Bug: Potential False Positive Scanning @types/node #630

@davekerber

Description

Using this config to scan my package.json:

https://github.com/cloud-copilot/iam-shrink/blob/main/.github/workflows/guarddog.yml

Specifically this line:

guarddog npm verify package.json --exclude-rules empty_information --exit-non-zero-on-finding

I've been getting this error for a few weeks now:

Found 1 potentially malicious indicators in @types/node

suspicious_passwd_access_linux: found 1 source code matches
  * Detects suspicious read access to /etc/passwd file, which is often targeted by malware for credential harvesting at node v22.18/fs.d.ts:117191
        b"readFile('/etc/passwd"

Looking in @types/node, I can't find a line 117191. But I can see things like this in the TS docs section of that file:

     /**
     * ...
     * readFile('/etc/passwd', (err, data) => {
     *   if (err) throw err;
     *   console.log(data);
     * });
     * ...
     */

Here is a permalink
https://github.com/DefinitelyTyped/DefinitelyTyped/blob/c030728c3e25d15bcb3fbf48edf2df784b9f08db/types/node/v22/fs.d.ts#L2725

So the string does technically exist in the source, but it's in the documentation of the method, so I think this is a false positive.
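To make the triage point in this report concrete, here is an added example (it is not GuardDog's rule implementation, and the two samples are constructed to resemble the quoted fs.d.ts fragment rather than copied from it). It shows why a plain regex match fires on a JSDoc comment, and how stripping `/* */` and `//` comments before matching separates documentation from executable code while keeping line numbers intact. The pattern `PASSWD_READ`, the function names and the samples are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the JSDoc fragment quoted above; the call
# only appears inside a block comment, exactly the false-positive shape.
SAMPLE_DTS = """\
/**
 * Asynchronously reads the entire contents of a file.
 *
 * readFile('/etc/passwd', (err, data) => {
 *   if (err) throw err;
 *   console.log(data);
 * });
 */
export function readFile(path: string, callback: (err: Error | null, data: Buffer) => void): void;
"""

# Constructed sample where the same call sits in real code (a true positive
# for a rule like the one in the report).
SAMPLE_CODE = """\
import { readFile } from "node:fs"; // helper used from a lifecycle script
readFile('/etc/passwd', (err, data) => { send(data); });
"""

# Assumed detection pattern, in the spirit of suspicious_passwd_access_linux.
PASSWD_READ = re.compile(r"readFile\(\s*['\"]/etc/passwd")


def strip_comments(src: str) -> str:
    """Blank out JS/TS comments, preserving newlines so line numbers survive.

    Tracks string literals so a // inside "http://..." is not treated as a
    comment. Regex literals and nested template expressions are not handled;
    that is a known limitation of this small tokenizer.
    """
    out = []
    i, n = 0, len(src)
    state, quote = "code", ""
    while i < n:
        c = src[i]
        nxt = src[i + 1] if i + 1 < n else ""
        if state == "code":
            if c == "/" and nxt == "*":
                state = "block"; out.append("  "); i += 2; continue
            if c == "/" and nxt == "/":
                state = "line"; out.append("  "); i += 2; continue
            if c in "'\"`":
                state, quote = "string", c
            out.append(c); i += 1
        elif state == "string":
            out.append(c)
            if c == "\\" and nxt:          # keep escaped char, e.g. \" or \'
                out.append(nxt); i += 2; continue
            if c == quote:
                state = "code"
            i += 1
        elif state == "line":
            if c == "\n":
                state = "code"; out.append(c)
            else:
                out.append(" ")
            i += 1
        else:  # block comment
            if c == "*" and nxt == "/":
                state = "code"; out.append("  "); i += 2; continue
            out.append(c if c == "\n" else " ")
            i += 1
    return "".join(out)


def find_matches(src: str, pattern: "re.Pattern[str]" = PASSWD_READ) -> list:
    """Return 1-based line numbers where the pattern matches."""
    return [i for i, line in enumerate(src.splitlines(), start=1) if pattern.search(line)]


def scan(src: str) -> dict:
    """Match on raw text and on comment-stripped text; flag comment-only hits."""
    raw = find_matches(src)
    code_only = find_matches(strip_comments(src))
    return {"raw": raw, "code_only": code_only,
            "likely_false_positive": bool(raw) and not code_only}


if __name__ == "__main__":
    for name, sample in (("@types/node-like .d.ts", SAMPLE_DTS), ("real call", SAMPLE_CODE)):
        print(name, scan(sample))
```

Running the block reports the `.d.ts` sample as a raw hit on line 4 with no hit once comments are removed (so `likely_false_positive` is true), while the second sample keeps its hit on line 2 after stripping. A scanner that matches only on comment-stripped source, or that reports "comment-only" hits at a lower severity, would have avoided the finding described above without losing the genuine case.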
