Closed tstromberg closed 2 weeks ago
It gets weirder: it missed a result in the same directory:
```
go run . analyze ../jail/npm/ethersscan-api-0.0.2/lib/
.. no output ...
go run . analyze ../jail/npm/ethersscan-api-0.0.2/lib/hash-blob.js
../jail/npm/ethersscan-api-0.0.2/lib/hash-blob.js [🚨 CRITICAL]
------------------------------------------------------------------------------------------------------------------------------------
RISK  KEY                         DESCRIPTION                                            EVIDENCE
------------------------------------------------------------------------------------------------------------------------------------
LOW   fs/file/write               writes to file                                         writeFileS
LOW   ref/path/home/config        path reference within ~/.config                        /.config/s
MED   combo/stealer/browser       Uses HTTP, archives, and references multiple browsers  .config
                                                                                         Brave
                                                                                         Chrome
                                                                                         http
                                                                                         tar
                                                                                         zip
MED   evasion/dynamic_import      imports a library dynamically                          require(_0x5d6b18(0x2d3,'0x323',0x2f4,'0x35e')),_0x18e755…
MED   net/upload                  uploads files                                          uploads
HIGH  evasion/hex                 excessive references to hexadecimal values             0x1009c3
                                                                                         0x101dba
                                                                                         0x102
                                                                                         0x103
                                                                                         0x104df7c
                                                                                         0x105
                                                                                         0x106
                                                                                         0x107
                                                                                         …
CRIT  evasion/script/obfuscation  javascript function obfuscation (excessive const)      const _0x10c657=_0x5d9a0b
                                                                                         const _0x1169b3=
                                                                                         const _0x126ac7=_0x41483f
                                                                                         const _0x127271=async
                                                                                         const _0x135542=
                                                                                         const _0x165870=
                                                                                         const _0x16f58b=
                                                                                         const _0x171e6b=_0x4c1e70
                                                                                         …
------------------------------------------------------------------------------------------------------------------------------------
```
I'm worried that this may be related to the new parallelism improvements...
Here's a good example from `main`:

```
go run . analyze ../bincapz-samples/
```

It generated no output.
I noticed this behavior a while back but wasn't sure what the cause was.
I also get no output with `go run . analyze ../bincapz-samples/`, but doing `go run . --min-risk any --min-file-risk any analyze ../bincapz-samples/` instead results in what I would expect. This precedes the CLI refactoring, so I think there was something amiss going back several weeks at least.
I think it's related to this: https://github.com/chainguard-dev/bincapz/blob/ab542c394ed394cd5de31193ef4dbdf74d2eb3b7/pkg/action/scan.go#L330-L332

If I comment that out, I see results. I'll look into why that's invalid (we should probably use `continue` here?).
Update: `continue` rather than `return nil, nil`
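The `return nil, nil` versus `continue` difference diagnosed above, as an added Go example that is not bincapz's own scan.go: a constructed scan loop with a minimum-risk filter, in its buggy form and its fixed form. `FileResult`, `filterBuggy` and `filterFixed` are hypothetical names, and the listing is constructed so that a low-risk file is visited before the CRITICAL `hash-blob.js`.

```go
package main

import "fmt"

type Risk int // ascending order, mirroring LOW/MED/HIGH/CRIT in the report

const (
	RiskLow Risk = iota + 1
	RiskMed
	RiskHigh
	RiskCrit
)

// FileResult is a constructed stand-in for one scanned file and its highest-risk finding.
type FileResult struct {
	Path string
	Risk Risk
}

// filterBuggy models the diagnosis in the thread: the first file below the minimum
// risk makes the whole scan return (nil, nil), so every later file is silently dropped.
func filterBuggy(results []FileResult, minRisk Risk) ([]FileResult, error) {
	var kept []FileResult
	for _, r := range results {
		if r.Risk < minRisk {
			return nil, nil // bug: abandons the remaining files
		}
		kept = append(kept, r)
	}
	return kept, nil
}

// filterFixed skips only the file below the threshold and keeps scanning the rest.
func filterFixed(results []FileResult, minRisk Risk) ([]FileResult, error) {
	var kept []FileResult
	for _, r := range results {
		if r.Risk < minRisk {
			continue // skip this file only
		}
		kept = append(kept, r)
	}
	return kept, nil
}

func main() {
	dir := []FileResult{{"lib/index.js", RiskLow}, {"lib/hash-blob.js", RiskCrit}} // constructed listing
	buggy, _ := filterBuggy(dir, RiskMed)
	fixed, _ := filterFixed(dir, RiskMed)
	fmt.Printf("buggy: %v\nfixed: %v\n", buggy, fixed) // buggy: [] fixed: [{lib/hash-blob.js 4}]
}
```

With the default minimum risk the buggy loop reports nothing for the directory even though the same file scanned alone is CRITICAL, which is the symptom at the top of this thread.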
For example:
I expected a result to show up... there was in fact a malicious file here: