Closed tstromberg closed 2 months ago
cc @egibs in case this rings a bell
This is so weird that maybe this is just my macOS machine.
Running bincapz against /bin
works.
Running go run . samples/does-nothing/does-nothing
doesn't work, but it does work if I copy the directory to /tmp. I thought maybe it was an issue with relative paths, but absolute paths within my repository don't seem to work either.
What a curious thing.. I wonder if anyone else is seeing this behavior.
Also, the weirdness does not seem dependent on directory scanning.
go run . samples/Linux/2024.sbcl.market/sbcl.dirty
also shows no results.
Confirmed on my Linux box that go run . samples/
shows no results either.
I did figure it out though; if I set --ignore-self=false
it works! I think the logic needs to be tightened up a bit.
cc @egibs in case this rings a bell
Yep, definitely a consequence of #167. I'll work on improving this 👍🏻
@egibs - I think if we change to just matching the YARA rule, and tightening the YARA rule up to include say, 2 of 3 unique strings from the bincapz binary, it should be sufficient. For example:
bincapz/pkg/rules.FS
bincapz/pkg/report
After looking at the PR implementation, I think there was some confusion about #134 due to my vague wording: my intent was to only ignore the bincapz binary if encountered: for example, in a container image or in your $PATH. It was not to ignore content within the bincapz
repository.
My apologies for the imprecise wording.
directory scans seem to be broken at HEAD:
Returns no results, but shows that it is at least trying:
I also checked to see if it was a recursion issue, but it happens for any other directory, for example
go run . samples/Linux/clean/
. Looking at recent PRs, I think this could be a regression from #174. We'll also need a test case to make sure this doesn't happen again.