CAPEv2 icon indicating copy to clipboard operation
CAPEv2 copied to clipboard

Published 20 hours ago verified publisher icon kevoreilly

feat(scoring): Implement dedicated scoring logic for URL analysis

Open AxelSecurity opened this issue 5 months ago • 2 comments

Type of change

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)

Motivation and Context

Currently, the calc_scoring function in lib/cuckoo/common/scoring.py has a detailed, category-based logic for executable files. However, analyses for URLs (category: "url") fall into a generic else block.

This leads to two main issues:

  1. The score calculation is basic and does not differentiate URL-specific threats.
  2. More importantly, the status variable is never assigned for non-executable analyses, resulting in a None status in the final report, which is unhelpful for users and integrations.

This PR aims to fix this by implementing a dedicated and complete scoring logic for URL analyses.

Description of the Change

This pull request introduces a dedicated logic path for URL analyses at the beginning of the calc_scoring function.

  1. It first checks the analysis target's category via results.get("target", {}).get("category").
  2. If the category is "url", it enters a new block that performs the following actions:
    • Calculates finalMalscore based on the matched signatures' weight, severity, and confidence.
    • Adds support for the maximum attribute in signatures, allowing a single high-impact signature to set the score directly.
    • Crucially, it assigns a status (Malicious, Suspicious, Clean, or Undetected) based on the final score.
    • It then returns the score and status immediately, preventing the analysis from falling through to the file-specific logic.

This ensures that URL analyses now produce a meaningful score and a clear, human-readable status, significantly improving the quality of the analysis report. The existing logic for executable files remains untouched.

How to test

  1. Submit a URL for analysis (e.g., a known phishing site or a benign site).
  2. Ensure the analysis triggers some signatures (e.g., network or phishing related signatures).
  3. Check the final report. Verify that the analysis now shows:
    • A calculated score (e.g., > 4.0).
    • A corresponding status (e.g., Suspicious or Malicious) instead of None.

Checklist

  • [x] My code follows the style guidelines of this project.
  • [x] I have performed a self-review of my own code.
  • [x] I have commented my code, particularly in hard-to-understand areas.
  • [x] I have made corresponding changes to the documentation. (N/A for this change)
  • [x] My changes generate no new warnings.

AxelSecurity avatar Jun 23 '25 09:06 AxelSecurity

All feedback has been addressed. The code has been refactored and cleaned up. Thanks for the review!

AxelSecurity avatar Jun 24 '25 07:06 AxelSecurity

Happy days! Thanks a lot for this contribution. I'll wait for doomed to double check when he's back from vacation, but all looks good to me 👍

kevoreilly avatar Jun 24 '25 07:06 kevoreilly