Add file type support for report generation (#898)

* Add file type support for report generation

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* More rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Discord rule

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix up tests

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix up Windows samples

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Run make yara-x-fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflict artifacts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove JSON from map

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix test

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Use kind.Ext instead of kind.MIME

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix Slack test

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix up rename reporting

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Add more file types to explicit_rename

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix up remaining PHP filetypes

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove redundant programkind condition

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Add more file types to rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Loosen up execution policy rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* More rule tweaks

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>

Author: egibs

pkg/action/scan.go

@@ -159,7 +159,7 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 		return fr, nil
 	}
 
-	fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc)
+	fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger, fc, kind)
 	if err != nil {
 		return nil, NewFileReportError(err, path, TypeGenerateError)
 	}

pkg/action/testdata/scan_archive

@@ -79,15 +79,31 @@
             ],
             "Behaviors": [
                 {
-                    "Description": "exhibits random behavior",
-                    "MatchStrings": [
-                        "math/rand"
-                    ],
-                    "RiskScore": 2,
-                    "RiskLevel": "MEDIUM",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#go_rand",
+                    "Description": "uses a random number generator",
+                    "MatchStrings": [
+                        "getrandomUnsupported",
+                        "nonZeroRandomBytes",
+                        "startupRandomData",
+                        "readRandomUint32",
+                        "rand_getrandom",
+                        "portRandomizer",
+                        "random_vectors",
+                        "getRandomData",
+                        "extendRandom",
+                        "altGetRandom",
+                        "randomOrder",
+                        "randomPoint",
+                        "urandom_dev",
+                        "randomEnum",
+                        "nextRandom",
+                        "randomized",
+                        "randomsbom"
+                    ],
+                    "RiskScore": 1,
+                    "RiskLevel": "LOW",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-behavior/random_behavior.yara#random",
                     "ID": "anti-behavior/random_behavior",
-                    "RuleName": "go_rand"
+                    "RuleName": "random"
                 },
                 {
                     "Description": "Contains a table that may be used for XOR decryption",
@@ -173,6 +189,17 @@
                     "ID": "c2/client",
                     "RuleName": "clientID"
                 },
+                {
+                    "Description": "contains Cloudflare DNS resolver IP",
+                    "MatchStrings": [
+                        "1.1.1.1"
+                    ],
+                    "RiskScore": 2,
+                    "RiskLevel": "MEDIUM",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/discovery/ip-dns_resolver.yara#cloudflare_dns_ip",
+                    "ID": "c2/discovery/ip_dns_resolver",
+                    "RuleName": "cloudflare_dns_ip"
+                },
                 {
                     "Description": "references a specific architecture",
                     "MatchStrings": [
@@ -1071,7 +1098,8 @@
                 {
                     "Description": "renames files",
                     "MatchStrings": [
-                        "os.rename"
+                        "os.rename",
+                        "os.Rename"
                     ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
@@ -1080,15 +1108,15 @@
                     "RuleName": "explicit_rename"
                 },
                 {
-                    "Description": "access filesystem metadata",
+                    "Description": "access filesystem information",
                     "MatchStrings": [
-                        "fs.statDirEntry"
+                        "_stat"
                     ],
-                    "RiskScore": 1,
-                    "RiskLevel": "LOW",
-                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#npm_stat",
+                    "RiskScore": 0,
+                    "RiskLevel": "NONE",
+                    "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-stat.yara#stat",
                     "ID": "fs/file/stat",
-                    "RuleName": "npm_stat"
+                    "RuleName": "stat"
                 },
                 {
                     "Description": "forcibly synchronizes file state to disk",

pkg/programkind/programkind.go

@@ -71,13 +71,19 @@ var supportedKind = map[string]string{
 	"h":       "text/x-h",
 	"hh":      "text/x-h",
 	"html":    "",
+	"jar":     "application/java-archive",
 	"java":    "text/x-java",
 	"js":      "application/javascript",
+	"ko":      "application/x-object",
 	"lnk":     "application/x-ms-shortcut",
 	"lua":     "text/x-lua",
+	"M":       "text/x-objectivec",
+	"m":       "text/x-objectivec",
 	"macho":   "application/x-mach-binary",
+	"mm":      "text/x-objectivec",
 	"md":      "",
 	"o":       "application/octet-stream",
+	"pe":      "application/vnd.microsoft.portable-executable",
 	"php":     "text/x-php",
 	"pl":      "text/x-perl",
 	"pm":      "text/x-script.perl-module",
@@ -209,7 +215,7 @@ func makeFileType(path string, ext string, mime string) *FileType {
 		return Path(".elf")
 	}
 
-	if strings.Contains(mime, "application") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "executable") {
+	if strings.Contains(mime, "application") || strings.Contains(mime, "text/x-") || strings.Contains(mime, "executable") {
 		return &FileType{
 			Ext:  ext,
 			MIME: mime,

pkg/report/report.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/malcontent/pkg/malcontent"
+	"github.com/chainguard-dev/malcontent/pkg/programkind"
 
 	yarax "github.com/VirusTotal/yara-x/go"
 )
@@ -364,8 +365,20 @@ func TrimPrefixes(path string, prefixes []string) string {
 	return path
 }
 
+// fileMatchesRules checks the scanned file's type against a rule's defined filetypes.
+func fileMatchesRule(meta []yarax.Metadata, ext string) bool {
+	for _, m := range meta {
+		if m.Identifier() == "filetypes" {
+			filetypes := strings.Split(fmt.Sprintf("%s", m.Value()), ",")
+			return slices.Contains(filetypes, ext)
+		}
+	}
+	// Rules without filetype metadata are universal
+	return true
+}
+
 //nolint:cyclop // ignore complexity of 64
-func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte) (*malcontent.FileReport, error) {
+func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcontent.Config, expath string, _ *clog.Logger, fc []byte, kind *programkind.FileType) (*malcontent.FileReport, error) {
 	if ctx.Err() != nil {
 		return &malcontent.FileReport{}, ctx.Err()
 	}
@@ -425,6 +438,10 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon
 			ignoreMalcontent = true
 		}
 
+		if !fileMatchesRule(m.Metadata(), kind.Ext) {
+			continue
+		}
+
 		override := slices.Contains(m.Tags(), "override")
 
 		risk = behaviorRisk(m.Namespace(), m.Identifier(), m.Tags())

rules/anti-behavior/LD_DEBUG.yara

@@ -1,6 +1,7 @@
 rule env_LD_DEBUG: medium {
   meta:
     description = "may check if dynamic linker debugging is enabled"
+    filetypes   = "elf,macho"
 
   strings:
     $val = "LD_DEBUG" fullword

rules/anti-behavior/LD_PROFILE.yara

@@ -1,6 +1,7 @@
 rule env_LD_PROFILE: medium {
   meta:
     description = "may check if dynamic linker profiling is enabled"
+    filetypes   = "elf,macho"
 
   strings:
     $val = "LD_PROFILE" fullword

rules/anti-behavior/anti-debugger.yara

@@ -1,6 +1,7 @@
 rule win_debugger_present: medium windows {
   meta:
     description = "Detects if process is being executed within a debugger"
+    filetypes   = "exe,pe,ps1"
 
   strings:
     $debug_idp = "IsDebuggerPresent"
@@ -13,6 +14,7 @@ rule win_debugger_present: medium windows {
 rule win_debugger_or_vm: medium windows {
   meta:
     description = "Detects if process is being executed within a debugger or VM"
+    filetypes   = "exe,pe,ps1"
 
   strings:
     $cpu_pfp   = "IsProcessorFeaturePresent"
@@ -27,6 +29,7 @@ rule win_debugger_or_vm: medium windows {
 rule multiple_linux_methods: high linux {
   meta:
     description = "possible debugger detection across multiple methods"
+    filetypes   = "elf"
 
   strings:
     $ld_profile    = "LD_PROFILE" fullword

rules/anti-behavior/process-check.yara

@@ -1,6 +1,7 @@
 rule activity_monitor_checker: high macos {
   meta:
     description = "checks if 'Activity Monitor' is running"
+    filetypes   = "macho"
 
   strings:
     $ps             = "ps" fullword
@@ -16,6 +17,7 @@ rule activity_monitor_checker: high macos {
 rule linux_monitors: high linux {
   meta:
     description = "checks if various process monitors are running"
+    filetypes   = "elf"
 
   strings:
     $pgrep = "pgrep" fullword
@@ -45,6 +47,7 @@ rule linux_monitors: high linux {
 rule anti_rootkit_hunter: high linux {
   meta:
     description = "checks if rootkit detectors are running"
+    filetypes   = "elf"
 
   strings:
     $proc       = "/proc/"

rules/anti-behavior/random_behavior.yara

@@ -20,6 +20,7 @@ private rule random_behavior_pythonSetup {
 rule setuptools_random: critical {
   meta:
     description = "Python library installer that exhibits random behavior"
+    filetypes   = "py"
 
   strings:
     $ref              = "import random"
@@ -32,6 +33,7 @@ rule setuptools_random: critical {
 rule java_random: low {
   meta:
     description = "exhibits random behavior"
+    filetypes   = "java"
 
   strings:
     $ref = "java/util/Random"
@@ -43,6 +45,7 @@ rule java_random: low {
 rule go_rand: medium {
   meta:
     description = "exhibits random behavior"
+    filetypes   = "go"
 
   strings:
     $ref = "math/rand"
@@ -54,6 +57,7 @@ rule go_rand: medium {
 rule rand_call: medium {
   meta:
     description = "exhibits random behavior"
+    filetypes   = "c,pl,php"
 
   strings:
     $ref = "rand()"

rules/anti-static/base64/eval.yara

@@ -3,6 +3,7 @@ import "math"
 rule eval_base64: high {
   meta:
     description = "Evaluates base64 content"
+    filetypes   = "js,ts"
 
   strings:
     $eval = /eval\(.{0,256}base64/
@@ -14,6 +15,7 @@ rule eval_base64: high {
 rule ruby_eval_base64_decode: critical {
   meta:
     description = "Evaluates base64 content"
+    filetypes   = "rb"
 
   strings:
     $eval_base64_decode = "eval(Base64."
@@ -25,6 +27,7 @@ rule ruby_eval_base64_decode: critical {
 rule ruby_eval_near_enough: high {
   meta:
     description = "Evaluates base64 content"
+    filetypes   = "rb"
 
   strings:
     $eval   = "eval("
@@ -37,6 +40,7 @@ rule ruby_eval_near_enough: high {
 rule ruby_eval2_near_enough: high {
   meta:
     description = "Evaluates base64 content"
+    filetypes   = "rb"
 
   strings:
     $eval   = "eval("
@@ -49,6 +53,7 @@ rule ruby_eval2_near_enough: high {
 rule python_exec_near_enough_base64: high {
   meta:
     description = "Likely executes base64 content"
+    filetypes   = "py"
 
   strings:
     $exec   = "exec("
@@ -61,6 +66,7 @@ rule python_exec_near_enough_base64: high {
 rule python_base64_exec: critical {
   meta:
     description = "executes compressed base64 content"
+    filetypes   = "py"
 
   strings:
     $dec_b64decode_exec = /.{0,8}\.decompress\(.{0,96}\.b64decode\(.{0,64}\Wexec\(.{0,16}/