New false positive rules

pkg/action/scan.go

@@ -211,7 +211,7 @@ func cachedRules(ctx context.Context, fss []fs.FS) (*yara.Rules, error) {
 
 // recursiveScan recursively YARA scans the configured paths - handling archives and OCI images.
 //
-//nolint:gocognit // ignoring complexity of 101 > 98
+//nolint:gocognit,cyclop // ignoring complexity of 101,38
 func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report, error) {
 	logger := clog.FromContext(ctx)
 	logger.Debug("recursive scan", slog.Any("config", c))
@@ -225,7 +225,9 @@ func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report
 	var scanPathFindings sync.Map
 
 	for _, scanPath := range c.ScanPaths {
-		c.Renderer.Scanning(ctx, scanPath)
+		if c.Renderer != nil {
+			c.Renderer.Scanning(ctx, scanPath)
+		}
 		logger.Debug("recursive scan", slog.Any("scanPath", scanPath))
 		imageURI := ""
 		ociExtractPath := ""

pkg/report/report.go

@@ -652,6 +652,9 @@ func handleOverrides(original, override []*malcontent.Behavior) []*malcontent.Be
 		if b, exists := behaviorMap[o.Override]; exists {
 			b.RiskLevel = o.RiskLevel
 			b.RiskScore = o.RiskScore
+
+			// Delete the override rule from the behavior after applying its severity to the original rule
+			delete(behaviorMap, o.RuleName)
 		}
 	}
 

rules/false_positives/clickhouse.yara

@@ -0,0 +1,15 @@
+rule clickhouse_binary : override {
+  meta:
+    malware_PlugX_config = "high"
+    description = "clickhouse"
+    original_severity = "critical"
+  strings:
+    $clickhouse_binary = "/usr/bin/clickhouse"
+    $clickhouse_client = "clickhouse-client"
+    $clickhouse_service = /clickhouse-\w{0,32}/ fullword
+    $clickhouse_server = "clickhouse-server"
+    $clickhouse_site = "https://clickhouse.com"
+    $usage = "Usage: ./clickhouse"
+  condition:
+    all of them
+}

rules/false_positives/datadog.yara

@@ -0,0 +1,12 @@
+rule ddtrace_rules_json : override {
+  meta:
+    description = "appsec/rules.json"
+    linux_multi_persist = "high"
+    original_severity = "critical"
+  strings:
+    $datadog = /[Dd]atadog/
+    $datadog_generic = /[Dd]atadog \w{0,32}/
+    $datadog_test_scanner = "Datadog test scanner"
+  condition:
+    all of them
+}

rules/false_positives/k8s_dashboard.yara

@@ -0,0 +1,16 @@
+rule mode_php_js : override {
+  meta:
+    description = "mode-php.js, mode-php_laravel_blade.js"
+    original_severity = "critical"
+    php_executor = "high"
+  strings:
+    $ace_define = "ace.define"
+    $ace_lib = "ace/lib"
+    $ace_mode = "ace/mode"
+    $ace_require = "ace.require"
+    $mode_php_laravel_blade = "ace/mode/php_laravel_blade"
+    $php_worker = "ace/mode/php_worker"
+    $php_worker2 = "PhpWorker"
+  condition:
+    all of ($ace*) and ($mode_php_laravel_blade or $php_worker) and $php_worker2
+}

rules/false_positives/kuma_cp.yara

@@ -0,0 +1,13 @@
+rule kuma_cp_binary : override {
+  meta:
+    description = "kuma-cp"
+    downgrade = "true"
+    malware_shellcode_hash = "high"
+    original_severity = "critical"
+  strings:
+    $kuma_cp = "kuma_cp"
+    $kuma_io = "kuma.io"
+    $kuma_repo = "github.com/kumahq/kuma"
+  condition:
+    all of them
+}

rules/false_positives/melange.yara

@@ -0,0 +1,14 @@
+rule melange_binary : override {
+  meta:
+    curl_tor_chmod_relative_run = "high"
+    description = "melange"
+    downgrade = "true"
+    original_severity = "critical"
+  strings:
+    $chainguard = "chainguard.dev"
+    $dev = "github.com/chainguard-dev"
+    $false_positive_string = "domaingophertelnetreturn.locallisten.onionndots:sendtoip"
+    $melange = "chainguard.dev/melange"
+  condition:
+    all of them
+}

rules/false_positives/nvim.yara

@@ -0,0 +1,11 @@
+rule nvim_binary : override {
+  meta:
+    description = "nvim"
+    linux_multi_persist = "high"
+    original_severity = "critical"
+  strings:
+    $nvim_generic = /nvim_\w{0,32}/
+    $nvim_path = "/home/build/src/nvim"
+  condition:
+    all of them
+}

rules/false_positives/pulumi.yara

@@ -0,0 +1,12 @@
+rule pulumi_binary : override {
+  meta:
+    description = "pulumi"
+    malware_shellcode_hash = "high"
+    original_severity = "critical"
+  strings:
+    $author = ".Package.Publisher \"Pulumi Corp.\""
+    $pulumi = "github.com/pulumi"
+    $pulumi_repo = "github.com/pulumi/pulumi"
+  condition:
+    all of them
+}

rules/false_positives/rancher.yara

@@ -0,0 +1,14 @@
+rule pull_script : override {
+  meta:
+    curl_chmod_relative_run_tiny = "high"
+    description = "pull-script"
+    original_severity = "critical"
+  strings:
+    $binary = "BINARY_NAME=\"charts-build-scripts_${OS}_${ARCH}.exe\""
+    $chmod = "chmod +x ./bin/charts-build-scripts"
+    $echo1 = "echo \"Downloading charts-build-scripts version ${CHARTS_BUILD_SCRIPTS_REPO}@${CHARTS_BUILD_SCRIPT_VERSION}\""
+    $echo2 = "echo \"${BINARY_NAME} => ./bin/charts-build-scripts\""
+    $version_cmd = "./bin/charts-build-scripts --version"
+  condition:
+    all of them
+}

rules/false_positives/tensorflow_model_analysis.yara

@@ -0,0 +1,14 @@
+rule tfjs_predict_extractor_util : override {
+  meta:
+    description = "tfjs_predict_extractor_util.py"
+    original_severity = "critical"
+    py_dropper_chmod = "high"
+  strings:
+    $copyright_google = "# Copyright 2019 Google LLC"
+    $subprocess_chmod = "subprocess.check_call(['chmod', '+x', path])"
+    $tfjs_predict_extractor = "Utilities for tfjs_predict_extractor."
+    $tfjs_url_linux = "http://storage.googleapis.com/tfjs-inference/tfjs-inference-linux"
+    $tfjs_url_macos = "http://storage.googleapis.com/tfjs-inference/tfjs-inference-macos"
+  condition:
+    all of them
+}

rules/false_positives/trivy.yara

@@ -0,0 +1,12 @@
+rule trivy_binary : override {
+  meta:
+    curl_tor_chmod_relative_run = "high"
+    description = "trivy"
+    original_severity = "critical"
+  strings:
+    $aqua_security_trivy = "aquasecurity:trivy"
+    $trivy_install = "# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh"
+    $trivy_repo = "github.com/aquasecurity/trivy"
+  condition:
+    all of them
+}

rules/false_positives/vitess.yara

@@ -0,0 +1,13 @@
+rule vitess : override {
+  meta:
+    linux_multi_persist = "high"
+    description = "vitess"
+    original_severity = "critical"
+  strings:
+    $issue = "This error should not happen and is a bug. Please file an issue on GitHub: https://github.com/vitessio/vitess/issues/new/choose"
+    $vitess = "vitess"
+    $vitess_io = "vitess.io"
+    $vitess_repo = "https://github.com/vitessio"
+  condition:
+    all of them
+}

rules/false_positives/wolfictl.yara

@@ -0,0 +1,14 @@
+rule wolfictl_binary : override {
+  meta:
+    curl_tor_chmod_relative_run = "high"
+    description = "wolfictl"
+    original_severity = "critical"
+  strings:
+    $chainguard = "chainguard.dev"
+    $false_positive_string = "domaingophertelnetreturn.locallisten.onionndots:sendtoip"
+    $wolfi = "github.com/wolfi-dev"
+    $wolfictl_repo = "github.com/wolfi-dev/wolfictl"
+    $wolfictl = "wolf-dev/wolfictl"
+  condition:
+    all of them
+}

test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple

@@ -26,6 +26,7 @@ exec/cmd
 exec/program
 exec/program/background
 exec/shell_command
+false_positives/k8s_dashboard
 fd/read
 fs/directory/create
 fs/directory/remove

test_data/javascript/clean/mode-php.js.simple

@@ -0,0 +1,65 @@
+# javascript/clean/mode-php.js
+combo/backdoor/php
+combo/net/tunnel_proxy
+compression/bzip2
+compression/gzip
+databases/mysql
+databases/sqlite
+encoding/base64
+encoding/reverse
+env/USER
+evasion/base64/decode
+exec/program
+exec/program/background
+exec/shell_command
+fs/directory/create
+fs/directory/remove
+fs/fifo/create
+fs/file/delete
+fs/file/delete/forcibly
+fs/file/truncate
+fs/link/read
+fs/lock/update
+fs/node/create
+fs/permission/modify
+fs/symlink/resolve
+fs/watch
+hash/md5
+kernel/acct
+kernel/hostname/get
+kernel/platform
+net/fetch
+net/hostname/resolve
+net/hostport/parse
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/ip/parse
+net/ip/resolve
+net/ip/string
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/upload
+net/url/encode
+process/chroot
+process/effective/groupid/get
+process/groupid/set
+process/parent_pid/get
+process/userid/set
+process/username/get
+random/insecure
+ref/daemon
+ref/ip_port
+ref/path/etc
+ref/path/hidden
+ref/site/url
+ref/words/agent
+ref/words/password
+ref/words/plugin
+ref/words/spoof
+secrets/private_key
+tty/pathname

test_data/javascript/clean/mode-php_laravel_blade.js.simple

@@ -0,0 +1,65 @@
+# javascript/clean/mode-php_laravel_blade.js
+combo/backdoor/php
+combo/net/tunnel_proxy
+compression/bzip2
+compression/gzip
+databases/mysql
+databases/sqlite
+encoding/base64
+encoding/reverse
+env/USER
+evasion/base64/decode
+exec/program
+exec/program/background
+exec/shell_command
+fs/directory/create
+fs/directory/remove
+fs/fifo/create
+fs/file/delete
+fs/file/delete/forcibly
+fs/file/truncate
+fs/link/read
+fs/lock/update
+fs/node/create
+fs/permission/modify
+fs/symlink/resolve
+fs/watch
+hash/md5
+kernel/acct
+kernel/hostname/get
+kernel/platform
+net/fetch
+net/hostname/resolve
+net/hostport/parse
+net/http/cookies
+net/http/form/upload
+net/http/post
+net/ip/parse
+net/ip/resolve
+net/ip/string
+net/socket/connect
+net/socket/listen
+net/socket/local/address
+net/socket/peer/address
+net/socket/receive
+net/socket/send
+net/upload
+net/url/encode
+process/chroot
+process/effective/groupid/get
+process/groupid/set
+process/parent_pid/get
+process/userid/set
+process/username/get
+random/insecure
+ref/daemon
+ref/ip_port
+ref/path/etc
+ref/path/hidden
+ref/site/url
+ref/words/agent
+ref/words/password
+ref/words/plugin
+ref/words/spoof
+secrets/private_key
+tty/pathname

test_data/linux/2022.Symbiote/kerneldev.so.bkp.simple

@@ -1,6 +1,5 @@
 # linux/2022.Symbiote/kerneldev.so.bkp
 3P/threat_hunting/keylogger
-combo/stealer/pam
 dylib/symbol/address
 evasion/process/hide
 fs/link/read

test_data/linux/2024.Kaiji/eight-nebraska-autumn-illinois.simple

@@ -2,7 +2,6 @@
 3P/elastic/threat
 combo/backdoor/kill_rm
 combo/botnet/systemctl
-combo/dropper/binary
 combo/dropper/shell
 combo/stealer/linux_server
 combo/stealer/ssh

test_data/linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72.simple

@@ -1,7 +1,6 @@
 # linux/2024.clobber_xmrig/cba8d79949adc3c56c02fee56644f4084b7471bc5aed1c81803054f017240a72
 3P/elastic/threat
 3P/threat_hunting/xmrig
-combo/stealer/pam
 compression/gzip
 crypto/aes
 crypto/ecdsa