Hello! If possible I think this limitation should be removed or given a way to bypass it. Or perhaps non-setup.py hits should be shown as warnings.
To properly review a package I don't think it's enough to just look at setup.py, as evidenced by malicious packages that aren't being flagged by GuardDog.
guarddog/guarddog/analyzer/sourcecode/code-execution.yml (line 1 in e49bf32)
guarddog/guarddog/analyzer/sourcecode/code-execution.yml (lines 113 to 116 in e49bf32)
This causes a lot of malicious packages not to be detected because they perform code execution in other files.
It's true that reporting every single code execution would result in a lot of noise though.
We should at least make this limitation clear, because a lot of people are surprised that GuardDog does not report some malicious packages. See:
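A sketch of the proposal above, added here as an example and not GuardDog's own code: it walks every .py file in a package with Python's ast module, flags calls from a hypothetical shortlist of code-execution functions, and reports hits outside setup.py as warnings rather than errors. The sample package is constructed.

```python
# Added example (not GuardDog's own code): scan every .py file in a package,
# not only setup.py; hits outside setup.py are downgraded to warnings.
import ast
import os
import tempfile

# Constructed sample package: clean setup.py, exec() hidden in a module.
SAMPLE_PACKAGE = {
    "setup.py": "from setuptools import setup\nsetup(name='demo')\n",
    "demo/__init__.py": "import base64\nexec(base64.b64decode('cHJpbnQoMSk='))\n",
    "demo/util.py": "def add(a, b):\n    return a + b\n",
}
# Hypothetical shortlist of calls treated as code execution.
EXEC_CALLS = {"exec", "eval", "os.system", "subprocess.Popen", "subprocess.run"}


def _call_name(node: ast.Call) -> str:
    # Dotted name of the called expression ('exec', 'os.system'), else ''.
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def scan_package(root: str) -> list:
    """Return sorted (relative_path, line, call, severity) for every hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8") as fh:
                tree = ast.parse(fh.read(), filename=rel)
            # setup.py runs at install time: keep it an error; elsewhere, warn.
            severity = "error" if rel == "setup.py" else "warning"
            for node in ast.walk(tree):
                if isinstance(node, ast.Call) and _call_name(node) in EXEC_CALLS:
                    findings.append((rel, node.lineno, _call_name(node), severity))
    return sorted(findings)


def scan_sample() -> list:
    """Write SAMPLE_PACKAGE to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in SAMPLE_PACKAGE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_package(root)
```

With the sample package, the clean setup.py yields nothing and the exec() in demo/__init__.py surfaces as a warning instead of being missed entirely.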