YARA rules for setup.py not ignoring comments

[di]

Looking at a verdict from a release on TestPyPI (https://test.pypi.org/admin/verdicts/530819ab-b0bb-4405-8474-bea1c7aed983) it indicates that there are calls to exec:

{
    "process_spawn_in_setup": {
        "classification": "threat",
        "confidence": "high",
        "strings": [
            [
                247,
                "$from_os_import"
            ],
            [
                7794,
                "$bare_exec"
            ],
            [
                7977,
                "$bare_exec"
            ],
            [
                8110,
                "$bare_exec"
            ]
        ]
    }
}

However there aren't any exec calls in the package, instead it seems to be picking up on the following comments in setup.py:

    # To provide executable scripts, use entry points in preference to the
    # "scripts" keyword. Entry points provide cross-platform support and allow
    # `pip` to create the appropriate form of executable for the target
    # platform.
    #
    # For example, the following would provide a command called `sample` which
    # executes the function `main` from this package when invoked:

Due to the following rule:

https://github.com/pypa/warehouse/blob/630ac09321d93a6867f2b801153f45a90ba50d58/warehouse/malware/checks/setup_patterns/setup_py_rules.yara#L18

Is there a way we can exclude all lines that are comments?

[xmunoz]

I'm happy to take a look :)

[xmunoz]

Doesn't look like yara supports negative lookaheads, so we'll have to great creative with the condition clause. VirusTotal/yara#584

[dstufft]

This is gone now #13647