fix(supply-chain): relative edit distance for SC6 typosquat detection#104
Open
yonatangross wants to merge 1 commit into
Open
fix(supply-chain): relative edit distance for SC6 typosquat detection#104yonatangross wants to merge 1 commit into
yonatangross wants to merge 1 commit into
Conversation
…etection Absolute edit-distance <= 2 produces false positives on short, legitimate package names: "task" is a real package and is edit-distance 2 from "flask", yet was flagged as a possible typosquat (one of the cases reported in NVIDIA#103). Add a relative-distance guard (dist/shorter_len <= 1/3) so short names need an all-but-one-character match while longer names may still differ by two characters. Existing behaviour is preserved: - "reqeusts" -> "requests" (len 8, dist 2) still flagged - "expreess" -> "express" (dist 1) still flagged - "task" -> "flask" (len 4, dist 2) no longer flagged Adds a regression test; all existing SC4/SC5/SC6 unit tests still pass and ruff is clean. Refs NVIDIA#103 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Yonatan Gross <yonatan2gross@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fixes one of the false positives reported in #103: SC6 typosquat detection
uses an absolute edit-distance threshold of 2, which collides on short,
legitimate package names.
taskis a real package and is edit-distance 2from
flask, so it was flagged as a "possible typosquat".Fix
Add a relative-distance guard to
_is_typosquat: a genuine typosquat perturbsonly a small fraction of the name, so require
dist / shorter_len <= 1/3.Short names then need an all-but-one-character match, while longer names may
still differ by two characters.
reqeusts→requestsexpreess→expresstask→flaskTest plan
test_is_typosquat_short_distinct_name_not_flagged)asserting
task/flaskis not flagged whilereqeusts/requestsstill is.pytest tests/unit/test_patterns_new.py— 177 passed (all existingSC4/SC5/SC6 assertions preserved).
package.jsonwithtask+expreessdeps nowreports SC6 for
expreessonly.ruff check src/ tests/clean.Signed off per DCO. Refs #103.