chainguard-dev / malcontent

#supply #chain #attack #detection
Apache License 2.0
446 stars 31 forks

--min-risk=high breaks overrides #522

Closed tstromberg closed 1 month ago

tstromberg commented 1 month ago

If I have a high -> medium override such as:

rule kandji : override {
  meta:
    description = "Kandji"
    hostinfo_collector = "medium"
  strings:
    $ref = "Developer ID Application: Kandji, Inc. (P3FGV63VK7)"
  condition:
    any of them
}

It properly downgrades the rule until I pass --min-risk=high to either the scan or analyze command:

go run ./cmd/mal --min-risk=high analyze /Applications/Utilities/Kandji\ Extension\ Manager.app/Contents/MacOS/Kandji\ Extension\ Manager
🔎 Scanning "/Applications/Utilities/Kandji Extension Manager.app/Contents/MacOS/Kandji Extension Manager"
/Applications/Utilities/Kandji Extension Manager.app/Contents/MacOS/Kandji Extension Manager [🔥 HIGH]
----------------------------------------------------------------------------------------------------------
RISK  KEY                             DESCRIPTION                                           EVIDENCE
----------------------------------------------------------------------------------------------------------
HIGH  combo/recon/hostinfo_collector  Collects extremely detailed information about a host  launchctl
                                                                                            networksetup
                                                                                            sysctl
----------------------------------------------------------------------------------------------------------
tstromberg commented 1 month ago

cc @egibs who may know what's going on here.

egibs commented 1 month ago

Fix incoming. I missed a !override condition in the Generate function.
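A simplified reconstruction of the ordering problem in this thread, added here as an illustration and not malcontent's own code: the `Generate` stand-in, the `Rule` type and the numeric risk levels are assumptions. It contrasts a min-risk filter that discards override rules before they can act (the missing `!override` clause egibs mentions) with the corrected check, using the hostinfo_collector -> medium override from the report.

```go
package main

// Ordered risk levels (constructed). Override rules have no risk of their own: RiskNone.
const (
	RiskNone = iota
	RiskLow
	RiskMedium
	RiskHigh
)

// Rule is a simplified YARA match. For override rules, Overrides maps a target
// rule name to the risk it is lowered to (hostinfo_collector = "medium" above).
type Rule struct {
	Name      string
	Risk      int
	Override  bool
	Overrides map[string]int
}

// Generate applies the min-risk filter, then the override rules. With buggy=true
// the filter lacks the !override clause, so an override rule (RiskNone) is
// discarded by any threshold above NONE before it can downgrade its target.
func Generate(matches []Rule, minRisk int, buggy bool) map[string]int {
	overrides := map[string]int{}
	var kept []Rule
	for _, m := range matches {
		if m.Risk < minRisk && (buggy || !m.Override) {
			continue // the fix: an override rule is never dropped here
		}
		if m.Override {
			for name, risk := range m.Overrides {
				overrides[name] = risk
			}
			continue
		}
		kept = append(kept, m)
	}
	out := map[string]int{}
	for _, m := range kept {
		risk := m.Risk
		if r, ok := overrides[m.Name]; ok {
			risk = r
		}
		if risk >= minRisk { // filter again on the downgraded risk
			out[m.Name] = risk
		}
	}
	return out
}
```

With `--min-risk=high` the buggy path reports hostinfo_collector as HIGH, exactly as in the scan output above, while the corrected path downgrades it to MEDIUM and then filters it out.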