Improve frequency-based upgrade heuristics, add flag to disable #342
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
egibs
reviewed
Jul 9, 2024
egibs
reviewed
Jul 9, 2024
egibs
approved these changes
Jul 9, 2024
egibs
reviewed
Jul 9, 2024
egibs
added a commit
to egibs/malcontent
that referenced
this pull request
Aug 5, 2024
…nguard-dev#342) * Improve frequency-based upgrade heuristics, add flag to disable * Update samples * Increase score of unusually small binaries * add period at end of godoc line * Rename flag to --quantity-increases-risk * tighten up the upgrade numbers * tighten up the upgrade numbers --------- Co-authored-by: Evan Gibler <[email protected]>
egibs
added a commit
to egibs/malcontent
that referenced
this pull request
Sep 25, 2024
…nguard-dev#342) * Improve frequency-based upgrade heuristics, add flag to disable * Update samples * Increase score of unusually small binaries * add period at end of godoc line * Rename flag to --quantity-increases-risk * tighten up the upgrade numbers * tighten up the upgrade numbers --------- Co-authored-by: Evan Gibler <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR improves frequency risk upgrade heuristics by:
--quantity-increases-riskflag to disable the feature (other flag naming ideas welcome)Currently, any program with >4 HIGH results is classified as CRITICAL.
This can cause a lot of problems with really large programs, particularly Go binaries with a lot of dependencies. This PR adds size-based heuristics, but also allows you to turn the feature off entirely, which is ideal for environments such as CI/CD where you care more about capabilities diffs and raw capability risks rather than a synthetic combined values.