feature: Malicious packages scanner [TAROT-3600] (#175)

kendrickcurtis · afsmeira · web-flow · commit dcdf34095ff4 · 2025-11-28T16:14:59.000Z
* openssf malicious packages integration

* updated test to match new live CVE

* revised malicious package detection to prebuild an index nightly so as to accelerate scanning.

* fixed build - tool wasn't scanning for package.json -- added test for package-lock.json also

* merged main, added Dockerfile

* resolved codacy warnings

* fixed codacy cyclo issue

* fixed AI nonsense

* fixed CICD -- necessary file wasn't being copied

* fixed another CICD issue

* bugfix in tool.go to live with nil PURLs and fixed absent line number reporting in openssf scanner

* stopped copying unnecessary files

* fixed test data

* test fixes

* ignored codacy config

* review comments tackled

* fixed stupid ai shit - npm ref in gradle file

* fixed missing vuln

* Delete .codacy/cli.sh

* Delete .codacy/codacy.yaml

* clean: Assorted cleanup after rebase

* clean: Improve build process for OpenSSF malicious packages index

* clean: Simplify and correct malicious packages scanner implementation

* clean: Ensure proper dependency injection for testable code

* clean: Address codacy comments

* tests: Add unit tests and fix faulty implementations

* ci: Serialize steps to avoid problems when saving to workspace

* tests: Fix integration tests

* clean: Log when failing to open file when building index

* clean: Address AI review comments

* feat: Support the `last_affected` field in range events

---------

Co-authored-by: André Meira &lt;andre.meira@codacy.com&gt;
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -13,6 +13,13 @@ references:
       mkdir cache
       ./trivy --cache-dir ./cache image --download-db-only
 
+  build_openssf_malicious_package_index: &build_openssf_malicious_package_index
+    persist_to_workspace: true
+    cmd: |
+      mkdir openssf-malicious-packages
+      curl -sfL https://api.github.com/repos/ossf/malicious-packages/tarball/main | tar -xz --strip-components=1 -C openssf-malicious-packages
+      python3 scripts/build_openssf_index.py
+
   build_and_publish_docker: &build_and_publish_docker
     persist_to_workspace: true
     cmd: |
@@ -36,11 +43,16 @@ workflows:
           name: install_trivy_and_download_dbs
           requires:
             - generate_and_test
+      - codacy/shell:
+          <<: *build_openssf_malicious_package_index
+          name: build_openssf_malicious_package_index
+          requires:
+            - install_trivy_and_download_dbs
       - codacy/shell:
           <<: *build_and_publish_docker
           name: publish_docker_local
           requires:
-            - install_trivy_and_download_dbs
+            - build_openssf_malicious_package_index
       - codacy_plugins_test/run:
           name: plugins_test
           run_multiple_tests: true
@@ -84,11 +96,16 @@ workflows:
           name: install_trivy_and_download_dbs
           requires:
             - generate_and_test
+      - codacy/shell:
+          <<: *build_openssf_malicious_package_index
+          name: build_openssf_malicious_package_index
+          requires:
+            - install_trivy_and_download_dbs
       - codacy/shell:
           <<: *build_and_publish_docker
           name: publish_docker_local
           requires:
-            - install_trivy_and_download_dbs
+            - build_openssf_malicious_package_index
       - codacy/publish_docker:
           name: publish_dockerhub
           context: CodacyDocker
diff --git a/.gitignore b/.gitignore
@@ -11,13 +11,21 @@ project
 target
 bin
 cache
+openssf-malicious-packages
 *.gen.go
 .codacyrc
 trivy
 
 
-#Ignore vscode AI rules
+# Ignore vscode AI rules
 .github/copilot-instructions.md
 
-#Ignore cursor AI rules
-.cursor/rules/codacy.mdc   
+# Ignore cursor AI rules
+.cursor/rules/codacy.mdc
+
+# Ignore codacy stuff
+.codacy/cli.sh
+.codacy/codacy.yaml
+
+# Ignore patterns.json
+docs/patterns.json
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.25-alpine as builder
+FROM golang:1.25-alpine AS builder
 
 ARG TRIVY_VERSION=dev
 ENV TRIVY_VERSION=$TRIVY_VERSION
@@ -31,5 +31,6 @@ RUN adduser -u 2004 -D docker
 COPY --from=builder --chown=docker:docker /src/bin /dist/bin
 COPY --from=builder --chown=docker:docker /src/docs /docs 
 COPY --chown=docker:docker cache/ /dist/cache/codacy-trivy
+COPY --chown=docker:docker openssf-malicious-packages/openssf-malicious-packages-index.json.gz /dist/cache/codacy-trivy/openssf-malicious-packages-index.json.gz
 
 CMD [ "/dist/bin/codacy-trivy" ]
diff --git a/cmd/tool/main.go b/cmd/tool/main.go
@@ -5,11 +5,17 @@ import (
 
 	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"github.com/codacy/codacy-trivy/internal/tool"
+	"github.com/sirupsen/logrus"
 )
 
 func main() {
-	codacyTrivy := tool.New()
-	retCode := codacy.StartTool(&codacyTrivy)
+	codacyTrivy, err := tool.New(tool.MaliciousPackagesIndexPath)
+	if err != nil {
+		logrus.Errorf("Failed to create tool execution: %s", err.Error())
+		os.Exit(-1)
+	}
+
+	retCode := codacy.StartTool(codacyTrivy)
 
 	os.Exit(retCode)
 }
diff --git a/docs/description/malicious_packages.md b/docs/description/malicious_packages.md
@@ -0,0 +1,2 @@
+## Malicious packages detection
+Detects malicious packages identified in the OpenSSF Malicious Packages database, including typosquatting attacks, dependency confusion, and packages with malicious payloads.
diff --git a/docs/multiple-tests/all-patterns/patterns.xml b/docs/multiple-tests/all-patterns/patterns.xml
@@ -5,4 +5,5 @@
     <module name="vulnerability_high" />
     <module name="vulnerability_medium" />
     <module name="vulnerability_minor" />
+    <module name="malicious_packages" />
 </module>
diff --git a/docs/multiple-tests/all-patterns/results.xml b/docs/multiple-tests/all-patterns/results.xml
@@ -40,4 +40,12 @@
             severity="warning"
         />
     </file>
-</checkstyle>
+    <file name="javascript/package-lock.json">
+        <error
+            source="malicious_packages"
+            line="11"
+            message="Malicious code in sdge-it-tdg-dynamicloadprofiles (npm) - sdge-it-tdg-dynamicloadprofiles@1.0.1"
+            severity="error"
+        />
+    </file>
+</checkstyle>
diff --git a/docs/multiple-tests/all-patterns/src/gradle/gradle.lockfile b/docs/multiple-tests/all-patterns/src/gradle/gradle.lockfile
@@ -1,4 +1,5 @@
 org.apache.logging.log4j:log4j-core:2.17.0
 org.apache.dolphinscheduler:dolphinscheduler-task-api:3.2.1
 org.apache.seatunnel:seatunnel:1.0.0
-org.apache.cxf:cxf-rt-transports-http:4.0.0
+org.apache.cxf:cxf-rt-transports-http:4.0.0
+npm:commitlint-pm2-proxima-dotenv-safe:1.0.0
diff --git a/docs/multiple-tests/all-patterns/src/javascript/package-lock.json b/docs/multiple-tests/all-patterns/src/javascript/package-lock.json
diff --git a/docs/multiple-tests/pattern-malicious-packages/patterns.xml b/docs/multiple-tests/pattern-malicious-packages/patterns.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module name="root">
+    <module name="malicious_packages" />
+</module>
diff --git a/docs/multiple-tests/pattern-malicious-packages/results.xml b/docs/multiple-tests/pattern-malicious-packages/results.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<checkstyle version="1.5">
+    <file name="javascript/package-lock.json">
+        <error
+            source="malicious_packages"
+            line="11"
+            message="Malicious code in sdge-it-tdg-dynamicloadprofiles (npm) - sdge-it-tdg-dynamicloadprofiles@1.0.1"
+            severity="error"
+        />
+    </file>
+</checkstyle>
diff --git a/docs/multiple-tests/pattern-malicious-packages/src/javascript/package-lock.json b/docs/multiple-tests/pattern-malicious-packages/src/javascript/package-lock.json
diff --git a/docs/multiple-tests/pattern-vulnerability-critical/patterns.xml b/docs/multiple-tests/pattern-vulnerability-critical/patterns.xml
@@ -2,3 +2,4 @@
 <module name="root">
     <module name="vulnerability_critical" />
 </module>
+
diff --git a/docs/multiple-tests/pattern-vulnerability-high/results.xml b/docs/multiple-tests/pattern-vulnerability-high/results.xml
@@ -94,12 +94,6 @@
             message="Insecure dependency golang/stdlib@v1.21.4 (CVE-2025-58187: Due to the design of the name constraint checking algorithm, the proce ...) (update to 1.24.9)"
             severity="high"
         />
-        <error
-            source="vulnerability_high"
-            line="5"
-            message="Insecure dependency golang/stdlib@v1.21.4 (CVE-2025-58188: Validating certificate chains which contain DSA public keys can cause  ...) (update to 1.24.8)"
-            severity="high"
-        />
         <error
             source="vulnerability_high"
             line="5"
diff --git a/docs/multiple-tests/pattern-vulnerability-medium/results.xml b/docs/multiple-tests/pattern-vulnerability-medium/results.xml
@@ -164,6 +164,12 @@
             message="Insecure dependency golang/stdlib@v1.21.4 (CVE-2025-61724: net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto) (update to 1.24.8)"
             severity="warning"
         />
+        <error
+            source="vulnerability_medium"
+            line="3"
+            message="Insecure dependency golang/stdlib@v1.21.4 (CVE-2025-58188: crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509) (update to 1.24.8)"
+            severity="warning"
+        />
     </file>
 
     <file name="gradle/gradle.lockfile">
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/samber/lo v1.52.0
+	github.com/sirupsen/logrus v1.9.3 // Logrus is the logging library used in codacy-engine-golang-seed
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/mock v0.6.0
 	golang.org/x/mod v0.30.0
@@ -316,7 +317,6 @@ require (
 	github.com/sigstore/rekor v1.4.2 // indirect
 	github.com/sigstore/sigstore v1.9.5 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spdx/tools-golang v0.5.5 // indirect
diff --git a/internal/docgen/rule.go b/internal/docgen/rule.go
@@ -105,5 +105,15 @@ func trivyRules() Rules {
 			ScanType:    "SCA",
 			Enabled:     true,
 		},
+		{
+			ID:          "malicious_packages",
+			Title:       "Malicious packages detection",
+			Description: "Detects malicious packages identified in the OpenSSF Malicious Packages database, including typosquatting attacks, dependency confusion, and packages with malicious payloads.",
+			Level:       "Error",
+			Category:    "Security",
+			SubCategory: "InsecureModulesLibraries",
+			ScanType:    "SCA",
+			Enabled:     true,
+		},
 	}
 }
diff --git a/internal/tool/doc.go b/internal/tool/doc.go
@@ -1,2 +1,2 @@
-// The tool package has the implementation of `codacy-trivy`.
+// Package tool implements the Codacy Trivy tool.
 package tool
diff --git a/internal/tool/malicious_packages_scanner.go b/internal/tool/malicious_packages_scanner.go
diff --git a/internal/tool/malicious_packages_scanner_test.go b/internal/tool/malicious_packages_scanner_test.go
diff --git a/internal/tool/tool.go b/internal/tool/tool.go
diff --git a/internal/tool/tool_test.go b/internal/tool/tool_test.go
diff --git a/scripts/build_openssf_index.py b/scripts/build_openssf_index.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+## Malicious packages detection`
	`2`	`+Detects malicious packages identified in the OpenSSF Malicious Packages database, including typosquatting attacks, dependency confusion, and packages with malicious payloads.`