malware-jail.vm fails although the tool is installed
Details
Both locally and in daily CI, I see the following error in the log:
2024/09/03 09:29:54 [installer.vm] chocolateyinstall.ps1 [+] ERROR : Failed to install: magika.vm
2024/09/03 09:29:54 [installer.vm] chocolateyinstall.ps1 [+] ERROR : Failed to install: malware-jail.vm
It seems to be caused by:
ERROR: ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
The tools appear to be installed correctly, so this is very confusing and we should investigate how to fix it.
NOTE: This is actually 2 separate issues. One for magika and separate issue affecting malware-jail.
This specific pip issue is mostly due to our Python tools being installed separately, and thus Python's dependency resolver is unable to properly satisfy any dependency issues, which is what is displaying the error.
The primary underlying issue is that magika version 0.5.1 had an error in its code that was recently fixed in 0.6.0rc1 (currently unreleased on PyPI), which is what made numpy version >=1.26 be required even for Python version <3.12 when it should have only needed >=1.24: https://github.com/google/magika/commit/ebac72a3798de2608ef518edc1e21e71f2a2d0ab
And because we have other Python tools installed via libraries.python3.vm, their dependencies are not checked against this, and thus more specifically we run into an issue because StringSifter requires numpy==1.24.4: https://github.com/mandiant/stringsifter/blob/33c0cd5538bf4dc499505b63f89bc045b191a0df/requirements.txt#L110
So when numpy is updated to 1.26 because of magika, we get an error:
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
stringsifter 3.20230711 requires numpy==1.24.4, but you have numpy 1.26.4 which is incompatible.
This can be resolved immediately by just using magika version 0.5.0, and should hopefully be resolved when version 0.6.0 is officially released.
The second issue is that malware-jail has not been updated in a long time, and thus many packages it uses are deprecated, which in turn raises WARN issues within npm, causing the package to seem to "fail":
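A small post-install consistency check, in the spirit of `pip check`, that reproduces the numpy conflict described above. This is an added example, not code from vm-packages or from any of the tools mentioned; the INSTALLED and FIXED snapshots are constructed, and FIXED assumes the pinned magika 0.5.0 only needs numpy>=1.24.

```python
import importlib.metadata
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, List[str]]]  # name -> (version, Requires-Dist lines)

# Constructed snapshot of the broken state: magika 0.5.1 pulled numpy up to 1.26.4
INSTALLED: Snapshot = {
    "numpy": ("1.26.4", []),
    "stringsifter": ("3.20230711", ["numpy==1.24.4"]),
    "magika": ("0.5.1", ["numpy>=1.26"]),
}
# Constructed snapshot after pinning magika 0.5.0 (assumed to need only numpy>=1.24)
FIXED: Snapshot = {
    "numpy": ("1.24.4", []),
    "stringsifter": ("3.20230711", ["numpy==1.24.4"]),
    "magika": ("0.5.0", ["numpy>=1.24"]),
}

# Plain "name op version" pins only; extras, markers and ranges are skipped.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)\s*$")

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", v))

def satisfies(have: str, op: str, want: str) -> bool:
    a, b = parse_version(have), parse_version(want)
    return {"==": a == b, "!=": a != b, ">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b}[op]

def find_conflicts(installed: Snapshot) -> List[str]:
    """Return pip-check style messages for every unsatisfied or missing pin."""
    out = []
    for dist, (version, requires) in installed.items():
        for req in requires:
            m = REQ_RE.match(req)
            if not m:
                continue
            name, op, want = m.group(1).lower(), m.group(2), m.group(3)
            if name not in installed:
                out.append(f"{dist} {version} requires {req}, which is not installed.")
            elif not satisfies(installed[name][0], op, want):
                have = installed[name][0]
                out.append(f"{dist} {version} requires {req}, but you have {name} {have} which is incompatible.")
    return out

def snapshot_from_environment() -> Snapshot:
    """Same structure read from the running interpreter, for use as a CI gate."""
    return {(d.metadata["Name"] or "").lower(): (d.version, list(d.requires or []))
            for d in importlib.metadata.distributions()}
```

Running `find_conflicts(snapshot_from_environment())` after all Python packages are installed and failing the build on a non-empty list would surface this kind of conflict directly, instead of leaving it as a pip warning buried in the installer log.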
Thanks for the research @emtuls!
@emtuls what about updating (via a PR to malware-jail, or by requesting an update in an issue that links to this issue) the packages in malware-jail? Can you take care of this?
I think using a fixed version of magika is also a good idea. Could you update our package @emtuls ?
Magika is fixed, but we still have the malware-jail issue. Are you planning to send an issue/PR to malware-jail @emtuls?
This issue is fixed.