Aura is a static analysis framework designed to combat the growing threat of malicious packages and vulnerable code published on PyPI.

Project Objectives:

• Provides an automated monitoring system on packages uploaded to PyPI, alerting to anomalies that may indicate ongoing attacks or vulnerabilities in the code
• Enables organizations to conduct automated security audits of source code and enforce secure coding practices, with a focus on auditing 3rd party code such as python package dependencies
• Allows researchers to scan code repositories at scale, create datasets, and analyze them to further advance research in the area of ​​vulnerable and malicious code dependencies

function list:

• Ideal for analyzing malware with guaranteed zero code execution
• Advanced deobfuscation mechanisms by rewriting AST trees – continuous propagation, code unrolling and other dirty tricks
• Recursive scanning automatically decompresses zip, wheels, etc. files and scans the contents
• Scanning of non-python files is also supported – plugins can work in “raw file” mode, such as the built-in Yara integration
• Scan hardcoded secrets, passwords and other sensitive information
• Custom diff engine – you can compare changes between different data sources, e.g. changes made to PyPI packages by spoofing vs.
• Available for Python 2.x and Python 3.x source code
• High performance, designed to scan the entire PyPI repository
• Output in multiple formats such as plain text, JSON, SQLite, SARIF, etc…
• Tested on over 4TB of compressed Python source code
• Aura is able to report code behavior such as network communication, file access or system command execution
• calculate”Aura score“, tells you the credibility of the source code/input data
• …

Aura uses so-called URIs to identify the protocol and location to scan, if no protocol is used, the scan parameters are taken as paths to files or directories on the local system.

While there are other tools that overlap in functionality with Aura, such as Bandit, dlint, semgrep, etc., these alternatives have a different focus, which affects the functionality and how it is used.These alternatives are primarily intended to be used in a manner similar to linters, integrated into the IDE, run frequently during development, which makes ideallyminimize false positivesand report and provide clearoperableInterpretation is very important.

Aura, on the other hand, reports the code’s behavior,abnormalandloophole, and provide as much information as possible at the cost of false positives. Many of the things aura reports are not necessarily user-actionable, but they tell you a lot about the code’s behavior, such as making network communications, accessing sensitive files, or using obfuscation-related mechanisms to indicate possible malicious code. By collecting such data And aggregated together, Aura can be functionally compared to other security systems (such as antivirus, IDS or firewalls) which essentially do the same analysis but use different types of data (network traffic, running process, ETC).

Here’s a quick overview of the differences between Aura and other similar linters and SAST tools:

• Input data:

  
  

  • Other SAST tools— usually limited to the python (target) source code and the version of python that the tool is installed on.
  • AuraBinary (or non-Python code) and Python source code can also be analyzed.Able to use the same Aura installationAnalyze a mix of python code compatible with different python versions (py2k and py3k).

• Report:

  
  

  • Other SAST tools– Designed to integrate well with other systems (like IDEs, CI systems with actionable results) while minimizing false positives to prevent users from getting too many alerts that don’t matter.
  • Aura – Report as much information as possible that cannot be acted on immediately, such as behavior and anomaly analysis. The output format is intended to be machine-friendly for processing and aggregation, not human-readable.

• configuration:

  
  

  • Other SAST tools– The tools are fine-tuned for the target project by customizing the signature to target the specific technology used by the target project.Overriding configuration can usually be achieved by inserting comments in the source code, e.g.# nosecSuppress the alert at the location
  • Aura – It is expected that little is known in advance about the techniques used by the code being scanned, such as reviewing new python packages for approval for use as dependencies in projects. In most cases it is not even possible to modify the scanned source code, for example using annotations to instruct the linter or aura to skip instrumentation at that location because it is scanning a copy of that code hosted at some remote location.