0.5.0: findings rework — drop trust scoring + ALPM hook#1

Merged: adelmonte merged 6 commits into main from findings-overhaul on Jun 18, 2026.

Conversation

@adelmonte (Owner)

Reworks traur from a trust-scorer into a findings reporter (this fork's direction).

Changed

  • Flat, color-coded findings grouped by category; each shows the line that triggered it.
  • scan <name> fetches PKGBUILD/.install over HTTP (cgit) instead of cloning; no on-disk cache.

Removed

  • 0–100 trust score, tiers, weights, override-gates.
  • ALPM hook (traur-hook + traur.hook).
  • allow/whitelist; bench; obsolete metadata-dump cache.

Added

  • Offline makepkg wrapper (contrib/makepkg-traur) + traur wrapper --enable/--disable/--status; scans once on --verifysource, never on the network during a build. Prompt [Y/n/d/p] (d=diff, p=flagged source).
  • scan --pkgbuild <path> --source to highlight flagged lines.
  • Known-malicious-list check (B-KNOWN-MALICIOUS): online, cached, fail-open.
  • .install run through shell/gtfobins analysis (IS- prefix).

Fixed

…alls to MALICIOUS

Closes the detection gap exposed by the June 2026 "Atomic Arch" AUR supply-chain attack, which hijacked orphaned packages and added a benign-looking `npm install atomic-lockfile` / `bun install js-digest` line to the PKGBUILD or .install file. The payload lived inside the fetched npm/bun package's lifecycle scripts, so the PKGBUILD itself scored TRUSTED.

- patterns: P-NET-PKG-INSTALL{,-JS} (PKGBUILD) and
  P-INSTALL-PKG-MANAGER{,-JS} (.install) flag a build/install step that
  fetches a *named* package over the network (npm/pnpm/yarn/bun/pip/gem/
  cargo/go). A package argument is required so bare `npm install`/`npm ci`/
  `bun install` (lockfile installs) do not match.
- composite gate: coordinator emits B-ORPHAN-NET-INSTALL (override gate ->
  MALICIOUS) when an adopted/taken-over package (B-SUBMITTER-CHANGED) also
  has one of the network-install signals.
- tests for both patterns (incl. bare-install negatives) and the gate.
- silence pre-existing unused-variable warning in bulk.rs.
Replace the 0-100 trust score, tiers and override-gates with a flat list of findings (ScanResult { package, signals }). Output is now color-coded, grouped by category, and shows the line that triggered each finding.

Remove the ALPM hook (traur-hook binary + traur.hook) entirely.

Stop cloning/caching: 'scan <name>' fetches PKGBUILD/.install over cgit HTTP (no clone, no ~/.cache/traur); local/wrapper scans read on-disk files and diff against the local .git.

Ship an offline makepkg wrapper (contrib/makepkg-traur) plus 'traur wrapper --enable/--disable/--status'. It scans once on the --verifysource pass (before build, never on the network so it cannot hang) and prompts [Y/n/d/p] (d=git diff, p=PKGBUILD/.install with flagged lines highlighted).

Add known-malicious-list check (Sohimaster#17): online-only, short timeout, cached, fail-open.

Drop bench and ThresholdConfig; update PKGBUILD (no hook, no --frozen), README and CLAUDE.md. Tests updated to the flat model (435 passing).
Strip whole-line shell comments before pattern matching (pkgbuild/install/gtfobins) so commented-out code no longer trips signals (e.g. '# modprobe configs'). Fixes the base64-in-maintainer-comment FP too.

Skip the checksum-count mismatch check when an array is built with 'name+=(...)' appends (kernel PKGBUILD pattern) — fixes P-CHECKSUM-MISMATCH on linux-cachyos-native.

Fix AUR comment parser to match the content div regardless of attribute order (id before class), so M-COMMENTS-SECURITY actually fires (issue Sohimaster#15).

Remove the allow/whitelist feature entirely (command, WhitelistConfig, helpers). Delete obsolete ROADMAP.md and FIX.md; drop stale 'allow' line from README.
Add demo.png to the README; replace the AUR install instructions with build-from-source (this fork isn't on the AUR); note the 2026 Atomic Arch supply-chain detection in coverage; rewrite CHANGELOG for the 0.5.0 findings rework.
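The two detection rules the PR describes for the Atomic Arch case, worked through as an added example (this is not traur's code and not the fork's implementation): a line matches only when a package-manager verb is followed by a *named* package, so bare lockfile installs (`npm install`, `npm ci`, `bun install`) stay silent; whole-line shell comments are dropped before matching; and the composite B-ORPHAN-NET-INSTALL finding is raised only when a submitter change coincides with a network-install signal. The signal ids are the ones named on the PR; the tokenising rules (flags and `./`-style local paths are not package names, a shell separator ends the argument list), the function names and the sample PKGBUILD are this example's own assumptions.

```rust
// Added example, not traur's own code: a minimal line-level detector for the
// "named package fetched over the network at build/install time" pattern the
// PR describes. Signal ids are the ones named on the PR; the tokenising rules,
// function names and the composite gate below are this example's assumptions.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub id: &'static str,
    pub line_no: usize, // 1-based line in the scanned file
    pub line: String,   // the line that triggered the finding
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FileKind {
    Pkgbuild,
    Install,
}

const JS_VERBS: &[&str] = &["install", "add", "i"];
const INSTALL_ONLY: &[&str] = &["install"];
const GO_VERBS: &[&str] = &["install", "get"];

/// Package-manager verbs that fetch a named package from a registry.
/// The bool selects the -JS variant of the signal id.
fn manager_verbs(tool: &str) -> Option<(bool, &'static [&'static str])> {
    match tool {
        "npm" | "pnpm" | "yarn" | "bun" => Some((true, JS_VERBS)),
        "pip" | "pip3" | "gem" | "cargo" => Some((false, INSTALL_ONLY)),
        "go" => Some((false, GO_VERBS)),
        _ => None,
    }
}

/// True for an argument that names a package rather than a flag or a local
/// path. (Assumption: the real tool's argument rules are richer than this.)
fn is_package_arg(arg: &str) -> bool {
    !(arg.starts_with('-') || arg.starts_with('.') || arg.starts_with('/'))
}

/// Signal id for a line that installs a *named* package over the network,
/// else None. Bare `npm install` / `npm ci` / `bun install` (lockfile installs)
/// do not match because no package argument follows the verb.
pub fn net_install_signal(line: &str, kind: FileKind) -> Option<&'static str> {
    let tokens: Vec<&str> = line.split_whitespace().collect();
    for (i, tok) in tokens.iter().enumerate() {
        let Some((is_js, verbs)) = manager_verbs(tok) else { continue };
        let Some(verb) = tokens.get(i + 1) else { continue };
        if !verbs.contains(verb) {
            continue;
        }
        // Stop at a shell separator so `npm install && make` is still bare.
        let has_pkg = tokens[i + 2..]
            .iter()
            .take_while(|a| !matches!(**a, "&&" | "||" | ";" | "|"))
            .any(|a| is_package_arg(a));
        if has_pkg {
            return Some(match (kind, is_js) {
                (FileKind::Pkgbuild, false) => "P-NET-PKG-INSTALL",
                (FileKind::Pkgbuild, true) => "P-NET-PKG-INSTALL-JS",
                (FileKind::Install, false) => "P-INSTALL-PKG-MANAGER",
                (FileKind::Install, true) => "P-INSTALL-PKG-MANAGER-JS",
            });
        }
    }
    None
}

/// Scan a PKGBUILD or .install body. Whole-line shell comments are skipped
/// before matching, so `# npm install foo` in a maintainer note is not flagged.
pub fn scan(text: &str, kind: FileKind) -> Vec<Finding> {
    text.lines()
        .enumerate()
        .filter(|(_, l)| !l.trim_start().starts_with('#'))
        .filter_map(|(i, l)| {
            net_install_signal(l, kind).map(|id| Finding {
                id,
                line_no: i + 1,
                line: l.trim().to_string(),
            })
        })
        .collect()
}

/// Composite finding from the PR: an adopted/taken-over package
/// (B-SUBMITTER-CHANGED) that also carries a network-install signal.
pub fn orphan_net_install(submitter_changed: bool, findings: &[Finding]) -> Option<&'static str> {
    let net = findings
        .iter()
        .any(|f| f.id.starts_with("P-NET-PKG-INSTALL") || f.id.starts_with("P-INSTALL-PKG-MANAGER"));
    (submitter_changed && net).then_some("B-ORPHAN-NET-INSTALL")
}

fn main() {
    // Constructed sample PKGBUILD modelled on the description in the PR.
    let pkgbuild = "\
pkgname=example-app
# npm install lockfile-tool   <- commented out, must not fire
build() {
  cd \"$srcdir/$pkgname\"
  npm ci
  npm install atomic-lockfile
}";
    let findings = scan(pkgbuild, FileKind::Pkgbuild);
    for f in &findings {
        println!("{} line {}: {}", f.id, f.line_no, f.line);
    }
    if let Some(id) = orphan_net_install(true, &findings) {
        println!("{id}: submitter changed and a network install is present");
    }
}
```

Run as-is, the sample reports one finding, `P-NET-PKG-INSTALL-JS` on the `npm install atomic-lockfile` line, and the commented-out and `npm ci` lines produce nothing; with `submitter_changed` set, the composite finding follows.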
adelmonte merged commit 4607e65 into main on Jun 18, 2026.