Address false positives with google-cloud-sdk

rules/combo/backdoor/py_setuptools.yara

@@ -24,6 +24,7 @@ rule setuptools_cmd_exec : suspicious {
     $f_subprocess = /subprocess.\w{0,32}\([\"\'\/\w\ \-\)]{0,64}/
     $not_comment = "Editable install to a prefix should be discoverable."
     $not_egg_info_requires = "os.path.join(egg_info_dir, 'requires.txt')"
+    $not_requests = "'Documentation': 'https://requests.readthedocs.io'"
   condition:
     pythonSetup and any of ($f*) and none of ($not*)
 }
@@ -34,7 +35,12 @@ rule setuptools_eval : critical {
   strings:
     $f_sys_val = /eval\([\"\'\w\ \-\)\/]{0,64}/ fullword
     $f_subprocess_val = /exec\([\"\'\/\w\ \-\)]{0,64}/ fullword
+    $not_apache = "# Licensed under the Apache License, Version 2.0 (the \"License\")"
     $not_comment = "Editable install to a prefix should be discoverable."
+    $not_google = /# Copyright [1-2][0-9]{3} Google Inc/
+    $not_idna = "A library to support the Internationalised Domain Names in Applications"
+    $not_idna2 = "(IDNA) protocol as specified in RFC 5890 et.al."
+    $not_requests = "'Documentation': 'https://requests.readthedocs.io'"
     $not_test_egg_class = "class TestEggInfo"
   condition:
     pythonSetup and any of ($f*) and none of ($not*)

rules/combo/backdoor/remote_eval.yara

@@ -57,10 +57,13 @@ rule python_exec_near_get : critical {
     hash_2024_xFileSyncerx_xfilesyncerx = "c68e907642a8462c6b82a50bf4fde82bbf71245ab4edace246dd341dc72e5867"
     hash_2024_2024_d3duct1v_xfilesyncerx = "b87023e546bcbde77dae065ad3634e7a6bd4cc6056167a6ed348eee6f2a168ae"
   strings:
-    $exec = "exec("
-    $requests = /[a-z]{1,4}.get\(/ fullword
+    $f_exec = "exec("
+    $f_requests = /[a-z]{1,4}.get\(/ fullword
+    $not_pyparser = "All of the heavy"
+    $not_pyparser2 = "lifting is handled by pyparsing (http://pyparsing.sf.net)."
+    $not_sparser = "sparser.py [options] filename"
   condition:
-    all of them and math.abs(@requests - @exec) <= 32
+    all of ($f*) and math.abs(@f_requests - @f_exec) <= 32 and none of ($not*)
 }
 
 rule python_eval_near_get : critical {

samples/Python/clean/google-auth-library-python/setup.py

@@ -0,0 +1,89 @@
+# Copyright 2014 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import io
+import os
+
+from setuptools import find_packages
+from setuptools import setup
+
+
+DEPENDENCIES = (
+    "cachetools>=2.0.0,<6.0",
+    "pyasn1-modules>=0.2.1",
+    # rsa==4.5 is the last version to support 2.7
+    # https://github.com/sybrenstuvel/python-rsa/issues/152#issuecomment-643470233
+    'rsa<4.6; python_version < "3.6"',
+    'rsa>=3.1.4,<5; python_version >= "3.6"',
+    # install enum34 to support 2.7. enum34 only works up to python version 3.3.
+    'enum34>=1.1.10; python_version < "3.4"',
+    "six>=1.9.0",
+)
+
+extras = {
+    "aiohttp": [
+        "aiohttp >= 3.6.2, < 4.0.0dev; python_version>='3.6'",
+        "requests >= 2.20.0, < 3.0.0dev",
+    ],
+    "pyopenssl": ["pyopenssl>=20.0.0", "cryptography>=38.0.3"],
+    "requests": "requests >= 2.20.0, < 3.0.0dev",
+    "reauth": "pyu2f>=0.1.5",
+    # Enterprise cert only works for OpenSSL 1.1.1. Newer versions of these
+    # dependencies are built with OpenSSL 3.0 so we need to fix the version.
+    "enterprise_cert": ["cryptography==36.0.2", "pyopenssl==22.0.0"],
+}
+
+with io.open("README.rst", "r") as fh:
+    long_description = fh.read()
+
+package_root = os.path.abspath(os.path.dirname(__file__))
+
+version = {}
+with open(os.path.join(package_root, "google/auth/version.py")) as fp:
+    exec(fp.read(), version)
+version = version["__version__"]
+
+setup(
+    name="google-auth",
+    version=version,
+    author="Google Cloud Platform",
+    author_email="[email protected]",
+    description="Google Authentication Library",
+    long_description=long_description,
+    url="https://github.com/googleapis/google-auth-library-python",
+    packages=find_packages(exclude=("tests*", "system_tests*")),
+    namespace_packages=("google",),
+    install_requires=DEPENDENCIES,
+    extras_require=extras,
+    python_requires=">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*",
+    license="Apache 2.0",
+    keywords="google auth oauth client",
+    classifiers=[
+        "Programming Language :: Python :: 3",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
+        "Programming Language :: Python :: 3.9",
+        "Programming Language :: Python :: 3.10",
+        "Programming Language :: Python :: 3.11",
+        "Development Status :: 5 - Production/Stable",
+        "Intended Audience :: Developers",
+        "License :: OSI Approved :: Apache Software License",
+        "Operating System :: POSIX",
+        "Operating System :: Microsoft :: Windows",
+        "Operating System :: MacOS :: MacOS X",
+        "Operating System :: OS Independent",
+        "Topic :: Internet :: WWW/HTTP",
+    ],
+)

samples/Python/clean/google-auth-library-python/setup.py.simple

@@ -0,0 +1,5 @@
+# Python/clean/google-auth-library-python/setup.py
+exec/shell_command
+fd/read
+ref/site/url
+techniques/code_eval

samples/Python/clean/idna/setup.py

@@ -0,0 +1,62 @@
+"""
+A library to support the Internationalised Domain Names in Applications
+(IDNA) protocol as specified in RFC 5890 et.al. This new methodology,
+known as IDNA 2008, can generate materially different results to the
+previous standard. The library can act as a drop-in replacement for
+the "encodings.idna" module.
+"""
+
+import io, sys
+from setuptools import setup
+
+
+def main():
+
+    python_version = sys.version_info[:2]
+    if python_version < (3,4):
+        raise SystemExit("Sorry, Python 3.4 or newer required")
+
+    package_data = {}
+    exec(open('idna/package_data.py').read(), package_data)
+
+    arguments = {
+        'name': 'idna',
+        'packages': ['idna'],
+        'package_data': {'idna': ['py.typed']},
+        'include_package_data': True,
+        'version': package_data['__version__'],
+        'description': 'Internationalized Domain Names in Applications (IDNA)',
+        'long_description': open("README.rst", encoding="UTF-8").read(),
+        'author': 'Kim Davies',
+        'author_email': '[email protected]',
+        'license': 'BSD-3-Clause',
+        'url': 'https://github.com/kjd/idna',
+        'classifiers': [
+            'Development Status :: 5 - Production/Stable',
+            'Intended Audience :: Developers',
+            'Intended Audience :: System Administrators',
+            'License :: OSI Approved :: BSD License',
+            'Operating System :: OS Independent',
+            'Programming Language :: Python',
+            'Programming Language :: Python :: 3',
+            'Programming Language :: Python :: 3 :: Only',
+            'Programming Language :: Python :: 3.5',
+            'Programming Language :: Python :: 3.6',
+            'Programming Language :: Python :: 3.7',
+            'Programming Language :: Python :: 3.8',
+            'Programming Language :: Python :: 3.9',
+            'Programming Language :: Python :: 3.10',
+            'Programming Language :: Python :: Implementation :: CPython',
+            'Programming Language :: Python :: Implementation :: PyPy',
+            'Topic :: Internet :: Name Service (DNS)',
+            'Topic :: Software Development :: Libraries :: Python Modules',
+            'Topic :: Utilities',
+        ],
+        'python_requires': '>=3.5',
+        'test_suite': 'tests',
+    }
+
+    setup(**arguments)
+
+if __name__ == '__main__':
+    main()

samples/Python/clean/idna/setup.py.simple

@@ -0,0 +1,4 @@
+# Python/clean/idna/setup.py
+fd/read
+ref/site/url
+techniques/code_eval

samples/Python/clean/ml_sdk/setup.py

@@ -0,0 +1,48 @@
+# Copyright 2016 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Package Setup for the Google Cloud ML SDK.
+"""
+
+import os
+from setuptools import find_packages
+from setuptools import setup
+
+
+def get_required_install_packages():
+  global_names = {}
+  # pylint: disable=exec-used
+  with open(os.path.normpath('google/cloud/ml/version.py')) as f:
+    exec(f.read(), global_names)
+  return global_names['required_install_packages']
+
+
+def get_version():
+  global_names = {}
+  # pylint: disable=exec-used
+  with open(os.path.normpath('google/cloud/ml/version.py')) as f:
+    exec(f.read(), global_names)
+  return global_names['__version__']
+
+
+setup(
+    name='cloudml',
+    version=get_version(),
+    author='Google',
+    author_email='[email protected]',
+    namespace_packages=['google', 'google.cloud'],
+    install_requires=get_required_install_packages(),
+    packages=find_packages(),
+    include_package_data=True,
+    description='Google Cloud Machine Learning Prediction SDK',
+    requires=[])

samples/Python/clean/ml_sdk/setup.py.simple

@@ -0,0 +1,4 @@
+# Python/clean/ml_sdk/setup.py
+fd/read
+ref/site/url
+techniques/code_eval