chainguard-dev / malcontent

#supply #chain #attack #detection
Apache License 2.0

probable false: evasion/base64/php_functions in cassandra-reaper-3.6, dotty-3.4 #286

Closed tstromberg closed 4 months ago

tstromberg commented 5 months ago

We should check that this rule is working as expected:

packages/x86_64/cassandra-reaper-3.6/usr/local/lib/cassandra-reaper.jar ∴ assets/deps.js [🚨 CRITICAL]
---------------------------------------------------------------------------------------------------------
RISK  KEY                           DESCRIPTION                                       EVIDENCE           
---------------------------------------------------------------------------------------------------------
CRIT  evasion/base64/php_functions  References multiple PHP functions in base64 form  VtcHR5::$empty     
                                                                                      ZW1wdH::$empty     
                                                                                      dW5saW5r::$unlink  
                                                                                      lbXB0e::$empty     
---------------------------------------------------------------------------------------------------------

packages/x86_64/dotty-3.4/usr/share/scala/lib/scala3-library_3-3.4.1-bin-SNAPSHOT.jar ∴ scala/quoted/ToExpr$ArrayOfBooleanToExpr$.class [🚨 CRITICAL]
------------------------------------------------------------------------------------------------------
RISK  KEY                           DESCRIPTION                                       EVIDENCE        
------------------------------------------------------------------------------------------------------
CRIT  evasion/base64/php_functions  References multiple PHP functions in base64 form  BcnJhe::$Array  
                                                                                      FycmF5::$Array  
                                                                                      QXJyYX::$Array  
                                                                                      VtcHR5::$empty  
------------------------------------------------------------------------------------------------------
tstromberg commented 5 months ago

This alert should probably only fire if there is some base64 decoding going on.

tstromberg commented 5 months ago

Still exists in bincapz v0.13.2.
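To show why the EVIDENCE column contains fragments like `VtcHR5` and `lbXB0e` for `empty`, and what the "only fire if there is some base64 decoding going on" gating from the thread would look like, here is an added example (not malcontent's or bincapz's own rule code). It assumes a small hand-picked list of PHP function names, a hand-picked list of decoder markers, and that "multiple functions" means at least two distinct names; the sample inputs are constructed.

```python
"""Three-alignment base64 matching of PHP function names, gated on a decoder."""
import base64

# Assumed, not from the issue: names the rule looks for (the three from the
# report plus a few commonly watched ones) and strings that indicate decoding.
PHP_FUNCTIONS = ["empty", "unlink", "Array", "eval", "exec", "system"]
DECODER_MARKERS = [b"base64_decode", b"Base64.getDecoder", b"Base64Decoder"]


def base64_variants(word: str) -> list[str]:
    """Return the three alignment-independent base64 spellings of `word`.

    A word can start at byte offset 0, 1 or 2 of a base64 group, so it is
    encoded behind 0, 1 or 2 filler bytes.  Characters whose bits depend on
    the unknown neighbours (the filler in front, the padding/next bytes
    behind) are stripped; what is left is fixed by `word` alone.  This is
    the same idea as YARA's `base64` string modifier.
    """
    raw = word.encode()
    out = []
    for offset in range(3):
        enc = base64.b64encode(b"A" * offset + raw).decode()
        lead = 0 if offset == 0 else offset + 1              # tainted by filler
        trail = {0: 0, 1: 3, 2: 2}[(offset + len(raw)) % 3]  # tainted by padding
        out.append(enc[lead:len(enc) - trail])
    return out


def scan(data: bytes, require_decoder: bool = True) -> dict[str, list[str]]:
    """Map each PHP name to the base64 variants found in `data`, or {}.

    With `require_decoder` set (the gating proposed in the issue) nothing is
    reported unless a decoder reference is present as well, so base64-looking
    bytes inside a jar's constant pool no longer count on their own.
    """
    hits = {}
    for fn in PHP_FUNCTIONS:
        found = [v for v in base64_variants(fn) if v.encode() in data]
        if found:
            hits[fn] = found
    if len(hits) < 2:  # "multiple PHP functions": at least two distinct names
        return {}
    if require_decoder and not any(m in data for m in DECODER_MARKERS):
        return {}
    return hits


# Constructed samples: jar-like bytes with no decoder, and PHP that decodes.
JAR_LIKE_SAMPLE = b"PK\x03\x04...ConstantValue QXJyYXk VtcHR5 ZW1wdHk ..."
PHP_LIKE_SAMPLE = b"<?php $n = base64_decode('ZW1wdHk='); $u = 'dW5saW5r';"
```

`scan(JAR_LIKE_SAMPLE)` is empty while `scan(JAR_LIKE_SAMPLE, require_decoder=False)` reproduces the report's `$empty` and `$Array` evidence, which is the false positive the thread describes.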