Update diff output to delineate between changed and unchanged files

[egibs]

Closes: #689

This PR adds better context when rendering diffs across the bubbletea, markdown, simple, and terminal renderers.

For example:

$ go run cmd/mal/mal.go diff out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.40/ out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/
├─ 🟡 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/nn/autobackend.py
│     ≡ collection [MEDIUM]
│       🟡 archives/zip — Works with zip files: zipfile
│     ≡ command & control [MEDIUM]
│       🟡 tool_transfer/os — references multiple operating systems: Darwin, Linux, Windows, https://
│     ≡ data [LOW]
│       🔵 encoding/json_decode — Decodes JSON messages: json.loads
│     ≡ discovery [MEDIUM]
│       🟡 system/platform — system platform identification: platform.system()
│     ≡ execution [MEDIUM]
│       🔵 imports/python — imports python modules:
│          from PIL import Image, from collections import OrderedDict, from pathlib import Path, from ultralytics.engine.exporter im…
│       🟡 remote_commands/code_eval — evaluate code dynamically using eval(): eval(v)
│     ≡ filesystem [MEDIUM]
│       🔵 file/open — opens files: open(
│       🟡 file/read — opens a binary file for read: open(w, "rb")
│     ≡ networking [MEDIUM]
│       🟡 download — download files: Download if not local, downloads import attempt, import attempt_download_asset, nvidia-tensorrt-download
│       🔵 url/embedded — contains embedded HTTPS URLs:
│          https://coral.ai/docs/edgetpu/tflite-python/, https://coral.ai/software/, https://developer.nvidia.com/nvidia-tensorrt-do…
│       🔵 url/parse — Handles URL strings: urllib
│     ≡ operating-system [LOW]
│       🔵 fd/read — reads from a file handle: ParseFromString(f.read(), deserialize_cuda_engine(f.read(), x.read()
│
├─ 🔵 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/solutions/heatmap.py
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules:
│          from ultralytics.solutions import Heatmap, from ultralytics.utils.plotting import Annotator, import cv2, import numpy
│
├─ 🟡 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/engine/predictor.py
│     ≡ command & control [MEDIUM]
│       🟡 tool_transfer/os — references multiple operating systems: Linux, https://, macOS
│     ≡ discovery [MEDIUM]
│       🟡 system/platform — system platform identification: platform.system()
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules:
│          from pathlib import Path, from ultralytics.cfg import get, from ultralytics.data import load, from ultralytics.data.augme…
│     ≡ filesystem [LOW]
│       🔵 directory/create — creates directories: mkdir
│     ≡ networking [LOW]
│       🔵 url/embedded — contains embedded HTTPS URLs: https://docs.ultralytics.com/modes/predict/, https://youtu.be/LNwODJXcvt4
│     ≡ operating-system [LOW]
│       🔵 fd/multiplex — monitor multiple file descriptors: select
│
├─ 🟡 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/checks.py
│     ≡ anti-static [LOW]
│       🔵 obfuscation/bitwise — uses bitwise math: 1 << 30
│     ≡ command & control [MEDIUM]
│       🟡 addr/url — contains hardcoded endpoint with a question mark: https://url.com/file.txt?auth, import, requests.get
│       🟡 refs — downloads files: download file
│       🔵 tool_transfer/os — references a specific operating system: Windows, http://, https://
│     ≡ discovery [MEDIUM]
│       🟡 system/platform — system platform identification: platform.platform()
│       🔵 user/USER — Looks up the USER name of the current user: environ, getenv
│     ≡ execution [MEDIUM]
│       🔵 imports/python — imports python modules:
│          from IPython import display, from importlib import metadata, from matplotlib import font, from pathlib import Path, from …
│       🟡 install_additional/pip_install — Installs software using pip from python:
│          pip install --no-cache-dir, pip install -U, pip install command, pip install torchvision
│       🟡 program — execute external program:
│          subprocess.CalledProcessError, FileNotFoundError, ValueError):, subprocess.check_output(f"git -C {path} describe --tags -…
│       🟡 remote_commands/code_eval — evaluate code dynamically using eval(): eval(imgsz)
│     ≡ networking [MEDIUM]
│       🟡 download — download files:
│          download YAML file, download_dir, elif download and file, font locally or download to user, if downloads, safe_download, …
│       🔵 tcp/grpc — Uses the gRPC Remote Procedure Call framework
│       🔵 url/embedded — contains embedded HTTPS URLs:
│          https://git-scm.com/docs/git-describe., https://github.com/pytorch/vision, https://github.com/ultralytics/assets/releases…
│       🔵 url/parse — Handles URL strings: urllib
│       🟡 url/request — requests resources via URL: import requests, requests.get(f
│
├─ 🟡 Changed (3 added, 0 removed): out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/engine/model.py
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules
│+    ▲ networking [NONE → MEDIUM]
│+      🟡 download — download files: download_dir
│+      🔵 url/embedded — contains embedded HTTPS URLs:
│+         https://docs.ultralytics.com, https://hub.ultralytics.com/models/MODEL, https://ultralytics.com/images/bus.jpg, https://u…
│+      🔵 url/parse — Handles URL strings: urllib
│
├─ 😈 Changed (5 added, 0 removed): out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/downloads.py
│     ≡ anti-static [LOW]
│       🔵 obfuscation/bitwise — uses bitwise math
│     ≡ collection [MEDIUM]
│       🟡 archives/zip — Works with zip files
│       🔵 code/github_api — access GitHub API
│     ▲ command & control [MEDIUM → HIGH]
│       🟡 addr/url — contains hardcoded endpoint with a question mark
│       🟡 tool_transfer/download — accesses hardcoded archive file endpoint
│+      🛑 tool_transfer/github — downloads program from GitHub blob:
│+         api.github.com/repos/ultralytics/ultralytics/git/blobs/{url}, chmod, curl, headers.get, requests.get, session.get
│       🔵 tool_transfer/os — references a specific operating system
│+      🛑 tool_transfer/python — fetch, stores, chmods, and execute programs: 770
│+    ▲ evasion [NONE → HIGH]
│+      🛑 self_deletion/run_and_delete — fetch, run in background, delete: os.remove(, os.setsid, subprocess.Popen(, subprocess.run(
│     ≡ execution [MEDIUM]
│       🔵 imports/python — imports python modules
│       🟡 program — execute external program
│       🟡 shell/command — execute a shell command
│     ≡ exfiltration [MEDIUM]
│       🟡 stealer/browser — may access cookies
│       🟡 upload — References known file hosting site
│     ▲ filesystem [LOW → HIGH]
│       🔵 directory/create — creates directories
│       🔵 file/delete — deletes files
│       🔵 file/exists — check if a file exists
│       🔵 file/open — opens files
│+      🛑 permission/modify — Makes path group writeable and executable: chmod(path, 0o770)
│     ▲ networking [MEDIUM → HIGH]
│       🟡 download/fetch — Invokes curl
│+      🛑 ip/host_port — hardcoded hostname:port destination with high port: connect.consrensys.com:8080
│       🔵 url/embedded — contains embedded HTTPS URLs
│       🔵 url/parse — Handles URL strings
│       🟡 url/request — requests resources via URL
│     ≡ operating-system [LOW]
│       🔵 fd/write — writes to a file handle
│     ≡ process [MEDIUM]
│       🔵 chdir — changes working directory
│       🟡 multi — uses python multiprocessing
│
├─ 🔵 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/trackers/utils/matching.py
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules:
│          from scipy.spatial.distance import cdist, from ultralytics.utils.checks import check, from ultralytics.utils.metrics impo…
│     ≡ networking [LOW]
│       🔵 url/embedded — contains embedded HTTPS URLs:
│          https://docs.scipy.org/doc/scipy/reference/generated/scipy.optimize.linea, https://github.com/gatagat/lap, https://github…
│
├─ 🟡 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/__init__.py
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules:
│          from ultralytics.models import NAS, from ultralytics.utils import ASSETS, from ultralytics.utils.checks import check, fro…
│     ≡ networking [MEDIUM]
│       🟡 download — download files: import download
│
├─ 🔵 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/ops.py
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules:
│          from .metrics import box, from ultralytics.data.converter import merge, from ultralytics.utils import LOGGER, from ultral…
│     ≡ filesystem [LOW]
│       🔵 file/delete_forcibly — Forcibly deletes files: rm non-maximum suppression
│
├─ 🔵 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/solutions/queue_management.py
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules:
│          from ultralytics.solutions.solutions import BaseSolution, from ultralytics.utils.plotting import Annotator
│
├─ 🔵 Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/triton.py
│     ≡ execution [LOW]
│       🔵 imports/python — imports python modules: from typing import List, from urllib.parse import urlsplit, import numpy, import tritonclient
│     ≡ networking [LOW]
│       🔵 tcp/grpc — Uses the gRPC Remote Procedure Call framework
│       🔵 url/parse — Handles URL strings: urllib
│

Markdown example (excerpt):

## Changed (5 added, 0 removed): out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/models/yolo/model.py

### 5 new behaviors

| RISK | KEY | DESCRIPTION | EVIDENCE |
|--|--|--|--|
| +HIGH | **[exec/program/tmpdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/program/tmpdir.yara#exec_program_tmpdir)** | runs program from hardcoded temporary path | [safe_run("/tmp/ultralytics_runner")](https://github.com/search?q=safe_run%28%22%2Ftmp%2Fultralytics_runner%22%29&type=code) |
| +MEDIUM | **[c2/tool_transfer/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/python.yara#py_arch_dropper)** | fetches and executes program based on OS & architecture | [Linux](https://github.com/search?q=Linux&type=code)<br>[arm64](https://github.com/search?q=arm64&type=code)<br>[download](https://github.com/search?q=download&type=code)<br>[platform.machine()](https://github.com/search?q=platform.machine%28%29&type=code)<br>[platform.system()](https://github.com/search?q=platform.system%28%29&type=code)<br>[run](https://github.com/search?q=run&type=code)<br>[x86](https://github.com/search?q=x86&type=code) |
| +MEDIUM | **[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#python_platform)** | [system platform identification](https://docs.python.org/3/library/platform.html) | [platform.system()](https://github.com/search?q=platform.system%28%29&type=code) |
| +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/ultralytics_runner](https://github.com/search?q=%2Ftmp%2Fultralytics_runner&type=code) |
| +MEDIUM | **[net/download](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/download.yara#download)** | download files | [import safe_download](https://github.com/search?q=import+safe_download&type=code) |

### 1 consistent behavior

| RISK | KEY | DESCRIPTION | EVIDENCE |
|--|--|--|--|
| LOW | [exec/imports/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import) | imports python modules | [from pathlib import Path](https://github.com/search?q=from+pathlib+import+Path&type=code)<br>[from ultralytics.engine.model import Model](https://github.com/search?q=from+ultralytics.engine.model+import+Model&type=code)<br>[from ultralytics.models import yolo](https://github.com/search?q=from+ultralytics.models+import+yolo&type=code)<br>[from ultralytics.nn.tasks import ClassificationModel](https://github.com/search?q=from+ultralytics.nn.tasks+import+ClassificationModel&type=code)<br>[from ultralytics.utils import ROOT](https://github.com/search?q=from+ultralytics.utils+import+ROOT&type=code)<br>[from ultralytics.utils.downloads import safe](https://github.com/search?q=from+ultralytics.utils.downloads+import+safe&type=code)<br>[import platform](https://github.com/search?q=import+platform&type=code) |

## Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/triton.py

### 3 consistent behaviors

| RISK | KEY | DESCRIPTION | EVIDENCE |
|--|--|--|--|
| LOW | [exec/imports/python](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/imports/python.yara#has_import) | imports python modules | [from typing import List](https://github.com/search?q=from+typing+import+List&type=code)<br>[from urllib.parse import urlsplit](https://github.com/search?q=from+urllib.parse+import+urlsplit&type=code)<br>[import numpy](https://github.com/search?q=import+numpy&type=code)<br>[import tritonclient](https://github.com/search?q=import+tritonclient&type=code) |
| LOW | [net/tcp/grpc](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/tcp/grpc.yara#grpc) | Uses the gRPC Remote Procedure Call framework | [gRPC](https://github.com/search?q=gRPC&type=code) |
| LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [urllib](https://github.com/search?q=urllib&type=code) |

Simple example:

$ go run cmd/mal/mal.go --format simple diff out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.40/ out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/checks.py
anti-static/obfuscation/bitwise
c2/addr/url
c2/refs
c2/tool_transfer/os
discover/system/platform
discover/user/USER
exec/imports/python
exec/install_additional/pip_install
exec/program
exec/remote_commands/code_eval
net/download
net/tcp/grpc
net/url/embedded
net/url/parse
net/url/request
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/nn/autobackend.py
c2/tool_transfer/os
collect/archives/zip
data/encoding/json_decode
discover/system/platform
exec/imports/python
exec/remote_commands/code_eval
fs/file/open
fs/file/read
net/download
net/url/embedded
net/url/parse
os/fd/read
*** Changed (5 added, 0 removed): out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/downloads.py
anti-static/obfuscation/bitwise
c2/addr/url
c2/tool_transfer/download
+c2/tool_transfer/github
c2/tool_transfer/os
+c2/tool_transfer/python
collect/archives/zip
collect/code/github_api
+evasion/self_deletion/run_and_delete
exec/imports/python
exec/program
exec/shell/command
exfil/stealer/browser
exfil/upload
fs/directory/create
fs/file/delete
fs/file/exists
fs/file/open
+fs/permission/modify
net/download/fetch
+net/ip/host_port
net/url/embedded
net/url/parse
net/url/request
os/fd/write
process/chdir
process/multi
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/trackers/utils/matching.py
exec/imports/python
net/url/embedded
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/triton.py
exec/imports/python
net/tcp/grpc
net/url/parse
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/solutions/queue_management.py
exec/imports/python
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/__init__.py
exec/imports/python
net/download
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/engine/predictor.py
c2/tool_transfer/os
discover/system/platform
exec/imports/python
fs/directory/create
net/url/embedded
os/fd/multiplex
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/solutions/heatmap.py
exec/imports/python
*** Changed (4 added, 2 removed): out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/models/yolo/model.py
+c2/tool_transfer/python
+discover/system/platform
exec/imports/python
+exec/program/tmpdir
+fs/path/tmp
net/download
-net/url/embedded
-net/url/parse
*** Unchanged: out/chainguard-dev/malcontent-samples/python/2024.ultralytics/v8.3.41/utils/ops.py
exec/imports/python
fs/file/delete_forcibly

Interactive example:

[tstromberg]

I think the default diff output should act more like the diff(1) tool, or code review tools that people are used to.

• Unchanged files should not show up in the output by default
• Unchanged objectives should not show up in the output by default (the top-level of the rule ID hierarchy)

I'm a little on the fence about Unchanged behaviors, but sometimes the context is helpful within an objective; similarly to how diff(1) or GitHub code reviews show context. Both have allowances for more context if necessary, but it isn't the default.

I would aim for terser output by default, and finding ways to make the output easier to understand without adding bulk. If there are only 2 lines of difference between versions of a file, I feel like we should be able to keep the output to 5 lines or less. Anything more than that adds cognitive overhead.

[egibs]

I think the default diff output should act more like the diff(1) tool, or code review tools that people are used to.

* Unchanged files should not show up in the output by default

* Unchanged objectives should not show up in the output by default (the top-level of the rule ID hierarchy)

I'm a little on the fence about Unchanged behaviors, but sometimes the context is helpful within an objective; similarly to how diff(1) or GitHub code reviews show context. Both have allowances for more context if necessary, but it isn't the default.

I would aim for terser output by default, and finding ways to make the output easier to understand without adding bulk. If there are only 2 lines of difference between versions of a file, I feel like we should be able to keep the output to 5 lines or less. Anything more than that adds cognitive overhead.

Tightened up the output in ddee6e6 (#726).

We'll now only report:

• files that have changed behaviors
• the behaviors that changed within the files

[stevebeattie]

Generally, this looks good to me.

In testing I do see one weird behavior in the terminal mode, the up/down triangles associated with risk changes don't seem quite consistent, e.g.:

+    ▲ evasion [NONE → MEDIUM]
+      🟡 file/prefix — possible hidden file path: /usr/lib/debug/.dwz
     ≡ execution [LOW]
     ▼ filesystem [LOW → MEDIUM]
+      🟡 path/relative — references and possibly executes relative path: ./epan

I think what's happening is that strings are being compared, rather than the numeric values, and possibly the comparisons have inverted logic; I would have expected the output to look like:

+    ▲ evasion [NONE → MEDIUM]
+      🟡 file/prefix — possible hidden file path: /usr/lib/debug/.dwz
     ≡ execution [LOW] 
     ▲ filesystem [LOW → MEDIUM] 
+      🟡 path/relative — references and possibly executes relative path: ./epan

The following patch applied on top of the branch gives me the second result:

diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go
index d7c510db..8cdf1a25 100644
--- a/pkg/render/terminal.go
+++ b/pkg/render/terminal.go
@@ -291,10 +291,10 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 				diff = color.HiGreenString("+")
 			}
 
-			if riskLevel < previousRiskLevel {
+			if riskScore > previousNsRiskScore[ns]{
 				nsIcon = color.HiYellowString("▲")
 			}
-			if riskLevel > previousRiskLevel {
+			if riskScore < previousNsRiskScore[ns]{
 				nsIcon = color.HiGreenString("▼")
 			}
 			if riskLevel == "NONE" {

but I'm not sure I understand the symbols correctly.

[egibs]

Generally, this looks good to me.

In testing I do see one weird behavior in the terminal mode, the up/down triangles associated with risk changes don't seem quite consistent, e.g.:

+    ▲ evasion [NONE → MEDIUM]
+      🟡 file/prefix — possible hidden file path: /usr/lib/debug/.dwz
     ≡ execution [LOW]
     ▼ filesystem [LOW → MEDIUM]
+      🟡 path/relative — references and possibly executes relative path: ./epan

I think what's happening is that strings are being compared, rather than the numeric values, and possibly the comparisons have inverted logic; I would have expected the output to look like:

+    ▲ evasion [NONE → MEDIUM]
+      🟡 file/prefix — possible hidden file path: /usr/lib/debug/.dwz
     ≡ execution [LOW] 
     ▲ filesystem [LOW → MEDIUM] 
+      🟡 path/relative — references and possibly executes relative path: ./epan

The following patch applied on top of the branch gives me the second result:

diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go
index d7c510db..8cdf1a25 100644
--- a/pkg/render/terminal.go
+++ b/pkg/render/terminal.go
@@ -291,10 +291,10 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 				diff = color.HiGreenString("+")
 			}
 
-			if riskLevel < previousRiskLevel {
+			if riskScore > previousNsRiskScore[ns]{
 				nsIcon = color.HiYellowString("▲")
 			}
-			if riskLevel > previousRiskLevel {
+			if riskScore < previousNsRiskScore[ns]{
 				nsIcon = color.HiGreenString("▼")
 			}
 			if riskLevel == "NONE" {

but I'm not sure I understand the symbols correctly.

Yep, it looks like this is backward. Good catch!

[stevebeattie]

Yep, it looks like this is backward. Good catch!

Thanks, the backward indicators commit addresses part of the issue, but the other part I think is happening is that comparisons are made from the strings values in the riskLevel table, not the numeric scores, so the comparison result is unexpected in some situations.

I created egibs#6 with what I think the fix for this is, and hopefully a clearer explanation.

Thanks!

[stevebeattie]

Thanks for fixing up my formatting mistake, will use make lint going forward.

Everything LGTM, thanks!