Overhaul CLI functionality with urfave/cli #436

Merged
merged 15 commits into from
Sep 12, 2024

Member

@egibs egibs commented Sep 3, 2024

Our usage of the flags package was struggling with the amount of functionality introduced over the past several months.

This PR moves to the urfave/cli package for the CLI functionality and focuses on:

  • Global flags
  • Making scan and diff commands
  • Adding command-level flags for scan

The changes in this PR will be breaking (as evidenced by the updated refresh-testdata.sh script); however, there is some flexibility around specifying the scan flags. Omitting the flags will default to the original path scanning behavior (i.e., non-image scans). Otherwise, specifying -i will scan OCI images and -p will scan a local file path.

The new use looks like this:

bincapz <flags> analyze -i <image URL>
bincapz <flags> analyze <file path> 
bincapz <flags> diff <file path 1> <file path 2>
bincapz <flags> scan -i <image URL>
bincapz <flags> scan <file path>

To view the flags:

$ bincapz -h
NAME:
   bincapz - Detect malicious program behaviors

USAGE:
   bincapz <flags> [diff, scan] <path>

VERSION:
   bincapz v0.19.0

COMMANDS:
   diff     scan and diff two paths
   scan     scan an image or path
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --all                      Ignore nothing within a provided scan path (default: false)
   --err-first-miss           Exit with error if scan source has no matching capabilities (default: false)
   --err-first-hit            Exit with error if scan source has matching capabilities (default: false)
   --format value             Output format (json, markdown, simple, terminal, yaml) (default: "terminal")
   --ignore-self              Ignore the bincapz binary (default: true)
   --ignore-tags value        Rule tags to ignore
   --include-data-files       Include files that are detected as non-program (binary or source) files (default: false)
   --jobs value, -j value     Concurrently scan files within target scan paths (default: 12)
   --min-file-level value     Obsoleted by --min-file-risk (default: -1)
   --min-file-risk value      Only show results for files which meet the given risk level (any, low, medium, high, critical) (default: "low")
   --min-level value          Obsoleted by --min-risk (default: -1)
   --min-risk value           Only show results which meet the given risk level (any, low, medium, high, critical) (default: "low")
   --output value, -o value   Write output to specified file instead of stdout
   --profile, -p              Generate profile and trace files (default: false)
   --quantity-increases-risk  Increase file risk score based on behavior quantity (default: true)
   --stats, -s                Show scan statistics (default: false)
   --third-party              Include third-party rules which may have licensing restrictions (default: true)
   --verbose                  Emit verbose logging messages to stderr (default: false)
   --help, -h                 show help
   --version, -v              print the version

To view command help:

$ bincapz diff -h
NAME:
   bincapz diff - scan and diff two paths

USAGE:
   bincapz diff [command options]

OPTIONS:
   --help, -h  show help

$ bincapz scan -h
NAME:
   bincapz scan - scan an image or path

USAGE:
   bincapz scan [command options]

OPTIONS:
   --image value, -i value  Scan an image
   --path value, -p value   Scan a file path
   --help, -h               show help

To view the version:

$ bincapz -v
bincapz version v0.19.0

@egibs egibs requested a review from tstromberg September 3, 2024 19:36
@egibs egibs force-pushed the better-cli branch 2 times, most recently from fbc78a0 to 4484e63 Compare September 4, 2024 13:50
@egibs egibs marked this pull request as ready for review September 4, 2024 13:55
@egibs egibs merged commit 885b27d into chainguard-dev:main Sep 12, 2024
6 checks passed
@egibs egibs deleted the better-cli branch September 12, 2024 12:01
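
Added example (not part of the PR or of the bincapz code base): the flag placement that the description and help output above imply, modelled with Go's standard-library `flag` package rather than urfave/cli. It shows why `-p` before `scan` is the global `--profile` while `-p` after it is `--path`; the `Target` type, the `resolve` function and the rejection of `-i` together with `-p` are assumptions made for this example.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
)

// Target is what a scan invocation resolved to (hypothetical type for this example).
type Target struct {
	Kind, Ref string // Kind is "image" or "path"
	Profile   bool   // global --profile/-p was set
}

// resolve models "bincapz <flags> scan [-i image | -p path | path]" with two flag sets.
func resolve(args []string) (Target, error) {
	var t Target
	global := flag.NewFlagSet("bincapz", flag.ContinueOnError)
	global.BoolVar(&t.Profile, "p", false, "global: generate profile and trace files")
	if err := global.Parse(args); err != nil {
		return t, err
	}
	rest := global.Args() // parsing stops at the first non-flag argument
	if len(rest) == 0 || rest[0] != "scan" {
		return t, errors.New("expected scan command")
	}
	scan := flag.NewFlagSet("scan", flag.ContinueOnError)
	image := scan.String("i", "", "scan an image")
	path := scan.String("p", "", "scan a file path")
	if err := scan.Parse(rest[1:]); err != nil {
		return t, err
	}
	switch {
	case *image != "" && *path != "":
		return t, errors.New("-i and -p are mutually exclusive") // assumption
	case *image != "":
		t.Kind, t.Ref = "image", *image
	case *path != "":
		t.Kind, t.Ref = "path", *path
	case scan.NArg() == 1:
		t.Kind, t.Ref = "path", scan.Arg(0) // no flag: original path scanning
	default:
		return t, errors.New("scan needs exactly one target")
	}
	return t, nil
}

func main() { fmt.Println(resolve([]string{"-p", "scan", "-p", "./bin/ls"})) }
```

In this model a path placed after the global `-p` is not consumed as its value, so `-p ./bin/ls scan` is rejected rather than scanned.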
egibs added a commit to egibs/malcontent that referenced this pull request Sep 25, 2024
* Overhaul CLI functionality with urfave/cli

Signed-off-by: egibs <[email protected]>

* Use flags to separate image/path scanning

Signed-off-by: egibs <[email protected]>

* Small tweaks

Signed-off-by: egibs <[email protected]>

* Update test data refresh script, handle scan edge cases

Signed-off-by: egibs <[email protected]>

* Simplify risk level map

Signed-off-by: egibs <[email protected]>

* Update wording/formatting

Signed-off-by: egibs <[email protected]>

* Clean up arg parsing

Signed-off-by: egibs <[email protected]>

* Clean up version string

Signed-off-by: egibs <[email protected]>

* Add separate analyze command for displaying all rule matches

Signed-off-by: egibs <[email protected]>

* Appease the linter

Signed-off-by: egibs <[email protected]>

* Scan flag is not needed

Signed-off-by: egibs <[email protected]>

* Filter out < 3 risk scores when running a scan

Signed-off-by: egibs <[email protected]>

* Severity -> risk

Signed-off-by: egibs <[email protected]>

* Only require flags for analyzing/scanning images

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
Signed-off-by: Evan Gibler <[email protected]>