Signed-off-by: Claude <noreply@anthropic.com>
🔴 Security Risk Increased (+117 points)

New Files with Security Findings 📄

| File | Status | Risk Change | Behaviors |
|---|---|---|---|
| 2024.ultralytics/v8.3.40/utils/downloads.py | Added | +31 | 22 |
| 2024.ultralytics/v8.3.40/utils/checks.py | Added | +24 | 16 |
| 2024.ultralytics/v8.3.41/nn/autobackend.py | Added | +17 | 12 |
| 2024.ultralytics/v8.3.41/models/yolo/model.py | Added | +12 | 6 |
| 2024.ultralytics/v8.3.40/cfg/__init__.py | Added | +12 | 9 |
| 2024.ultralytics/v8.3.41/engine/predictor.py | Added | +9 | 7 |
| 2024.ultralytics/v8.3.41/utils/triton.py | Added | +4 | 4 |
| 2024.ultralytics/v8.3.41/trackers/utils/matching.py | Added | +3 | 3 |
| 2024.ultralytics/v8.3.40/utils/ops.py | Added | +2 | 2 |
| 2024.ultralytics/v8.3.40/solutions/heatmap.py | Added | +1 | 1 |
| 2024.ultralytics/v8.3.41/solutions/queue_management.py | Added | +1 | 1 |
| 2024.ultralytics/v8.3.40/models/sam/predict.py | Added | +1 | 1 |
🔍 Raw JSON Report
{
"Diff": {
"Added": {
"/head/2024.ultralytics/v8.3.41/engine/predictor.py": {
"Path": "/head/2024.ultralytics/v8.3.41/engine/predictor.py",
"SHA256": "9ceea5cf11bbe465f242c50d12298b93930b7dc33097c0244406a860c3f042e8",
"Size": 17687,
"Syscalls": [
"select"
],
"Pledge": [
"inet",
"stdio",
"wpath"
],
"Behaviors": [
{
"Description": "references multiple operating systems",
"MatchStrings": [
"https://",
"windows",
"macOS",
"Linux"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref",
"ID": "c2/tool_transfer/os",
"RuleName": "multiple_os_ref"
},
{
"Description": "system platform identification",
"MatchStrings": [
"platform.system()"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#python_platform",
"ReferenceURL": "https://docs.python.org/3/library/platform.html",
"ID": "discover/system/platform",
"RuleName": "python_platform"
},
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.nn.autobackend import AutoBackend",
"from ultralytics.data.augment import LetterBox",
"from ultralytics.utils.files import increment",
"from ultralytics.utils.checks import check",
"from ultralytics.utils import DEFAULT",
"from ultralytics.data import load",
"from ultralytics.cfg import get",
"from pathlib import Path",
"import threading",
"import platform",
"import select",
"import numpy",
"import torch",
"import cv2",
"import re"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "creates directories",
"MatchStrings": [
"mkdir"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/mkdir.2.html",
"ID": "fs/directory/create",
"RuleName": "mkdir"
},
{
"Description": "Uses the HTTP protocol",
"MatchStrings": [
"HTTP"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http",
"ID": "net/http",
"RuleName": "http"
},
{
"Description": "contains embedded HTTPS URLs",
"MatchStrings": [
"https://docs.ultralytics.com/modes/predict/",
"https://youtu.be/LNwODJXcvt4"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
"ID": "net/url/embedded",
"RuleName": "https_url"
},
{
"Description": "monitor multiple file descriptors",
"MatchStrings": [
"select"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/multiplex.yara#select",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/select.2.html",
"ID": "os/fd/multiplex",
"RuleName": "select"
}
],
"RiskScore": 2,
"RiskLevel": "MEDIUM"
},
"/head/2024.ultralytics/v8.3.40/solutions/heatmap.py": {
"Path": "/head/2024.ultralytics/v8.3.40/solutions/heatmap.py",
"SHA256": "fb556d3022519a91e72ea8276b48b61ce06cc4da2a15eae7ce92909c80a78143",
"Size": 5449,
"Behaviors": [
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.utils.plotting import Annotator",
"from ultralytics.solutions import Heatmap",
"import numpy",
"import cv2"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
}
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"/head/2024.ultralytics/v8.3.40/utils/checks.py": {
"Path": "/head/2024.ultralytics/v8.3.40/utils/checks.py",
"SHA256": "29741279aba1cde732f6d4a3c83572f285db4c390749207d94e4d8aea456a689",
"Size": 29582,
"Syscalls": [
"execve"
],
"Pledge": [
"exec",
"inet"
],
"Behaviors": [
{
"Description": "uses bitwise math",
"MatchStrings": [
"1 << 30"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bitwise_math",
"ID": "anti-static/obfuscation/bitwise",
"RuleName": "bitwise_math"
},
{
"Description": "contains hardcoded endpoint with a question mark",
"MatchStrings": [
"https://url.com/file.txt?auth",
"requests.get",
"import",
".get("
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#http_url_with_question",
"ID": "c2/addr/url",
"RuleName": "http_url_with_question"
},
{
"Description": "downloads files",
"MatchStrings": [
"download file"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/refs.yara#download_ref",
"ID": "c2/refs",
"RuleName": "download_ref"
},
{
"Description": "references multiple operating systems",
"MatchStrings": [
"https://",
"http://",
"Windows",
"darwin",
"linux",
"macos"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref",
"ID": "c2/tool_transfer/os",
"RuleName": "multiple_os_ref"
},
{
"Description": "system platform identification",
"MatchStrings": [
"platform.platform()"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#python_platform",
"ReferenceURL": "https://docs.python.org/3/library/platform.html",
"ID": "discover/system/platform",
"RuleName": "python_platform"
},
{
"Description": "Looks up the USER name of the current user",
"MatchStrings": [
"environ",
"getenv",
"USER"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/user/USER.yara#USER",
"ReferenceURL": "https://man.openbsd.org/login.1#ENVIRONMENT",
"ID": "discover/user/USER",
"RuleName": "USER"
},
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.utils.checks import parse",
"from ultralytics.utils.checks import check",
"from ultralytics.utils import ENVIRONMENT",
"from importlib import metadata",
"from ultralytics import YOLO",
"from typing import Optional",
"from IPython import display",
"from matplotlib import font",
"from pathlib import Path",
"import subprocess",
"import platform",
"import requests",
"import autocast",
"import inspect",
"import select",
"import psutil",
"import shutil",
"import numpy",
"import torch",
"import glob",
"import time",
"import math",
"import cv2",
"import get",
"import os"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "Installs software using pip from python",
"MatchStrings": [
"pip install --no-cache-dir",
"pip install torchvision",
"pip install command",
"pip install -U"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/install_additional/pip_install.yara#pip_installer",
"ID": "exec/install_additional/pip_install",
"RuleName": "pip_installer"
},
{
"Description": "execute external program",
"MatchStrings": [
"subprocess.check_output(f\"git -C {path} describe --tags --long --always\", shell=True).decode()[:-1]",
"subprocess.check_output(f\"pip install --no-cache-dir {packages} {commands}\", shell=True).decode()",
"subprocess.CalledProcessError, FileNotFoundError, ValueError):"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#py_subprocess",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/execve.2.html",
"ID": "exec/program",
"RuleName": "py_subprocess"
},
{
"Description": "download files",
"MatchStrings": [
"font locally or download to user",
"elif download and file",
"download YAML file",
"stem in downloads",
"safe_download",
"download file",
"if downloads",
"download_dir"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download",
"ID": "net/download",
"RuleName": "download"
},
{
"Description": "Uses the HTTP protocol",
"MatchStrings": [
"http"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http",
"ID": "net/http",
"RuleName": "http"
},
{
"Description": "Uses the gRPC Remote Procedure Call framework",
"MatchStrings": [
"gRPC"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc",
"ID": "net/tcp/grpc",
"RuleName": "grpc"
},
{
"Description": "contains embedded HTTPS URLs",
"MatchStrings": [
"https://github.com/ultralytics/assets/releases/download/v0.0.0/",
"https://github.com/ultralytics/ultralytics",
"https://github.com/ultralytics/yolov5.",
"https://git-scm.com/docs/git-describe.",
"https://pypi.org/project/ultralytics/",
"https://github.com/pytorch/vision",
"https://url.com/file.txt?auth",
"https://pypi.org/pypi/",
"https://org/repo.git"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
"ID": "net/url/embedded",
"RuleName": "https_url"
},
{
"Description": "Handles URL strings",
"MatchStrings": [
"urllib"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle",
"ID": "net/url/parse",
"RuleName": "url_handle"
},
{
"Description": "requests resources via URL",
"MatchStrings": [
"import requests",
"requests.get(f"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls",
"ID": "net/url/request",
"RuleName": "requests_urls"
},
{
"Description": "Retrieve environment variables",
"MatchStrings": [
"os.environ",
"getenv"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/env/get.yara#getenv",
"ID": "os/env/get",
"RuleName": "getenv"
}
],
"RiskScore": 2,
"RiskLevel": "MEDIUM"
},
"/head/2024.ultralytics/v8.3.41/models/yolo/model.py": {
"Path": "/head/2024.ultralytics/v8.3.41/models/yolo/model.py",
"SHA256": "0b4869b2894b5be809de81d99b36ad020c6eb2f7ffe40c39f42e9fb46e799fc6",
"Size": 5072,
"Behaviors": [
{
"Description": "fetches and executes program based on OS & architecture",
"MatchStrings": [
"platform.machine()",
"platform.system()",
"download",
"arm64",
"Linux",
"x86",
"run"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/python.yara#py_arch_dropper",
"ID": "c2/tool_transfer/python",
"RuleName": "py_arch_dropper"
},
{
"Description": "system platform identification",
"MatchStrings": [
"platform.system()"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#python_platform",
"ReferenceURL": "https://docs.python.org/3/library/platform.html",
"ID": "discover/system/platform",
"RuleName": "python_platform"
},
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.nn.tasks import ClassificationModel",
"from ultralytics.utils.downloads import safe",
"from ultralytics.engine.model import Model",
"from ultralytics.models import yolo",
"from ultralytics.utils import ROOT",
"from pathlib import Path",
"import platform"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "runs program from hardcoded temporary path",
"MatchStrings": [
"safe_run(\"/tmp/ultralytics_runner\")"
],
"RiskScore": 3,
"RiskLevel": "HIGH",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/tmpdir.yara#exec_program_tmpdir",
"ID": "exec/program/tmpdir",
"RuleName": "exec_program_tmpdir"
},
{
"Description": "path reference within /tmp",
"MatchStrings": [
"/tmp/ultralytics_runner"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path",
"ID": "fs/path/tmp",
"RuleName": "tmp_path"
},
{
"Description": "download files",
"MatchStrings": [
"import safe_download"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download",
"ID": "net/download",
"RuleName": "download"
}
],
"RiskScore": 3,
"RiskLevel": "HIGH"
},
"/head/2024.ultralytics/v8.3.40/utils/downloads.py": {
"Path": "/head/2024.ultralytics/v8.3.40/utils/downloads.py",
"SHA256": "7e1ec8e6da134a8c00397b66c79cc8cc21034447d3146e3970b2079ac0e6b98c",
"Size": 21974,
"Syscalls": [
"close",
"execve",
"open",
"pthread_create",
"pwrite",
"unlink"
],
"Pledge": [
"exec",
"inet",
"rpath",
"wpath"
],
"Behaviors": [
{
"Description": "uses bitwise math",
"MatchStrings": [
"1 << 30"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/bitwise.yara#bitwise_math",
"ID": "anti-static/obfuscation/bitwise",
"RuleName": "bitwise_math"
},
{
"Description": "contains hardcoded endpoint with a question mark",
"MatchStrings": [
"https://drive.google.com/uc?export=download&id=",
"https://url.com/file.txt?auth",
"requests.get",
"urlopen",
"import",
".get(",
"curl"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/url.yara#http_url_with_question",
"ID": "c2/addr/url",
"RuleName": "http_url_with_question"
},
{
"Description": "accesses hardcoded archive file endpoint",
"MatchStrings": [
"https://ultralytics.com/assets/example.zip",
"https://ultralytics.com/assets/coco8.zip"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/download.yara#program_dropper_url",
"ReferenceURL": "https://unfinished.bike/qubitstrike-and-diamorphine-linux-kernel-rootkits-go-mainstream",
"ID": "c2/tool_transfer/download",
"RuleName": "program_dropper_url"
},
{
"Description": "references a specific operating system",
"MatchStrings": [
"https://",
"Windows"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#os_ref",
"ID": "c2/tool_transfer/os",
"RuleName": "os_ref"
},
{
"Description": "Works with zip files",
"MatchStrings": [
"zip files",
"zipfile"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip",
"ID": "collect/archives/zip",
"RuleName": "zip"
},
{
"Description": "access GitHub API",
"MatchStrings": [
"api.github.com"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/code/github_api.yara#github_api_user",
"ID": "collect/code/github_api",
"RuleName": "github_api_user"
},
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.utils.downloads import delete",
"from ultralytics.utils.downloads import unzip",
"from ultralytics.utils.downloads import safe",
"from multiprocessing.pool import ThreadPool",
"from ultralytics.utils.downloads import zip",
"from ultralytics.utils.downloads import get",
"from ultralytics.utils import SETTINGS",
"from ultralytics.utils import LOGGER",
"from zipfile import BadZipFile",
"from itertools import repeat",
"from urllib import parse",
"from pathlib import Path",
"from zipfile import ZIP",
"from zipfile import is",
"import subprocess",
"import requests",
"import shutil",
"import torch"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "execute external program",
"MatchStrings": [
"subprocess.run([\"tar\", \"xf\" if f.suffix == \".tar\" else \"xfz\", f, \"--directory\", unzip_dir], check=True)",
"subprocess.run([\"curl\", \"-#\", f\"-{s}L\", url, \"-o\", f, \"--retry\", \"3\", \"-C\", \"-\"]).returncode"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#py_subprocess",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/execve.2.html",
"ID": "exec/program",
"RuleName": "py_subprocess"
},
{
"Description": "may access cookies",
"MatchStrings": [
"cookies"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/stealer/browser.yara#cookies",
"ID": "exfil/stealer/browser",
"RuleName": "cookies"
},
{
"Description": "References known file hosting site",
"MatchStrings": [
"drive.google.com/uc?export=download",
"drive.google.com/file/d/1cqT"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exfil/upload.yara#google_drive",
"ReferenceURL": "https://github.com/ditekshen/detection/blob/e6579590779f62cbe7f5e14b5be7d77b2280f516/yara/indicator_high.yar#L1001",
"ID": "exfil/upload",
"RuleName": "google_drive"
},
{
"Description": "creates directories",
"MatchStrings": [
"mkdir"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/mkdir.2.html",
"ID": "fs/directory/create",
"RuleName": "mkdir"
},
{
"Description": "deletes files",
"MatchStrings": [
"unlink"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/unlink.2.html",
"ID": "fs/file/delete",
"RuleName": "unlink"
},
{
"Description": "check if a file exists",
"MatchStrings": [
"path.exists"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/exists.yara#path_exists",
"ID": "fs/file/exists",
"RuleName": "path_exists"
},
{
"Description": "opens files",
"MatchStrings": [
"open("
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open",
"ID": "fs/file/open",
"RuleName": "py_open"
},
{
"Description": "Invokes curl",
"MatchStrings": [
"curl command line tool for downloading. Default: False.",
"curl for downloading. Defaults to False.",
"curl download with retry",
"curl or i"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_value",
"ID": "net/download/fetch",
"RuleName": "curl_value"
},
{
"Description": "Uses the HTTP protocol",
"MatchStrings": [
"http"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http",
"ID": "net/http",
"RuleName": "http"
},
{
"Description": "contains embedded HTTPS URLs",
"MatchStrings": [
"https://drive.google.com/file/d/1cqT-cJgANNrhIHCrEufUYhQ4RqiWG_lJ/view?us",
"https://github.com/ultralytics/assets/releases/download/v0.0.0/",
"https://drive.google.com/uc?export=download",
"https://ultralytics.com/assets/example.zip",
"https://ultralytics.com/assets/coco8.zip",
"https://ultralytics.com/assets/bus.jpg",
"https://url.com/file.txt?auth...",
"https://api.github.com/repos/",
"https://www.example.com"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
"ID": "net/url/embedded",
"RuleName": "https_url"
},
{
"Description": "Handles URL strings",
"MatchStrings": [
"urllib"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle",
"ID": "net/url/parse",
"RuleName": "url_handle"
},
{
"Description": "requests resources via URL",
"MatchStrings": [
"requests.get(url)",
"import requests"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/request.yara#requests_urls",
"ID": "net/url/request",
"RuleName": "requests_urls"
},
{
"Description": "writes to a file handle",
"MatchStrings": [
"f_opened.write(data)"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/write.yara#py_fd_write",
"ID": "os/fd/write",
"RuleName": "py_fd_write"
},
{
"Description": "changes working directory",
"MatchStrings": [
"cd"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell",
"ID": "process/chdir",
"RuleName": "chdir_shell"
},
{
"Description": "uses python multiprocessing",
"MatchStrings": [
"multiprocessing"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multiprocess.yara#py_multiprocessing",
"ID": "process/multi",
"RuleName": "py_multiprocessing"
}
],
"RiskScore": 2,
"RiskLevel": "MEDIUM"
},
"/head/2024.ultralytics/v8.3.41/utils/triton.py": {
"Path": "/head/2024.ultralytics/v8.3.41/utils/triton.py",
"SHA256": "820d5f8a7c67a3fb58d867bd3cc866bbb3c8f70be8159a2289c753e0186abf7c",
"Size": 3936,
"Pledge": [
"inet"
],
"Behaviors": [
{
"Description": "imports python modules",
"MatchStrings": [
"from urllib.parse import urlsplit",
"from typing import List",
"import tritonclient",
"import numpy"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "Uses the HTTP protocol",
"MatchStrings": [
"http",
"HTTP"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http",
"ID": "net/http",
"RuleName": "http"
},
{
"Description": "Uses the gRPC Remote Procedure Call framework",
"MatchStrings": [
"gRPC"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc",
"ID": "net/tcp/grpc",
"RuleName": "grpc"
},
{
"Description": "Handles URL strings",
"MatchStrings": [
"urllib"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle",
"ID": "net/url/parse",
"RuleName": "url_handle"
}
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"/head/2024.ultralytics/v8.3.41/solutions/queue_management.py": {
"Path": "/head/2024.ultralytics/v8.3.41/solutions/queue_management.py",
"SHA256": "0fd4eac09495ad9405c69fccf0eeb659f040c6402e0d65a75deec51669e9effc",
"Size": 4881,
"Behaviors": [
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.solutions.solutions import BaseSolution",
"from ultralytics.utils.plotting import Annotator"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
}
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"/head/2024.ultralytics/v8.3.41/trackers/utils/matching.py": {
"Path": "/head/2024.ultralytics/v8.3.41/trackers/utils/matching.py",
"SHA256": "6020bd3b58b0ad6283e64e96af2925aedb6841971d52ab92422e5c4d69a9e08e",
"Size": 7107,
"Behaviors": [
{
"Description": "uses a random number generator",
"MatchStrings": [
"random"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
"ID": "anti-behavior/random_behavior",
"RuleName": "random"
},
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.utils.metrics import batch",
"from ultralytics.utils.checks import check",
"from scipy.spatial.distance import cdist",
"import numpy",
"import scipy",
"import lap"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "contains embedded HTTPS URLs",
"MatchStrings": [
"https://docs.scipy.org/doc/scipy/reference/generated/scipy.optimize.linea",
"https://github.com/rathaROG/lapx",
"https://github.com/gatagat/lap"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
"ID": "net/url/embedded",
"RuleName": "https_url"
}
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"/head/2024.ultralytics/v8.3.40/utils/ops.py": {
"Path": "/head/2024.ultralytics/v8.3.40/utils/ops.py",
"SHA256": "a23c3d013ec7235fd2826608156ac533b413b3bcef7f440fb122eb32002adae2",
"Size": 33051,
"Behaviors": [
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.data.converter import merge",
"from ultralytics.utils.metrics import batch",
"from ultralytics.utils.ops import Profile",
"from ultralytics.utils import LOGGER",
"from .metrics import box",
"import ultralytics",
"import torchvision",
"import contextlib",
"import numpy",
"import time",
"import math",
"import cv2",
"import re"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "Forcibly deletes files",
"MatchStrings": [
"rm non-maximum suppression"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete-forcibly.yara#rm_force",
"ID": "fs/file/delete_forcibly",
"RuleName": "rm_force"
}
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"/head/2024.ultralytics/v8.3.40/models/sam/predict.py": {
"Path": "/head/2024.ultralytics/v8.3.40/models/sam/predict.py",
"SHA256": "7eff6cd64631f04af666c68ca66881f4f873e65d2619d8c2caa42998cd82a5c1",
"Size": 82535,
"Behaviors": [
{
"Description": "uses a random number generator",
"MatchStrings": [
"random"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
"ID": "anti-behavior/random_behavior",
"RuleName": "random"
}
],
"RiskScore": 1,
"RiskLevel": "LOW"
},
"/head/2024.ultralytics/v8.3.41/nn/autobackend.py": {
"Path": "/head/2024.ultralytics/v8.3.41/nn/autobackend.py",
"SHA256": "02b91ee41691426af8c9077ec6be99f0fee46d304d2c8f8ed1fb033c52ce5ccc",
"Size": 35625,
"Syscalls": [
"close",
"open"
],
"Pledge": [
"inet"
],
"Behaviors": [
{
"Description": "references multiple operating systems",
"MatchStrings": [
"https://",
"Windows",
"Darwin",
"Linux"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref",
"ID": "c2/tool_transfer/os",
"RuleName": "multiple_os_ref"
},
{
"Description": "Works with zip files",
"MatchStrings": [
"zipfile"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/collect/archives/zip.yara#zip",
"ID": "collect/archives/zip",
"RuleName": "zip"
},
{
"Description": "Decodes JSON messages",
"MatchStrings": [
"json.loads"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/json-decode.yara#jsondecode",
"ID": "data/encoding/json_decode",
"RuleName": "jsondecode"
},
{
"Description": "system platform identification",
"MatchStrings": [
"platform.system()"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#python_platform",
"ReferenceURL": "https://docs.python.org/3/library/platform.html",
"ID": "discover/system/platform",
"RuleName": "python_platform"
},
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.utils.triton import TritonRemoteModel",
"from ultralytics.utils.downloads import attempt",
"from ultralytics.engine.exporter import export",
"from ultralytics.utils.ops import xywh2xyxy",
"from ultralytics.engine.exporter import gd",
"from ultralytics.utils.checks import check",
"from ultralytics.nn.tasks import attempt",
"from collections import OrderedDict",
"from ultralytics.utils import ARM64",
"from urllib.parse import urlsplit",
"from pathlib import Path",
"from PIL import Image",
"import coremltools",
"import Interpreter",
"import onnxruntime",
"import torchvision",
"import tensorflow",
"import tensorrt",
"import openvino",
"import platform",
"import zipfile",
"import paddle",
"import numpy",
"import here",
"import time",
"import json",
"import ncnn",
"import ast",
"import mct",
"import nms",
"import cv2",
"import MNN",
"import os"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "opens files",
"MatchStrings": [
"open("
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-open.yara#py_open",
"ID": "fs/file/open",
"RuleName": "py_open"
},
{
"Description": "opens a binary file for read",
"MatchStrings": [
"open(w, \"rb\")"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-read.yara#python_file_read_binary",
"ID": "fs/file/read",
"RuleName": "python_file_read_binary"
},
{
"Description": "download files",
"MatchStrings": [
"import attempt_download_asset",
"downloads import attempt",
"nvidia-tensorrt-download",
"Download if not local"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download",
"ID": "net/download",
"RuleName": "download"
},
{
"Description": "Uses the HTTP protocol",
"MatchStrings": [
"http"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http",
"ID": "net/http",
"RuleName": "http"
},
{
"Description": "contains embedded HTTPS URLs",
"MatchStrings": [
"https://developer.nvidia.com/nvidia-tensorrt-download",
"https://github.com/ultralytics/ultralytics/pull/14239",
"https://github.com/ultralytics/ultralytics/pull/1695",
"https://www.tensorflow.org/lite/guide/python",
"https://coral.ai/docs/edgetpu/tflite-python/",
"https://docs.ultralytics.com/modes/predict",
"https://www.tensorflow.org/guide/migrate",
"https://github.com/pnnx/pnnx/issues/130",
"https://github.com/Tencent/ncnn.git",
"https://coral.ai/software/"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
"ID": "net/url/embedded",
"RuleName": "https_url"
},
{
"Description": "Handles URL strings",
"MatchStrings": [
"urllib"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle",
"ID": "net/url/parse",
"RuleName": "url_handle"
},
{
"Description": "reads from a file handle",
"MatchStrings": [
"deserialize_cuda_engine(f.read()",
"ParseFromString(f.read()",
"x.read()"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/fd/read.yara#py_fd_read",
"ID": "os/fd/read",
"RuleName": "py_fd_read"
}
],
"RiskScore": 2,
"RiskLevel": "MEDIUM"
},
"/head/2024.ultralytics/v8.3.40/cfg/__init__.py": {
"Path": "/head/2024.ultralytics/v8.3.40/cfg/__init__.py",
"SHA256": "2e04ef5bf45dfe9859a0bcc2f29e54121f28ee9223c7dc5cebb23dd578799656",
"Size": 38910,
"Syscalls": [
"close",
"execve",
"open",
"pwrite",
"unlink"
],
"Pledge": [
"exec",
"wpath"
],
"Behaviors": [
{
"Description": "imports python modules",
"MatchStrings": [
"from ultralytics.utils.files import increment",
"from ultralytics import solutions",
"from types import SimpleNamespace",
"from ultralytics.cfg import get",
"from ultralytics import FastSAM",
"from ultralytics import RTDETR",
"from ultralytics import YOLO",
"from ultralytics import hub",
"from ultralytics import SAM",
"from pathlib import Path",
"from difflib import get",
"from typing import Dict",
"import ultralytics",
"import subprocess",
"import shutil",
"import cv2",
"import sys",
"import os"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import",
"ID": "exec/imports/python",
"RuleName": "has_import"
},
{
"Description": "execute external program",
"MatchStrings": [
"subprocess.run([\"streamlit\", \"run\", ROOT / \"solutions/streamlit_inference.py\", \"--server.headless\", \"true\"])"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/program.yara#py_subprocess",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/execve.2.html",
"ID": "exec/program",
"RuleName": "py_subprocess"
},
{
"Description": "creates directories",
"MatchStrings": [
"mkdir"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/mkdir.2.html",
"ID": "fs/directory/create",
"RuleName": "mkdir"
},
{
"Description": "deletes files",
"MatchStrings": [
"unlink"
],
"RiskScore": 1,
"RiskLevel": "LOW",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-delete.yara#unlink",
"ReferenceURL": "https://man7.org/linux/man-pages/man2/unlink.2.html",
"ID": "fs/file/delete",
"RuleName": "unlink"
},
{
"Description": "path reference within /tmp",
"MatchStrings": [
"/tmp/runs"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path",
"ID": "fs/path/tmp",
"RuleName": "tmp_path"
},
{
"Description": "accesses webcam",
"MatchStrings": [
"cv2.VideoCapture"
],
"RiskScore": 2,
"RiskLevel": "MEDIUM",
"RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/hw/webcam.yara#macos_webcam_user",
"ID": "hw/webcam",
"RuleName": "macos_webcam_user"
},
{
"Description": "contains embedded HTTPS URLs",
"MatchSt
#26 failed to add the analysis comment because it was opened from a fork, and the GITHUB_TOKEN doesn't have write permissions on PRs from forks. This PR is opened from a branch on the origin repo, so it should have comments.
The fix for comments on PRs from forks would be to use `pull_request_target`, which is hard to use and can expose some security risk, so we'll just test this with PRs from origin branches instead of forks.