fixed Thug and CI complaints + changelog + bump

Author: mlodic

.github/CHANGELOG.md

@@ -2,6 +2,15 @@
 
 [**Upgrade Guide**](https://intelowlproject.github.io/docs/IntelOwl/installation/#update-to-the-most-recent-version)
 
+## [v6.1.0](https://github.com/intelowlproject/IntelOwl/releases/tag/v6.1.0)
+This release merges all the developments performed by our Google Summer of Code contributors for this year. The program has just ended. You can read the related blogs for more info about:
+- [Nilay Gupta](https://x.com/guptanilay1): [New analyzers for IntelOwl](https://intelowlproject.github.io/blogs/gsoc24_new_analyzers_for_intelowl)
+- [Aryan Bhokare](https://www.linkedin.com/in/aryan-b-3803751a7/): [New Documentation Site for IntelOwl and friends](https://intelowlproject.github.io/blogs/gsoc24_New_documentation_site_summary)
+
+You'll get really tons of new analyzers this time to try out!
+
+Plus we have a new official [documentation site](https://intelowlproject.github.io/docs/)! Please refer to this one from now onwards.
+
 ## [v6.0.4](https://github.com/intelowlproject/IntelOwl/releases/tag/v6.0.4)
 Mostly adjusts and fixes with few new analyzers: Vulners and AILTypoSquatting Library.
 

.github/release_template.md

@@ -2,7 +2,7 @@
 
 - [ ] (optional) If we changed/added Docker Analyzers, we need to configure Docker Hub / Dependabot properly.
 - [ ] Update `CHANGELOG.md` for the new version
-- [ ] Change version number in `docs/source/schema.yml` and `docker/.env`
+- [ ] Change version number `docker/.env`
 - [ ] Verify CI Tests
 - [ ] Create release for the branch `develop`.
       Write the following statement there (change the version number):

api_app/analyzers_manager/file_analyzers/pe_info.py

@@ -1,11 +1,6 @@
 # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl
 # See the file 'LICENSE' for copying permission.
 
-# this analyzer leverage a forked version of PEfile ...
-# ... that fixes one common problem encountered in a lot of analysis
-# original repository: https://github.com/erocarrera/pefile
-# forked repository: https://github.com/mlodic/pefile
-
 import logging
 import os
 from datetime import datetime
@@ -59,6 +54,55 @@ def dotnetpe(self):
             results["is_dotnet"] = False
         return results
 
+    @staticmethod
+    def _extract_sections(pe):
+        sections = []
+        for section in pe.sections:
+            try:
+                name = section.Name.decode()
+            except UnicodeDecodeError as e:
+                name = "UnableToDecode"
+                logger.warning(f"Unable to decode section {section.Name} exception {e}")
+            section_item = {
+                "name": name,
+                "address": hex(section.VirtualAddress),
+                "virtual_size": hex(section.Misc_VirtualSize),
+                "size": section.SizeOfRawData,
+                "entropy": section.get_entropy(),
+            }
+            sections.append(section_item)
+
+        return sections
+
+    @staticmethod
+    def _extract_import_table(pe):
+        import_table = []
+        directory_entry_import = getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
+        for entry in directory_entry_import:
+            imp = {
+                "entryname": entry.dll.decode() if entry.dll else None,
+                "symbols": [],
+            }
+            for symbol in entry.imports:
+                if symbol.name:
+                    imp["symbols"].append(symbol.name.decode())
+            import_table.append(imp)
+        return import_table
+
+    @staticmethod
+    def _extract_export_table(full_dump):
+        export_table = []
+        for entry in full_dump.get("Exported symbols", []):
+            symbol_name = entry.get("Name", None)
+            # in case it is a dictionary, we do not mind it
+            try:
+                export_table.append(symbol_name.decode())
+            except (UnicodeDecodeError, AttributeError) as e:
+                logger.debug(f"PE info error while decoding export table symbols: {e}")
+        # this is to reduce the output
+        export_table = export_table[:100]
+        return export_table
+
     def run(self):
         results = {}
         results["dotnet"] = self.dotnetpe()
@@ -80,25 +124,7 @@ def run(self):
             elif pe.is_exe():
                 results["type"] = "EXE"
 
-            sections = []
-            for section in pe.sections:
-                try:
-                    name = section.Name.decode()
-                except UnicodeDecodeError as e:
-                    name = "UnableToDecode"
-                    logger.warning(
-                        f"Unable to decode section {section.Name} exception {e}"
-                    )
-                section_item = {
-                    "name": name,
-                    "address": hex(section.VirtualAddress),
-                    "virtual_size": hex(section.Misc_VirtualSize),
-                    "size": section.SizeOfRawData,
-                    "entropy": section.get_entropy(),
-                }
-                sections.append(section_item)
-
-            results["sections"] = sections
+            results["sections"] = self._extract_sections(pe)
 
             machine_value = pe.FILE_HEADER.Machine
             results["machine"] = machine_value
@@ -127,32 +153,8 @@ def run(self):
                 timestamp
             ).strftime("%Y-%m-%d %H:%M:%S")
 
-            import_table = []
-            directory_entry_import = getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
-            for entry in directory_entry_import:
-                imp = {
-                    "entryname": entry.dll.decode() if entry.dll else None,
-                    "symbols": [],
-                }
-                for symbol in entry.imports:
-                    if symbol.name:
-                        imp["symbols"].append(symbol.name.decode())
-                import_table.append(imp)
-            results["import_table"] = import_table
-
-            export_table = []
-            for entry in full_dump.get("Exported symbols", []):
-                symbol_name = entry.get("Name", None)
-                # in case it is a dictionary, we do not mind it
-                try:
-                    export_table.append(symbol_name.decode())
-                except (UnicodeDecodeError, AttributeError) as e:
-                    logger.debug(
-                        f"PE info error while decoding export table symbols: {e}"
-                    )
-            # this is to reduce the output
-            export_table = export_table[:100]
-            results["export_table"] = export_table
+            results["import_table"] = self._extract_import_table(pe)
+            results["export_table"] = self._extract_export_table(full_dump)
 
             results["flags"] = full_dump.get("Flags", [])
 

api_app/analyzers_manager/file_analyzers/thug_file.py

@@ -47,16 +47,17 @@ def run(self):
         # construct a valid dir name into which thug will save the result
         fname = str(self.filename).replace("/", "_").replace(" ", "_")
         tmp_dir = f"{fname}_{secrets.token_hex(4)}"
+        tmp_dir_full_path = "/opt/deploy/thug" + tmp_dir
         # get the file to send
         binary = self.read_file_bytes()
         # append final arguments,
         # -n -> output directory
         # -l -> the local file to analyze
-        args.extend(["-n", "/home/thug/" + tmp_dir, "-l", f"@{fname}"])
+        args.extend(["-n", tmp_dir_full_path, "-l", f"@{fname}"])
         # make request parameters
         req_data = {
             "args": args,
-            "callback_context": {"read_result_from": tmp_dir},
+            "callback_context": {"read_result_from": tmp_dir_full_path},
         }
         req_files = {fname: binary}
 

api_app/analyzers_manager/observable_analyzers/thug_url.py

@@ -46,12 +46,13 @@ def run(self):
         args = self._thug_args_builder()
         # construct a valid directory name into which thug will save the result
         tmp_dir = secrets.token_hex(4)
+        tmp_dir_full_path = "/opt/deploy/thug" + tmp_dir
         # make request data
-        args.extend(["-n", "/home/thug/" + tmp_dir, self.observable_name])
+        args.extend(["-n", tmp_dir_full_path, self.observable_name])
 
         req_data = {
             "args": args,
-            "callback_context": {"read_result_from": tmp_dir},
+            "callback_context": {"read_result_from": tmp_dir_full_path},
         }
 
         return self._docker_run(req_data=req_data, req_files=None)

api_app/serializers/plugin.py

@@ -35,7 +35,8 @@ class Meta:
         )
 
     class CustomValueField(rfs.JSONField):
-        def to_internal_value(self, data):
+        @staticmethod
+        def to_internal_value(data):
             if not data:
                 raise ValidationError({"detail": "Empty insertion"})
             logger.info(f"verifying that value {data} ({type(data)}) is JSON compliant")
@@ -84,7 +85,8 @@ def to_representation(self, value):
     plugin_name = rfs.CharField()
     value = CustomValueField()
 
-    def validate_value_type(self, value: Any, parameter: Parameter):
+    @staticmethod
+    def validate_value_type(value: Any, parameter: Parameter):
         if type(value).__name__ != parameter.type:
             raise ValidationError(
                 {
@@ -155,7 +157,8 @@ class Meta:
         fields = ["name", "type", "description", "required", "value", "is_secret"]
         list_serializer_class = ParamListSerializer
 
-    def get_value(self, param: Parameter):
+    @staticmethod
+    def get_value(param: Parameter):
         if hasattr(param, "value") and hasattr(param, "is_from_org"):
             if param.is_secret and param.is_from_org:
                 return "redacted"

docker/.env

@@ -1,6 +1,6 @@
 ### DO NOT CHANGE THIS VALUE !!
 ### It should be updated only when you pull latest changes off from the 'master' branch of IntelOwl.
 # this variable must start with "REACT_APP_" to be used in the frontend too
-REACT_APP_INTELOWL_VERSION=v6.0.4
+REACT_APP_INTELOWL_VERSION=v6.1.0
 # if you want to use a nfs volume for shared files
 # NFS_ADDRESS=

integrations/malware_tools_analyzers/Dockerfile

@@ -30,8 +30,8 @@ RUN npm install [email protected] --global --production \
 
 # Install CAPA
 WORKDIR ${PROJECT_PATH}/capa
-RUN wget -q https://github.com/mandiant/capa/releases/download/v6.1.0/capa-v6.1.0-linux.zip \
-    && unzip capa-v6.1.0-linux.zip \
+RUN wget -q https://github.com/mandiant/capa/releases/download/v7.2.0/capa-v7.2.0-linux.zip \
+    && unzip capa-v7.2.0-linux.zip \
     && ln -s ${PROJECT_PATH}/capa/capa /usr/local/bin/capa
 
 # Install Floss
@@ -74,28 +74,6 @@ RUN python3 -m venv venv \
     && pip3 install --no-cache-dir --upgrade pip \
     && pip3 install --no-cache-dir -r apkid-requirements.txt
 
-# Install Thug
-# https://github.com/buffer/thug/blob/master/docker/Dockerfile
-WORKDIR ${PROJECT_PATH}/thug
-COPY requirements/thug-requirements.txt ./
-RUN python3 -m venv venv \
-    && . venv/bin/activate \
-    && pip3 install --no-cache-dir --upgrade pip \
-    && wget -q https://github.com/cloudflare/stpyv8/releases/download/v11.1.277.14/stpyv8-ubuntu-20.04-python-3.8.zip \
-    && unzip stpyv8-ubuntu-20.04-python-3.8.zip \
-    && pip3 install --no-cache-dir stpyv8-ubuntu-20.04-3.8/stpyv8-11.1.277.14-cp38-cp38-linux_x86_64.whl \
-    && mkdir -p /usr/share/stpyv8 \
-    && mv stpyv8-ubuntu-20.04-3.8/icudtl.dat /usr/share/stpyv8 \
-    && rm -rf stpyv8-ubuntu-20.04* \
-    && git clone https://github.com/buffer/libemu.git && cd libemu && autoreconf -v -i && ./configure && make install && cd .. && rm -rf libemu && ldconfig \
-    && pip3 install --no-cache-dir -r thug-requirements.txt \
-    && git clone --depth 1 https://github.com/buffer/thug.git \
-    && mkdir -p /etc/thug \
-    && cp -R thug/thug/conf/* /etc/thug \
-    && rm -rf thug \
-    && mkdir -p /tmp/thug/logs \
-    && chown -R ${USER}:${USER} /tmp/thug/logs
-
 # Install GoReSym
 WORKDIR ${PROJECT_PATH}/goresym
 RUN wget -q https://github.com/mandiant/GoReSym/releases/download/v2.7.4/GoReSym-linux.zip \
@@ -153,6 +131,27 @@ RUN python3 -m venv venv \
     && chown -R ${USER}:${USER} /root/.semgrep \
     && chmod 711 /root
 
+# Install Thug
+# https://github.com/buffer/thug/blob/master/docker/Dockerfile
+WORKDIR ${PROJECT_PATH}/thug
+COPY requirements/thug-requirements.txt ./
+RUN python3 -m venv venv \
+    && . venv/bin/activate \
+    && pip3 install --no-cache-dir --upgrade pip \
+    # this is the python 3.9 version. Once you update the base image you should switch to the right version (cp39)
+    && wget -q https://github.com/cloudflare/stpyv8/releases/download/v12.7.224.18/stpyv8-12.7.224.18-cp39-cp39-manylinux_2_31_x86_64.whl \
+    && pip3 install --no-cache-dir stpyv8-12.7.224.18-cp39-cp39-manylinux_2_31_x86_64.whl \
+    && rm stpyv8-12.7.224.18-cp39-cp39-manylinux_2_31_x86_64.whl \
+    && mkdir -p /usr/share/stpyv8 \
+    && git clone https://github.com/buffer/libemu.git && cd libemu && autoreconf -v -i && ./configure && make install && cd .. && rm -rf libemu && ldconfig \
+    && pip3 install --no-cache-dir -r thug-requirements.txt \
+    && git clone --depth 1 https://github.com/buffer/thug.git \
+    && mkdir -p /etc/thug \
+    && cp -R thug/thug/conf/* /etc/thug \
+    && rm -rf thug \
+    && mkdir -p /tmp/thug/logs \
+    && chown -R ${USER}:${USER} /tmp/thug/logs /etc/thug
+
 # prepare fangfrisch installation
 COPY crontab /etc/cron.d/crontab
 RUN mkdir -m 0770 -p /var/lib/fangfrisch \

integrations/malware_tools_analyzers/app.py

@@ -133,18 +133,16 @@ def intercept_thug_result(context, future: Future) -> None:
     by reading the final analysis result from the saved result file
     before it is ready to be consumed.
     """
-    dir_loc = None
     # 1. get current result object
     res = future.result()
     # 2. dir from which we will read final analysis result
-    dir_name = context.get("read_result_from", None)
-    if not dir_name:
+    dir_loc = context.get("read_result_from", None)
+    if not dir_loc:
         res["error"] += ", No specified file to read result from"
         if res.get("returncode", -1) == 0:
             res["returncode"] = -1
     else:
         # 3. read saved result file, if it exists
-        dir_loc = safe_join("/opt/deploy/thug", dir_name)
         f_loc = dir_loc + "/analysis/json/analysis.json"
         if not os.path.exists(f_loc):
             res["error"] += f", result file {f_loc} does not exists."