Add overrides for buildah, Kibana, pydevd, and tileserver-gl (chaingu…

…ard-dev#629) * 2024-11-15 false-positive reduction Signed-off-by: egibs <[email protected]> * Bump commit Signed-off-by: egibs <[email protected]> * Address PR comments Signed-off-by: egibs <[email protected]> * Ignore timeout for integration tests Signed-off-by: egibs <[email protected]> * Refresh test data; dramatically speed up tests Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
egibs · Nov 15, 2024 · 683bd2d · 683bd2d
1 parent ae10a42
commit 683bd2d
Show file tree

Hide file tree

Showing 9 changed files with 279 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= e5bfacbe59bd9b7889609bf24bd96ed2fb08c784
+SAMPLES_COMMIT ?= 4b70b17db7e2219552be9b4a05e8d8b3ffe09146
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install
@@ -105,7 +105,7 @@ test:
 # integration tests only
 .PHONY: integration
 integration: out/$(SAMPLES_REPO)/.decompressed-$(SAMPLES_COMMIT)
-	go test ./tests/...
+	go test -timeout 0 ./tests/...
 
 .PHONY: bench
 bench:

diff --git a/rules/false_positives/buildah.yara b/rules/false_positives/buildah.yara
@@ -0,0 +1,13 @@
+rule buildah_dev_shm: override {
+  meta:
+    description    = "buildah"
+    dev_shm_hidden = "low"
+
+  strings:
+    $buildah = /[Bb]uildah/
+    $dev_shm = "/dev/shm/.rootfs"
+    $repo    = "github.com/containers/buildah"
+
+  condition:
+    filesize < 40MB and #buildah > 2000 and $dev_shm and $repo
+}
diff --git a/rules/false_positives/kibana.yara b/rules/false_positives/kibana.yara
@@ -15,16 +15,17 @@ rule kibana_powershell_evasion_rule: override {
 rule security_solution_plugin: override {
   meta:
     linux_rootkit_terms = "low"
-    description         = "securitySolution.chunk.9.js"
+    description         = "securitySolution.chunk.9.js, securitySolution.chunk.22.js"
 
   strings:
     $license           = "Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V."
     $license2          = "Licensed under the Elastic License 2.0"
+    $jsonp             = "window.securitySolution_bundle_jsonpfunction"
     $security_solution = "securitySolution"
     $xpac              = "xpac"
 
   condition:
-    filesize < 5MB and all of them
+    filesize < 5MB and all of ($license*) and $security_solution and ($jsonp or $xpac)
 }
 
 rule security_detection_engine: override {

diff --git a/rules/false_positives/setuptools.yara b/rules/false_positives/setuptools.yara
@@ -48,3 +48,18 @@ rule numba_support: override {
   condition:
     filesize < 64KB and all of them
 }
+
+rule setup_pydevd_cython: override {
+  meta:
+    description     = "setup_pydevd_cython.py"
+    setuptools_eval = "low"
+
+  strings:
+    $example = "python setup_pydevd_cython build_ext --inplace"
+    $header  = "A simpler setup version just to compile the speedup module."
+    $import  = "from setuptools import setup"
+    $pydevd  = "pydevd"
+
+  condition:
+    filesize < 16KB and all of them
+}
diff --git a/tests/javascript/clean/http2wrapper.js.simple b/tests/javascript/clean/http2wrapper.js.simple
@@ -0,0 +1,8 @@
+# javascript/clean/http2wrapper.js: medium
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/encoding/base64: low
+impact/remote_access/agent: medium
+net/http/2: low
+net/socket/connect: medium
+net/url/embedded: low
diff --git a/tests/linux/clean/buildah.simple b/tests/linux/clean/buildah.simple
@@ -0,0 +1,145 @@
+# linux/clean/buildah: medium
+3P/threat_hunting/metasploit: medium
+c2/addr/http_dynamic: medium
+c2/addr/ip: medium
+c2/discovery/ip_dns_resolver: medium
+collect/archives/zip: medium
+collect/databases/sqlite: medium
+credential/keychain: medium
+credential/password: low
+credential/sniffer/bpf: medium
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/ecdsa: low
+crypto/ed25519: low
+crypto/tls: low
+data/compression/bzip2: low
+data/compression/lzma: low
+data/compression/xz: medium
+data/compression/zstd: low
+data/embedded/html: medium
+data/embedded/zstd: medium
+data/encoding/base64: low
+data/encoding/json: low
+data/encoding/json_decode: low
+data/hash/blake2b: low
+data/hash/md5: low
+discover/network/mac_address: medium
+discover/process/name: medium
+discover/system/cpu: low
+discover/system/hostname: low
+discover/system/platform: low
+discover/system/sysinfo: medium
+discover/user/HOME: low
+discover/user/USER: low
+evasion/bypass_security/linux/iptables: medium
+evasion/file/location/dev_mqueue: medium
+evasion/file/location/dev_shm: medium
+evasion/file/location/var_run: medium
+evasion/file/prefix: medium
+evasion/file/prefix/dev: low
+exec/cmd: medium
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/program: medium
+exec/reconfigure/hostname_set: low
+exec/shell/SHELL: low
+exec/shell/TERM: low
+exec/shell/background_sleep: medium
+exec/shell/exec: medium
+exec/system_controls/apparmor: medium
+fs/directory/create: low
+fs/directory/list: low
+fs/directory/remove: low
+fs/event_monitoring: low
+fs/fifo_create: low
+fs/file/create: medium
+fs/file/delete: low
+fs/file/delete_forcibly: low
+fs/file/read: low
+fs/file/rename: low
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_create: low
+fs/link_read: low
+fs/lock_update: low
+fs/loopback: medium
+fs/mount: low
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/etc_resolv.conf: low
+fs/path/home_config: low
+fs/path/lib_dynamic: medium
+fs/path/relative: medium
+fs/path/tmp: medium
+fs/path/users: medium
+fs/path/usr_bin: low
+fs/path/usr_local: medium
+fs/path/usr_sbin: low
+fs/path/var: low
+fs/permission/chown: medium
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/self_cgroup: medium
+fs/proc/self_cmdline: medium
+fs/proc/self_exe: medium
+fs/proc/self_mountinfo: medium
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+fs/tempdir/create: low
+fs/unmount: low
+fs/watch: low
+hw/dev/block_ice: medium
+impact/degrade/linux_paths: medium
+impact/remote_access/iptables: medium
+mem/anonymous_file: medium
+net/dns: low
+net/dns/reverse: medium
+net/dns/servers: low
+net/dns/txt: low
+net/download: medium
+net/http/2: low
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/content_length_0: medium
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/oauth2: low
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip/icmp: medium
+net/ip/parse: medium
+net/resolve/hostname: low
+net/resolve/hostport_parse: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/peer_address: low
+net/socket/receive: low
+net/socket/send: low
+net/tcp/connect: medium
+net/tcp/grpc: low
+net/tcp/ssh: medium
+net/udp/receive: low
+net/udp/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+net/url/request: medium
+os/fd/sendfile: low
+os/kernel/kcore: low
+os/kernel/key_management: low
+os/kernel/netlink: low
+os/kernel/seccomp: low
+persist/pid_file: medium
+process/chroot: low
+process/groupid_set: low
+process/groups_set: low
+process/multithreaded: low
+process/unshare: low
+process/userid_set: low
+sus/exclamation: medium
+sus/intercept: medium
diff --git a/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple b/tests/linux/clean/kibana/securitySolution.chunk.22.js.simple
@@ -0,0 +1,79 @@
+# linux/clean/kibana/securitySolution.chunk.22.js: critical
+3P/threat_hunting/: medium
+3P/threat_hunting/arsenal: medium
+3P/threat_hunting/backdoor: medium
+3P/threat_hunting/beef: medium
+3P/threat_hunting/blackshades: medium
+3P/threat_hunting/burpsuite: medium
+3P/threat_hunting/dbc2: medium
+3P/threat_hunting/earth_lusca_operations: medium
+3P/threat_hunting/generate_macro: medium
+3P/threat_hunting/github_username: medium
+3P/threat_hunting/heartbleed: medium
+3P/threat_hunting/impacket: medium
+3P/threat_hunting/keylogger: medium
+3P/threat_hunting/kubesploit: medium
+3P/threat_hunting/localtunnel: medium
+3P/threat_hunting/localtunnels: medium
+3P/threat_hunting/merlin_agent_dll: medium
+3P/threat_hunting/metasploit: medium
+3P/threat_hunting/metasploitcoop: medium
+3P/threat_hunting/openvas: medium
+3P/threat_hunting/owasp: medium
+3P/threat_hunting/phishery: medium
+3P/threat_hunting/powershell_scripts_for: medium
+3P/threat_hunting/powersploit: medium
+3P/threat_hunting/pupy: medium
+3P/threat_hunting/pwdump: medium
+3P/threat_hunting/rapid7: medium
+3P/threat_hunting/routersploit: medium
+3P/threat_hunting/seclists: medium
+3P/threat_hunting/sqlmap: medium
+3P/threat_hunting/sqlninja: medium
+3P/threat_hunting/thc_hydra: medium
+3P/threat_hunting/torproject: medium
+3P/threat_hunting/traitor: medium
+3P/threat_hunting/wpscan: medium
+c2/addr/url: high
+c2/discovery/dyndns: medium
+c2/tool_transfer/download: high
+c2/tool_transfer/dropper: medium
+c2/tool_transfer/exe_url: high
+c2/tool_transfer/grayware: high
+collect/databases/mysql: medium
+credential/keylogger: medium
+credential/password: low
+crypto/blockchain: medium
+data/encoding/json_decode: low
+evasion/file/prefix: medium
+evasion/rootkit/refs: medium
+exec/plugin: low
+exec/shell/power: medium
+exfil/upload: medium
+fs/lock_update: low
+fs/path/dev: medium
+impact/cryptojacking/monero_pool: medium
+impact/ddos: medium
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/exploit/known_s: medium
+impact/infection/infected: medium
+impact/infection/worm: medium
+impact/remote_access/backdoor: medium
+impact/remote_access/iptables: medium
+impact/remote_access/reverse_shell: high
+impact/remote_access/trojan: medium
+impact/rootkit: low
+lateral/scan/brute_force: low
+net/dns/txt: low
+net/download: medium
+net/tcp/sftp: medium
+net/url/embedded: medium
+net/url/parse: low
+persist/daemon: medium
+process/chroot: low
+sec-tool/net/masscan: high
+sec-tool/net/nmap: medium
+sec-tool/pentest/metasploit_ref: medium
+sus/leetspeak: medium
+sus/malicious: medium
diff --git a/tests/python/clean/pydevd/setup_pydevd_cython.py.simple b/tests/python/clean/pydevd/setup_pydevd_cython.py.simple
@@ -0,0 +1,11 @@
+# python/clean/pydevd/setup_pydevd_cython.py: medium
+discover/system/platform: medium
+exec/remote_commands/code_eval: medium
+fs/directory/list: low
+fs/file/delete: low
+fs/file/open: low
+fs/file/read: low
+fs/file/write: low
+impact/remote_access/py_setuptools: low
+os/fd/read: low
+os/fd/write: low
diff --git a/tests/samples_test.go b/tests/samples_test.go
@@ -50,7 +50,6 @@ func init() {
 }
 
 func TestJSON(t *testing.T) {
-	t.Parallel()
 	ctx := slogtest.Context(t)
 	clog.FromContext(ctx).With("test", "TestJSON")
 
@@ -78,6 +77,7 @@ func TestJSON(t *testing.T) {
 		}
 
 		t.Run(name, func(t *testing.T) {
+			t.Parallel()
 			td, err := fs.ReadFile(fileSystem, jsonPath)
 			if err != nil {
 				t.Fatalf("testdata read failed: %v", err)
@@ -121,7 +121,6 @@ func TestJSON(t *testing.T) {
 }
 
 func TestSimple(t *testing.T) {
-	t.Parallel()
 	ctx := slogtest.Context(t)
 	clog.FromContext(ctx).With("test", "simple")
 
@@ -140,6 +139,7 @@ func TestSimple(t *testing.T) {
 		testPath := path
 
 		t.Run(name, func(t *testing.T) {
+			t.Parallel()
 			binPath := name
 			binDir := filepath.Dir(binPath)
 			if _, err := os.Stat(binPath); err != nil {
@@ -427,7 +427,6 @@ func testInputs(path string) string {
 }
 
 func TestMarkdown(t *testing.T) {
-	t.Parallel()
 	ctx := slogtest.Context(t)
 	clog.FromContext(ctx).With("test", "TestMarkDown")
 
@@ -444,6 +443,7 @@ func TestMarkdown(t *testing.T) {
 
 		name := strings.ReplaceAll(path, ".md", "")
 		t.Run(name, func(t *testing.T) {
+			t.Parallel()
 			binPath := name
 			binDir := filepath.Dir(binPath)
 			if _, err := os.Stat(binPath); err != nil {