Ignore bincapz findings by default (chainguard-dev#167)

Signed-off-by: Evan Gibler <[email protected]>

bincapz.go

@@ -20,18 +20,19 @@ import (
 )
 
 func main() {
+	allFlag := flag.Bool("all", false, "Ignore nothing, show all")
+	diffFlag := flag.Bool("diff", false, "show capability drift between two files")
 	formatFlag := flag.String("format", "terminal", "Output type. Valid values are: json, markdown, simple, terminal, yaml")
+	ignoreSelfFlag := flag.Bool("ignore-self", true, "ignore the bincapz repository")
 	ignoreTagsFlag := flag.String("ignore-tags", "", "Rule tags to ignore")
-	minLevelFlag := flag.Int("min-level", 1, "minimum risk level to show results for (1=low, 2=medium, 3=high, 4=critical)")
+	includeDataFilesFlag := flag.Bool("data-files", false, "include files that are detected to as non-program (binary or source) files")
 	minFileLevelFlag := flag.Int("min-file-level", 0, "only show results for files that meet this risk level (1=low, 2=medium, 3=high, 4=critical)")
-	thirdPartyFlag := flag.Bool("third-party", false, "include third-party rules, which may have licensing restrictions")
+	minLevelFlag := flag.Int("min-level", 1, "minimum risk level to show results for (1=low, 2=medium, 3=high, 4=critical)")
+	ociFlag := flag.Bool("oci", false, "scan an OCI image")
 	omitEmptyFlag := flag.Bool("omit-empty", false, "omit files that contain no matches")
-	includeDataFilesFlag := flag.Bool("data-files", false, "include files that are detected to as non-program (binary or source) files")
-	diffFlag := flag.Bool("diff", false, "show capability drift between two files")
-	allFlag := flag.Bool("all", false, "Ignore nothing, show all")
 	statsFlag := flag.Bool("stats", false, "show statistics about the scan")
+	thirdPartyFlag := flag.Bool("third-party", true, "include third-party rules, which may have licensing restrictions")
 	verboseFlag := flag.Bool("verbose", false, "emit verbose logging messages to stderr")
-	ociFlag := flag.Bool("oci", false, "scan an OCI image")
 
 	flag.Parse()
 	args := flag.Args()
@@ -75,15 +76,16 @@ func main() {
 	}
 
 	bc := action.Config{
-		Rules:            yrs,
-		ScanPaths:        args,
+		IgnoreSelf:       *ignoreSelfFlag,
 		IgnoreTags:       ignoreTags,
-		OmitEmpty:        *omitEmptyFlag,
-		MinResultScore:   minLevel,
-		MinFileScore:     *minFileLevelFlag,
 		IncludeDataFiles: includeDataFiles,
-		Renderer:         renderer,
+		MinFileScore:     *minFileLevelFlag,
+		MinResultScore:   minLevel,
 		OCI:              *ociFlag,
+		OmitEmpty:        *omitEmptyFlag,
+		Renderer:         renderer,
+		Rules:            yrs,
+		ScanPaths:        args,
 		Stats:            stats,
 	}
 

pkg/action/action.go

@@ -11,15 +11,16 @@ import (
 )
 
 type Config struct {
-	Rules            *yara.Rules
-	ScanPaths        []string
+	IgnoreSelf       bool
 	IgnoreTags       []string
-	MinResultScore   int
+	IncludeDataFiles bool
 	MinFileScore     int
+	MinResultScore   int
+	OCI              bool
 	OmitEmpty        bool
-	IncludeDataFiles bool
-	Renderer         render.Renderer
 	Output           io.Writer
-	OCI              bool
+	Renderer         render.Renderer
+	Rules            *yara.Rules
+	ScanPaths        []string
 	Stats            bool
 }

pkg/action/scan.go

@@ -19,7 +19,7 @@ import (
 )
 
 // return a list of files within a path.
-func findFilesRecursively(ctx context.Context, root string) ([]string, error) {
+func findFilesRecursively(ctx context.Context, root string, c Config) ([]string, error) {
 	clog.FromContext(ctx).Infof("finding files in %s ...", root)
 	files := []string{}
 
@@ -36,6 +36,17 @@ func findFilesRecursively(ctx context.Context, root string) ([]string, error) {
 			if strings.Contains(path, "/.git/") {
 				return nil
 			}
+			// Skip the bincapz directory if IgnoreSelf is true
+			if c.IgnoreSelf {
+				// we need the fully-qualified path here
+				fq, err := filepath.Abs(path)
+				if err != nil {
+					return err
+				}
+				if strings.Contains(fq, "bincapz") {
+					return nil
+				}
+			}
 			files = append(files, path)
 			return nil
 		})
@@ -110,7 +121,7 @@ func recursiveScan(ctx context.Context, c Config) (*bincapz.Report, error) {
 			}
 		}
 
-		rp, err := findFilesRecursively(ctx, sp)
+		rp, err := findFilesRecursively(ctx, sp, c)
 		if err != nil {
 			return nil, fmt.Errorf("find files: %w", err)
 		}

rules/bincapz/bincapz.yar

@@ -0,0 +1,8 @@
+rule bincapz_path : harmless {
+    meta:
+        description = "path reference containing bincapz binary"
+    strings:
+        $path = "bincapz"
+    condition:
+        none of them
+}

samples/samples_test.go

@@ -65,10 +65,11 @@ func TestJSON(t *testing.T) {
 				t.Fatalf("render: %v", err)
 			}
 			bc := action.Config{
-				ScanPaths:  []string{binPath},
+				IgnoreSelf: false,
 				IgnoreTags: []string{"harmless"},
 				Renderer:   render,
 				Rules:      yrs,
+				ScanPaths:  []string{binPath},
 			}
 
 			tcLogger := clog.FromContext(ctx).With("test", name)
@@ -123,10 +124,11 @@ func TestSimple(t *testing.T) {
 			}
 
 			bc := action.Config{
-				ScanPaths:  []string{binPath},
+				IgnoreSelf: false,
 				IgnoreTags: []string{"harmless"},
 				Renderer:   simple,
 				Rules:      yrs,
+				ScanPaths:  []string{binPath},
 			}
 
 			tcLogger := clog.FromContext(ctx).With("test", name)
@@ -190,12 +192,13 @@ func TestDiff(t *testing.T) {
 			}
 
 			bc := action.Config{
-				ScanPaths:      []string{tc.src, tc.dest},
+				IgnoreSelf:     false,
 				IgnoreTags:     []string{"harmless"},
+				MinFileScore:   tc.minFileScore,
+				MinResultScore: tc.minResultScore,
 				Renderer:       simple,
 				Rules:          yrs,
-				MinResultScore: tc.minResultScore,
-				MinFileScore:   tc.minFileScore,
+				ScanPaths:      []string{tc.src, tc.dest},
 			}
 
 			logger := clog.New(slog.Default().Handler()).With("src", tc.src)
@@ -253,10 +256,11 @@ func TestMarkdown(t *testing.T) {
 			}
 
 			bc := action.Config{
-				ScanPaths:  []string{binPath},
+				IgnoreSelf: false,
 				IgnoreTags: []string{"harmless"},
 				Renderer:   simple,
 				Rules:      yrs,
+				ScanPaths:  []string{binPath},
 			}
 
 			tcLogger := clog.FromContext(ctx).With("test", name)