
Fix --min-risk behavior re: overrides #523

Merged 2 commits, Oct 14, 2024

Conversation

egibs (Member) commented Oct 14, 2024

Closes: #522

We weren't applying overrides correctly when specifying minimum risk levels because we were dropping the override rule (of lower severity) before adding it to the fr.Overrides slice.

With this change (using a simple high -> medium override):

$ go run cmd/mal/mal.go --min-risk high --quantity-increases-risk=true  analyze ./out/samples-0ff28cbe99bc4610c58016faeb1a806a6e5cebbb/windows/2024.GitHub.Clipper/raw.py
🔎 Scanning "./out/samples-0ff28cbe99bc4610c58016faeb1a806a6e5cebbb/windows/2024.GitHub.Clipper/raw.py"
out/samples-0ff28cbe99bc4610c58016faeb1a806a6e5cebbb/windows/2024.GitHub.Clipper/raw.py [🚨 CRITICAL]
-------------------------------------------------------------------------------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                             EVIDENCE                                                                                 
-------------------------------------------------------------------------------------------------------------------------------------------------------------
MED   ref/site/exe          accesses hardcoded executable endpoint  https://cdn.discordapp.com/attachments/1222129364288671834/1224848705887404072/main.exe  
HIGH  combo/dropper/python  fetch, stores, and execute programs     open(                                                                                    
                                                                    write(                                                                                   
HIGH  ref/site/download     References known file hosting site      cdn.discordapp.com                                                                       
-------------------------------------------------------------------------------------------------------------------------------------------------------------

Without (and the override rule present):

$ go run cmd/mal/mal.go --min-risk high --quantity-increases-risk=true  analyze ./out/samples-0ff28cbe99bc4610c58016faeb1a806a6e5cebbb/windows/2024.GitHub.Clipper/raw.py
🔎 Scanning "./out/samples-0ff28cbe99bc4610c58016faeb1a806a6e5cebbb/windows/2024.GitHub.Clipper/raw.py"
out/samples-0ff28cbe99bc4610c58016faeb1a806a6e5cebbb/windows/2024.GitHub.Clipper/raw.py [🚨 CRITICAL]
-------------------------------------------------------------------------------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                             EVIDENCE                                                                                 
-------------------------------------------------------------------------------------------------------------------------------------------------------------
HIGH  combo/dropper/python  fetch, stores, and execute programs     open(                                                                                    
                                                                    write(                                                                                   
HIGH  ref/site/download     References known file hosting site      cdn.discordapp.com                                                                       
HIGH  ref/site/exe          accesses hardcoded executable endpoint  https://cdn.discordapp.com/attachments/1222129364288671834/1224848705887404072/main.exe  
-------------------------------------------------------------------------------------------------------------------------------------------------------------
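
The ordering bug the description refers to, modelled in Go as an added example that is not malcontent's own code: a constructed `Match` type stands in for a rule hit, an override rule is represented by an `OverridesKey` field, and the override rule key `override/discord-exe` is hypothetical. `buggyReport` runs the min-risk filter over every match before collecting overrides, so the MED override rule is dropped and `ref/site/exe` stays HIGH; `fixedReport` separates override rules first, regardless of their own severity, which reproduces the MED result shown in the first output above.

```go
package main

import "fmt"

// Risk levels, ordered so they can be compared numerically.
const (
	Low = iota + 1
	Medium
	High
	Critical
)

var riskName = map[int]string{Low: "LOW", Medium: "MED", High: "HIGH", Critical: "CRIT"}

// Match is a constructed model of a rule hit; it is not malcontent's own type.
// A match whose OverridesKey is set is an override rule: it downgrades the
// named rule to this match's Risk and is never reported on its own.
type Match struct {
	Key          string
	Risk         int
	OverridesKey string
}

// sampleMatches mirrors the findings in the PR description: three HIGH hits plus
// a hypothetical MED override rule (key "override/discord-exe") for ref/site/exe.
var sampleMatches = []Match{
	{Key: "combo/dropper/python", Risk: High},
	{Key: "ref/site/download", Risk: High},
	{Key: "ref/site/exe", Risk: High},
	{Key: "override/discord-exe", Risk: Medium, OverridesKey: "ref/site/exe"},
}

// filterMinRisk drops every match below minRisk, override rules included.
func filterMinRisk(matches []Match, minRisk int) []Match {
	var kept []Match
	for _, m := range matches {
		if m.Risk >= minRisk {
			kept = append(kept, m)
		}
	}
	return kept
}

// splitOverrides separates ordinary findings from override rules.
func splitOverrides(matches []Match) (findings, overrides []Match) {
	for _, m := range matches {
		if m.OverridesKey != "" {
			overrides = append(overrides, m)
		} else {
			findings = append(findings, m)
		}
	}
	return findings, overrides
}

// applyOverrides rewrites the risk of any finding targeted by an override rule.
func applyOverrides(findings, overrides []Match) []Match {
	target := make(map[string]int, len(overrides))
	for _, o := range overrides {
		target[o.OverridesKey] = o.Risk
	}
	out := make([]Match, 0, len(findings))
	for _, f := range findings {
		if r, ok := target[f.Key]; ok {
			f.Risk = r
		}
		out = append(out, f)
	}
	return out
}

// buggyReport models the pre-fix order: the min-risk filter runs over every
// match first, so a MED override rule is discarded before it is collected.
func buggyReport(matches []Match, minRisk int) []Match {
	findings, overrides := splitOverrides(filterMinRisk(matches, minRisk))
	return applyOverrides(findings, overrides)
}

// fixedReport collects override rules before filtering, whatever their own
// severity, then filters the ordinary findings and applies the overrides.
func fixedReport(matches []Match, minRisk int) []Match {
	findings, overrides := splitOverrides(matches)
	return applyOverrides(filterMinRisk(findings, minRisk), overrides)
}

// riskOf returns the reported risk name for key, or "" if key was not reported.
func riskOf(findings []Match, key string) string {
	for _, f := range findings {
		if f.Key == key {
			return riskName[f.Risk]
		}
	}
	return ""
}

func printReport(label string, report []Match) {
	fmt.Printf("%s (--min-risk high):\n", label)
	for _, f := range report {
		fmt.Printf("  %-5s %s\n", riskName[f.Risk], f.Key)
	}
}

func main() {
	printReport("buggy", buggyReport(sampleMatches, High))
	printReport("fixed", fixedReport(sampleMatches, High))
}
```

Note that in the fixed ordering the overridden finding is still listed even though its final MED risk is below the threshold: min-risk is applied to the finding's original severity, and the override only rewrites the reported level afterwards, which is exactly what the first output block shows.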

@egibs egibs requested a review from tstromberg October 14, 2024 16:30
@tstromberg tstromberg enabled auto-merge (squash) October 14, 2024 18:13
@tstromberg tstromberg merged commit a08d983 into chainguard-dev:main Oct 14, 2024
6 checks passed
tstromberg pushed a commit to tstromberg/malcontent that referenced this pull request Oct 14, 2024
tstromberg added a commit that referenced this pull request Oct 15, 2024
…ike (#524)

* Add more macOS detections

* macOS alert tuning

* Add risk levels to simple output (#516)

* Add risk levels to simple output

Signed-off-by: egibs <[email protected]>

* Fix tests; appease the linter

Signed-off-by: egibs <[email protected]>

* One space

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>

* update makefile

* Fix --min-risk behavior re: overrides (#523)

Signed-off-by: egibs <[email protected]>

* refresh testdata

* refresh testdata

---------

Signed-off-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
@egibs egibs deleted the fix-min-risk-overrides branch October 15, 2024 22:11
Successfully merging this pull request may close these issues.

--min-risk=high breaks overrides