diff --git a/assets/semgrep_rules/services/find-links-without-no-index.txt b/assets/semgrep_rules/services/find-links-without-no-index.txt
index b559e0de..bd00ecaf 100644
--- a/assets/semgrep_rules/services/find-links-without-no-index.txt
+++ b/assets/semgrep_rules/services/find-links-without-no-index.txt
@@ -9,4 +9,8 @@ sphinx-reredirects==0.1.2
 // ruleid: find-links-without-no-index
 --find-links https://mlc.ai/wheels mlc-ai-nightly
---find-links --no-index https://mlc.ai/wheels
\ No newline at end of file
+--find-links --no-index https://mlc.ai/wheels
+--no-index --find-links https://mlc.ai/wheels
+// ruleid: find-links-without-no-index
+pip install --quiet --pre -U -f https://mlc.ai/wheels mlc-ai-nightly
+pip install --quiet --pre -U -f --no-index https://mlc.ai/wheels mlc-ai-nightly
diff --git a/assets/semgrep_rules/services/find-links-without-no-index.yaml b/assets/semgrep_rules/services/find-links-without-no-index.yaml
index 6abf6cfe..842fcec0 100644
--- a/assets/semgrep_rules/services/find-links-without-no-index.yaml
+++ b/assets/semgrep_rules/services/find-links-without-no-index.yaml
@@ -6,8 +6,10 @@ rules:
 - https://portswigger.net/daily-swig/dependency-confusion-attack-mounted-via-pypi-repo-exposes-flawed-package-installer-behavior
 - https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/
 confidence: LOW
-pattern-regex: '^(?!.*--no-index).*--find-links'
-message: "When --find-links is used without --no-index, pip may try to install the package from PyPI. Add --no-index to avoid dependency confusion."
+pattern-either:
+- pattern-regex: ^(?!.*--no-index).*--find-links
+- pattern-regex: ^(?!.*--no-index).*pip\s.*\s-f
+message: "When --find-links or -f is used without --no-index, pip may try to install the package from PyPI. Add --no-index to avoid dependency confusion."
 severity: INFO
 languages:
 - generic
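Review bot: The last added fixture line, `pip install --quiet --pre -U -f --no-index https://mlc.ai/wheels mlc-ai-nightly`, is meant as the non-matching "safe" example, but as a real command it is probably wrong: `-f` takes a value, and pip's option parser would presumably consume `--no-index` as that value and then treat the URL as a requirement name. Since the fixture doubles as documentation of what the rule considers safe, it should show a form that actually works, e.g. `pip install --quiet --pre -U --no-index -f https://mlc.ai/wheels mlc-ai-nightly`. The `--find-links --no-index https://mlc.ai/wheels` line carried over from the old file has the same shape, whereas the newly added `--no-index --find-links https://mlc.ai/wheels` is the usable variant.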
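Review bot: The two new `pattern-regex` values are plain unquoted scalars, while the line they replace was single-quoted; neither regex contains a YAML-significant sequence today, but a later edit adding `: `, ` #` or a leading indicator would silently change the parse, so keep them as `'^(?!.*--no-index).*--find-links'` and `'^(?!.*--no-index).*pip\s.*\s-f'`. The `pip\s` prefix on the second pattern also deserves a comment, because nothing records why `-f` is anchored to a pip command while `--find-links` is not; something like `# -f only means find-links inside a pip command; rm -f, curl -f, tar -f must not match` above that entry. Both patterns look for `--no-index` only on the same line, so a command continued with `\` that places `--no-index` on a later line is still reported, and `--no-index` in an unrelated later command on the same line suppresses the finding; that limitation is worth stating in the rule's metadata, whose stanza starts outside the hunk, or as an extra case in the fixture.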