purl-next: Validate the integrity of PURL source and binaries of popular packages in major package ecosystems.

[pombredanne]

We should be auditing the integrity of PURLs for source and binaries to detect malicious backdoors or missing source code for the 5,000 most popular PURLs in major package ecosystems, and working with upstream FOSS projects and ecosystems to resolve the key security issues uncovered.

This is about running map_deploy_to_devel and analyzing results

[chinyeungli]

This summarizes the SCIO validation of Package URL (PURL) integrity between source and binary distributions across five ecosystems: PyPI, Maven, NPM, Rust, and NuGet.

Ecosystem Coverage

• NuGet: Not supported by the current SCIO tool.
• Rust: D2D validation is not feasible, as crates.io hosts only source code, not precompiled binaries.
• PyPI, Maven, NPM: Sample sets of 5,000 projects were initially created for each. Validation was stopped once sufficient data was collected

Final Sample Sizes Use

Ecosystem	Source	Binary	Sample Size
PyPI	pypi.org	pypi.org	468
Maven	maven.org	maven.org	2,500
NPM	Github	npmjs.org	2,500

Related Discussions

• purl-next: Validate the integrity of PURL source and binaries of popular packages in PyPI #62
• purl-next: Validate the integrity of PURL source and binaries of popular packages in Maven #63
• purl-next: Validate the integrity of PURL source and binaries of popular packages in npm #64

D2D Improvement Issues Logged

• PyPI
  • Flagging Autogenerated Files in "map_deploy_to_develop" Pipeline - Pypi scancode.io#1845
  • Reducing Noise in "map_deploy_to_develop" pipeline - Pypi scancode.io#1846
  • Improving Source Mapping for .pyd scancode.io#1847
  • Improving Source Mapping for .so scancode.io#1848
  • Improving Source Mapping for .exe in rust projects scancode.io#1849
  • Improving Source Mapping for .py and .pyi scancode.io#1850
• Maven
  • Improve the .class file mapping logic within the map_deploy_to_devel pipeline scancode.io#1871
  • Exclude certain files/pattern from "map_deploy_to_devel" Java scancode.io#1872
  • Misdentify inner class in "map_deploy_to_devel" - Java scancode.io#1873
  • Compiled .class May Differ from Source Filename - map_deploy_to_devel (scala) scancode.io#1875
• NPM
  • Improving D2D mapping for npm - .map files scancode.io#1859
  • Improving D2D mapping for npm - .github/ scancode.io#1860
  • Improving D2D mapping - generated files scancode.io#1861
  • Improving D2D mapping for npm - Basename matching scancode.io#1862

These issues aim to reduce noise from generated or irrelevant files and address bugs affecting D2D validation accuracy.