Fix QuantityIncreasesRisk edge case with only high behaviors present (#1055)

egibs · web-flow · commit d1e719d2eb42 · 2025-07-23T19:50:17.000-07:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/pkg/action/scan.go b/pkg/action/scan.go
@@ -174,15 +174,15 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 	// This is a short-circuit that avoids any report generation logic
 	risk := report.HighestMatchRisk(mrs)
 	threshold := max(3, c.MinFileRisk, c.MinRisk)
-	if c.Scan && risk < threshold {
+	if c.Scan && risk < threshold && !c.QuantityIncreasesRisk {
 		fr := &malcontent.FileReport{Skipped: "overall risk too low for scan", Path: path}
 		if isArchive {
 			os.RemoveAll(path)
 		}
 		return fr, nil
 	}
 
-	fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc, kind)
+	fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc, kind, risk)
 	if err != nil {
 		return nil, NewFileReportError(err, path, TypeGenerateError)
 	}
diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -377,7 +377,7 @@ func fileMatchesRule(meta []yarax.Metadata, ext string) bool {
 	return true
 }
 
-func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte, kind *programkind.FileType) (*malcontent.FileReport, error) {
+func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte, kind *programkind.FileType, highestRisk int) (*malcontent.FileReport, error) {
 	if ctx.Err() != nil {
 		return &malcontent.FileReport{}, ctx.Err()
 	}
@@ -408,7 +408,6 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon
 	risk := 0
 	riskCounts := make(map[int]int, 0)
 
-	highestRisk := HighestMatchRisk(mrs)
 	// Store match rules in a map for future override operations
 	mrsMap := createMatchRulesMap(mrs, matchCount)
 
@@ -435,9 +434,9 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon
 		switch {
 		case risk == -1:
 			continue
-		case risk < minScore && !ignoreMalcontent && !override:
+		case !c.Scan && risk < minScore && !ignoreMalcontent && !override:
 			continue
-		case c.Scan && risk < highestRisk && !ignoreMalcontent && !override:
+		case c.Scan && risk < highestRisk && !c.QuantityIncreasesRisk && !ignoreMalcontent && !override:
 			continue
 		}
 
@@ -483,13 +482,15 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon
 	}
 
 	// Update the behaviors to account for overrides
-	fr.Behaviors = handleOverrides(fr.Behaviors, fr.Overrides, minScore)
+	fr.Behaviors = handleOverrides(fr.Behaviors, fr.Overrides, minScore, c.Scan, c.QuantityIncreasesRisk)
 
 	// Adjust the overall risk if we deviated from overallRiskScore
 	// Scans will still need to drop <= medium results
-	newRisk := highestBehaviorRisk(fr)
-	if overallRiskScore != newRisk {
-		overallRiskScore = newRisk
+	overallRiskScore = highestBehaviorRisk(fr)
+
+	// If something has a lot of high, it's probably critical
+	if c.QuantityIncreasesRisk && upgradeRisk(ctx, overallRiskScore, riskCounts, size) {
+		overallRiskScore = CRITICAL
 	}
 
 	if c.Scan && overallRiskScore < HIGH {
@@ -503,11 +504,6 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon
 		fr.Skipped = "ignoring malcontent binary"
 	}
 
-	// If something has a lot of high, it's probably critical
-	if c.QuantityIncreasesRisk && upgradeRisk(ctx, overallRiskScore, riskCounts, size) {
-		overallRiskScore = 4
-	}
-
 	slices.Sort(pledges)
 	slices.Sort(syscalls)
 	slices.Sort(caps)
@@ -732,8 +728,6 @@ func upgradeRisk(ctx context.Context, riskScore int, riskCounts map[int]int, siz
 		upgrade = true
 	case highCount > 6:
 		upgrade = true
-	case !upgrade:
-		upgrade = false
 	}
 
 	clog.DebugContextf(ctx, "upgrading risk: high=%d, size=%d", highCount, size)
@@ -779,7 +773,7 @@ func highestBehaviorRisk(fr *malcontent.FileReport) int {
 }
 
 // handleOverrides modifies the behavior slice based on the contents of the override slice.
-func handleOverrides(original, override []*malcontent.Behavior, minScore int) []*malcontent.Behavior {
+func handleOverrides(original, override []*malcontent.Behavior, minScore int, scan, quantityIncreasesRisk bool) []*malcontent.Behavior {
 	behaviorMap := make(map[string]*malcontent.Behavior, len(original))
 	for _, b := range original {
 		behaviorMap[b.RuleName] = b
@@ -798,6 +792,11 @@ func handleOverrides(original, override []*malcontent.Behavior, minScore int) []
 
 	modified := make([]*malcontent.Behavior, 0, len(behaviorMap))
 	for _, b := range behaviorMap {
+		// if running a scan and using quantityIncreasesRisk,
+		// append every behavior so we can handle filtering correctly
+		if scan && quantityIncreasesRisk && b.RiskScore >= HIGH {
+			modified = append(modified, b)
+		}
 		if b.RiskScore >= minScore {
 			modified = append(modified, b)
 		}

Original file line number	Diff line number	Diff line change
`@@ -174,15 +174,15 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF`
`174`	`174`	`// This is a short-circuit that avoids any report generation logic`
`175`	`175`	`risk := report.HighestMatchRisk(mrs)`
`176`	`176`	`threshold := max(3, c.MinFileRisk, c.MinRisk)`
`177`		`- if c.Scan && risk < threshold {`
	`177`	`+ if c.Scan && risk < threshold && !c.QuantityIncreasesRisk {`
`178`	`178`	`fr := &malcontent.FileReport{Skipped: "overall risk too low for scan", Path: path}`
`179`	`179`	`if isArchive {`
`180`	`180`	`os.RemoveAll(path)`
`181`	`181`	`}`
`182`	`182`	`return fr, nil`
`183`	`183`	`}`
`184`	`184`
`185`		`- fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc, kind)`
	`185`	`+ fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc, kind, risk)`
`186`	`186`	`if err != nil {`
`187`	`187`	`return nil, NewFileReportError(err, path, TypeGenerateError)`
`188`	`188`	`}`