
bug: "Error details: instance.runs[0].results[0].locations[0].physicalLocation.region.startLine must be greater than or equal to 1"

Open juju4 opened this issue 8 months ago • 4 comments

Thanks for sharing your work. I'm testing guarddog (2.5.0) on a python module and it returns some results but

  1. Not valid SARIF: "Error details: instance.runs[0].results[0].locations[0].physicalLocation.region.startLine must be greater than or equal to 1"
  2. It would be great if results could indicate file+line along with the detection rule and package. https://github.com/juju4/python-openobserve/actions/runs/14296980116/job/40065391269#step:8:404 shows "On package: typing-extensions version: 4.13.1\nThis package is using a common obfuscation method often used by malware". Checking https://github.com/DataDog/guarddog/blob/main/guarddog/analyzer/sourcecode/obfuscation.yml, it does not seem there is a relevant eval there (https://github.com/search?q=repo%3Apython%2Ftyping_extensions+eval%28&type=code), and not many join either (https://github.com/search?q=repo%3Apython%2Ftyping_extensions+join%28&type=code).

Also: "On package: wrapt version: 1.17.2\nThis package is using a common obfuscation method often used by malware", "On package: pytest version: 8.3.5\nThis package is using a common obfuscation method often used by malware", "On package: pure-eval version: 0.2.3\nThis package is using a common obfuscation method often used by malware". Any public list of known false-positives? No easy way to ignore/exclude, i.e. only rule exclude, right? Have checked "Error details: instance.runs[0].results[0].locations[0].physicalLocation.region.startLine must be greater than or equal to 1".

juju4 avatar Apr 13 '25 20:04 juju4

Hello @juju4, thanks for reporting this one. I agree we should add the location of the finding. The region entry is used to point to the exact position of the dependency in the requirements file; probably it makes more sense to add the finding location in there. Let me consider the best approach for that.

"Error details: instance.runs[0].results[0].locations[0].physicalLocation.region.startLine must be greater than or equal to 1"

I will also look into that, but it might be solved by my previous comment's approach.

Any public list of known false-positives? No, we don't have that. I think the best move is to create a whitelist file like

package1==version1
package2==version2

And then pip freeze | grep -v -F -f whitelist.txt | tee requirements.txt  (grep -f reads the patterns from the file; -F matches them as fixed strings rather than regexes)

sobregosodd avatar Apr 15 '25 11:04 sobregosodd
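The two points raised above, invalid region.startLine values and a package==version whitelist for known false positives, can both be handled by post-processing the SARIF before it is uploaded. The script below is an added example, not guarddog's own code; the SARIF document and whitelist it runs on are constructed samples shaped after the fields named in this issue (the "evilpkg" entry is a placeholder), and the message format "On package: NAME version: VERSION" is assumed to stay as quoted in the reports above.

```python
from __future__ import annotations
import json
import re

# Constructed SARIF 2.1.0 sample in the shape this issue describes (results pointing
# at a region of the requirements file). It is not real guarddog output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "guarddog"}},
        "results": [
            {
                "ruleId": "obfuscation",
                "message": {"text": "On package: typing-extensions version: 4.13.1\n"
                                    "This package is using a common obfuscation method often used by malware"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "requirements.txt"},
                    "region": {"startLine": 3, "endLine": 3}}}],
            },
            {
                # Placeholder package, constructed; startLine 0 is what the issue reports.
                "ruleId": "single_python_file",
                "message": {"text": "On package: evilpkg version: 0.0.1\n"
                                    "This package has 1 or fewer Python source files"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "requirements.txt"},
                    "region": {"startLine": 0, "endLine": 0}}}],
            },
        ],
    }],
})

# Constructed whitelist in the package==version format suggested above.
WHITELIST = """
# known false positives, one package==version per line
typing-extensions==4.13.1
wrapt==1.17.2
"""

_PKG_RE = re.compile(r"On package: (\S+) version: (\S+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so typing_extensions and typing-extensions compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_whitelist(text: str) -> set[tuple[str, str]]:
    """Read package==version lines; blank lines and '#' comments are ignored."""
    pairs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pairs.add((normalize(name), version.strip()))
    return pairs


def package_of(result: dict) -> tuple[str, str] | None:
    """Extract (name, version) from the finding message, or None if the message lacks it."""
    m = _PKG_RE.search(result.get("message", {}).get("text", ""))
    return (normalize(m.group(1)), m.group(2)) if m else None


def clamp_regions(run: dict) -> int:
    """Raise out-of-range line numbers to the SARIF minimum of 1; returns how many were fixed."""
    fixed = 0
    for result in run.get("results", []):
        for loc in result.get("locations", []):
            region = loc.get("physicalLocation", {}).get("region")
            if not region:
                continue
            start = region.get("startLine", 1)
            if start < 1:
                start = 1
                region["startLine"] = start
                fixed += 1
            if region.get("endLine", start) < start:  # endLine must not precede startLine
                region["endLine"] = start
    return fixed


def drop_whitelisted(run: dict, whitelist: set[tuple[str, str]]) -> list[dict]:
    """Remove results whose package==version is whitelisted; returns the dropped results."""
    kept, dropped = [], []
    for result in run.get("results", []):
        (dropped if package_of(result) in whitelist else kept).append(result)
    run["results"] = kept
    return dropped


def postprocess(sarif_text: str, whitelist_text: str) -> tuple[dict, dict]:
    """Apply both fixes to every run; returns the cleaned report and a summary."""
    report = json.loads(sarif_text)
    whitelist = parse_whitelist(whitelist_text)
    stats = {"clamped": 0, "dropped": 0, "remaining": 0}
    for run in report.get("runs", []):
        stats["dropped"] += len(drop_whitelisted(run, whitelist))
        stats["clamped"] += clamp_regions(run)
        stats["remaining"] += len(run.get("results", []))
    return report, stats


if __name__ == "__main__":
    cleaned, summary = postprocess(SAMPLE_SARIF, WHITELIST)
    print(json.dumps(summary))
    print(json.dumps(cleaned, indent=2))
```

Whitelisting is applied before clamping so that the summary counts only findings that survive the filter; the whitelist is keyed on exact package==version pairs on purpose, since a false positive on one release says nothing about the next.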

Thanks @sobregosodd

Note that startLine, endLine at 0 happened in my GitHub workflow. Ran manually on a client (but with a larger pip list), the values are correctly above 1.

On the obfuscation method and typing-extensions, do you agree this is a false-positive?

juju4 avatar Apr 21 '25 01:04 juju4

On the obfuscation method and typing-extensions, do you agree this is a false-positive?

I ran guarddog directly against typing-extensions and got

guarddog pypi scan typing-extensions
Found 2 potentially malicious indicators in typing-extensions

single_python_file: This package has 1 or fewer Python source files

obfuscation: found 1 source code matches
  * This package is using a common obfuscation method often used by malware at typing_extensions.py/typing_extensions.py:4371
        return getattr(builtins, arg)

This detection about accessing the builtin functions is weird enough to be considered suspicious, but in this case the package seems not to be malicious.

sobregosodd avatar Apr 25 '25 15:04 sobregosodd

Thanks a lot for the confirmation @sobregosodd ! Great to see clearer message too.

juju4 avatar Apr 27 '25 21:04 juju4