chainguard-dev / malcontent

#supply #chain #attack #detection
Apache License 2.0
446 stars 31 forks

Properly render hits and misses #624

Closed egibs closed 3 days ago

egibs commented 4 days ago

Closes: #623

This PR allows for hits and misses surfaced by --err-first-hit or --err-first-miss to be displayed while also preventing additional concurrent processing/rendering of other paths.

This is achieved with a separate goroutine that reads from a channel that stores only the first match returned by errIfHitOrMiss and propagates the match and error properly.

Example output:

$ for i in (seq 1 5); go run cmd/mal/mal.go --err-first-miss analyze /Library/Application\ Support/BTServer/; end
🔎 Scanning "/Library/Application Support/BTServer/"
👋 no matching capabilities in "/Library/Application Support/BTServer/pincode_defaults.db" kind=file suffix=: matched requested condition
🔎 Scanning "/Library/Application Support/BTServer/"
👋 no matching capabilities in "/Library/Application Support/BTServer/pincode_defaults.db" kind=file suffix=: matched requested condition
🔎 Scanning "/Library/Application Support/BTServer/"
👋 no matching capabilities in "/Library/Application Support/BTServer/pincode_defaults.db" kind=file suffix=: matched requested condition
🔎 Scanning "/Library/Application Support/BTServer/"
👋 no matching capabilities in "/Library/Application Support/BTServer/pincode_defaults.db" kind=file suffix=: matched requested condition
🔎 Scanning "/Library/Application Support/BTServer/"
👋 no matching capabilities in "/Library/Application Support/BTServer/pincode_defaults.db" kind=file suffix=: matched requested condition

$ for i in (seq 1 5); go run cmd/mal/mal.go --err-first-hit analyze /usr/bin; end
🔎 Scanning "/usr/bin"
├─ 🔵 /usr/bin/SafeEjectGPU [LOW]
│     ≡ networking [LOW]
│       🔵 url/parse — Handles URL strings: NSURL
│
👋 1 matching capabilities in /usr/bin/SafeEjectGPU file: net/url/parse: matched requested condition
🔎 Scanning "/usr/bin"
├─ 🔵 /usr/bin/SafeEjectGPU [LOW]
│     ≡ networking [LOW]
│       🔵 url/parse — Handles URL strings: NSURL
│
👋 1 matching capabilities in /usr/bin/SafeEjectGPU file: net/url/parse: matched requested condition
🔎 Scanning "/usr/bin"
├─ 🔵 /usr/bin/AssetCacheManagerUtil [LOW]
│     ≡ filesystem [LOW]
│       🔵 file/write — writes to file: writeToFile:atomically:
│
👋 1 matching capabilities in /usr/bin/AssetCacheManagerUtil file: fs/file/write: matched requested condition
🔎 Scanning "/usr/bin"
├─ 🟡 /usr/bin/AssetCacheLocatorUtil [MEDIUM]
│     ≡ networking [MEDIUM]
│       🟡 ip/addr — mentions an 'IP address'
│
👋 1 matching capabilities in /usr/bin/AssetCacheLocatorUtil file: net/ip/addr: matched requested condition
🔎 Scanning "/usr/bin"
├─ 🔵 /usr/bin/SafeEjectGPU [LOW]
│     ≡ networking [LOW]
│       🔵 url/parse — Handles URL strings: NSURL
│
👋 1 matching capabilities in /usr/bin/SafeEjectGPU file: net/url/parse: matched requested condition
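The first-match mechanism the description above outlines (one-slot channel, a separate reader goroutine, cancellation of the other workers), written out as an added Go example that is not malcontent's own code: `scanAll`, `Result`, `ErrExitCondition` and the `scan`/`render` callbacks are hypothetical stand-ins for the real scanner and renderer.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// ErrExitCondition is returned once a scanned path satisfies --err-first-hit/--err-first-miss.
var ErrExitCondition = errors.New("matched requested condition")
// Result is a hypothetical per-path scan outcome, not malcontent's real type.
type Result struct {
	Path string
	Hit  bool // true when the path has at least one matching capability
}
// scanAll scans paths concurrently and stops at the first result satisfying the exit
// condition (a hit when wantHit is true, a miss otherwise). Only that match reaches the
// one-slot channel; a separate reader goroutine renders it and turns it into the error.
func scanAll(paths []string, wantHit bool, scan func(context.Context, string) Result, render func(Result)) error {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	first := make(chan Result, 1) // holds the first match only
	var once sync.Once            // exactly one send, even after the reader drains the slot
	var readerErr error
	readerDone := make(chan struct{})
	go func() { // reader: renders at most one match, then propagates it as an error
		defer close(readerDone)
		if r, ok := <-first; ok {
			render(r)
			readerErr = fmt.Errorf("%s: %w", r.Path, ErrExitCondition)
		}
	}()
	var wg sync.WaitGroup
	for _, p := range paths {
		wg.Add(1)
		go func(p string) {
			defer wg.Done()
			r := scan(ctx, p)
			if ctx.Err() != nil || r.Hit != wantHit { // someone matched first, or no match
				return
			}
			once.Do(func() { first <- r; cancel() }) // record the match, stop everyone else
		}(p)
	}
	wg.Wait()
	close(first) // unblocks the reader when nothing matched
	<-readerDone
	return readerErr
}
```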
tstromberg commented 4 days ago

Can we simplify the exit messages? Instead of:

👋 no matching capabilities in "/Library/Application Support/BTServer/pincode_defaults.db" kind=file suffix=: matched requested condition
👋 1 matching capabilities in /usr/bin/SafeEjectGPU file: net/url/parse: matched requested condition

How about something closer to:

👋 /Library/Application Support/BTServer/pincode_defaults.db matched exit criteria
👋 /usr/bin/SafeEjectGPU matched exit criteria

In the second case, in particular, we can already see the list of capabilities just above this line. Eventually we should rename these flags to --exit-if instead of --err-if - that can be done here or in another PR.

egibs commented 4 days ago

> Can we simplify the exit messages? Instead of:
>
> 👋 no matching capabilities in "/Library/Application Support/BTServer/pincode_defaults.db" kind=file suffix=: matched requested condition
> 👋 1 matching capabilities in /usr/bin/SafeEjectGPU file: net/url/parse: matched requested condition
>
> How about something closer to:
>
> 👋 /Library/Application Support/BTServer/pincode_defaults.db matched exit criteria
> 👋 /usr/bin/SafeEjectGPU matched exit criteria
>
> In the second case, in particular, we can already see the list of capabilities just above this line. Eventually we should rename these flags to --exit-if instead of --err-if - that can be done here or in another PR.

Updated in c949cc4 (#624).

Renamed the errIfHitOrMiss function in 2f68252 (#624) as well.