Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
False positive: Typosquatting
See original GitHub issueHi there, first off all: awesome tools you guys made! 🎉
Second, I encountered the following output when scanning a requirements.txt file:
Found 2 potentially malicious indicators in ruamel-yaml version 0.17.21
typosquatting: This package closely ressembles the following package names, and might be a typosquatting attempt: ruamel-yaml, ruamel-yaml
code-execution: found 1 source code matches
* setup.py file executing code at ruamel.yaml-0.17.21/setup.py:955
subprocess.check_output(cmd)
I do get why the second indicator is found, but the first one confuses me:
The package name (also installed on my machine) is ruamel.yaml. There is no package named ruamel-yaml in either my requirements nor on PyPi. Did something went from with the dots in the package name? Or is it because this package is listed in your typosquatting list as ruamel-yaml?
Thanks!
Issue Analytics
- State:
- Created 10 months ago
- Comments:9 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hi! I don’t think that should be an issue since PEP 503 states:
Additionally:
You’ll notice PyPi does redirect all of these to the same site:
But more importantly, PIP does not rely on this redirection and gets the normalized URL thanks to
pip._internal.utils.packaging. These utilities can be reused by importingpackagingand normalizing the name before running the typosquat algorithm.Great job @QuinceyJames , thanks for the detailed information!