Ignore JSON files, except for NPM package.json files

pkg/action/testdata/scan_oci

@@ -83,110 +83,6 @@
             "SHA256": "",
             "Size": 0,
             "RiskScore": 0
-        },
-        "/var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json": {
-            "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json",
-            "SHA256": "da392082c5abe93e62ac6b557fd1dae8aedb16851c76a8b0b942235c4f24fcf2",
-            "Size": 1768,
-            "Behaviors": [
-                {
-                    "Description": "download files",
-                    "MatchStrings": [
-                        "downloadLocation"
-                    ],
-                    "RiskScore": 2,
-                    "RiskLevel": "MEDIUM",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download",
-                    "ID": "net/download",
-                    "RuleName": "download"
-                },
-                {
-                    "Description": "contains embedded HTTPS URLs",
-                    "MatchStrings": [
-                        "https://spdx.org/spdxdocs/chainguard/melange/e8bb6c0f7fc0c77fe29111695575"
-                    ],
-                    "RiskScore": 1,
-                    "RiskLevel": "LOW",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
-                    "ID": "net/url/embedded",
-                    "RuleName": "https_url"
-                }
-            ],
-            "RiskScore": 2,
-            "RiskLevel": "MEDIUM"
-        },
-        "/var/lib/db/sbom/tzdata-2024b-r0.spdx.json": {
-            "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/tzdata-2024b-r0.spdx.json",
-            "SHA256": "d30d9bc94854359f6e4164fca583b5a51e1a6625c7e8b4b0563364e676a5bcaf",
-            "Size": 1725,
-            "Behaviors": [
-                {
-                    "Description": "download files",
-                    "MatchStrings": [
-                        "downloadLocation"
-                    ],
-                    "RiskScore": 2,
-                    "RiskLevel": "MEDIUM",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download",
-                    "ID": "net/download",
-                    "RuleName": "download"
-                },
-                {
-                    "Description": "contains embedded HTTPS URLs",
-                    "MatchStrings": [
-                        "https://spdx.org/spdxdocs/chainguard/melange/7b86e6ff94c1f8dfe207a3ffaf7f"
-                    ],
-                    "RiskScore": 1,
-                    "RiskLevel": "LOW",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
-                    "ID": "net/url/embedded",
-                    "RuleName": "https_url"
-                },
-                {
-                    "Description": "Uses timezone information",
-                    "MatchStrings": [
-                        "tzdata"
-                    ],
-                    "RiskScore": 1,
-                    "RiskLevel": "LOW",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/os/time/tzinfo.yara#tzinfo",
-                    "ID": "os/time/tzinfo",
-                    "RuleName": "tzinfo"
-                }
-            ],
-            "RiskScore": 2,
-            "RiskLevel": "MEDIUM"
-        },
-        "/var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json": {
-            "Path": "testdata/static.tar.xz ∴ /var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json",
-            "SHA256": "2553d473dbfb8842254573d68cd3e857b2e9546fb746d8ae7fc3c243c9eca8ca",
-            "Size": 1425,
-            "Behaviors": [
-                {
-                    "Description": "download files",
-                    "MatchStrings": [
-                        "downloadLocation"
-                    ],
-                    "RiskScore": 2,
-                    "RiskLevel": "MEDIUM",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download",
-                    "ID": "net/download",
-                    "RuleName": "download"
-                },
-                {
-                    "Description": "contains embedded HTTPS URLs",
-                    "MatchStrings": [
-                        "https://spdx.org/spdxdocs/chainguard/melange/568a7518ce6c3bdb5ddcf51a311c"
-                    ],
-                    "RiskScore": 1,
-                    "RiskLevel": "LOW",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url",
-                    "ID": "net/url/embedded",
-                    "RuleName": "https_url"
-                }
-            ],
-            "RiskScore": 2,
-            "RiskLevel": "MEDIUM"
         }
     }
 }

pkg/programkind/programkind.go

@@ -42,7 +42,6 @@ var supportedKind = map[string]string{
 	"html":    "",
 	"java":    "text/x-java",
 	"js":      "application/javascript",
-	"json":    "application/json",
 	"lnk":     "application/x-ms-shortcut",
 	"lua":     "text/x-lua",
 	"macho":   "application/x-mach-binary",
@@ -77,6 +76,12 @@ type FileType struct {
 
 func makeFileType(path string, ext string, mime string) *FileType {
 	ext = strings.TrimPrefix(ext, ".")
+
+	// the only JSON files we currently scan are NPM package metadata, which ends in *package.json
+	if strings.HasSuffix(path, "package.json") {
+		return &FileType{MIME: "application/json", Ext: ext}
+	}
+
 	if supportedKind[ext] == "" {
 		return nil
 	}
@@ -169,8 +174,5 @@ func File(path string) (*FileType, error) {
 func Path(path string) *FileType {
 	ext := strings.ReplaceAll(filepath.Ext(path), ".", "")
 	mime := supportedKind[ext]
-	if mime != "" {
-		return &FileType{MIME: mime, Ext: ext}
-	}
-	return nil
+	return makeFileType(path, ext, mime)
 }

pkg/programkind/programkind_test.go

@@ -47,6 +47,9 @@ func TestPath(t *testing.T) {
 		{"./shell.sh", &FileType{MIME: "application/x-sh", Ext: "sh"}},
 		{"ls", nil},
 		{"/etc/systemd/system/launcher.service", &FileType{MIME: "text/x-systemd", Ext: "service"}},
+		{"yarn-package.json", &FileType{MIME: "application/json", Ext: "json"}},
+		{"/home/yeti/.hidden/package.json", &FileType{MIME: "application/json", Ext: "json"}},
+		{"unknown.json", nil},
 	}
 	for _, tt := range tests {
 		t.Run(tt.in, func(t *testing.T) {

tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple

@@ -1,8 +0,0 @@
-# javascript/clean/3937.844b09f50594ca2613b4.js.map: medium
-exec/shell/power: medium
-false-positives/mattermost: low
-fs/directory/remove: low
-fs/file/copy: medium
-fs/file/delete: medium
-net/download/fetch: medium
-net/url/embedded: low

tests/javascript/clean/index.js.map.simple

@@ -1,14 +0,0 @@
-# javascript/clean/index.js.map: medium
-crypto/aes: low
-crypto/cipher: medium
-crypto/decrypt: low
-crypto/encrypt: medium
-crypto/public_key: low
-data/encoding/base64: low
-data/encoding/json_decode: low
-data/encoding/json_encode: low
-net/http/auth: low
-net/http/form_upload: medium
-net/http/post: medium
-net/url/embedded: low
-net/url/parse: low

tests/linux/clean/appsec-rules.json.simple

@@ -1,75 +0,0 @@
-# linux/clean/appsec-rules.json: critical
-collect/databases/mysql: medium
-collect/databases/postgresql: medium
-collect/databases/sqlite: medium
-credential/cloud/aws: medium
-credential/os/gshadow: medium
-credential/os/shadow: medium
-credential/password: low
-credential/server/htpasswd: medium
-credential/shell/bash_history: high
-credential/shell/zsh_history: high
-credential/ssh: high
-credential/ssh/authorized_hosts: medium
-credential/ssh/d: medium
-crypto/openssl: medium
-data/base64/decode: medium
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/zlib: low
-data/compression/zstd: low
-data/encoding/base64: low
-discover/multiple: medium
-discover/system/dmesg: low
-discover/system/platform: low
-discover/user/USER: low
-discover/user/name_get: medium
-evasion/bypass_security/linux/iptables: medium
-evasion/bypass_security/linux/ufw: medium
-evasion/file/prefix: medium
-evasion/logging/acct: low
-evasion/process_injection/readelf: medium
-exec/plugin: low
-exec/shell/bash_dev_udp: medium
-exec/shell/command: medium
-exec/shell/nohup: medium
-exec/system_controls/apparmor: medium
-exec/system_controls/systemd: low
-exec/tty/pathname: medium
-exfil: medium
-exfil/stealer/linux_server: high
-fs/fifo_create: low
-fs/file/times_set: medium
-fs/lock_update: low
-fs/mount: low
-fs/node_create: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/home: low
-fs/path/home_config: low
-fs/path/tmp: medium
-fs/path/var: low
-fs/permission/modify: medium
-hw/hardware_enumeration: medium
-hw/wireless: low
-impact/exploit: medium
-impact/exploit/cve: medium
-impact/remote_access/iptables: medium
-net/dns/servers: low
-net/download: medium
-net/ftp/t: low
-net/http/cookies: medium
-net/http/webhook: medium
-net/ip/host_port: medium
-net/socket/connect: medium
-net/tcp/sftp: medium
-persist/cron/tab: medium
-persist/daemon: medium
-persist/linux_multi: high
-persist/shell/bash: high
-persist/shell/zsh: medium
-persist/ssh_authorized_keys: medium
-process/chroot: low
-process/unshare: low
-sec-tool/net/nmap: medium

tests/linux/clean/aws-c-io/aws-c-io.sdiff

@@ -1,3 +0,0 @@
->>> moved: linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json -> linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json (score: 0.988000)
-net/download
-net/url/embedded

tests/linux/clean/default_config.json.simple

@@ -1,76 +0,0 @@
-# linux/clean/default_config.json: critical
-collect/databases/mysql: medium
-collect/databases/postgresql: medium
-collect/databases/sqlite: medium
-credential/cloud/aws: medium
-credential/os/gshadow: medium
-credential/os/shadow: medium
-credential/password: low
-credential/server/htpasswd: medium
-credential/shell/bash_history: high
-credential/shell/zsh_history: high
-credential/ssh: high
-credential/ssh/authorized_hosts: medium
-credential/ssh/d: medium
-crypto/openssl: medium
-data/base64/decode: medium
-data/compression/bzip2: low
-data/compression/gzip: low
-data/compression/lzma: low
-data/compression/zlib: low
-data/compression/zstd: low
-data/encoding/base64: low
-discover/multiple: medium
-discover/system/dmesg: low
-discover/system/platform: low
-discover/user/USER: low
-discover/user/name_get: medium
-evasion/bypass_security/linux/iptables: medium
-evasion/bypass_security/linux/ufw: medium
-evasion/file/prefix: medium
-evasion/logging/acct: low
-evasion/process_injection/readelf: medium
-exec/plugin: low
-exec/shell/bash_dev_udp: medium
-exec/shell/command: medium
-exec/shell/nohup: medium
-exec/system_controls/apparmor: medium
-exec/system_controls/systemd: low
-exec/tty/pathname: medium
-exfil: medium
-exfil/stealer/linux_server: high
-fs/fifo_create: low
-fs/file/times_set: medium
-fs/lock_update: low
-fs/mount: low
-fs/node_create: low
-fs/path/etc: low
-fs/path/etc_hosts: medium
-fs/path/home: low
-fs/path/home_config: low
-fs/path/tmp: medium
-fs/path/var: low
-fs/permission/modify: medium
-hw/hardware_enumeration: medium
-hw/wireless: low
-impact/exploit: medium
-impact/exploit/cve: medium
-impact/remote_access/iptables: medium
-net/dns/servers: low
-net/download: medium
-net/ftp/t: low
-net/http/cookies: medium
-net/http/webhook: medium
-net/ip/host_port: medium
-net/socket/connect: medium
-net/tcp/sftp: medium
-persist/cron/tab: medium
-persist/daemon: medium
-persist/linux_multi: high
-persist/shell/bash: high
-persist/shell/zsh: medium
-persist/ssh_authorized_keys: medium
-process/chroot: low
-process/unshare: low
-sec-tool/net/masscan: high
-sec-tool/net/nmap: medium

tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple

@@ -1,5 +0,0 @@
-# linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json: medium
-exec/shell/power: medium
-impact/degrade/win_defender: low
-net/download: medium
-net/url/embedded: low

tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple

@@ -1,9 +0,0 @@
-# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: medium
-3P/sig_base/hacktool_strings_p0wnedshell: low
-exec/shell/power: medium
-impact/infection/infected: medium
-malware/ref: medium
-mem/protect: low
-net/download: medium
-net/url/embedded: low
-sus/malicious: medium

tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple

@@ -1,17 +0,0 @@
-# linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json: critical
-evasion/file/location/dev_shm: medium
-evasion/file/prefix: high
-evasion/file/prefix/dev: low
-exec/shell/command: medium
-exec/system_controls/systemd: low
-fs/path/etc: low
-fs/path/etc_initd: medium
-fs/path/home: low
-fs/path/home_config: low
-fs/path/root: medium
-fs/path/usr_local: medium
-fs/path/var: low
-net/url/embedded: low
-persist/shell/bash: high
-persist/shell/zsh: medium
-privesc/sudoers: medium

tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple

@@ -1,9 +0,0 @@
-# linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json: critical
-anti-static/obfuscation/powershell: critical
-exec/shell/command: medium
-exec/shell/power: medium
-false-positives/kibana: low
-malware/ref: medium
-net/download: medium
-net/download/fetch: medium
-net/url/embedded: low

tests/linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json.simple

@@ -1,7 +0,0 @@
-# linux/clean/kibana/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_108.json: medium
-impact/exploit: medium
-impact/exploit/cve: medium
-impact/exploit/pwnkit: low
-impact/remote_access/agent: medium
-net/url/embedded: low
-os/fd/multiplex: low

tests/linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json.simple

@@ -1,7 +0,0 @@
-# linux/clean/kibana/951779c2-82ad-4a6c-82b8-296c1f691449_2.json: medium
-3P/sig_base/p0wnedpotato: low
-exec/shell/power: medium
-net/download: medium
-net/rpc/ntlm: medium
-net/url/embedded: low
-sus/intercept: medium