From 008ff73d342301fdcd5287b3e55aa3719c0002ce Mon Sep 17 00:00:00 2001
From: Evan Gibler
Date: Thu, 2 May 2024 11:18:14 -0500
Subject: [PATCH] Ignore bincapz findings by default (#167)
Signed-off-by: Evan Gibler
---
bincapz.go | 26 ++++++++++++++------------
pkg/action/action.go | 13 +++++++------
pkg/action/scan.go | 15 +++++++++++++--
rules/bincapz/bincapz.yar | 8 ++++++++
samples/samples_test.go | 16 ++++++++++------
5 files changed, 52 insertions(+), 26 deletions(-)
create mode 100644 rules/bincapz/bincapz.yar
diff --git a/bincapz.go b/bincapz.go
index e3e87ca3..f63fe627 100644
--- a/bincapz.go
+++ b/bincapz.go
@@ -20,18 +20,19 @@ import ( ) func main() { + allFlag := flag.Bool("all", false, "Ignore nothing, show all") + diffFlag := flag.Bool("diff", false, "show capability drift between two files") formatFlag := flag.String("format", "terminal", "Output type. Valid values are: json, markdown, simple, terminal, yaml") + ignoreSelfFlag := flag.Bool("ignore-self", true, "ignore the bincapz repository") ignoreTagsFlag := flag.String("ignore-tags", "", "Rule tags to ignore") - minLevelFlag := flag.Int("min-level", 1, "minimum risk level to show results for (1=low, 2=medium, 3=high, 4=critical)") + includeDataFilesFlag := flag.Bool("data-files", false, "include files that are detected to as non-program (binary or source) files") minFileLevelFlag := flag.Int("min-file-level", 0, "only show results for files that meet this risk level (1=low, 2=medium, 3=high, 4=critical)") - thirdPartyFlag := flag.Bool("third-party", false, "include third-party rules, which may have licensing restrictions") + minLevelFlag := flag.Int("min-level", 1, "minimum risk level to show results for (1=low, 2=medium, 3=high, 4=critical)") + ociFlag := flag.Bool("oci", false, "scan an OCI image") omitEmptyFlag := flag.Bool("omit-empty", false, "omit files that contain no matches") - includeDataFilesFlag := flag.Bool("data-files", false, "include files that are detected to as non-program (binary or source) files") - diffFlag := flag.Bool("diff", false, "show capability drift between two files") - allFlag := flag.Bool("all", false, "Ignore nothing, show all") statsFlag := flag.Bool("stats", false, "show statistics about the scan") + thirdPartyFlag := flag.Bool("third-party", true, "include third-party rules, which may have licensing restrictions") verboseFlag := flag.Bool("verbose", false, "emit verbose logging messages to stderr") - ociFlag := flag.Bool("oci", false, "scan an OCI image") flag.Parse() args := flag.Args() 
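Review bot: The `third-party` default is flipped from `false` to `true` in the flag hunk, a behaviour change that neither the commit subject ("Ignore bincapz findings by default") nor the diffstat description calls out, and the help text still warns that those rules "may have licensing restrictions". A user upgrading now loads the third-party rule set without opting in, and the only way to learn that is to read the source. Either keep the previous default or make the new one visible in the commit message and in the help string, e.g. `thirdPartyFlag := flag.Bool("third-party", true, "include third-party rules, which may have licensing restrictions (enabled by default; pass -third-party=false to disable)")`. The body of main continues beyond this hunk.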
@@ -75,15 +76,16 @@ func main() { } bc := action.Config{ - Rules: yrs, - ScanPaths: args, + IgnoreSelf: *ignoreSelfFlag, IgnoreTags: ignoreTags, - OmitEmpty: *omitEmptyFlag, - MinResultScore: minLevel, - MinFileScore: *minFileLevelFlag, IncludeDataFiles: includeDataFiles, - Renderer: renderer, + MinFileScore: *minFileLevelFlag, + MinResultScore: minLevel, OCI: *ociFlag, + OmitEmpty: *omitEmptyFlag, + Renderer: renderer, + Rules: yrs, + ScanPaths: args, Stats: stats, } diff --git a/pkg/action/action.go b/pkg/action/action.go index 2d76ce0f..b2fd8c5f 100644 --- a/pkg/action/action.go +++ b/pkg/action/action.go @@ -11,15 +11,16 @@ import ( ) type Config struct { - Rules *yara.Rules - ScanPaths []string + IgnoreSelf bool IgnoreTags []string - MinResultScore int + IncludeDataFiles bool MinFileScore int + MinResultScore int + OCI bool OmitEmpty bool - IncludeDataFiles bool - Renderer render.Renderer Output io.Writer - OCI bool + Renderer render.Renderer + Rules *yara.Rules + ScanPaths []string Stats bool } diff --git a/pkg/action/scan.go b/pkg/action/scan.go index fa5dfb7c..1b729790 100644 --- a/pkg/action/scan.go +++ b/pkg/action/scan.go @@ -19,7 +19,7 @@ import ( ) // return a list of files within a path. -func findFilesRecursively(ctx context.Context, root string) ([]string, error) { +func findFilesRecursively(ctx context.Context, root string, c Config) ([]string, error) { clog.FromContext(ctx).Infof("finding files in %s ...", root) files := []string{} @@ -36,6 +36,17 @@ func findFilesRecursively(ctx context.Context, root string) ([]string, error) { if strings.Contains(path, "/.git/") { return nil } + // Skip the bincapz directory if IgnoreSelf is true + if c.IgnoreSelf { + // we need the fully-qualified path here + fq, err := filepath.Abs(path) + if err != nil { + return err + } + if strings.Contains(fq, "bincapz") { + return nil + } + } files = append(files, path) return nil }) 
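Review bot: `IgnoreSelf` is added to the exported `Config` struct in pkg/action/action.go without a doc comment, so a library caller cannot tell what "self" refers to or that the CLI enables it by default while the struct's zero value disables it. Based on the scan.go hunk in this commit, the field causes the recursive file walk to drop any file whose absolute path contains the substring "bincapz". Suggest `// IgnoreSelf drops files whose absolute path contains "bincapz" from recursive scans; the bincapz CLI sets it to true by default.` above the field, and a sentence on the struct itself if one is ever added.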
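Review bot: The new `strings.Contains(fq, "bincapz")` check in findFilesRecursively skips every file whose absolute path contains that substring anywhere, not "the bincapz repository" as the `-ignore-self` help text says, and since the flag defaults to true this is a silent scan gap: anything under a directory or filename that happens to contain "bincapz" (a download folder, a sample named after the tool, a path element like "notbincapz") is never scanned and nothing is logged. For a capability scanner a default-on exclusion that keys on a substring of user-controlled paths is a false-negative risk rather than a convenience. The minimal tightening is to match a whole path element instead of a substring, shown below; a better fix is to derive one concrete root to exclude (for example the absolute path of the checkout that contains the running binary) and compare against that prefix. Separately, `filepath.Abs` runs once per visited file; if the walk is rooted at an absolute path every `path` it yields is already absolute, so resolving `root` once before the walk would do — the walk call itself sits outside this hunk, as does the callback signature, so confirm against the surrounding code.
```go
		// Skip the bincapz directory if IgnoreSelf is true
		if c.IgnoreSelf {
			// we need the fully-qualified path here
			fq, err := filepath.Abs(path)
			if err != nil {
				return err
			}
			// match a whole path element, never an arbitrary substring of the path
			for _, elem := range strings.Split(fq, string(filepath.Separator)) {
				if elem == "bincapz" {
					return nil
				}
			}
		}
		// … unchanged: files = append(files, path); return nil …
```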
@@ -110,7 +121,7 @@ func recursiveScan(ctx context.Context, c Config) (*bincapz.Report, error) { } } - rp, err := findFilesRecursively(ctx, sp) + rp, err := findFilesRecursively(ctx, sp, c) if err != nil { return nil, fmt.Errorf("find files: %w", err) } diff --git a/rules/bincapz/bincapz.yar b/rules/bincapz/bincapz.yar new file mode 100644 index 00000000..40885929 --- /dev/null +++ b/rules/bincapz/bincapz.yar @@ -0,0 +1,8 @@ +rule bincapz_path : harmless { + meta: + description = "path reference containing bincapz binary" + strings: + $path = "bincapz" + condition: + none of them +} diff --git a/samples/samples_test.go b/samples/samples_test.go index f53cc231..aba2ac5c 100644 --- a/samples/samples_test.go +++ b/samples/samples_test.go @@ -65,10 +65,11 @@ func TestJSON(t *testing.T) { t.Fatalf("render: %v", err) } bc := action.Config{ - ScanPaths: []string{binPath}, + IgnoreSelf: false, IgnoreTags: []string{"harmless"}, Renderer: render, Rules: yrs, + ScanPaths: []string{binPath}, } tcLogger := clog.FromContext(ctx).With("test", name) @@ -123,10 +124,11 @@ func TestSimple(t *testing.T) { } bc := action.Config{ - ScanPaths: []string{binPath}, + IgnoreSelf: false, IgnoreTags: []string{"harmless"}, Renderer: simple, Rules: yrs, + ScanPaths: []string{binPath}, } tcLogger := clog.FromContext(ctx).With("test", name) @@ -190,12 +192,13 @@ func TestDiff(t *testing.T) { } bc := action.Config{ - ScanPaths: []string{tc.src, tc.dest}, + IgnoreSelf: false, IgnoreTags: []string{"harmless"}, + MinFileScore: tc.minFileScore, + MinResultScore: tc.minResultScore, Renderer: simple, Rules: yrs, - MinResultScore: tc.minResultScore, - MinFileScore: tc.minFileScore, + ScanPaths: []string{tc.src, tc.dest}, } logger := clog.New(slog.Default().Handler()).With("src", tc.src) 
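Review bot: The condition `none of them` in the new rules/bincapz/bincapz.yar inverts the rule: `bincapz_path` fires on every file that does not contain the string "bincapz" and never on a file that does, the opposite of its description "path reference containing bincapz binary". Because the samples tests in this same commit pass `IgnoreTags: []string{"harmless"}`, the inverted match is filtered out there and would not surface in CI. Unless the inversion is intentional, the condition should read `any of them` (or simply `$path`), and a one-line comment above the rule stating that it exists so bincapz's own artifacts can be tagged as harmless would make the intent reviewable.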
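Review bot: `IgnoreSelf: false` is spelled out in the TestJSON config literal even though it is the zero value, and the same explicit line appears in TestSimple and TestDiff here and in TestMarkdown in the next hunk; without a comment a later reader may "clean it up" and drop it. The reason appears to be that the sample fixtures live inside the bincapz checkout and would otherwise be excluded by the new path check in scan.go — that is inferred, not visible in these hunks, so confirm it. If so, annotate the first occurrence with `IgnoreSelf: false, // fixtures live inside the bincapz checkout; the default exclusion would skip them` and leave the others bare or refer to it.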
@@ -253,10 +256,11 @@ func TestMarkdown(t *testing.T) { } bc := action.Config{ - ScanPaths: []string{binPath}, + IgnoreSelf: false, IgnoreTags: []string{"harmless"}, Renderer: simple, Rules: yrs, + ScanPaths: []string{binPath}, } tcLogger := clog.FromContext(ctx).With("test", name)