0.5.0: findings rework — drop trust scoring + ALPM hook #1
Merged
…alls to MALICIOUS
Closes the detection gap exposed by the June 2026 "Atomic Arch" AUR
supply-chain attack, which hijacked orphaned packages and added a
benign-looking `npm install atomic-lockfile` / `bun install js-digest` line to
the PKGBUILD or .install file. The payload lived inside the fetched npm/bun
package's lifecycle scripts, so the PKGBUILD itself scored TRUSTED.
- patterns: P-NET-PKG-INSTALL{,-JS} (PKGBUILD) and
P-INSTALL-PKG-MANAGER{,-JS} (.install) flag a build/install step that
fetches a *named* package over the network (npm/pnpm/yarn/bun/pip/gem/
cargo/go). A package argument is required so bare `npm install`/`npm ci`/
`bun install` (lockfile installs) do not match.
- composite gate: coordinator emits B-ORPHAN-NET-INSTALL (override gate ->
MALICIOUS) when an adopted/taken-over package (B-SUBMITTER-CHANGED) also
has one of the network-install signals.
- tests for both patterns (incl. bare-install negatives) and the gate.
- silence pre-existing unused-variable warning in bulk.rs.
Replace the 0-100 trust score, tiers and override-gates with a flat list of findings (ScanResult { package, signals }). Output is now color-coded, grouped by category, and shows the line that triggered each finding.
Remove the ALPM hook (traur-hook binary + traur.hook) entirely.
Stop cloning/caching: 'scan <name>' fetches PKGBUILD/.install over cgit HTTP (no clone, no ~/.cache/traur); local/wrapper scans read on-disk files and diff against the local .git.
Ship an offline makepkg wrapper (contrib/makepkg-traur) plus 'traur wrapper --enable/--disable/--status'. It scans once on the --verifysource pass (before build, never on the network so it cannot hang) and prompts [Y/n/d/p] (d=git diff, p=PKGBUILD/.install with flagged lines highlighted).
Add known-malicious-list check (Sohimaster#17): online-only, short timeout, cached, fail-open.
Drop bench and ThresholdConfig; update PKGBUILD (no hook, no --frozen), README and CLAUDE.md. Tests updated to the flat model (435 passing).
Strip whole-line shell comments before pattern matching (pkgbuild/install/gtfobins) so commented-out code no longer trips signals (e.g. '# modprobe configs'). Fixes the base64-in-maintainer-comment FP too. Skip the checksum-count mismatch check when an array is built with 'name+=(...)' appends (kernel PKGBUILD pattern) — fixes P-CHECKSUM-MISMATCH on linux-cachyos-native. Fix AUR comment parser to match the content div regardless of attribute order (id before class), so M-COMMENTS-SECURITY actually fires (issue Sohimaster#15). Remove the allow/whitelist feature entirely (command, WhitelistConfig, helpers). Delete obsolete ROADMAP.md and FIX.md; drop stale 'allow' line from README.
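The named-package network-install patterns and the orphan gate from the first commit message, combined with the whole-line comment stripping described just above, as an added Rust example (not traur's code). `Finding`, `MANAGERS`, `scan_pkgbuild` and the `submitter_changed` flag are assumptions standing in for the project's types and for the coordinator's B-SUBMITTER-CHANGED signal; results follow the flat ScanResult { package, signals } model, with the triggering line kept on each finding.

```rust
// Added example (not traur's code): P-NET-PKG-INSTALL{,-JS} and the B-ORPHAN-NET-INSTALL
// gate as flat findings. Finding, MANAGERS, scan_pkgbuild and field types are assumptions.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub id: &'static str,
    pub line_no: Option<usize>, // 1-based line that triggered the finding, if any
    pub line: Option<String>,
}
pub struct ScanResult { pub package: String, pub signals: Vec<Finding> }
/// (manager, install subcommand, JavaScript ecosystem?) whose install fetches a named package.
const MANAGERS: &[(&str, &str, bool)] = &[
    ("npm", "install", true), ("pnpm", "add", true), ("yarn", "add", true), ("bun", "install", true),
    ("pip", "install", false), ("gem", "install", false), ("cargo", "install", false), ("go", "install", false),
];
/// Some(is_js) when `line` runs a manager install with a positional package argument;
/// bare `npm install`/`npm ci`/`bun install` (lockfile installs) and flag-only calls give None.
fn named_network_install(line: &str) -> Option<bool> {
    let toks: Vec<&str> = line.split_whitespace().collect();
    (0..toks.len().saturating_sub(1)).find_map(|i| {
        let (_, _, js) = MANAGERS.iter().find(|&&(m, s, _)| toks[i] == m && toks[i + 1] == s)?;
        toks[i + 2..].iter()
            .take_while(|t| !matches!(**t, "&&" | "||" | ";" | "|")) // stop at a shell operator
            .any(|t| !t.starts_with('-'))
            .then_some(*js)
    })
}
/// Whole-line shell comments (e.g. `# modprobe configs`) never reach the matcher.
fn is_whole_line_comment(line: &str) -> bool { line.trim_start().starts_with('#') }
/// `submitter_changed` stands in for the coordinator's B-SUBMITTER-CHANGED signal (constructed input here).
pub fn scan_pkgbuild(package: &str, text: &str, submitter_changed: bool) -> ScanResult {
    let mut signals: Vec<Finding> = text.lines().enumerate()
        .filter(|(_, l)| !is_whole_line_comment(l))
        .filter_map(|(i, l)| named_network_install(l).map(|js| Finding {
            id: if js { "P-NET-PKG-INSTALL-JS" } else { "P-NET-PKG-INSTALL" },
            line_no: Some(i + 1), line: Some(l.trim().to_string()),
        }))
        .collect();
    if submitter_changed {
        signals.push(Finding { id: "B-SUBMITTER-CHANGED", line_no: None, line: None });
        let net = signals.iter().find(|f| f.id.starts_with("P-NET-PKG-INSTALL")).cloned();
        if let Some(net) = net { // composite gate: taken-over package + named network install
            signals.push(Finding { id: "B-ORPHAN-NET-INSTALL", ..net });
        }
    }
    ScanResult { package: package.to_string(), signals }
}
fn main() { // constructed PKGBUILD fragment modelled on the Atomic Arch pattern
    let pkgbuild = "build() {\n  # npm install fetches deps\n  npm install\n  npm install atomic-lockfile\n}";
    println!("{:#?}", scan_pkgbuild("example-pkg", pkgbuild, true).signals);
}
```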
Add demo.png to the README; replace the AUR install instructions with build-from-source (this fork isn't on the AUR); note the 2026 Atomic Arch supply-chain detection in coverage; rewrite CHANGELOG for the 0.5.0 findings rework.
Reworks traur from a trust-scorer into a findings reporter (this fork's direction).
Changed
- scan <name> fetches PKGBUILD/.install over HTTP (cgit) instead of cloning; no on-disk cache.
Removed
Added
- traur wrapper --enable/--disable/--status; scans once on --verifysource, never on the network during a build. Prompt [Y/n/d/p] (d=diff, p=flagged source).
- scan --pkgbuild <path> --source to highlight flagged lines.
Fixed