
Not able to use the vet inspect malware feature #384

Closed
chheda-deshaw opened this issue Mar 11, 2025 · 8 comments

Comments

@chheda-deshaw

Hi,
I have authenticated to the safedep cloud tenant successfully. But I'm not able to run vet inspect malware --purl pkg:/npm/[email protected] as mentioned in these docs: https://docs.safedep.io/cloud/malware-analysis.

Output:

$ vet auth verify

Yb    dP 888888 888888
 Yb  dP  88__     88
  YbdP   88""     88
   YP    888888   88

Authentication key is valid!
------------------------------------------------------------------------------------------------------------------------------
$ vet inspect malware --purl pkg:/npm/[email protected]
Error: unknown flag: --purl
Usage:
  vet [OPTIONS] COMMAND [ARG...] [flags]
  vet [command]

Available Commands:
  auth        Configure vet authentication
  cloud       Manage and query cloud resources (control plane)
  code        Analyze souce code
  completion  Generate the autocompletion script for the specified shell
  connect     Connect with 3rd party apps
  help        Help about any command
  query       Query JSON dump and run filters or render reports
  scan        Scan and analyse package manifests
  version     Show version and build information

Flags:
  -d, --debug                      Show debug logs
  -e, --exceptions string          Load exceptions from file
      --exceptions-extra strings   Load additional exceptions from file
  -h, --help                       help for vet
  -l, --log string                 Write command logs to file, use - as for stdout
      --no-banner                  Do not display the vet banner
  -v, --verbose                    Show verbose logs

Use "vet [command] --help" for more information about a command.

What am I doing wrong here?

@chheda-deshaw
Author

vet scan works well in cloud mode:

$ vet scan -D docling

Yb    dP 888888 888888
 Yb  dP  88__     88
  YbdP   88""     88
   YP    888888   88

Running in Cloud (authenticated) Mode
Scanning packages    ... done! [296 in 23.346s]
Scanning manifests   ... done! [8 in 23.346s]
  **   Summary of Findings

  ** 0 critical, 8 high and 0 other vulnerabilities were identified

  ** 4 potentially unpopular library identified as direct dependency

  ** Provenance: 0 verified, 0 unverified, 297 missing

  ** Found usage evidences for 0/297 libraries

  ** 0/297 libraries were actively scanned for malware

  ** 40 libraries are out of date with major version drift in direct dependencies

  ** across 297 libraries in 9 manifest(s)

Top 5 libraries to fix ...

┌───────────┬──────────────────────────┬────────┬──────────────┬─────────────────────────┐
│ ECOSYSTEM │ PACKAGE                  │ LATEST │ IMPACT SCORE │ VULN RISK               │
├───────────┼──────────────────────────┼────────┼──────────────┼─────────────────────────┤
│ PyPI      │ [email protected]      │ 4.49.0 │ 48           │  High                   │
│           │  vulnerability           │        │              │ GHSA-hxxf-235m-72v3 + 5 │
├───────────┼──────────────────────────┼────────┼──────────────┼─────────────────────────┤
│ PyPI      │ [email protected]             │ 3.1.6  │ 16           │  High                   │
│           │  vulnerability           │        │              │ GHSA-gmj6-6f8f-6699 + 1 │
├───────────┼──────────────────────────┼────────┼──────────────┼─────────────────────────┤
│ PyPI      │ [email protected]           │ 3.3.9  │ 2            │  None                   │
│           │  drift                   │        │              │                         │
│           │  ... [1] > [email protected] │        │              │                         │
├───────────┼──────────────────────────┼────────┼──────────────┼─────────────────────────┤
│ PyPI      │ [email protected]             │ 25.1.0 │ 2            │  None                   │
│           │  drift                   │        │              │                         │
├───────────┼──────────────────────────┼────────┼──────────────┼─────────────────────────┤
│ PyPI      │ [email protected]            │ 25.1.0 │ 2            │  None                   │
│           │  drift                   │        │              │                         │
└───────────┴──────────────────────────┴────────┴──────────────┴─────────────────────────┘

There are 41 more libraries that should be upgraded to reduce risk
Run vet with `--report-markdown=/path/to/report.md` for details

Run with `vet --filter="..."` for custom filters to identify risky libraries
For more details https://github.com/safedep/vet

@abhisek
Member

abhisek commented Mar 11, 2025

@chheda-deshaw The inspect command is experimental. You have to set the following environment variable

export VET_ENABLE_PACKAGE_INSPECT_COMMAND=true

https://docs.safedep.io/cloud/malware-analysis

@chheda-deshaw
Author

Apologies for the oversight.
Thanks @abhisek.

Could we also extend the inspect malware functionality to github.com packages?

@abhisek
Member

abhisek commented Mar 12, 2025

@chheda-deshaw The current system supports only packages from a package registry such as npm, PyPI, etc. We need to analyse the effort required to support a GitHub repository.

Can you share a bit on your use-case? How do you plan to use it? Maybe there is a workaround without supporting GitHub right away.

@chheda-deshaw
Author

chheda-deshaw commented Mar 13, 2025

Sure @abhisek

Can you share a bit on your use-case? How do you plan to use it? Maybe there is a workaround without supporting GitHub right away.

I was looking to "vet" OSS Langfuse: https://github.com/langfuse/langfuse for use in the internal environment.
I can't perform malware analysis on its core code because it doesn't fall into one of the package registries. I can "vet" the SDKs (clients) written in Python and JS, which are available via PyPI and npm, but not the core server code.

@abhisek
Member

abhisek commented Mar 13, 2025

Thanks @chheda-deshaw for sharing the use-case. Let us come back on how we can support this.

I think we can probably build an adapter to pull the code from GitHub similar to what we already do for package registries like npm, PyPI etc.

cc: @OmkarPh

@abhisek
Member

abhisek commented Mar 20, 2025

@chheda-deshaw
Author

Thanks @abhisek!
This works like a charm:

$ vet inspect malware --purl pkg:github/langfuse/langfuse@59eafb42c393111fa85e5aa91a89e91aedcac647

Yb    dP 888888 888888
 Yb  dP  88__     88
  YbdP   88""     88
   YP    888888   88

Submitted package for malware analysis with ID: 01JPVM90639CQFTDCPM3R753SW
Waiting for malware analysis to complete ... ⠇
Malware analysis completed successfully
Malware analysis report for package: pkg:github/langfuse/langfuse@59eafb42c393111fa85e5aa91a89e91aedcac647
┌───────────────────────────────────────────────────────────────────────┬────────┬────────────┐
│ PACKAGE URL                                                           │ STATUS │ CONFIDENCE │
├───────────────────────────────────────────────────────────────────────┼────────┼────────────┤
│ pkg:github/langfuse/langfuse@59eafb42c393111fa85e5aa91a89e91aedcac647 │ SAFE   │ MEDIUM     │
└───────────────────────────────────────────────────────────────────────┴────────┴────────────┘

** The full report is available at: https://platform.safedep.io/community/malysis/01JPVM90639CQFTDCPM3R753SW
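Added example, not code from the vet project or from anyone in this thread: a POSIX shell gate that enables the experimental command through the variable named above, runs the inspection for one purl, and fails a pipeline unless the report row reads SAFE. The sample output, the placeholder ID/SHA and the FLAGGED status are constructed (the thread shows only SAFE).

```shell
#!/bin/sh
# Added example, not code from the vet project. Gates a pipeline on the verdict
# row that `vet inspect malware` prints. The sample output below is constructed
# to match the table format in the thread so the parsing runs without a tenant.

# Run the experimental command for one purl (requires a completed `vet auth`).
# VET_ENABLE_PACKAGE_INSPECT_COMMAND is the variable named in the thread.
vet_inspect() {
  VET_ENABLE_PACKAGE_INSPECT_COMMAND=true \
    vet inspect malware --no-banner --purl "$1"
}

# Print "STATUS CONFIDENCE" from the report table. The verdict row is the one
# whose second whitespace-separated field is a purl; purls contain no spaces,
# so default awk field splitting is safe even with the box-drawing borders.
verdict_of() {
  printf '%s\n' "$1" | awk '$2 ~ /^pkg:/ { print $4, $6; exit }'
}

# Return 0 only for SAFE. Confidence is echoed so a reviewer can decide whether
# MEDIUM is acceptable for the package in question; exit 2 when no row parsed.
gate() {
  v=$(verdict_of "$1")
  status=${v%% *}
  confidence=${v#* }
  case "$status" in
    SAFE) echo "pass: $status ($confidence)"; return 0 ;;
    "")   echo "fail: no verdict row in output" >&2; return 2 ;;
    *)    echo "fail: $status ($confidence)" >&2; return 1 ;;
  esac
}

# Constructed sample, shaped like the report in the thread (placeholder ID/SHA).
SAMPLE_SAFE='Submitted package for malware analysis with ID: 01PLACEHOLDERID
Malware analysis report for package: pkg:github/example/repo@0000000
┌─────────────────────────────────┬────────┬────────────┐
│ PACKAGE URL                     │ STATUS │ CONFIDENCE │
├─────────────────────────────────┼────────┼────────────┤
│ pkg:github/example/repo@0000000 │ SAFE   │ MEDIUM     │
└─────────────────────────────────┴────────┴────────────┘'

# Constructed non-safe variant; FLAGGED is a stand-in, the thread shows only SAFE.
SAMPLE_FLAGGED=$(printf '%s\n' "$SAMPLE_SAFE" | sed 's/ SAFE   / FLAGGED /')

# Usage against a live tenant: gate "$(vet_inspect "pkg:github/owner/repo@sha")"
```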
