Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rule tuning: make severities more appropriate #510

Merged
merged 21 commits into from
Oct 12, 2024
Merged

rule tuning: make severities more appropriate #510

merged 21 commits into from
Oct 12, 2024

Conversation

tstromberg
Copy link
Collaborator

@tstromberg tstromberg commented Oct 10, 2024
edited
Loading

risk tuning, mostly relating to "HIGH" findings in Wolfi.

Add/fix testdata missing for clean Linux files.

@tstromberg tstromberg requested a review from egibs October 10, 2024 13:37
egibs
egibs approved these changes Oct 10, 2024
View reviewed changes
Copy link
Member

@egibs egibs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

Would you mind looking at wolfi-dev/os#30457?

The gitaly binary is 252MB and 66MB after being compressed which is still pretty large.

Would it make sense to tune the linux_multi_persist rule to high or just add a quick override rule for that binary?

rules/evasion/bitwise_math.yara Outdated Show resolved Hide resolved
rules/combo/stealer/crypto.yara Show resolved Hide resolved
@tstromberg @egibs
Update rules/evasion/bitwise_math.yara
845efce 
Co-authored-by: Evan Gibler <[email protected]>
Signed-off-by: Thomas Strömberg <[email protected]>
@tstromberg
Copy link
Collaborator Author

Would you mind looking at wolfi-dev/os#30457?

gitaly looks interesting.

Would it make sense to tune the linux_multi_persist rule to high or just add a quick override rule for that binary?

For now, I think the rule should hit rare enough that we should do overrides; assuming the binary we are looking at isn't doing anything bad.

@egibs
Copy link
Member

egibs commented Oct 10, 2024
edited
Loading

gitaly looks interesting.

Indeed. AFAIK none of the previous releases triggered that rule.

Update -- investigation is here: wolfi-dev/os#30457 (comment)

I'll open a PR for an override rule.

@tstromberg tstromberg enabled auto-merge (squash) October 11, 2024 14:56
@tstromberg tstromberg merged commit e3be5da into chainguard-dev:main Oct 12, 2024
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@egibs egibs egibs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tstromberg @egibs