feature: Malicious packages scanner [TAROT-3600]

.circleci/config.yml

@@ -13,6 +13,13 @@ references:
       mkdir cache
       ./trivy --cache-dir ./cache image --download-db-only
 
+  build_openssf_malicious_package_index: &build_openssf_malicious_package_index
+    persist_to_workspace: true
+    cmd: |
+      mkdir openssf-malicious-packages
+      curl -sfL https://api.github.com/repos/ossf/malicious-packages/tarball/main | tar -xz --strip-components=1 -C openssf-malicious-packages
+      python3 scripts/build_openssf_index.py
+
   build_and_publish_docker: &build_and_publish_docker
     persist_to_workspace: true
     cmd: |
@@ -36,11 +43,16 @@ workflows:
           name: install_trivy_and_download_dbs
           requires:
             - generate_and_test
+      - codacy/shell:
+          <<: *build_openssf_malicious_package_index
+          name: build_openssf_malicious_package_index
+          requires:
+            - install_trivy_and_download_dbs
       - codacy/shell:
           <<: *build_and_publish_docker
           name: publish_docker_local
           requires:
-            - install_trivy_and_download_dbs
+            - build_openssf_malicious_package_index
       - codacy_plugins_test/run:
           name: plugins_test
           run_multiple_tests: true
@@ -84,11 +96,16 @@ workflows:
           name: install_trivy_and_download_dbs
           requires:
             - generate_and_test
+      - codacy/shell:
+          <<: *build_openssf_malicious_package_index
+          name: build_openssf_malicious_package_index
+          requires:
+            - install_trivy_and_download_dbs
       - codacy/shell:
           <<: *build_and_publish_docker
           name: publish_docker_local
           requires:
-            - install_trivy_and_download_dbs
+            - build_openssf_malicious_package_index
       - codacy/publish_docker:
           name: publish_dockerhub
           context: CodacyDocker

.gitignore

@@ -11,13 +11,21 @@ project
 target
 bin
 cache
+openssf-malicious-packages
 *.gen.go
 .codacyrc
 trivy
 
 
-#Ignore vscode AI rules
+# Ignore vscode AI rules
 .github/copilot-instructions.md
 
-#Ignore cursor AI rules
-.cursor/rules/codacy.mdc   
+# Ignore cursor AI rules
+.cursor/rules/codacy.mdc
+
+# Ignore codacy stuff
+.codacy/cli.sh
+.codacy/codacy.yaml
+
+# Ignore patterns.json
+docs/patterns.json

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25-alpine as builder
+FROM golang:1.25-alpine AS builder
 
 ARG TRIVY_VERSION=dev
 ENV TRIVY_VERSION=$TRIVY_VERSION
@@ -31,5 +31,6 @@ RUN adduser -u 2004 -D docker
 COPY --from=builder --chown=docker:docker /src/bin /dist/bin
 COPY --from=builder --chown=docker:docker /src/docs /docs 
 COPY --chown=docker:docker cache/ /dist/cache/codacy-trivy
+COPY --chown=docker:docker openssf-malicious-packages/openssf-malicious-packages-index.json.gz /dist/cache/codacy-trivy/openssf-malicious-packages-index.json.gz
 
 CMD [ "/dist/bin/codacy-trivy" ]

cmd/tool/main.go

@@ -5,11 +5,17 @@ import (
 
 	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"github.com/codacy/codacy-trivy/internal/tool"
+	"github.com/sirupsen/logrus"
 )
 
 func main() {
-	codacyTrivy := tool.New()
-	retCode := codacy.StartTool(&codacyTrivy)
+	codacyTrivy, err := tool.New(tool.MaliciousPackagesIndexPath)
+	if err != nil {
+		logrus.Errorf("Failed to create tool execution: %s", err.Error())
+		os.Exit(-1)
+	}
+
+	retCode := codacy.StartTool(codacyTrivy)
 
 	os.Exit(retCode)
 }

docs/description/malicious_packages.md

@@ -0,0 +1,2 @@
+## Malicious packages detection
+Detects malicious packages identified in the OpenSSF Malicious Packages database, including typosquatting attacks, dependency confusion, and packages with malicious payloads.

docs/multiple-tests/all-patterns/patterns.xml

@@ -5,4 +5,5 @@
     <module name="vulnerability_high" />
     <module name="vulnerability_medium" />
     <module name="vulnerability_minor" />
+    <module name="malicious_packages" />
 </module>

docs/multiple-tests/all-patterns/results.xml

@@ -40,4 +40,12 @@
             severity="warning"
         />
     </file>
-</checkstyle>
+    <file name="javascript/package-lock.json">
+        <error
+            source="malicious_packages"
+            line="11"
+            message="Malicious code in sdge-it-tdg-dynamicloadprofiles (npm) - [email protected]"
+            severity="error"
+        />
+    </file>
+</checkstyle>

docs/multiple-tests/all-patterns/src/gradle/gradle.lockfile

@@ -1,4 +1,5 @@
 org.apache.logging.log4j:log4j-core:2.17.0
 org.apache.dolphinscheduler:dolphinscheduler-task-api:3.2.1
 org.apache.seatunnel:seatunnel:1.0.0
-org.apache.cxf:cxf-rt-transports-http:4.0.0
+org.apache.cxf:cxf-rt-transports-http:4.0.0
+npm:commitlint-pm2-proxima-dotenv-safe:1.0.0

docs/multiple-tests/pattern-malicious-packages/patterns.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module name="root">
+    <module name="malicious_packages" />
+</module>

docs/multiple-tests/pattern-malicious-packages/results.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<checkstyle version="1.5">
+    <file name="javascript/package-lock.json">
+        <error
+            source="malicious_packages"
+            line="11"
+            message="Malicious code in sdge-it-tdg-dynamicloadprofiles (npm) - [email protected]"
+            severity="error"
+        />
+    </file>
+</checkstyle>

docs/multiple-tests/pattern-vulnerability-critical/patterns.xml

@@ -2,3 +2,4 @@
 <module name="root">
     <module name="vulnerability_critical" />
 </module>
+

docs/multiple-tests/pattern-vulnerability-high/results.xml

@@ -94,12 +94,6 @@
             message="Insecure dependency golang/[email protected] (CVE-2025-58187: Due to the design of the name constraint checking algorithm, the proce ...) (update to 1.24.9)"
             severity="high"
         />
-        <error
-            source="vulnerability_high"
-            line="5"
-            message="Insecure dependency golang/[email protected] (CVE-2025-58188: Validating certificate chains which contain DSA public keys can cause  ...) (update to 1.24.8)"
-            severity="high"
-        />
         <error
             source="vulnerability_high"
             line="5"

docs/multiple-tests/pattern-vulnerability-medium/results.xml

@@ -164,6 +164,12 @@
             message="Insecure dependency golang/[email protected] (CVE-2025-61724: net/textproto: Excessive CPU consumption in Reader.ReadResponse in net/textproto) (update to 1.24.8)"
             severity="warning"
         />
+        <error
+            source="vulnerability_medium"
+            line="3"
+            message="Insecure dependency golang/[email protected] (CVE-2025-58188: crypto/x509: golang: Panic when validating certificates with DSA public keys in crypto/x509) (update to 1.24.8)"
+            severity="warning"
+        />
     </file>
 
     <file name="gradle/gradle.lockfile">

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/samber/lo v1.52.0
+	github.com/sirupsen/logrus v1.9.3 // Logrus is the logging library used in codacy-engine-golang-seed
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/mock v0.6.0
 	golang.org/x/mod v0.30.0
@@ -316,7 +317,6 @@ require (
 	github.com/sigstore/rekor v1.4.2 // indirect
 	github.com/sigstore/sigstore v1.9.5 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spdx/tools-golang v0.5.5 // indirect

internal/docgen/rule.go

@@ -105,5 +105,15 @@ func trivyRules() Rules {
 			ScanType:    "SCA",
 			Enabled:     true,
 		},
+		{
+			ID:          "malicious_packages",
+			Title:       "Malicious packages detection",
+			Description: "Detects malicious packages identified in the OpenSSF Malicious Packages database, including typosquatting attacks, dependency confusion, and packages with malicious payloads.",
+			Level:       "Error",
+			Category:    "Security",
+			SubCategory: "InsecureModulesLibraries",
+			ScanType:    "SCA",
+			Enabled:     true,
+		},
 	}
 }

internal/tool/doc.go

@@ -1,2 +1,2 @@
-// The tool package has the implementation of `codacy-trivy`.
+// Package tool implements the Codacy Trivy tool.
 package tool