chainguard-dev · tstromberg · Oct 8, 2024 · Oct 7, 2024 · Oct 7, 2024 · Oct 7, 2024
diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
@@ -1,4 +1,4 @@
 // Copyright 2024 Chainguard, Inc.
 // SPDX-License-Identifier: Apache-2.0

 package compile
@@ -59,6 +59,9 @@
 	"Windows_API_Function": true,
 	// TTC-CERT
 	"cve_202230190_html_payload": true,
+	// JPCERT
+	"malware_PlugX_config": true,
+	"malware_shellcode_hash": true,
 }
 
 // rulesWithWarnings determines what to do with rules that have known warnings: true=keep, false=disable.

diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -652,6 +652,9 @@ func handleOverrides(original, override []*malcontent.Behavior) []*malcontent.Be
 		if b, exists := behaviorMap[o.Override]; exists {
 			b.RiskLevel = o.RiskLevel
 			b.RiskScore = o.RiskScore
+
+			// Delete the override rule from the behavior map
+			delete(behaviorMap, o.RuleName)
 		}
 	}
 

diff --git a/rules/combo/dropper/shell.yara b/rules/combo/dropper/shell.yara
@@ -40,7 +40,7 @@ rule curl_chmod_relative_run_tiny : critical {
     filesize < 6KB and all of them
 }
 
-rule curl_tor_chmod_relative_run : critical {
+rule curl_tor_chmod_relative_run : high {
   meta:
     description = "change dir, fetch file via tor, make it executable, and run it"
     hash_2024_Downloads_4ba700b0e86da21d3dcd6b450893901c252bf817bd8792548fc8f389ee5aec78 = "fd3e21b8e2d8acf196cb63a23fc336d7078e72c2c3e168ee7851ea2bef713588"
@@ -55,8 +55,10 @@ rule curl_tor_chmod_relative_run : critical {
     $curl = /curl [\-\w \$\@\{\w\/\.\:]{0,96}/
     $chmod = /chmod [\+\-\w \$\@\{\w\/\.]{0,64}/
     $dot_slash = /\.\/[a-z]{1,2}[a-z\.\/\- ]{0,32}/ fullword
+
+  $not_go = "listen.onionndots"
   condition:
-     any of ($tor*) and $cd and $curl and $chmod and $dot_slash
+     any of ($tor*) and $cd and $curl and $chmod and $dot_slash and filesize < 1MB and none of ($not*)
 }
 
 
@@ -167,4 +169,4 @@ rule obsessive_dropper : critical {
 		$cmd_chmod = "chmod" fullword
 	condition:
 		filesize < 768 and any of ($http*) and 2 of ($tool*) and any of ($cmd*)
-}
+}
diff --git a/rules/false_positives/clickhouse.yara b/rules/false_positives/clickhouse.yara
diff --git a/rules/false_positives/datadog.yara b/rules/false_positives/datadog.yara
@@ -1,8 +1,7 @@
 rule ddtrace_rules_json : override {
   meta:
     description = "appsec/rules.json"
-    linux_multi_persist = "high"
-    original_severity = "critical"
+    linux_multi_persist = "medium"
   strings:
     $datadog = /[Dd]atadog/
     $datadog_generic = /[Dd]atadog \w{0,32}/

diff --git a/rules/false_positives/k8s_dashboard.yara b/rules/false_positives/k8s_dashboard.yara
@@ -1,7 +1,6 @@
 rule mode_php_js : override {
   meta:
     description = "mode-php.js, mode-php_laravel_blade.js"
-    original_severity = "critical"
     php_executor = "high"
   strings:
     $ace_define = "ace.define"
@@ -12,5 +11,5 @@ rule mode_php_js : override {
     $php_worker = "ace/mode/php_worker"
     $php_worker2 = "PhpWorker"
   condition:
-    all of ($ace*) and ($mode_php_laravel_blade or $php_worker) and $php_worker2
+    6 of them
 }
diff --git a/rules/false_positives/kuma_cp.yara b/rules/false_positives/kuma_cp.yara
diff --git a/rules/false_positives/melange.yara b/rules/false_positives/melange.yara
diff --git a/rules/false_positives/nvim.yara b/rules/false_positives/nvim.yara
@@ -1,8 +1,7 @@
 rule nvim_binary : override {
   meta:
     description = "nvim"
-    linux_multi_persist = "high"
-    original_severity = "critical"
+    linux_multi_persist = "medium"
   strings:
     $nvim_generic = /nvim_\w{0,32}/
     $nvim_path = "/home/build/src/nvim"

diff --git a/rules/false_positives/pulumi.yara b/rules/false_positives/pulumi.yara
diff --git a/rules/false_positives/rancher.yara b/rules/false_positives/rancher.yara
@@ -1,8 +1,7 @@
-rule pull_script : override {
+rule pull_scripts : override {
   meta:
-    curl_chmod_relative_run_tiny = "high"
-    description = "pull-script"
-    original_severity = "critical"
+    curl_chmod_relative_run_tiny = "medium"
+    description = "pull-scripts"
   strings:
     $binary = "BINARY_NAME=\"charts-build-scripts_${OS}_${ARCH}.exe\""
     $chmod = "chmod +x ./bin/charts-build-scripts"

diff --git a/rules/false_positives/tensorflow_model_analysis.yara b/rules/false_positives/tensorflow_model_analysis.yara
@@ -1,8 +1,7 @@
 rule tfjs_predict_extractor_util : override {
   meta:
     description = "tfjs_predict_extractor_util.py"
-    original_severity = "critical"
-    py_dropper_chmod = "high"
+    py_dropper_chmod = "medium"
   strings:
     $copyright_google = "# Copyright 2019 Google LLC"
     $subprocess_chmod = "subprocess.check_call(['chmod', '+x', path])"

diff --git a/rules/false_positives/trivy.yara b/rules/false_positives/trivy.yara
@@ -1,8 +1,7 @@
 rule trivy_binary : override {
   meta:
-    curl_tor_chmod_relative_run = "high"
+    curl_tor_chmod_relative_run = "medium"
     description = "trivy"
-    original_severity = "critical"
   strings:
     $aqua_security_trivy = "aquasecurity:trivy"
     $trivy_install = "# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh"

diff --git a/rules/false_positives/vitess.yara b/rules/false_positives/vitess.yara
@@ -1,8 +1,7 @@
 rule vitess : override {
   meta:
-    linux_multi_persist = "high"
+    linux_multi_persist = "medium"
     description = "vitess"
-    original_severity = "critical"
   strings:
     $issue = "This error should not happen and is a bug. Please file an issue on GitHub: https://github.com/vitessio/vitess/issues/new/choose"
     $vitess = "vitess"

diff --git a/rules/false_positives/wolfictl.yara b/rules/false_positives/wolfictl.yara
diff --git a/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple b/test_data/javascript/clean/5A50D54796BB27126E03A7E25DD5D589.cache.js.simple
@@ -20,7 +20,6 @@ env/LANG
 env/TEMP
 env/USER
 evasion/base64/decode
-evasion/int_to_char
 evasion/unusual_include
 exec/cmd
 exec/program

diff --git a/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple b/test_data/javascript/clean/5D3EB8D016DDDA0665CB8CD8EEA6C537.cache.js.simple
@@ -19,7 +19,6 @@ env/HOME
 env/TEMP
 env/USER
 evasion/base64/decode
-evasion/int_to_char
 evasion/unusual_include
 exec/cmd
 exec/program

diff --git a/test_data/javascript/clean/napi_rs_runtime.js.simple b/test_data/javascript/clean/napi_rs_runtime.js.simple
@@ -4,7 +4,6 @@ data/embedded/base64/url
 encoding/base64
 encoding/json/decode
 encoding/json/encode
-evasion/int_to_char
 fd/write
 fs/directory/create
 fs/directory/list

diff --git a/test_data/javascript/clean/securityDashboards.plugin.js.simple b/test_data/javascript/clean/securityDashboards.plugin.js.simple
@@ -10,7 +10,6 @@ databases/mysql
 encoding/base64
 encoding/json/decode
 encoding/json/encode
-evasion/int_to_char
 evasion/xor/commands
 fs/link/create
 fs/lock/update

diff --git a/test_data/linux/clean/appsec-rules.json.simple b/test_data/linux/clean/appsec-rules.json.simple
@@ -15,7 +15,6 @@ databases/sqlite
 device/hardware/enumeration
 encoding/base64
 evasion/base64/decode
-evasion/int_to_char
 exec/shell_command
 fs/fifo/create
 fs/file/times/set

diff --git a/test_data/linux/clean/chezmoi.simple b/test_data/linux/clean/chezmoi.simple
@@ -41,7 +41,6 @@ env/TMPDIR
 env/USER
 env/get
 evasion/content/length/0
-evasion/int_to_char
 evasion/xor/commands
 exec/cmd
 exec/program

diff --git a/test_data/linux/clean/clickhouse.simple b/test_data/linux/clean/clickhouse.simple
@@ -43,12 +43,10 @@ env/TERM
 env/TMPDIR
 env/USER
 evasion/base64/decode
-evasion/int_to_char
 exec/cmd
 exec/program
 exec/program/background
 exec/shell_echo
-false_positives/clickhouse
 fd/epoll
 fd/read
 fs/directory/create

diff --git a/test_data/linux/clean/default_config.json.simple b/test_data/linux/clean/default_config.json.simple
@@ -16,7 +16,6 @@ databases/sqlite
 device/hardware/enumeration
 encoding/base64
 evasion/base64/decode
-evasion/int_to_char
 exec/shell_command
 fs/fifo/create
 fs/file/times/set