
Add risk levels to simple output #516

Merged: 3 commits merged into chainguard-dev:main from the simple-risk branch, Oct 14, 2024

Conversation

egibs (Member) commented Oct 12, 2024

Closes: #512

This PR adds a lowercase risk level string next to scanned paths and their behaviors.

I also added consistent formatting to make the output a little cleaner.

@egibs egibs requested a review from tstromberg October 12, 2024 23:42
egibs (Member Author) commented Oct 13, 2024

Looking into why the tests are wanting to downgrade the severity of several test cases when refreshing the test data and manual scans return the correct risk level.

Concurrency: runtime.NumCPU(),
IgnoreSelf: false,
IgnoreTags: []string{"harmless"},
QuantityIncreasesRisk: true,
egibs (Member Author) commented Oct 13, 2024

@tstromberg -- without this, some of our known malicious samples are registering as high instead of critical. I guess we never noticed since the risk level was never displayed in the simple reports.

make refresh-sample-testdata calls malcontent where QuantityIncreasesRisk defaults to true, which explains the discrepancy.

egibs (Member Author):

That said, we do use QuantityIncreasesRisk: true for the markdown tests but not the diff or JSON tests.

@@ -40,7 +41,7 @@ func (r Simple) File(_ context.Context, fr *malcontent.FileReport) error {
})

for _, b := range bs {
fmt.Fprintf(r.w, "%s\n", b.ID)
fmt.Fprintf(r.w, "%s:%s%s\n", b.ID, strings.Repeat(" ", maxLength(bs)-len(b.ID)+1), strings.ToLower(b.RiskLevel))
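Review bot: maxLength(bs) is called inside the for _, b := range bs loop on the new Fprintf line, so the longest ID is recomputed for every behavior; compute it once before the loop (width := maxLength(bs)) and use width-len(b.ID)+1 in the loop body. Padding every line to the longest ID also means that adding a single long rule ID rewrites every other line of the sample output, so sample diffs stop showing only the behavior that actually changed; a fixed single space ("%s: %s\n") avoids that.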
Collaborator:

Can you just make this a single space between the ID and the risk level? Otherwise, we'll end up with the same inscrutable diff problem that markdown samples have today.

egibs (Member Author):

Updated in 8395a2a (#516).

Signed-off-by: egibs <[email protected]>
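The two points in the thread above, that QuantityIncreasesRisk can move a sample from high to critical in the simple report, and that padding IDs to the longest one makes sample diffs churn, are illustrated below with a small added example. This is illustrative code written for this page, not malcontent's own reporting or risk-scoring code: the Behavior type, the level ordering, the "bump one level when at least threshold behaviors share the top level" rule, the threshold value and the sample rule IDs are all assumptions made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Behavior is a stand-in for one matched rule: its ID and the risk level
// string the rule carries (e.g. "HIGH"). Hypothetical type for this example,
// not malcontent's malcontent.Behavior.
type Behavior struct {
	ID        string
	RiskLevel string
}

// Assumed ordering of risk levels, lowest to highest.
var levels = []string{"harmless", "low", "medium", "high", "critical"}

// rank maps a level string (case-insensitive) to its index in levels, or -1.
func rank(level string) int {
	for i, l := range levels {
		if strings.EqualFold(l, level) {
			return i
		}
	}
	return -1
}

// overallRisk computes a file-level risk from its behaviors: the highest
// behavior level, bumped up one step when quantityIncreasesRisk is set and
// at least threshold behaviors share that top level. The bump rule and the
// threshold are assumptions for illustration, not malcontent's algorithm.
func overallRisk(bs []Behavior, quantityIncreasesRisk bool, threshold int) string {
	top, count := -1, 0
	for _, b := range bs {
		r := rank(b.RiskLevel)
		switch {
		case r < 0:
			continue // unknown level string: ignore it
		case r > top:
			top, count = r, 1
		case r == top:
			count++
		}
	}
	if top < 0 {
		return levels[0]
	}
	if quantityIncreasesRisk && count >= threshold && top < len(levels)-1 {
		top++
	}
	return levels[top]
}

// render writes a simple-style report: the path with its file-level risk,
// then one "<id> <risk>" line per behavior, sorted by ID, risk lowercased.
// With padIDs the ID column is padded to the longest ID; without it a single
// space separates the columns.
func render(path, fileRisk string, bs []Behavior, padIDs bool) string {
	sorted := append([]Behavior(nil), bs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].ID < sorted[j].ID })

	width := 0 // computed once, outside the loop
	if padIDs {
		for _, b := range sorted {
			if len(b.ID) > width {
				width = len(b.ID)
			}
		}
	}

	var sb strings.Builder
	fmt.Fprintf(&sb, "%s: %s\n", path, strings.ToLower(fileRisk))
	for _, b := range sorted {
		fmt.Fprintf(&sb, "%-*s %s\n", width, b.ID, strings.ToLower(b.RiskLevel))
	}
	return sb.String()
}

// changedLines counts lines of next that do not appear verbatim in prev: a
// rough measure of how much a refreshed sample would churn in a diff.
func changedLines(prev, next string) int {
	seen := map[string]bool{}
	for _, l := range strings.Split(prev, "\n") {
		seen[l] = true
	}
	n := 0
	for _, l := range strings.Split(next, "\n") {
		if !seen[l] {
			n++
		}
	}
	return n
}

// Constructed sample behaviors; these are not real malcontent rule IDs.
var sampleA = []Behavior{{"net/connect", "MEDIUM"}, {"exec/shell", "HIGH"}}
var sampleB = append(append([]Behavior(nil), sampleA...),
	Behavior{"persist/launchd/longer-rule-name", "HIGH"})

func main() {
	fmt.Print(render("/tmp/sample", overallRisk(sampleB, true, 2), sampleB, false))
	fmt.Println("padded churn:  ", changedLines(render("/tmp/sample", "high", sampleA, true), render("/tmp/sample", "high", sampleB, true)))
	fmt.Println("unpadded churn:", changedLines(render("/tmp/sample", "high", sampleA, false), render("/tmp/sample", "high", sampleB, false)))
}
```

With the quantity bump enabled, sampleB (two HIGH behaviors) reports critical while sampleA reports high, which is the kind of difference a test config without QuantityIncreasesRisk would surface as a spurious downgrade. Adding one long rule ID to the padded layout rewrites every behavior line, whereas the single-space layout changes only the line that was added.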
@egibs egibs requested a review from tstromberg October 14, 2024 14:19
@tstromberg tstromberg merged commit 4ea3bad into chainguard-dev:main Oct 14, 2024
6 checks passed
tstromberg pushed a commit to tstromberg/malcontent that referenced this pull request Oct 14, 2024
* Add risk levels to simple output

Signed-off-by: egibs <[email protected]>

* Fix tests; appease the linter

Signed-off-by: egibs <[email protected]>

* One space

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
tstromberg added a commit that referenced this pull request Oct 15, 2024
…ike (#524)

* Add more macOS detections

* macOS alert tuning

* Add risk levels to simple output (#516)

* Add risk levels to simple output

Signed-off-by: egibs <[email protected]>

* Fix tests; appease the linter

Signed-off-by: egibs <[email protected]>

* One space

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>

* update makefile

* Fix --min-risk behavior re: overrides (#523)

Signed-off-by: egibs <[email protected]>

* refresh testdata

* refresh testdata

---------

Signed-off-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
@egibs egibs deleted the simple-risk branch October 15, 2024 22:11
Successfully merging this pull request may close these issues.

Add risk values to simple output