Skip to content

fix(yara): reduce packaged malware-signature false positives (#236)#247

Open
rodboev wants to merge 1 commit into
NVIDIA:mainfrom
rodboev:pr/yara-packaging-236
Open

fix(yara): reduce packaged malware-signature false positives (#236)#247
rodboev wants to merge 1 commit into
NVIDIA:mainfrom
rodboev:pr/yara-packaging-236

Conversation

@rodboev

@rodboev rodboev commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary

SkillSpector should avoid shipping raw malware-signature rule source in a form that causes repository archives to look like malware payloads, while preserving the built-in YARA detector behavior those rules provide.

Closes #236

Root cause

The YARA analyzer compiles built-in rule files directly from src/skillspector/yara_rules, including malware.yar. Those rule strings are benign detector material, but archive scanners can treat them as suspicious content when scanning the repository zip itself.

Diff Notes

  • Replace the raw malware.yar package file with an encoded built-in asset that static_yara decodes at load time, so the detector source no longer ships as plain rule text.
  • Preserve built-in YARA matching and YR1 severity/category behavior.
  • Add tests for built-in malware rule matching and user-supplied extra rule loading.

Scope

This does not remove malware detection, disable YARA, rename --yara-rules-dir, or claim that external scanners are clean unless that live scanner proof is collected.

Verification

  • .\.venv\Scripts\python.exe -m pytest tests/nodes/analyzers/test_static_yara.py
  • .\.venv\Scripts\python.exe -m pytest tests/nodes/analyzers/test_static_yara.py -k "malformed or build_namespace or builtin or extra"
  • .\.venv\Scripts\python.exe -m pytest tests/nodes/analyzers/test_static_yara.py -k "collect_rule_files_finds_yar"
  • rg -n "bash -i >& /dev/tcp/127\.0\.0\.1/4444 0>&1" src tests returns no matches
  • uv run ruff check src/ tests/
  • uv run ruff format --check src/ tests/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Skillspector is flagged to contain malware

1 participant