diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9173d6301..82b29087b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,13 +1,26 @@ +# Copyright 2024 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +--- version: 2 updates: -- package-ecosystem: gomod - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 + - package-ecosystem: gomod + directory: "/" + schedule: + interval: weekly + open-pull-requests-limit: 10 + groups: + all: + update-types: + - "patch" -- package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: weekly + open-pull-requests-limit: 10 + groups: + all: + update-types: + - "minor" + - "patch" diff --git a/.github/workflows/boilerplate.yaml b/.github/workflows/boilerplate.yaml new file mode 100644 index 000000000..9c7201a4f --- /dev/null +++ b/.github/workflows/boilerplate.yaml @@ -0,0 +1,40 @@ +# Copyright 2024 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Boilerplate + +on: + pull_request: + branches: + - 'main' + +jobs: + + check: + permissions: + contents: read + + name: Boilerplate Check + runs-on: ubuntu-latest + strategy: + fail-fast: false # Keep running if one leg fails. + matrix: + extension: + - go + - sh + + # Map between extension and human-readable name. + include: + - extension: go + language: Go + - extension: sh + language: Bash + + steps: + - name: Check out code + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + + - uses: chainguard-dev/actions/boilerplate@main + with: + extension: ${{ matrix.extension }} + language: ${{ matrix.language }} diff --git a/.github/workflows/go-tests.yaml b/.github/workflows/go-tests.yaml index c6bb028eb..7bbf9f1a4 100644 --- a/.github/workflows/go-tests.yaml +++ b/.github/workflows/go-tests.yaml @@ -1,10 +1,15 @@ +# Copyright 2024 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + name: Go Tests on: push: - branches: [ "main" ] + branches: + - "main" pull_request: - branches: [ "main" ] + branches: + - "main" jobs: test: @@ -28,5 +33,15 @@ jobs: - uses: chainguard-dev/actions/goimports@main + - name: install libyara-dev + run: | + sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic main restricted universe multiverse" + sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic-updates main restricted universe multiverse" + sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse" + sudo add-apt-repository -n -y "deb http://security.ubuntu.com/ubuntu mantic-security main restricted universe multiverse" + + sudo apt update && sudo apt install libyara-dev -y + - name: Test - run: make test + run: | + make test diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml new file mode 100644 index 000000000..7cf6b0351 --- /dev/null +++ b/.github/workflows/style.yaml @@ -0,0 +1,119 @@ +# Copyright 2024 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Code Style + +on: + pull_request: + branches: + - 'main' + push: + branches: + - 'main' + +jobs: + + gofmt: + name: check gofmt + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + + - name: Set up Go + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: '1.21' + check-latest: true + + - uses: chainguard-dev/actions/gofmt@main + with: + args: -s + + goimports: + name: check goimports + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + + - name: Set up Go + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: '1.21' + check-latest: true + + - uses: chainguard-dev/actions/goimports@main + + golangci-lint: + name: golangci-lint + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + + - name: Set up Go + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: '1.21' + check-latest: true + + - name: install libyara-dev + run: | + sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic main restricted universe multiverse" + sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic-updates main restricted universe multiverse" + sudo add-apt-repository -n -y "deb http://archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse" + sudo add-apt-repository -n -y "deb http://security.ubuntu.com/ubuntu mantic-security main restricted universe multiverse" + + sudo apt update && sudo apt install libyara-dev -y + + - name: golangci-lint + uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v3.7.1 + with: + version: v1.57 + args: --timeout=5m + + lint: + name: Lint + runs-on: ubuntu-latest + + steps: + - name: Check out code + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + + - name: Set up Go + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: '1.21' + check-latest: true + + - uses: chainguard-dev/actions/trailing-space@main + if: ${{ always() }} + + - uses: chainguard-dev/actions/eof-newline@main + if: ${{ always() }} + + - uses: reviewdog/action-tflint@master + if: ${{ always() }} + with: + github_token: ${{ secrets.github_token }} + fail_on_error: true + + - uses: reviewdog/action-misspell@5bd7be2fc7ae56a517184f5c4bbcf2fd7afe3927 # v1.17.0 + if: ${{ always() }} + with: + github_token: ${{ secrets.github_token }} + fail_on_error: true + locale: "US" + exclude: | + **/go.sum + **/third_party/** + ./*.yml + + - uses: get-woke/woke-action-reviewdog@d71fd0115146a01c3181439ce714e21a69d75e31 # v0 + if: ${{ always() }} + with: + github-token: ${{ secrets.github_token }} + reporter: github-pr-check + level: error + fail-on-error: true diff --git a/.golangci.yml b/.golangci.yml index d3416a801..828278c7a 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,6 +1,6 @@ run: # The default runtime timeout is 1m, which doesn't work well on Github Actions. - timeout: 4m + timeout: 10m # NOTE: This file is populated by the lint-install tool. Local adjustments may be overwritten. linters-settings: diff --git a/Makefile b/Makefile index 5ddc729ec..ff64cebf2 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,6 @@ +# Copyright 2024 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + # BEGIN: lint-install ../bincapz # http://github.com/tinkerbell/lint-install @@ -42,4 +45,8 @@ _lint: $(LINTERS) .PHONY: fix $(FIXERS) fix: $(FIXERS) +.PHONY: test +test: + go test ./... -v + # END: lint-install ../bincapz diff --git a/README.md b/README.md index 5c867734d..2f59edda5 100644 --- a/README.md +++ b/README.md @@ -26,9 +26,9 @@ Enumerates program capabilities and malicious behaviors using fragment analysis. * go 1.21+ * yara 4.3+ library - you can use this one-liner to install it if necessary: - + ```shell -brew install yara || sudo apt install libyara-devel \ +brew install yara || sudo apt install libyara-dev \ || sudo dnf install yara-devel || sudo pacman -S yara ``` diff --git a/bincapz.go b/bincapz.go index 5b1b381ae..2c56d82d0 100644 --- a/bincapz.go +++ b/bincapz.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + // bincapz returns information about a binaries capabilities package main @@ -29,8 +32,8 @@ func main() { allFlag := flag.Bool("all", false, "Ignore nothing, show all") klog.InitFlags(nil) - flag.Set("logtostderr", "false") - flag.Set("alsologtostderr", "false") + _ = flag.Set("logtostderr", "false") + _ = flag.Set("alsologtostderr", "false") flag.Parse() args := flag.Args() @@ -77,14 +80,12 @@ func main() { } else { res, err = action.Scan(bc) } - if err != nil { fmt.Fprintf(os.Stderr, "failed: %v\n", err) os.Exit(3) } - renderer.Full(*res) - + err = renderer.Full(*res) if err != nil { klog.Errorf("failed: %v", err) os.Exit(1) diff --git a/bincapz_test.go b/bincapz_test.go index 2f0911c3e..8a3a50cc5 100644 --- a/bincapz_test.go +++ b/bincapz_test.go @@ -1,10 +1,12 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package main import ( "bytes" "encoding/json" "io/fs" - "log" "os" "path/filepath" "strings" @@ -27,9 +29,9 @@ func TestJSON(t *testing.T) { fileSystem := os.DirFS(testDataRoot) - fs.WalkDir(fileSystem, ".", func(path string, d fs.DirEntry, err error) error { + fs.WalkDir(fileSystem, ".", func(path string, _ fs.DirEntry, err error) error { if err != nil { - log.Fatal(err) + t.Fatal(err) } if !strings.HasSuffix(path, ".json") { return nil @@ -83,7 +85,7 @@ func TestSimple(t *testing.T) { fileSystem := os.DirFS(testDataRoot) - fs.WalkDir(fileSystem, ".", func(path string, d fs.DirEntry, err error) error { + fs.WalkDir(fileSystem, ".", func(path string, _ fs.DirEntry, err error) error { if err != nil { t.Fatal(err) } @@ -197,9 +199,9 @@ func TestMarkdown(t *testing.T) { fileSystem := os.DirFS(testDataRoot) - fs.WalkDir(fileSystem, ".", func(path string, d fs.DirEntry, err error) error { + fs.WalkDir(fileSystem, ".", func(path string, _ fs.DirEntry, err error) error { if err != nil { - log.Fatal(err) + t.Fatal(err) } if !strings.HasSuffix(path, ".md") { return nil diff --git a/pkg/action/action.go b/pkg/action/action.go index 11d381719..9195d3883 100644 --- a/pkg/action/action.go +++ b/pkg/action/action.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package action import ( diff --git a/pkg/action/diff.go b/pkg/action/diff.go index 863472396..57869b643 100644 --- a/pkg/action/diff.go +++ b/pkg/action/diff.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package action import ( diff --git a/pkg/action/programkind.go b/pkg/action/programkind.go index 0725a3da4..e6d5f42db 100644 --- a/pkg/action/programkind.go +++ b/pkg/action/programkind.go @@ -1,6 +1,10 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package action import ( + "errors" "io" "log" "os" @@ -11,7 +15,7 @@ import ( "k8s.io/klog/v2" ) -// map from extensions to program kinds +// map from extensions to program kinds. var extMap = map[string]string{ ".scpt": "compiled AppleScript", ".scptd": "compiled AppleScript", @@ -38,7 +42,7 @@ var extMap = map[string]string{ ".c": "C source", } -// programKind tries to identify if a path is a program +// programKind tries to identify if a path is a program. func programKind(path string) string { var header [263]byte f, err := os.Open(path) @@ -52,7 +56,7 @@ func programKind(path string) string { var headerString string n, err := io.ReadFull(f, header[:]) switch { - case err == nil || err == io.ErrUnexpectedEOF: + case err == nil || errors.Is(err, io.ErrUnexpectedEOF): // Read the full buffer, or some bytes, all good kind, err := magic.Lookup(header[:n]) if err == nil { @@ -61,7 +65,7 @@ func programKind(path string) string { desc = "" } headerString = string(header[:n]) - case err == io.EOF: + case errors.Is(err, io.EOF): // Nothing was read, so set the buffer so. desc = "" headerString = "" diff --git a/pkg/action/programkind_test.go b/pkg/action/programkind_test.go index 13d7a0f19..4119c5285 100644 --- a/pkg/action/programkind_test.go +++ b/pkg/action/programkind_test.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package action import ( @@ -5,8 +8,8 @@ import ( "testing" ) -func TestProgramKindMagic(t *testing.T) { - +func TestProgramKindMagic(_ *testing.T) { + // nop for now } func TestProgramStringMatch(t *testing.T) { diff --git a/pkg/action/scan.go b/pkg/action/scan.go index bbfb71183..744a13109 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package action import ( @@ -12,7 +15,7 @@ import ( "k8s.io/klog/v2" ) -// return a list of files within a path +// return a list of files within a path. func findFilesRecursively(root string) ([]string, error) { klog.V(1).Infof("finding files in %s ...", root) files := []string{} @@ -51,10 +54,14 @@ func scanSinglePath(c Config, yrs *yara.Rules, path string) (*bincapz.FileReport return &bincapz.FileReport{Path: path, Error: fmt.Sprintf("scanfile: %v", err)}, nil } - fr := report.Generate(path, mrs, c.IgnoreTags, c.MinLevel) + fr, err := report.Generate(path, mrs, c.IgnoreTags, c.MinLevel) + if err != nil { + return nil, err + } if len(fr.Behaviors) == 0 && c.OmitEmpty { return nil, nil } + return &fr, nil } diff --git a/pkg/bincapz/bincapz.go b/pkg/bincapz/bincapz.go index 1fee199ba..b922d572e 100644 --- a/pkg/bincapz/bincapz.go +++ b/pkg/bincapz/bincapz.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package bincapz type Behavior struct { diff --git a/pkg/render/json.go b/pkg/render/json.go index ecf7dd65f..9e1af2972 100644 --- a/pkg/render/json.go +++ b/pkg/render/json.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package render import ( diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go index b58fa98b5..25595aa87 100644 --- a/pkg/render/markdown.go +++ b/pkg/render/markdown.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package render import ( diff --git a/pkg/render/render.go b/pkg/render/render.go index 5ddf792e5..5aaee0eea 100644 --- a/pkg/render/render.go +++ b/pkg/render/render.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package render import ( diff --git a/pkg/render/simple.go b/pkg/render/simple.go index 1171787f4..81f60ab13 100644 --- a/pkg/render/simple.go +++ b/pkg/render/simple.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package render import ( diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go index 9c77983f4..d6387ea84 100644 --- a/pkg/render/terminal.go +++ b/pkg/render/terminal.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package render import ( @@ -135,7 +138,7 @@ func (r Terminal) Full(rep bincapz.Report) error { return nil } -func renderTable(fr *bincapz.FileReport, w io.Writer, rc tableConfig) { +func renderTable(fr *bincapz.FileReport, w io.Writer, rc tableConfig) { //nolint: cyclop // TODO: review this cyclomatic complexity for function renderTable is 39, max is 37 title := rc.Title path := fr.Path diff --git a/pkg/render/yaml.go b/pkg/render/yaml.go index b860fb29f..f3a567e4d 100644 --- a/pkg/render/yaml.go +++ b/pkg/render/yaml.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package render import ( diff --git a/pkg/report/report.go b/pkg/report/report.go index ee3394f06..451816c9e 100644 --- a/pkg/report/report.go +++ b/pkg/report/report.go @@ -1,10 +1,12 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package report import ( "crypto/sha256" "fmt" "io" - "log" "os" "path/filepath" "regexp" @@ -26,7 +28,7 @@ var riskLevels = map[int]string{ 4: "CRITICAL", // critical: certainly malware } -// yaraForge has some very very long rule names +// yaraForge has some very very long rule names. var yaraForgeJunkWords = map[string]bool{ "controller": true, "generic": true, @@ -184,7 +186,7 @@ func longestUnique(raw []string) []string { return longest } -// convert MatchString to a usable string +// convert MatchString to a usable string. func matchToString(ruleName string, m yara.MatchString) string { s := string(m.Data) if strings.Contains(ruleName, "base64") && !strings.Contains(s, "base64") { @@ -205,7 +207,7 @@ func matchToString(ruleName string, m yara.MatchString) string { return strings.TrimSpace(s) } -// extract important values +// extract important values. func matchValues(key string, ruleName string, ms []yara.MatchString) []string { raw := []string{} @@ -240,7 +242,7 @@ func matchValues(key string, ruleName string, ms []yara.MatchString) []string { return longestUnique(raw) } -// extract match strings +// extract match strings. func matchStrings(ruleName string, ms []yara.MatchString) []string { raw := []string{} @@ -252,30 +254,35 @@ func matchStrings(ruleName string, ms []yara.MatchString) []string { return longestUnique(raw) } -func pathChecksum(path string) string { +func pathChecksum(path string) (string, error) { f, err := os.Open(path) if err != nil { - return fmt.Sprintf("err-%v", err) + return fmt.Sprintf("err-%v", err), nil } defer f.Close() h := sha256.New() if _, err := io.Copy(h, f); err != nil { - log.Fatal(err) + return "", err } - return fmt.Sprintf("%x", h.Sum(nil)) + return fmt.Sprintf("%x", h.Sum(nil)), nil } -func Generate(path string, mrs yara.MatchRules, ignoreTags []string, minScore int) bincapz.FileReport { +func Generate(path string, mrs yara.MatchRules, ignoreTags []string, minScore int) (bincapz.FileReport, error) { ignore := map[string]bool{} for _, t := range ignoreTags { ignore[t] = true } + ptCheck, err := pathChecksum(path) + if err != nil { + return bincapz.FileReport{}, err + } + fr := bincapz.FileReport{ Path: path, - SHA256: pathChecksum(path), + SHA256: ptCheck, Meta: map[string]string{}, Behaviors: map[string]bincapz.Behavior{}, } @@ -369,9 +376,7 @@ func Generate(path string, mrs yara.MatchRules, ignoreTags []string, minScore in existing.Description = b.Description fr.Behaviors[key] = existing } - } - // If something has a lot of high, it's probably critical if riskCounts[3] >= 4 { overallRiskScore = 4 @@ -387,5 +392,5 @@ func Generate(path string, mrs yara.MatchRules, ignoreTags []string, minScore in fr.RiskLevel = riskLevels[fr.RiskScore] klog.V(4).Infof("yara matches: %+v", mrs) - return fr + return fr, nil } diff --git a/pkg/rules/rules.go b/pkg/rules/rules.go index 5737cb52e..58607aa9e 100644 --- a/pkg/rules/rules.go +++ b/pkg/rules/rules.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package rules import ( @@ -30,7 +33,7 @@ func Compile(root fs.FS, thirdParty bool) (*yara.Rules, error) { err = fs.WalkDir(root, ".", func(path string, d fs.DirEntry, err error) error { if err != nil { - return nil + return nil //nolint: nilerr // TODO: review this part } if !thirdParty && strings.Contains(path, "third_party") { diff --git a/testdata/does-nothing/does-nothing.go b/testdata/does-nothing/does-nothing.go index 529637d06..dcac4f0ac 100644 --- a/testdata/does-nothing/does-nothing.go +++ b/testdata/does-nothing/does-nothing.go @@ -1,3 +1,6 @@ +// Copyright 2024 Chainguard, Inc. +// SPDX-License-Identifier: Apache-2.0 + package main import "k8s.io/klog/v2"