Make diff behave like diff(1); report consistent behaviors (chainguar…

…d-dev#628) * Make diff behave like diff(1); report consistent behaviors Signed-off-by: egibs <[email protected]> * Remove NoDiff field from Behavior struct; remove ~ from consistent behaviors Signed-off-by: egibs <[email protected]> * Remove redundant fmt.Sprintf Signed-off-by: egibs <[email protected]> * Handle archives like directories since we scan the extracted tmp dir Signed-off-by: egibs <[email protected]> * Small tweaks Signed-off-by: egibs <[email protected]> * Correctly handle file moves for .so/.spdx.json files Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>
egibs · Nov 15, 2024 · ae10a42 · ae10a42
1 parent 24b63d1
commit ae10a42
Show file tree

Hide file tree

Showing 20 changed files with 342 additions and 258 deletions.
diff --git a/pkg/action/diff.go b/pkg/action/diff.go
diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go
@@ -82,31 +82,65 @@ func (r Markdown) Full(ctx context.Context, rep *malcontent.Report) error {
 		}
 		added := 0
 		removed := 0
+		noDiff := 0
 		for _, b := range modified.Value.Behaviors {
 			if b.DiffAdded {
 				added++
 			}
 			if b.DiffRemoved {
 				removed++
 			}
+			if !b.DiffAdded && !b.DiffRemoved {
+				noDiff++
+			}
 		}
 
 		// We split the added/removed up in Markdown to address readability feedback. Unfortunately,
 		// this means we hide "existing" behaviors, which causes context to suffer. We should evaluate an
 		// improved rendering, similar to the "terminal" refresh, that includes everything.
+		var count int
+		var qual string
 		if added > 0 {
+			count = added
+			noun := "behavior"
+			qual = "new"
+			if count > 1 {
+				noun = "behaviors"
+			}
 			markdownTable(ctx, modified.Value, r.w, tableConfig{
-				Title:        fmt.Sprintf("### %d new behaviors", added),
+				Title:        fmt.Sprintf("### %d %s %s", count, qual, noun),
 				SkipRemoved:  true,
 				SkipExisting: true,
+				SkipNoDiff:   true,
 			})
 		}
 
 		if removed > 0 {
+			count = removed
+			noun := "behavior"
+			qual = "removed"
+			if count > 1 {
+				noun = "behaviors"
+			}
 			markdownTable(ctx, modified.Value, r.w, tableConfig{
-				Title:        fmt.Sprintf("### %d removed behaviors", removed),
+				Title:        fmt.Sprintf("### %d %s %s", count, qual, noun),
 				SkipAdded:    true,
 				SkipExisting: true,
+				SkipNoDiff:   true,
+			})
+		}
+
+		if noDiff > 0 {
+			count = noDiff
+			noun := "behavior"
+			qual = "consistent"
+			if count > 1 {
+				noun = "behaviors"
+			}
+			markdownTable(ctx, modified.Value, r.w, tableConfig{
+				Title:       fmt.Sprintf("### %d %s %s", count, qual, noun),
+				SkipAdded:   true,
+				SkipRemoved: true,
 			})
 		}
 	}
@@ -121,7 +155,6 @@ func markdownTable(_ context.Context, fr *malcontent.FileReport, w io.Writer, rc
 	}
 
 	if fr.Skipped != "" {
-		// fmt.Printf("%s - skipped: %s\n", path, fr.Skipped)
 		return
 	}
 
@@ -195,6 +228,11 @@ func markdownTable(_ context.Context, fr *malcontent.FileReport, w io.Writer, rc
 			}
 			risk = fmt.Sprintf("-%s", risk)
 		}
+		if (!k.Behavior.DiffRemoved && !k.Behavior.DiffAdded) || rc.NoDiff {
+			if rc.SkipNoDiff {
+				continue
+			}
+		}
 
 		key := fmt.Sprintf("[%s](%s)", k.Key, k.Behavior.RuleURL)
 		if strings.HasPrefix(risk, "+") {

diff --git a/pkg/render/simple.go b/pkg/render/simple.go
@@ -104,6 +104,9 @@ func (r Simple) Full(_ context.Context, rep *malcontent.Report) error {
 			if b.DiffAdded {
 				fmt.Fprintf(r.w, "+%s\n", b.ID)
 			}
+			if !b.DiffRemoved && !b.DiffAdded {
+				fmt.Fprintf(r.w, "%s\n", b.ID)
+			}
 		}
 	}
 

diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go
@@ -26,7 +26,9 @@ type tableConfig struct {
 	ShowTitle    bool
 	DiffRemoved  bool
 	DiffAdded    bool
+	NoDiff       bool
 	SkipAdded    bool
+	SkipNoDiff   bool
 	SkipRemoved  bool
 	SkipExisting bool
 }
@@ -319,6 +321,13 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 					content = fmt.Sprintf("%s%s%s %s %s", prefix, indent, bullet, rest, desc)
 					e = ""
 				}
+
+				if !b.DiffAdded && !b.DiffRemoved {
+					prefix = "   "
+					pc = color.New(color.FgHiCyan)
+					content = fmt.Sprintf("%s%s%s %s %s", prefix, indent, bullet, rest, desc)
+					e = ""
+				}
 			}
 
 			// no evidence to give

diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff
diff --git a/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff b/tests/linux/2023.FreeDownloadManager/freedownloadmanager.sdiff
@@ -1,37 +1,29 @@
---- missing: freedownloadmanager_clear_postinst
--data/embedded/pgp_key
--exec/install_additional/add_apt_key
--exec/shell/ignore_output
--fs/path/etc
--fs/path/usr_bin
--net/download
--net/url/embedded
-++++ added: freedownloadmanager_infected_postinst
+*** changed: linux/2023.FreeDownloadManager/freedownloadmanager_infected_postinst
 +3P/threat_hunting/touch
 +anti-static/base64/exec
 +anti-static/base64/http_agent
 +data/base64/external
 +data/embedded/base64_elf
 +data/embedded/base64_terms
 +data/embedded/base64_url
-+data/embedded/pgp_key
+data/embedded/pgp_key
 +data/encoding/base64
 +evasion/file/location/var_tmp
-+exec/install_additional/add_apt_key
+exec/install_additional/add_apt_key
 +exec/shell/exec
-+exec/shell/ignore_output
+exec/shell/ignore_output
 +fs/directory/create
 +fs/file/delete_forcibly
 +fs/file/make_executable
 +fs/file/times_set
-+fs/path/etc
+fs/path/etc
 +fs/path/tmp
-+fs/path/usr_bin
+fs/path/usr_bin
 +fs/path/var
 +fs/permission/modify
 +impact/remote_access/botnet
-+net/download
-+net/url/embedded
+net/download
+net/url/embedded
 +persist/cron/etc_d
 +persist/cron/tab
 +sus/geopolitics
diff --git a/tests/linux/2024.sbcl.market/sbcl.sdiff b/tests/linux/2024.sbcl.market/sbcl.sdiff
@@ -1,44 +1,24 @@
---- missing: sbcl.clean
--crypto/rc4
--data/compression/zstd
--discover/user/HOME
--discover/user/USER
--evasion/file/location/var_tmp
--exec/dylib/address_check
--exec/dylib/symbol_address
--exec/program
--exec/program/background
--exec/shell/echo
--fs/file/delete
--fs/file/truncate
--fs/link_read
--fs/path/dev
--fs/path/tmp
--fs/path/var
--fs/permission/modify
--fs/proc/self_exe
--fs/symlink_resolve
--net/url/embedded
-++++ added: sbcl.dirty
+*** changed: linux/2024.sbcl.market/sbcl.dirty
 +anti-static/elf/entropy
-+data/compression/zstd
+-crypto/rc4
+data/compression/zstd
 +data/embedded/zstd
-+discover/user/HOME
-+discover/user/USER
-+evasion/file/location/var_tmp
-+exec/dylib/address_check
-+exec/dylib/symbol_address
-+exec/program
-+exec/program/background
-+exec/shell/echo
-+fs/file/delete
-+fs/file/truncate
-+fs/link_read
-+fs/path/dev
-+fs/path/tmp
-+fs/path/var
-+fs/permission/modify
-+fs/proc/self_exe
-+fs/symlink_resolve
+discover/user/HOME
+discover/user/USER
+evasion/file/location/var_tmp
+exec/dylib/address_check
+exec/dylib/symbol_address
+exec/program
+exec/program/background
+exec/shell/echo
+fs/file/delete
+fs/file/truncate
+fs/link_read
+fs/path/dev
+fs/path/tmp
+fs/path/var
+fs/permission/modify
+fs/proc/self_exe
+fs/symlink_resolve
 +net/dns/txt
-+net/url/embedded
+net/url/embedded
diff --git a/tests/linux/clean/aws-c-io/aws-c-io.sdiff b/tests/linux/clean/aws-c-io/aws-c-io.sdiff
@@ -1 +1,3 @@
->>> moved: linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json -> linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json (score: 0.979310)
+>>> moved: linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json -> linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json (score: 0.988000)
+net/download
+net/url/embedded
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff