Please check if your PR fulfills the following requirements:
[X] Docs have been reviewed and added / updated if needed (for bug fixes / features)
[X] Tests have been added that prove the fix is effective or that the feature works.
[X] New and existing tests pass locally with the changes.
[X] Code follows the style guidelines of this project (PEP8, clean code).
[X] Linter has passed locally and any fixes were made for failures.
[X] A self-review of the code has been done.
Pull request type
Please check the type of change your PR introduces:
[X] Bugfix
What is the ticket or issue number?
CB-41404
Pull Request Description
Per this CB Knowledge Base article and what I'm assuming is the intent of the get_high_score function here:
If there is no "score" value assigned by the rule, but a hit is determined, it will get a default score of 100
However, there is a bug in the get_high_score function. Since match.meta.get("score", 0) evaluates to 0 if "score" is unset in the rule, but "score" is set to -1 before this loop, the condition will always evaluate to True. Thus, the following line match.meta.get("score") sets score to None and the return 100line is unreachable.
While the README indicates: "Your rules must have meta section with a score = [1-10] tag to appropriately score matching binaries", this conflicts with the guidance given in the KB article, the (assumed) intent of the get_high_score function and the fact that CB seems to score alerts from 1-100 -- thus, I have updated the README as well.
Does this introduce a breaking change?
[ ] Yes
[X] No
How Has This Been Tested?
Buggy behavior confirmed locally with test yara rules (with and without score values). New mock test added to simulate a rule with an empty meta section and thus no set "score" value. Have not yet been able to create manual rpm package to test this fix directly on a CB server.
Pull request checklist
Please check if your PR fulfills the following requirements:
Pull request type
Please check the type of change your PR introduces:
What is the ticket or issue number?
CB-41404Pull Request Description
Per this CB Knowledge Base article and what I'm assuming is the intent of the
get_high_scorefunction here:However, there is a bug in the
get_high_scorefunction. Sincematch.meta.get("score", 0)evaluates to0if "score" is unset in the rule, but "score" is set to-1before this loop, the condition will always evaluate to True. Thus, the following linematch.meta.get("score")sets score toNoneand thereturn 100line is unreachable.This has the effect of causing rules without a score set to not generate any alerts. It appears the bug was introduced in this change: https://github.com/carbonblack/cb-yara-connector/commit/35afcac8908db95850d66b45f2933bf7f1bea601 -- when the default score value was changed from
0to1, the condition was not updated along with it.While the README indicates: "Your rules must have meta section with a score = [1-10] tag to appropriately score matching binaries", this conflicts with the guidance given in the KB article, the (assumed) intent of the
get_high_scorefunction and the fact that CB seems to score alerts from 1-100 -- thus, I have updated the README as well.Does this introduce a breaking change?
How Has This Been Tested?
Buggy behavior confirmed locally with test yara rules (with and without
scorevalues). New mock test added to simulate a rule with an emptymetasection and thus no set "score" value. Have not yet been able to create manual rpm package to test this fix directly on a CB server.