Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Leverage yr scan --profile to tune slowest rules #708

Merged
merged 7 commits into from
Dec 16, 2024
Merged

Leverage yr scan --profile to tune slowest rules #708

merged 7 commits into from
Dec 16, 2024

Conversation

egibs
Copy link
Member

@egibs egibs commented Dec 16, 2024

There were a few rules that yr scan showed as being slow in main, especially decompress_base64_entropy:

 1592 file(s) scanned in 7.4s. 559 file(s) matched.

«««««««««««« PROFILING INFORMATION »»»»»»»»»»»»

Slowest rules:

* rule                 : decompress_base64_entropy
  namespace            : default
  pattern matching     : 26.565195737s
  condition evaluation : 249.969µs
  TOTAL                : 26.565445706s

* rule                 : http_archive_url
  namespace            : default
  pattern matching     : 273.386026ms
  condition evaluation : 28.231µs
  TOTAL                : 273.414257ms

* rule                 : http_archive_url_higher
  namespace            : default
  pattern matching     : 273.386026ms
  condition evaluation : 21.056µs
  TOTAL                : 273.407082ms

* rule                 : osascript_window_closer
  namespace            : default
  pattern matching     : 271.315156ms
  condition evaluation : 18.015µs
  TOTAL                : 271.333171ms

* rule                 : osascript_quitter
  namespace            : default
  pattern matching     : 271.231338ms
  condition evaluation : 19.172µs
  TOTAL                : 271.25051ms

With these tweaks, the decompress_base64_entropy rule is now much, much faster with the other rules seeing a small improvement as well:

 1592 file(s) scanned in 4.0s. 559 file(s) matched.

«««««««««««« PROFILING INFORMATION »»»»»»»»»»»»

Slowest rules:

* rule                 : http_archive_url
  namespace            : default
  pattern matching     : 272.495941ms
  condition evaluation : 21.731µs
  TOTAL                : 272.517672ms

* rule                 : http_archive_url_higher
  namespace            : default
  pattern matching     : 272.495941ms
  condition evaluation : 14.334µs
  TOTAL                : 272.510275ms

* rule                 : decompress_base64_entropy
  namespace            : default
  pattern matching     : 122.998664ms
  condition evaluation : 7.835µs
  TOTAL                : 123.006499ms

* rule                 : osascript_window_closer
  namespace            : default
  pattern matching     : 122.534656ms
  condition evaluation : 14.036µs
  TOTAL                : 122.548692ms

* rule                 : osascript_quitter
  namespace            : default
  pattern matching     : 122.51377ms
  condition evaluation : 10.88µs
  TOTAL                : 122.52465ms

With these changes, yr compile runs cleanly and we get no performance warnings.

@egibs egibs requested a review from tstromberg December 16, 2024 15:38
@egibs
Run make yara-x-fmt
477b283 
Signed-off-by: egibs <[email protected]>
@tstromberg tstromberg merged commit 3903332 into chainguard-dev:main Dec 16, 2024
8 checks passed
@egibs egibs deleted the yara-x-profiling-findings branch January 17, 2025 23:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tstromberg tstromberg tstromberg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@egibs @tstromberg