¶ Aura Security
https://github.com/SourceCode-AI/aura
Aura is a static analysis framework developed as a response to the ever-increasing threat of malicious packages and vulnerable code published on PyPI.
¶ Specification
While there are other tools with functionality that overlaps with Aura such as Bandit, dlint, semgrep etc. the focus of these alternatives is different which impacts the functionality and how they are being used. These alternatives are mainly intended to be used in a similar way to linters, integrated into IDEs, frequently run during the development which makes it important to minimize false positives and reporting with clear actionable explanations in ideal cases.
Aura on the other hand reports on ** behavior of the code**, anomalies, and vulnerabilities with as much information as possible at the cost of false positive. There are a lot of things reported by aura that are not necessarily actionable by a user but they tell you a lot about the behavior of the code such as doing network communication, accessing sensitive files, or using mechanisms associated with obfuscation indicating a possible malicious code. By collecting this kind of data and aggregating it together, Aura can be compared in functionality to other security systems such as antivirus, IDS, or firewalls that are essentially doing the same analysis but on a different kind of data (network communication, running processes, etc).
¶ Project goals
- provide an automated monitoring system over uploaded packages to PyPI, alert on anomalies that can either indicate an ongoing attack or vulnerabilities in the code.
- enable an organization to conduct automated security audits of the source code and implement secure coding practices with a focus on auditing 3rd party code such as python package dependencies.
- allow researches to scan code repositories on a large scale, create datasets and perform analysis to further advance research in the area of vulnerable and malicious code dependencies.
¶ Feature list
- Suitable for analyzing malware with a guarantee of a zero-code execution
- Advanced deobfuscation mechanisms by rewriting the AST tree - constant propagations, code unrolling, and other dirty tricks
- Recursive scanning automatically unpacks archives such as zips, wheels, etc.. and scans the content
- Support scanning also non-python files - plugins can work in a “raw-file” mode such as the built-in Yara integration
- Scan for hardcoded secrets, passwords, and other sensitive information
- Custom diff engine - you can compare changes between different data sources such as typosquatting PyPI packages to what changes were made
- Works for both Python 2.x and Python 3.x source code
- High performance, designed to scan the whole PyPI repository
- Output in numerous formats such as pretty plain text, JSON, SQLite, SARIF, etc…
- Tested on over 4TB of compressed python source code
- Aura is able to report on code behavior such as network communication, file access, or system command execution
- Compute the “Aura score” telling you how trustworthy the source code/input data is
¶ Aura scan
Aura uses a so-called URIs to identify the protocol and location to scan, if no protocol is used, the scan argument is treated as a path to the file or directory on a local system.
¶ Aura diff packages
¶ LICENSE
Aura framework is licensed under the GPL-3.0. Datasets produced from global scans using Aura are released under the CC BY-NC 4.0 license. Use the following citation when using Aura or data produced by Aura in research:
AUTHOR = "CARNOGURSKY, Martin",
TITLE = "Attacks on package managers [online]",
YEAR = "2019 [cit. 2020-11-02]",
TYPE = "Bachelor Thesis",
SCHOOL = "Masaryk University, Faculty of Informatics, Brno",
SUPERVISOR = "Vit Bukac",
URL = "Available at WWW <https://is.muni.cz/th/y41ft/>",
}```