for anyone interested.

The Package Analysis project currently consists of the following pipeline:

[Pipeline diagram]

  1. Package repositories are monitored for new packages.
  2. Each new package is scheduled to be analyzed by a pool of workers.
  3. A worker performs dynamic analysis of the package inside a sandbox.
  4. Results are stored and imported into BigQuery for inspection.

Sandboxing via gVisor containers ensures the packages are isolated. Detonating a package inside the sandbox allows us to capture strace and packet data that can indicate malicious interactions with the system as well as network connections that can be used to leak sensitive data or allow remote access.
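The README lists three questions the analysis asks of a package (files accessed, addresses connected to, commands run) and says the project also watches for a package whose behaviour changes between versions. The following Go program is an added illustration of that idea and is not code from the Package Analysis project: it parses a handful of constructed strace lines (in the format strace -f prints for openat, execve and connect) into a behaviour summary and then reports what a later version does that the earlier one did not. The trace lines, package name "example-pkg" and the documentation address 192.0.2.10 are all constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Behaviour records the three capability classes the README asks about.
type Behaviour struct {
	Files    map[string]bool // paths passed to openat
	Commands map[string]bool // programs passed to execve
	Hosts    map[string]bool // "addr:port" pairs passed to connect
}

func NewBehaviour() *Behaviour {
	return &Behaviour{
		Files:    map[string]bool{},
		Commands: map[string]bool{},
		Hosts:    map[string]bool{},
	}
}

// strace -f prefixes each line with "[pid N]"; the prefix is optional here so
// single-process traces parse as well.
const pidPrefix = `^(?:\[pid\s+\d+\]\s+)?`

var (
	openRe    = regexp.MustCompile(pidPrefix + `openat\(\w+,\s*"([^"]+)"`)
	execRe    = regexp.MustCompile(pidPrefix + `execve\("([^"]+)"`)
	connectRe = regexp.MustCompile(pidPrefix + `connect\(\d+,\s*\{.*?sin_port=htons\((\d+)\).*?inet_addr\("([^"]+)"\)`)
)

// ParseStrace folds strace output lines into a Behaviour. Lines for other
// syscalls are ignored.
func ParseStrace(lines []string) *Behaviour {
	b := NewBehaviour()
	for _, raw := range lines {
		ln := strings.TrimSpace(raw)
		if m := openRe.FindStringSubmatch(ln); m != nil {
			b.Files[m[1]] = true
			continue
		}
		if m := execRe.FindStringSubmatch(ln); m != nil {
			b.Commands[m[1]] = true
			continue
		}
		if m := connectRe.FindStringSubmatch(ln); m != nil {
			b.Hosts[m[2]+":"+m[1]] = true // m[2] is the address, m[1] the port
		}
	}
	return b
}

// Diff returns everything cur does that prev did not: the signal for
// "previously safe software begins acting suspiciously".
func Diff(prev, cur *Behaviour) *Behaviour {
	d := NewBehaviour()
	added := func(old, now, out map[string]bool) {
		for k := range now {
			if !old[k] {
				out[k] = true
			}
		}
	}
	added(prev.Files, cur.Files, d.Files)
	added(prev.Commands, cur.Commands, d.Commands)
	added(prev.Hosts, cur.Hosts, d.Hosts)
	return d
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// Summary renders a Behaviour as deterministic text, one section per class.
func (b *Behaviour) Summary() string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "files: %v\ncommands: %v\nhosts: %v\n",
		sortedKeys(b.Files), sortedKeys(b.Commands), sortedKeys(b.Hosts))
	return sb.String()
}

// Constructed sample traces for two versions of a hypothetical package.
var v1Trace = []string{
	`[pid  1001] openat(AT_FDCWD, "/usr/lib/node_modules/example-pkg/index.js", O_RDONLY|O_CLOEXEC) = 3`,
	`[pid  1001] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4`,
}

var v2Trace = []string{
	`[pid  2001] openat(AT_FDCWD, "/usr/lib/node_modules/example-pkg/index.js", O_RDONLY|O_CLOEXEC) = 3`,
	`[pid  2001] openat(AT_FDCWD, "/home/build/.npmrc", O_RDONLY) = 4`,
	`[pid  2002] execve("/bin/sh", ["sh", "-c", "uname -a"], 0x7ffd1234 /* 12 vars */) = 0`,
	`[pid  2002] connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0`,
}

func main() {
	prev, cur := ParseStrace(v1Trace), ParseStrace(v2Trace)
	fmt.Print("new behaviour in v2:\n", Diff(prev, cur).Summary())
}
```

Reading a credentials file, spawning a shell and opening an outbound connection are exactly the kinds of new behaviour the pipeline is meant to surface; in the real project the raw strace and packet captures come from the gVisor sandbox and the comparison happens over results loaded into BigQuery, not in a single process like this.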

Directories

Path                 Synopsis
cmd
internal
  log                Package log wraps Uber's Zap logging library to make it easy to use across the project.
pkg
  api/pkgecosystem   Package pkgecosystem defines the open source ecosystems supported by Package Analysis.
sandboxes
