feat: added in support for different date representations

art1f1c3R · art1f1c3R · commit ba54226c0a3d · 2024-12-20T16:14:44.000+10:00
diff --git a/src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalistic_version.py b/src/macaron/malware_analyzer/pypi_heuristics/metadata/anomalistic_version.py
@@ -36,7 +36,6 @@ class AnomalisticVersionAnalyzer(BaseHeuristicAnalyzer):
     All other versionings are detected as semantic versioning.
     """
 
-    CALENDAR_YEAR_LENGTHS: list[int] = [2, 4]
     DETAIL_INFO_KEY: str = "versioning"
 
     def __init__(self) -> None:
@@ -111,44 +110,59 @@ def analyze(self, pypi_package_json: PyPIPackageJsonAsset) -> tuple[HeuristicRes
         except InvalidVersion:
             return HeuristicResult.SKIP, {self.DETAIL_INFO_KEY: Versioning.INVALID.value}
 
+        years = []
+        months = []
+        publish_days = []
+
+        for distribution in release_metadata:
+            upload_time = json_extract(distribution, ["upload_time"], str)
+            if upload_time is None:
+                error_msg = "Missing upload time from release information"
+                logger.debug(error_msg)
+                raise HeuristicAnalyzerValueError(error_msg)
+
+            parsed_time = parse_datetime(upload_time)
+            if parsed_time is None:
+                error_msg = "Upload time is not of the expected PyPI format"
+                logger.debug(error_msg)
+                raise HeuristicAnalyzerValueError(error_msg)
+
+            years.append(parsed_time.year)
+            years.append(parsed_time.year % 100)  # last 2 digits
+            months.append(parsed_time.month)
+            publish_days.append(parsed_time.day)
+
+        days = list(range(min(publish_days) - self.day_publish_error, max(publish_days) + self.day_publish_error + 1))
+
+        calendar = False
         calendar_semantic = False
 
-        if len(str(version.major)) in self.CALENDAR_YEAR_LENGTHS:
-            # possible this version number refers to a date
-
-            for distribution in release_metadata:
-                upload_time = json_extract(distribution, ["upload_time"], str)
-                if upload_time is None:
-                    error_msg = "Missing upload time from release information"
-                    logger.debug(error_msg)
-                    raise HeuristicAnalyzerValueError(error_msg)
-
-                parsed_time = parse_datetime(upload_time)
-                if parsed_time is None:
-                    error_msg = "Upload time is not of the expected PyPI format"
-                    logger.debug(error_msg)
-                    raise HeuristicAnalyzerValueError(error_msg)
-
-                if version.major in (parsed_time.year, parsed_time.year % 100):
-                    # the major of the version refers to the year published
-                    if (
-                        parsed_time.month == version.minor
-                        and parsed_time.day + self.day_publish_error
-                        >= version.micro
-                        >= parsed_time.day - self.day_publish_error
-                    ):
-                        # In the format of full_year.month.day or year.month.day, with a buffer for the day
-                        detail_info: dict[str, JsonType] = {self.DETAIL_INFO_KEY: Versioning.CALENDAR.value}
-                        if version.epoch > self.epoch_threshold:
-                            return HeuristicResult.FAIL, detail_info
-
-                        return HeuristicResult.PASS, detail_info
-
-                    calendar_semantic = True
-
-        if calendar_semantic:
+        # check for year YY[YY]...
+        if version.major in years:
+            # calendar versioning: YY[YY].(M[M].D[D])(D[D].M[M])...
+            if (version.minor in months and version.micro in days) or (
+                version.minor in days and version.micro in months
+            ):
+                calendar = True
+            else:
+                calendar_semantic = True
+        # check for calendar versioning: M[M].D[D].YY[YY]... or D[D].M[M].YY[YY]...
+        elif (
+            (version.major in months and version.minor in days) or (version.major in days and version.minor in months)
+        ) and version.micro in years:
+            # must include day and year for this to be calendar
+            calendar = True
+
+        if calendar:  # just check epoch
+            detail_info: dict[str, JsonType] = {self.DETAIL_INFO_KEY: Versioning.CALENDAR.value}
+            if version.epoch > self.epoch_threshold:
+                return HeuristicResult.FAIL, detail_info
+
+            return HeuristicResult.PASS, detail_info
+
+        if calendar_semantic:  # check minor (as major) and epoch
             detail_info = {self.DETAIL_INFO_KEY: Versioning.CALENDAR_SEMANTIC.value}
-            # analyze starting from the minor instead
+
             if version.epoch > self.epoch_threshold:
                 return HeuristicResult.FAIL, detail_info
             if version.minor > self.major_threshold:
diff --git a/tests/malware_analyzer/pypi/test_anomalistic_version.py b/tests/malware_analyzer/pypi/test_anomalistic_version.py
@@ -8,7 +8,7 @@
 
 from macaron.errors import HeuristicAnalyzerValueError
 from macaron.malware_analyzer.pypi_heuristics.heuristics import HeuristicResult
-from macaron.malware_analyzer.pypi_heuristics.metadata.anomalistic_version import AnomalisticVersionAnalyzer
+from macaron.malware_analyzer.pypi_heuristics.metadata.anomalistic_version import AnomalisticVersionAnalyzer, Versioning
 
 
 def test_analyze_no_information(pypi_package_json: MagicMock) -> None:
@@ -24,34 +24,99 @@ def test_analyze_no_information(pypi_package_json: MagicMock) -> None:
 @pytest.mark.parametrize(
     ("version", "upload_date", "result", "versioning"),
     [
-        pytest.param("2016-10-13", "2016-10-13", HeuristicResult.SKIP, "invalid", id="test_invalid_version"),
-        pytest.param("2016.10.12.7.3.5", "2016-10-13", HeuristicResult.PASS, "calendar", id="test_calendar_pass"),
-        pytest.param("2!16.10.14.2.5.3", "2016-10-13", HeuristicResult.PASS, "calendar", id="test_calendar_epoch_pass"),
-        pytest.param("100!2016.10.14", "2016-10-13", HeuristicResult.FAIL, "calendar", id="test_calendar_epoch_fail"),
         pytest.param(
-            "2016.7.2", "2016-10-13", HeuristicResult.PASS, "calendar_semantic", id="test_calendar_semantic_pass"
+            "2016-10-13", "2016-10-13", HeuristicResult.SKIP, Versioning.INVALID.value, id="test_invalid_version"
         ),
         pytest.param(
-            "2016.100.0", "2016-10-13", HeuristicResult.FAIL, "calendar_semantic", id="test_calendar_semantic_fail"
+            "2016.10.11",
+            "2016-10-13",
+            HeuristicResult.PASS,
+            Versioning.CALENDAR.value,
+            id="test_calendar_YYYY.MM.DD_pass",
+        ),
+        pytest.param(
+            "2016.12.10",
+            "2016-10-13",
+            HeuristicResult.PASS,
+            Versioning.CALENDAR.value,
+            id="test_calendar_YYYY.DD.MM_pass",
+        ),
+        pytest.param(
+            "16.10.13", "2016-10-13", HeuristicResult.PASS, Versioning.CALENDAR.value, id="test_calendar_YY.DD.MM_pass"
+        ),
+        pytest.param(
+            "16.14.10", "2016-10-13", HeuristicResult.PASS, Versioning.CALENDAR.value, id="test_calendar_YY.MM.DD_pass"
+        ),
+        pytest.param(
+            "10.10.2016",
+            "2016-10-13",
+            HeuristicResult.PASS,
+            Versioning.CALENDAR.value,
+            id="test_calendar_MM.DD.YYYY_pass",
+        ),
+        pytest.param(
+            "9.10.2016",
+            "2016-10-13",
+            HeuristicResult.PASS,
+            Versioning.CALENDAR.value,
+            id="test_calendar_DD.MM.YYYY_pass",
+        ),
+        pytest.param(
+            "10.15.16", "2016-10-13", HeuristicResult.PASS, Versioning.CALENDAR.value, id="test_calendar_DD.MM.YY_pass"
+        ),
+        pytest.param(
+            "16.10.16", "2016-10-13", HeuristicResult.PASS, Versioning.CALENDAR.value, id="test_calendar_MM.DD.YY_pass"
+        ),
+        pytest.param(
+            "2!16.10.17.2.5.3",
+            "2016-10-13",
+            HeuristicResult.PASS,
+            Versioning.CALENDAR.value,
+            id="test_calendar_epoch_pass",
+        ),
+        pytest.param(
+            "100!2016.10.14",
+            "2016-10-13",
+            HeuristicResult.FAIL,
+            Versioning.CALENDAR.value,
+            id="test_calendar_epoch_fail",
+        ),
+        pytest.param(
+            "2016.7.2",
+            "2016-10-13",
+            HeuristicResult.PASS,
+            Versioning.CALENDAR_SEMANTIC.value,
+            id="test_calendar_semantic_pass",
+        ),
+        pytest.param(
+            "2016.100.0",
+            "2016-10-13",
+            HeuristicResult.FAIL,
+            Versioning.CALENDAR_SEMANTIC.value,
+            id="test_calendar_semantic_fail",
         ),
         pytest.param(
             "2!2016.1.5.6",
             "2016-10-13",
             HeuristicResult.PASS,
-            "calendar_semantic",
+            Versioning.CALENDAR_SEMANTIC.value,
             id="test_calendar_semantic_epoch_pass",
         ),
         pytest.param(
             "100!2016.1",
             "2016-10-13",
             HeuristicResult.FAIL,
-            "calendar_semantic",
+            Versioning.CALENDAR_SEMANTIC.value,
             id="test_calendar_semantic_epoch_fail",
         ),
-        pytest.param("3.1", "2016-10-13", HeuristicResult.PASS, "semantic", id="test_semantic_pass"),
-        pytest.param("999", "2016-10-13", HeuristicResult.FAIL, "semantic", id="test_semantic_fail"),
-        pytest.param("3!0.1.9999", "2016-10-13", HeuristicResult.PASS, "semantic", id="test_semantic_epoch_pass"),
-        pytest.param("999!0.0.0", "2016-10-13", HeuristicResult.FAIL, "semantic", id="test_semantic_epoch_fail"),
+        pytest.param("3.1", "2016-10-13", HeuristicResult.PASS, Versioning.SEMANTIC.value, id="test_semantic_pass"),
+        pytest.param("999", "2016-10-13", HeuristicResult.FAIL, Versioning.SEMANTIC.value, id="test_semantic_fail"),
+        pytest.param(
+            "3!0.1.9999", "2016-10-13", HeuristicResult.PASS, Versioning.SEMANTIC.value, id="test_semantic_epoch_pass"
+        ),
+        pytest.param(
+            "999!0.0.0", "2016-10-13", HeuristicResult.FAIL, Versioning.SEMANTIC.value, id="test_semantic_epoch_fail"
+        ),
     ],
 )
 def test_analyze(
@@ -101,7 +166,7 @@ def test_analyze(
 
     pypi_package_json.get_releases.return_value = release
     pypi_package_json.get_latest_version.return_value = version
-    expected_result: tuple[HeuristicResult, dict] = (result, {"versioning": versioning})
+    expected_result: tuple[HeuristicResult, dict] = (result, {AnomalisticVersionAnalyzer.DETAIL_INFO_KEY: versioning})
 
     actual_result = analyzer.analyze(pypi_package_json)
 
