From a154e050a2ff3a4229782ca6f2d87c9ad131363c Mon Sep 17 00:00:00 2001 From: Evan Gibler <20933572+egibs@users.noreply.github.com> Date: Tue, 5 Nov 2024 11:38:19 -0600 Subject: [PATCH] Fix inconsistent path behaviors when running diffs (#581) * Fix inconsistent path behaviors when running diffs Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Refresh test data with new diff path parsing Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- pkg/action/diff.go | 115 +++++++++++------- .../freedownloadmanager.sdiff | 17 ++- test_data/linux/2024.sbcl.market/sbcl.sdiff | 41 ++++++- test_data/linux/clean/aws-c-io/aws-c-io.sdiff | 2 +- .../2023.3CX/libffmpeg.change_decrease.mdiff | Bin 23847 -> 39788 bytes .../2023.3CX/libffmpeg.change_increase.mdiff | Bin 23937 -> 39868 bytes .../2023.3CX/libffmpeg.change_unrelated.mdiff | 38 +++--- .../macOS/2023.3CX/libffmpeg.decrease.mdiff | Bin 0 -> 39788 bytes .../macOS/2023.3CX/libffmpeg.dirty.mdiff | Bin 23937 -> 39868 bytes .../macOS/2023.3CX/libffmpeg.increase.mdiff | Bin 23937 -> 39868 bytes .../libffmpeg.increase_unrelated.mdiff | 38 +++--- test_data/macOS/clean/ls.mdiff | 26 ++-- test_data/macOS/clean/ls.sdiff.level_2 | 3 +- test_data/macOS/clean/ls.sdiff.trigger_2 | 9 +- test_data/macOS/clean/ls.sdiff.trigger_3 | 10 ++ 15 files changed, 196 insertions(+), 103 deletions(-) diff --git a/pkg/action/diff.go b/pkg/action/diff.go index eecf0e1e1..b8cca290a 100644 --- a/pkg/action/diff.go +++ b/pkg/action/diff.go @@ -8,6 +8,7 @@ import ( "fmt" "log/slog" "math" + "os" "path/filepath" "regexp" "sync" @@ -32,7 +33,27 @@ func relFileReport(ctx context.Context, c malcontent.Config, fromPath string) (m if files.Value.Skipped != "" || files.Value.Error != "" { continue } - rel, err := filepath.Rel(fromPath, files.Value.Path) + // Evaluate symlinks to cover edge cases like macOS' /private/tmp -> /tmp symlink + // Also, remove any filenames to correctly determine the relative path + // Using "." and "." will show as modifications for completely unrelated files and paths + info, err := os.Stat(fromPath) + if err != nil { + return nil, fmt.Errorf("failed to stat file %s: %w", fromPath, err) + } + dir := filepath.Dir(fromPath) + var fromRoot string + if info.IsDir() { + fromRoot, err = filepath.EvalSymlinks(fromPath) + } else { + fromRoot, err = filepath.EvalSymlinks(dir) + } + if err != nil { + return nil, fmt.Errorf("failed to evaluate symlink for %s: %w", fromPath, err) + } + if fromRoot == "." { + fromRoot = fromPath + } + rel, err := filepath.Rel(fromRoot, files.Value.Path) if err != nil { return nil, fmt.Errorf("rel(%q,%q): %w", fromPath, files.Value.Path, err) } @@ -99,6 +120,52 @@ func processSrc(ctx context.Context, c malcontent.Config, src, dest map[string]* } } +func processDest(ctx context.Context, c malcontent.Config, from, to map[string]*malcontent.FileReport, d *malcontent.DiffReport) { + // findings that exist only in the destination + for relPath, tr := range to { + fr, exists := from[relPath] + if !exists { + d.Added.Set(relPath, tr) + continue + } + + fileDestination(ctx, c, fr, tr, relPath, d) + } +} + +func fileDestination(ctx context.Context, c malcontent.Config, fr, tr *malcontent.FileReport, relPath string, d *malcontent.DiffReport) { + // We've now established that this file exists in both source and destination + if fr.RiskScore < c.MinFileRisk && tr.RiskScore < c.MinFileRisk { + clog.FromContext(ctx).Info("diff does not meet min trigger level", slog.Any("path", tr.Path)) + return + } + + // Filter files that are marked as added + if filterDiff(ctx, c, fr, tr) { + return + } + + abs := createFileReport(tr, fr) + + // if destination behavior is not in the source + for _, tb := range tr.Behaviors { + if !behaviorExists(tb, fr.Behaviors) { + tb.DiffAdded = true + abs.Behaviors = append(abs.Behaviors, tb) + continue + } + } + + // are there already modified behaviors for this file? + rel, exists := d.Modified.Get(relPath) + if !exists { + d.Modified.Set(relPath, abs) + } else { + rel.Behaviors = append(rel.Behaviors, abs.Behaviors...) + d.Modified.Set(relPath, rel) + } +} + func handleFile(ctx context.Context, c malcontent.Config, fr, tr *malcontent.FileReport, relPath string, d *malcontent.DiffReport) { // We've now established that file exists in both source & destination if fr.RiskScore < c.MinFileRisk && tr.RiskScore < c.MinFileRisk { @@ -148,52 +215,6 @@ func behaviorExists(b *malcontent.Behavior, behaviors []*malcontent.Behavior) bo return false } -func processDest(ctx context.Context, c malcontent.Config, from, to map[string]*malcontent.FileReport, d *malcontent.DiffReport) { - // findings that exist only in the destination - for relPath, tr := range to { - fr, exists := from[relPath] - if !exists { - d.Added.Set(relPath, tr) - continue - } - - fileDestination(ctx, c, fr, tr, relPath, d) - } -} - -func fileDestination(ctx context.Context, c malcontent.Config, fr, tr *malcontent.FileReport, relPath string, d *malcontent.DiffReport) { - // We've now established that this file exists in both source and destination - if fr.RiskScore < c.MinFileRisk && tr.RiskScore < c.MinFileRisk { - clog.FromContext(ctx).Info("diff does not meet min trigger level", slog.Any("path", tr.Path)) - return - } - - // Filter files that are marked as added - if filterDiff(ctx, c, fr, tr) { - return - } - - abs := createFileReport(tr, fr) - - // if destination behavior is not in the source - for _, tb := range tr.Behaviors { - if !behaviorExists(tb, fr.Behaviors) { - tb.DiffAdded = true - abs.Behaviors = append(abs.Behaviors, tb) - } - } - - // are there already modified behaviors for this file? - if _, exists := d.Modified.Get(relPath); !exists { - d.Modified.Set(relPath, abs) - } else { - if rel, exists := d.Modified.Get(relPath); exists { - rel.Behaviors = append(rel.Behaviors, abs.Behaviors...) - d.Modified.Set(relPath, rel) - } - } -} - // filterMap filters orderedmap pairs by checking for matches against a slice of compiled regular expression patterns. func filterMap(om *orderedmap.OrderedMap[string, *malcontent.FileReport], ps []*regexp.Regexp, c chan<- *orderedmap.Pair[string, *malcontent.FileReport], wg *sync.WaitGroup) { defer wg.Done() diff --git a/test_data/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff b/test_data/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff index a6a60c09e..c5fa915f4 100644 --- a/test_data/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff +++ b/test_data/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff @@ -1,19 +1,34 @@ -*** changed: linux/2023.FreeDownloadManager/freedownloadmanager_infected_postinst +--- missing: freedownloadmanager_clear_postinst +-data/embedded/pgp_key +-exec/install_additional/add_apt_key +-exec/shell/ignore_output +-fs/path/etc +-fs/path/usr_bin +-net/download +-net/url/embedded +++++ added: freedownloadmanager_infected_postinst +3P/threat_hunting/touch +anti-static/base64/exec +anti-static/base64/http_agent +data/base64/external +data/embedded/base64_terms +data/embedded/base64_url ++data/embedded/pgp_key +data/encoding/base64 +evasion/hidden_files/var_tmp ++exec/install_additional/add_apt_key +exec/shell/exec ++exec/shell/ignore_output +fs/directory/create +fs/file/delete_forcibly +fs/file/make_executable +fs/file/times_set ++fs/path/etc +fs/path/tmp ++fs/path/usr_bin +fs/path/var +fs/permission/modify ++net/download ++net/url/embedded +persist/cron/echo_tab +persist/cron/tab diff --git a/test_data/linux/2024.sbcl.market/sbcl.sdiff b/test_data/linux/2024.sbcl.market/sbcl.sdiff index 2f69d0d75..07252357a 100644 --- a/test_data/linux/2024.sbcl.market/sbcl.sdiff +++ b/test_data/linux/2024.sbcl.market/sbcl.sdiff @@ -1,4 +1,43 @@ -*** changed: linux/2024.sbcl.market/sbcl.dirty +--- missing: sbcl.clean +-data/compression/zstd +-discover/user/HOME +-discover/user/USER +-evasion/hidden_files/var_tmp +-exec/dylib/address_check +-exec/dylib/symbol_address +-exec/program +-exec/program/background +-exec/shell/echo +-fs/file/delete +-fs/file/truncate +-fs/link_read +-fs/path/dev +-fs/path/tmp +-fs/path/var +-fs/permission/modify +-fs/proc/self_exe +-fs/symlink_resolve +-net/url/embedded +++++ added: sbcl.dirty +anti-static/packer/high_entropy ++data/compression/zstd +data/embedded/zstd ++discover/user/HOME ++discover/user/USER ++evasion/hidden_files/var_tmp ++exec/dylib/address_check ++exec/dylib/symbol_address ++exec/program ++exec/program/background ++exec/shell/echo ++fs/file/delete ++fs/file/truncate ++fs/link_read ++fs/path/dev ++fs/path/tmp ++fs/path/var ++fs/permission/modify ++fs/proc/self_exe ++fs/symlink_resolve +net/dns/txt ++net/url/embedded diff --git a/test_data/linux/clean/aws-c-io/aws-c-io.sdiff b/test_data/linux/clean/aws-c-io/aws-c-io.sdiff index aade5d31b..d4ad5f296 100644 --- a/test_data/linux/clean/aws-c-io/aws-c-io.sdiff +++ b/test_data/linux/clean/aws-c-io/aws-c-io.sdiff @@ -1 +1 @@ -*** changed: linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json +>>> moved: aws-c-io-0.14.10-r0.spdx.json -> linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json (score: 0.979310) diff --git a/test_data/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/test_data/macOS/2023.3CX/libffmpeg.change_decrease.mdiff index a25b5ba03860db357e282305f39b26060d7d5023..25cab4d325a965528512660473b47a46a7e5cb2d 100644 GIT binary patch delta 3223 zcmbuAO>7%Q6vt)9`7#OlQk>dJ+)1sZiBo%(I5da^+9)4NAffqiKfnaD_DwT zoW{sVzzqbF%^Z7ZBOw9DC;|y2xFCc$<;o3lM?eqUIPhj?*Y>(j8iXa=Gw;3G_uKbo z=KuM(uHV0QPlZBg31>0E(hDdnr}p-88s3jevQ7$7sQ?y~`0L?=GFseTi?1y%tnVI6 zrz5?RNJJqe8usM~g@@0?E<~kwjf$YiPIogBC!C zV8+=5|7NXdDHfscZFZl$J2&s?g3hZF>^W;g+dRYOPOfuuvefk%j?^qlFKxu8q-~J#~Fq!Foh zVGoQPh`KDMvY19gGHblW5%jQuN&V^kBr9JZ95A>kaGI!kK}hRZB$az$+~KQ4MR*j) z&%F(HUdUD-B;q~;+0im|{&;D;)r^Zy1JB3wQSh0T1YZcHY&J($CC9BwcAUJnuC&q8 zrl&oxXWe%V`@5n!BlR{(#CC)?cXnSqvm9n~0{&|J|)(xfbAmgRVBk=>ty({nGOxd=KG! z6e>deBwq{nUO1enRS&1Iyj<(zC+JLJF>j%87#?|+wul$d7J77N4?5-_dTb73Pf#D-6KA#bCx9Fi%yPNWIDc*0~xZo}n?2Kg;r8a^z>Hse#t` z8fXox$Ch_+@I0kCa_u(%51pB0C^ZKXncHjq)?IjGzP+jvW1q3%s)--0s_IxB4F5OH zDVI>4ESJ8?^OLfU52JycN@wO&=E#A z&d!;bE&x>d{fn#6?1fb*$`on>+UL|Ez&>Qy$bsz;9j73zI()Xo6rL2MYI$p}Q#<}i zNs2L1s1qcBJ791D2b@EC?200XmDjT(NSJNGaxl=>SdY>jkh&rW5es-W-^ diff --git a/test_data/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/test_data/macOS/2023.3CX/libffmpeg.change_increase.mdiff index 87749b643dd3d63576b3532ceff1763a1915f8b1..9cc63d76bc60a259930f5c48a28e5d746e92e754 100644 GIT binary patch delta 3140 zcmbuB%TF6u6vky^z_>hY2ron763W|V!YfF5w6(C?pqhk-5mnsCj6D|^#h#hYToYVb zYT9KN71mvL5qZ&V6=YRa)W@dku2uUdWZz99RqD3q-kE{H7y_y#@SSt6=X~>>bAR?1 zKe~SU!96=XjG{P;36^f5teoE2$!U0ZS}MRAC0{*zRz@qa=uBcHE`(E9SmN2O1r zr9Yx{+_gv#T@iR+q4(<&bwyv1KCJ(m-fcL5zcPYr6gEGLiYO_GL=@7Zfp5+W63(a+ zef_YDZbzp+bR^7tnCJ0yLDa=zt&lRKDKk0&H#1krj3a~Sva)N?vMbY)bnb-;gDuVg zrsdEMy)ozMatPZo1WhD+0?BDK(9{W%CVL$*Qw1bbY!{u04fYoiTOu9rU>z$NjGoA3 zPgW4W#f<9{KRhm53nRwI{6$@8pkrkA1Bk)@k=X@1UJh+DIZmJCoF-<7pyQlMa7xT% zuwe-FRd19Y40KM3yI3KnB)*(L2>du!VjxjLV>~m){BR}d-@SwMxv$BWH?W@K889Ks zs`fZcP%shp2+;&hHHd9P|EZ{1m2FD#O*66J+eKvL(>a+KD5EL_q#>fBCpc}$1RHe5 zm23nn?j;hd%mF&J(AIP(t-qUGeXx;Wksh`fB?S%Ng@M2mJjp7sb z7NjQW?~C4REMV1!d}g#R(ri7N(mlMlNk@%ydo!3Kwb73F8671>r zn$UAD?*r~%+d#Av@Mno%DTfm7(xD%k+)>%O{(W;}73;6nVm*C%eYA8qbusA!?q4oV zdM<-L4ZcO6j<#34!fj9Ig`oFWgPw|O(?I~od9VjF>cET|xVIeWs@#}c_cUD*@=&#O z*!u>~2i!mZ56*j-BoOIyLyx*EUoI|syf)4m+k^H+HQV8Mb9n<-1H5bNyDGq24!r~Q z>uJkoYvsl5_dRV@1h?tle-YhHL4lz+Gds&bfYi<}O+{0Y-*MjHYw*rB?0UIMDAVX+jZf9j=Iv{OfV^32rGB7eTE;B<|FOx1589bk%AWcO? zNmWfC;)aqS@SmHJAVX3~R7pcYOkD~JBO@aqGB6-+Wp^NAWoTh`X>W3K3JQE6ARtmn zQ%jQ(6$}cvu{f`1d|+C3A5@`HUzU&166Xvq){M46|y2b_lZ@ Ik7Wn}3It3t*#H0l diff --git a/test_data/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff b/test_data/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff index d7de1e6b9..5553b1d69 100644 --- a/test_data/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff +++ b/test_data/macOS/2023.3CX/libffmpeg.change_unrelated.mdiff @@ -1,23 +1,23 @@ -## Changed: macOS/clean/ls [🟡 MEDIUM → 🟢 LOW] +## Deleted: libffmpeg.dylib [🟡 MEDIUM] -### 2 new behaviors +| RISK | KEY | DESCRIPTION | EVIDENCE | +|---------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | +| -MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | +| -MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | +| -MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| -LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | +| -LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| -LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| -LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code) | +| -LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | -| RISK | KEY | DESCRIPTION | EVIDENCE | -|------|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | -| +LOW | **[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink)** | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +## Added: ls [🟢 LOW] -### 9 removed behaviors - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|---------|------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| -MEDIUM | [fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path) | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | -| -MEDIUM | [impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent) | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | -| -MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| -LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | -| -LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| -LOW | [fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir) | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| -LOW | [net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle) | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code) | -| -LOW | [process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create) | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | +| +LOW | **[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink)** | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/test_data/macOS/2023.3CX/libffmpeg.decrease.mdiff b/test_data/macOS/2023.3CX/libffmpeg.decrease.mdiff index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..25cab4d325a965528512660473b47a46a7e5cb2d 100644 GIT binary patch literal 39788 zcmeHQOLOBk65jJ%w>Fo(pyGJvkx-N++w-VRc0IPH#u-1RY)>+&REkBBkj0oH8G`g< z%70?ddr0j+%um>_0g8kqN|r1?swwOCR;XlX7VT^hwlzb@`B?$tw+ zcX~~JzAc+x2NmVQY5=gojK1%IxA)J@_oncUt+p+=*>uibE>4m#vZDyMoD(+;<6oY1 zlOz(aO!L@Fx@o)SggtYQhmGcWoyrDwlE&PS9NK=^HdmX@OZUagm+iHcmusE%=k^M> z*BWlS-fq0GU#xbVMzh{rU$e~%JGRYZ9#}oww@|qS&QTopJi&1*ZZvD4SlVfY3TEF4~`hM0HPk7 zje4VL)|+OtPK`H28b$tv;dE^;FbZJ|pWCi5lF;y+Fz_713mne{d-LfxtbM^gTGsbz z;Ds@Jvd7PpI1Jd~g-Cc$Je~F(bIHC6qm_TQV{@zkd66xv?ge8*c_m{3E%D__t2z@~3@{A0pRI_y&}&>1F~yjb7t6ZL2D}&qMKB_ZL8 zgbxKnMRN#01bU4Za39c8K#1stVbTpF9^2@rMi?B2UT|zUb}zC4jt1c1S3B@NabZY^ z2|LM|4ZH-xi2n5e?$}8J9Lu2PjUUFI9k2t`QGzajjdMrA#&IQn-u7gFPa}72~)(kfUiuxR{ z{e-iR`v*Xc6Mk_P#x8rjtD0f1)#{I#!Muc}0_Z|+&SOEutQWdo$Kx@x1E5Wp$Gigt zFvkvpFkw;b1qt1jv|y_##OeN4%e3N!=H^A4$D3W=F_&WQczDZ$yY)Iw6K=f;V~0O^ zs$7!+{K%U|uo150U#p8s1B;}AGT7+*?xu3VwVqK7N^+W{8*@9sD>mUiIr?q0v&J3g zdE4QQ)#qz`z3r~ln;4ALam#M<=1OyYwcc?%O*JB*VS!O^8qNB0qYjV2^a9s&=>0Ct zIEBZcu%p>9cGgC~LxTS6qwl|p{+Afc4MPtaz03f&?bXOL$3YC*Y59luh16z=g2%vI-59 zUZh(7-B%V>G^OzY8xTdg8@N#Z1}-XxV@d^9WVfk-5!kTto;O5-p5d5y@tb%X#}-D? zW5&L6*ngbbv1_>e)WlE$qx}Tb3PNZsu6n;Y%oxm#f;oYMy+ocy=GTZ!^8O9 zNz9n{LO9j7C^ngkBpEK(@k8fiaydydT<(}-jz}bd-MeBQS0fze zfvRmk@vh>KlMR=T96uCSRIg}8N@98|nB3}!NQTSB80JncMij%Pm|S4t~j0AvhK!Fhc_|yRooXP||{Nw_pj?rc5oR zM#v32K&qQ}9Q*2irGa@gFajI=)TVc|+4Wp3ELw6|BKuPM=uVFx6F4gbaWC*z@*FFx zIGWJP!WzK5K%w)>oC|X5t^kAa(hmQE z&gI)_;B<>oid+Z5T&*jxS|V7OCQ+&dCiq^Eo+Egc*D&zHgiK&IP3dUfm`uYmUhg|v zW=-Q=XGEHZAqOLtY*VTEau-F>XeF;FX;tb^sDX0W5MA#3rX9DvB(~!V3cf-QbKx+b zT0!djrO)FGeh0zHm^x^FRo0Rhl_`6P{78Q z%i>G+9Y%_$=2)HQ7_i)Es4%a_*UQZoqP z@GwZBSr~l*rRZp*1Ctd~t{2Q&-DF{I^jEa(8mk^RDniAq(!e+kjKD_eBI!*;Z;WTG za6{HHV@JjyrSE76Olq*llF8$7jeS7(0UJeVOM!qIZ0D{Qe20*sfx}e-JqnF58zn)XrPj#tprk<6 z(I1YfRC2~B(M;Yqm7sjaS7}mfDY{*z}1VTi3 zeamps<4<0>|2nsQ_kt)Y;J6L-S3D48xMVV3SeV`?sMQ!G!=A|JR8-mThu@~Y|sWhWXtmcf&HcN zyfNm|*%)G(!G>@x`r*27etIWo`%svwfCXs}S#l6rp2@CnN#2}L!bT!9{$clg%t%-^xJw&Q@mykr4Emy7C`N?n4nbE9 z6PxV&4Xia5Y%80#m%LQ*Ie2J<6%>4K9dt3`gvkgz9~x8X4%_FSd`)Y2#q`ySW`>jkxyrPkgL z+Xwr5yRE&WdF7iR`V~K+Wn*=p;{{P@Kp}k%UB?LutBH+gdis=Mjmkn$D`*VcOPZ!q0FRO%v$*r zDaep#oE(tU_7UyY^Q{0GLCm8rH%MCJ)JE1|WX!oUhXgGftNy(E6Ghee2OsF_+g)g2 z1U9gNB!68a$tJRe&O5a+z%l1-DBcQ4dMCJl4J1M5Qfx%-V+;hg0tY6HP-Lx(H8#mj zj+ROBN?|+44M|b~N3ON%;*K;>1{;(B&PwGm8l_L|^v(tlgP0kLnSuzJJnkA0QKpbf zhGSg(3vx9mi{UA!jVZQ!>IoX7P}K~P8@Af!R>ojq?*TThk%(_$n^Ot)d1+t-Hu6m* zwAmv<3ejvWc1{2pVr%r-Dk#Z9!!0@lXck04=fXH7-;jcXlmuse)-<)zvlI4&pW}cN zpTClU9Z!pfOus|rEzWON8>+03TU!Os{f;5x$^)5E-xc{x z8YqPg3I~tucud~b>75P2ikz1M2z<4=SRnLgf`@TUx@2!9FCnAJA9}2Y-b%p6-XTKd zCxe9~(I7%jilWpe<&ZxwU-`|9=agZJLm;V+)3pTe z*-;lq4V6B_)1$~JYb5o|SSwJ`tDNRlj?VRg4oTX|L}iD4e%dT(;Z)FwMjgI}?XD>u zha%5C$y=IV6iuE+iZQC4>o!`ZD?{lYN44O<%<|l7IU0;DR)ND@7O4tr8YqJeaS>oK zrQZQ9S~#5_Fb0{*b5ayk3|2H-H@#FxtK}>N?SQ44x;T9mhb=OSG-GX^oN*kWf-@25 z_y)j?T$oh}M>Sn6(j{OcZxxPk8ap$cqs1__1`;X=EVt)0*i&#*)Z@9G+1?diO~H$3 zHBO79?@E@LG%x}iS>G~yDbA*l2aLJAJmzqEH=~rN0*y#jk@bw(Ktsk-_E%CeMw*u~ zX&D81hX*RIEmYcaSP-x=C}AmZ=b$l2TXoHu`anfIvj#37Jz82~8#vs+eZ_pQ-Rblq zeq57hMzf#)`2F|)F?EW{FOP6SJv-Pwd?z33nJXGD@UHdK@U3fnhe+4?Y_$$I54PVQ zZSU`0r#SWM8~n6>*xqXGZMJTZC7pj`^gqQ_|IR)Ay)QxTtKO;AOfT=Rv(t($*|TT& ze_GMAXL!c%=MW;iG1XS9MLi;D#9EZ~^tSUa!ypqs_mx%|)>`bO$0ODnpJuYuHJjc$ z9?w|0$SQxOG~|7yrG&L;@?gSYtGOpy(A}jMI%2JSEtQgV&1s+kUdkpiVW7Rv|aG<2!t)Az1Yp2~WIbFxpB1+~7F{eCwy)~I(- Rp3-*b78|6!3#(y9@&6(WDmMTC literal 0 HcmV?d00001 diff --git a/test_data/macOS/2023.3CX/libffmpeg.dirty.mdiff b/test_data/macOS/2023.3CX/libffmpeg.dirty.mdiff index 87749b643dd3d63576b3532ceff1763a1915f8b1..9cc63d76bc60a259930f5c48a28e5d746e92e754 100644 GIT binary patch delta 3140 zcmbuB%TF6u6vky^z_>hY2ron763W|V!YfF5w6(C?pqhk-5mnsCj6D|^#h#hYToYVb zYT9KN71mvL5qZ&V6=YRa)W@dku2uUdWZz99RqD3q-kE{H7y_y#@SSt6=X~>>bAR?1 zKe~SU!96=XjG{P;36^f5teoE2$!U0ZS}MRAC0{*zRz@qa=uBcHE`(E9SmN2O1r zr9Yx{+_gv#T@iR+q4(<&bwyv1KCJ(m-fcL5zcPYr6gEGLiYO_GL=@7Zfp5+W63(a+ zef_YDZbzp+bR^7tnCJ0yLDa=zt&lRKDKk0&H#1krj3a~Sva)N?vMbY)bnb-;gDuVg zrsdEMy)ozMatPZo1WhD+0?BDK(9{W%CVL$*Qw1bbY!{u04fYoiTOu9rU>z$NjGoA3 zPgW4W#f<9{KRhm53nRwI{6$@8pkrkA1Bk)@k=X@1UJh+DIZmJCoF-<7pyQlMa7xT% zuwe-FRd19Y40KM3yI3KnB)*(L2>du!VjxjLV>~m){BR}d-@SwMxv$BWH?W@K889Ks zs`fZcP%shp2+;&hHHd9P|EZ{1m2FD#O*66J+eKvL(>a+KD5EL_q#>fBCpc}$1RHe5 zm23nn?j;hd%mF&J(AIP(t-qUGeXx;Wksh`fB?S%Ng@M2mJjp7sb z7NjQW?~C4REMV1!d}g#R(ri7N(mlMlNk@%ydo!3Kwb73F8671>r zn$UAD?*r~%+d#Av@Mno%DTfm7(xD%k+)>%O{(W;}73;6nVm*C%eYA8qbusA!?q4oV zdM<-L4ZcO6j<#34!fj9Ig`oFWgPw|O(?I~od9VjF>cET|xVIeWs@#}c_cUD*@=&#O z*!u>~2i!mZ56*j-BoOIyLyx*EUoI|syf)4m+k^H+HQV8Mb9n<-1H5bNyDGq24!r~Q z>uJkoYvsl5_dRV@1h?tle-YhHL4lz+Gds&bfYi<}O+{0Y-*MjHYw*rB?0UIMDAVX+jZf9j=Iv{OfV^32rGB7eTE;B<|FOx1589bk%AWcO? zNmWfC;)aqS@SmHJAVX3~R7pcYOkD~JBO@aqGB6-+Wp^NAWoTh`X>W3K3JQE6ARtmn zQ%jQ(6$}cvu{f`1d|+C3A5@`HUzU&166Xvq){M46|y2b_lZ@ Ik7Wn}3It3t*#H0l diff --git a/test_data/macOS/2023.3CX/libffmpeg.increase.mdiff b/test_data/macOS/2023.3CX/libffmpeg.increase.mdiff index 87749b643dd3d63576b3532ceff1763a1915f8b1..9cc63d76bc60a259930f5c48a28e5d746e92e754 100644 GIT binary patch delta 3140 zcmbuB%TF6u6vky^z_>hY2ron763W|V!YfF5w6(C?pqhk-5mnsCj6D|^#h#hYToYVb zYT9KN71mvL5qZ&V6=YRa)W@dku2uUdWZz99RqD3q-kE{H7y_y#@SSt6=X~>>bAR?1 zKe~SU!96=XjG{P;36^f5teoE2$!U0ZS}MRAC0{*zRz@qa=uBcHE`(E9SmN2O1r zr9Yx{+_gv#T@iR+q4(<&bwyv1KCJ(m-fcL5zcPYr6gEGLiYO_GL=@7Zfp5+W63(a+ zef_YDZbzp+bR^7tnCJ0yLDa=zt&lRKDKk0&H#1krj3a~Sva)N?vMbY)bnb-;gDuVg zrsdEMy)ozMatPZo1WhD+0?BDK(9{W%CVL$*Qw1bbY!{u04fYoiTOu9rU>z$NjGoA3 zPgW4W#f<9{KRhm53nRwI{6$@8pkrkA1Bk)@k=X@1UJh+DIZmJCoF-<7pyQlMa7xT% zuwe-FRd19Y40KM3yI3KnB)*(L2>du!VjxjLV>~m){BR}d-@SwMxv$BWH?W@K889Ks zs`fZcP%shp2+;&hHHd9P|EZ{1m2FD#O*66J+eKvL(>a+KD5EL_q#>fBCpc}$1RHe5 zm23nn?j;hd%mF&J(AIP(t-qUGeXx;Wksh`fB?S%Ng@M2mJjp7sb z7NjQW?~C4REMV1!d}g#R(ri7N(mlMlNk@%ydo!3Kwb73F8671>r zn$UAD?*r~%+d#Av@Mno%DTfm7(xD%k+)>%O{(W;}73;6nVm*C%eYA8qbusA!?q4oV zdM<-L4ZcO6j<#34!fj9Ig`oFWgPw|O(?I~od9VjF>cET|xVIeWs@#}c_cUD*@=&#O z*!u>~2i!mZ56*j-BoOIyLyx*EUoI|syf)4m+k^H+HQV8Mb9n<-1H5bNyDGq24!r~Q z>uJkoYvsl5_dRV@1h?tle-YhHL4lz+Gds&bfYi<}O+{0Y-*MjHYw*rB?0UIMDAVX+jZf9j=Iv{OfV^32rGB7eTE;B<|FOx1589bk%AWcO? zNmWfC;)aqS@SmHJAVX3~R7pcYOkD~JBO@aqGB6-+Wp^NAWoTh`X>W3K3JQE6ARtmn zQ%jQ(6$}cvu{f`1d|+C3A5@`HUzU&166Xvq){M46|y2b_lZ@ Ik7Wn}3It3t*#H0l diff --git a/test_data/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff b/test_data/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff index e88e500e7..7224f0c19 100644 --- a/test_data/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff +++ b/test_data/macOS/2023.3CX/libffmpeg.increase_unrelated.mdiff @@ -1,23 +1,23 @@ -## Changed: macOS/2023.3CX/libffmpeg.dylib [🟢 LOW → 🟡 MEDIUM] +## Deleted: ls [🟢 LOW] -### 9 new behaviors +| RISK | KEY | DESCRIPTION | EVIDENCE | +|------|--------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| -LOW | [fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts) | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | +| -LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | -| RISK | KEY | DESCRIPTION | EVIDENCE | -|---------|----------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | -| +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | -| +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | -| +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | -| +LOW | **[crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes)** | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | -| +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | -| +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | -| +LOW | **[net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle)** | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code) | -| +LOW | **[process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create)** | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | +## Added: libffmpeg.dylib [🟡 MEDIUM] -### 2 removed behaviors - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -LOW | [fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts) | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | -| -LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|---------|----------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| +MEDIUM | **[data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode)** | decode base64 strings | [base64_decode](https://github.com/search?q=base64_decode&type=code) | +| +MEDIUM | **[fs/path/tmp](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/tmp.yara#tmp_path)** | path reference within /tmp | [/tmp/%sXXXXXX](https://github.com/search?q=%2Ftmp%2F%25sXXXXXX&type=code) | +| +MEDIUM | **[impact/remote_access/agent](https://github.com/chainguard-dev/malcontent/blob/main/rules/impact/remote_access/agent.yara#agent)** | references an 'agent' | [user_agent](https://github.com/search?q=user_agent&type=code) | +| +MEDIUM | **[net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post)** | submits content to websites | [HTTP](https://github.com/search?q=HTTP&type=code)
[POST](https://github.com/search?q=POST&type=code)
[http](https://github.com/search?q=http&type=code) | +| +LOW | **[crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes)** | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code) | +| +LOW | **[data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64)** | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) | +| +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| +LOW | **[fs/directory/create](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-create.yara#mkdir)** | [creates directories](https://man7.org/linux/man-pages/man2/mkdir.2.html) | [mkdir](https://github.com/search?q=mkdir&type=code) | +| +LOW | **[net/url/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/parse.yara#url_handle)** | Handles URL strings | [URLContext](https://github.com/search?q=URLContext&type=code) | +| +LOW | **[process/multithreaded](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create)** | [creates pthreads](https://man7.org/linux/man-pages/man3/pthread_create.3.html) | [pthread_create](https://github.com/search?q=pthread_create&type=code) | diff --git a/test_data/macOS/clean/ls.mdiff b/test_data/macOS/clean/ls.mdiff index aab82ef3e..7d8202b53 100644 --- a/test_data/macOS/clean/ls.mdiff +++ b/test_data/macOS/clean/ls.mdiff @@ -1,16 +1,18 @@ -## Changed: macOS/clean/ls [🟡 MEDIUM → 🟢 LOW] +## Deleted: ls.x86_64 [🟡 MEDIUM] -### 1 new behaviors +| RISK | KEY | DESCRIPTION | EVIDENCE | +|---------|--------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | +| -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | +| -LOW | [exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM) | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| -LOW | [fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink) | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | +| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | -| RISK | KEY | DESCRIPTION | EVIDENCE | -|------|------------------------------------------------------------------------------------------------------------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | +## Added: ls [🟢 LOW] -### 3 removed behaviors - -| RISK | KEY | DESCRIPTION | EVIDENCE | -|---------|--------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| -MEDIUM | [process/name_set](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/name-set.yara#__progname) | [get or set the current process name](https://stackoverflow.com/questions/273691/using-progname-instead-of-argv0) | [__progname](https://github.com/search?q=__progname&type=code) | -| -LOW | [discover/system/hostname_get](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/hostname-get.yara#gethostname) | [get computer host name](https://man7.org/linux/man-pages/man2/sethostname.2.html) | [gethostname](https://github.com/search?q=gethostname&type=code) | -| -LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#https_url) | contains embedded HTTPS URLs | [https://gnu.org/licenses/gpl.html](https://gnu.org/licenses/gpl.html)
[https://translationproject.org/team/](https://translationproject.org/team/)
[https://wiki.xiph.org/MIME_Types_and_File_Extensions](https://wiki.xiph.org/MIME_Types_and_File_Extensions)
[https://www.gnu.org/software/coreutils/](https://www.gnu.org/software/coreutils/) | +| RISK | KEY | DESCRIPTION | EVIDENCE | +|------|------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| +LOW | **[exec/shell/TERM](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/TERM.yara#TERM)** | [Look up or override terminal settings](https://www.gnu.org/software/gettext/manual/html_node/The-TERM-variable.html) | [TERM](https://github.com/search?q=TERM&type=code) | +| +LOW | **[fs/directory/traverse](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/directory/directory-traverse.yara#fts)** | traverse filesystem hierarchy | [_fts_children](https://github.com/search?q=_fts_children&type=code)
[_fts_close](https://github.com/search?q=_fts_close&type=code)
[_fts_open](https://github.com/search?q=_fts_open&type=code)
[_fts_read](https://github.com/search?q=_fts_read&type=code)
[_fts_set](https://github.com/search?q=_fts_set&type=code) | +| +LOW | **[fs/link_read](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/link-read.yara#readlink)** | [read value of a symbolic link](https://man7.org/linux/man-pages/man2/readlink.2.html) | [readlink](https://github.com/search?q=readlink&type=code) | diff --git a/test_data/macOS/clean/ls.sdiff.level_2 b/test_data/macOS/clean/ls.sdiff.level_2 index db7b91c5d..fa0ab56fa 100644 --- a/test_data/macOS/clean/ls.sdiff.level_2 +++ b/test_data/macOS/clean/ls.sdiff.level_2 @@ -1,2 +1,3 @@ -*** changed: macOS/clean/ls +--- missing: ls.x86_64 -process/name_set +++++ added: ls diff --git a/test_data/macOS/clean/ls.sdiff.trigger_2 b/test_data/macOS/clean/ls.sdiff.trigger_2 index f700d8f2d..f4840559b 100644 --- a/test_data/macOS/clean/ls.sdiff.trigger_2 +++ b/test_data/macOS/clean/ls.sdiff.trigger_2 @@ -1,5 +1,10 @@ -*** changed: macOS/clean/ls +--- missing: ls.x86_64 -discover/system/hostname_get -+fs/directory/traverse +-exec/shell/TERM +-fs/link_read -net/url/embedded -process/name_set +++++ added: ls ++exec/shell/TERM ++fs/directory/traverse ++fs/link_read diff --git a/test_data/macOS/clean/ls.sdiff.trigger_3 b/test_data/macOS/clean/ls.sdiff.trigger_3 index e69de29bb..f4840559b 100644 --- a/test_data/macOS/clean/ls.sdiff.trigger_3 +++ b/test_data/macOS/clean/ls.sdiff.trigger_3 @@ -0,0 +1,10 @@ +--- missing: ls.x86_64 +-discover/system/hostname_get +-exec/shell/TERM +-fs/link_read +-net/url/embedded +-process/name_set +++++ added: ls ++exec/shell/TERM ++fs/directory/traverse ++fs/link_read