diff --git a/pkg/action/scan.go b/pkg/action/scan.go
index e043f8c2a..473c443fa 100644
--- a/pkg/action/scan.go
+++ b/pkg/action/scan.go
@@ -126,7 +126,7 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
  return &malcontent.FileReport{Path: path, Error: fmt.Sprintf("scan: %v", err)}, nil
  }
 
- fr, err := report.Generate(ctx, path, mrs, c, archiveRoot)
+ fr, err := report.Generate(ctx, path, mrs, c, archiveRoot, logger)
  if err != nil {
  return nil, err
  }
diff --git a/pkg/report/report.go b/pkg/report/report.go
index abb6f0ec9..83349382e 100644
--- a/pkg/report/report.go
+++ b/pkg/report/report.go
@@ -342,7 +342,7 @@ func mungeDescription(s string) string {
 }
 
 //nolint:cyclop // ignore complexity of 44
-func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malcontent.Config, expath string) (malcontent.FileReport, error) {
+func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malcontent.Config, expath string, logger *clog.Logger) (malcontent.FileReport, error) {
  ignoreTags := c.IgnoreTags
  minScore := c.MinRisk
  ignoreSelf := c.IgnoreSelf
@@ -451,7 +451,10 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten
  // If we find a match in the map for the metadata key, that's the rule to override
  // Store this rule (the override) in the fr.Overrides behavior slice
- if _, exists := mrsMap[k]; exists && override {
+ // If an override rule is not overriding a valid rule, log an error
+ _, exists := mrsMap[k]
+ switch {
+ case exists && override:
  var overrideSev int
  if sev, ok := Levels[v]; ok {
  overrideSev = sev
@@ -460,6 +463,9 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten
  b.RiskScore = overrideSev
  b.Override = append(b.Override, k)
  fr.Overrides = append(fr.Overrides, b)
+ case !exists && override:
+ logger.Errorf("Override %s matched with no overridden rule\n", m.Rule)
+ continue
  }
 
  switch k {
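Review bot: The new error path in the `@@ -460` hunk of report.go logs `m.Rule` but not the metadata key that failed to resolve, and the message ends in `\n`; if `clog.Logger` is a structured (slog-style) logger, that newline lands inside the message field instead of ending a line. Including `k` makes a mis-authored override locatable, e.g. `logger.Errorf("override %s: key %q matched no rule", m.Rule, k)`. The `continue` in `case !exists && override:` also skips the `switch k` below for that key, whereas before this change such a key fell through to it; that behavioural difference is worth stating in the `// If an override rule is not overriding a valid rule` comment, since it changes what ends up in the report. `Generate` now dereferences `logger` with no nil check, so any caller other than `scanSinglePath` that is not shown here must be updated to pass a non-nil logger or it will presumably panic. Both report.go hunks sit inside `Generate`, whose body starts and ends outside the hunks.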
diff --git a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff index bc4c03afd..87ee8b60a 100644 --- a/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff +++ b/tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff @@ -16,7 +16,7 @@ | +MEDIUM | **[anti-static/obfuscation/js/char_codes](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/js/char_codes.yara#character_obfuscation)** | obfuscated javascript that relies on character manipulation | [charAt](https://github.com/search?q=charAt&type=code)
[charCodeAt](https://github.com/search?q=charCodeAt&type=code)
[const](https://github.com/search?q=const&type=code)
[fromCharCode](https://github.com/search?q=fromCharCode&type=code)
[function(](https://github.com/search?q=function%28&type=code)
[length](https://github.com/search?q=length&type=code)
[push](https://github.com/search?q=push&type=code)
[shift](https://github.com/search?q=shift&type=code)
[toString](https://github.com/search?q=toString&type=code)
[{return](https://github.com/search?q=%7Breturn&type=code) | | +MEDIUM | **[c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#hardcoded_ip)** | hardcoded IP address | [114.243.154.69](https://github.com/search?q=114.243.154.69&type=code)
[13.182.181.343](https://github.com/search?q=13.182.181.343&type=code)
[13.23.32.42](https://github.com/search?q=13.23.32.42&type=code)
[14.22.33.243](https://github.com/search?q=14.22.33.243&type=code)
[14.52.54.92](https://github.com/search?q=14.52.54.92&type=code)
[146.288.257.686](https://github.com/search?q=146.288.257.686&type=code)
[15.15.34.34](https://github.com/search?q=15.15.34.34&type=code)
[15.21.28.36](https://github.com/search?q=15.21.28.36&type=code)
[15.34.34.56](https://github.com/search?q=15.34.34.56&type=code)
[153.41.153.567](https://github.com/search?q=153.41.153.567&type=code)
[156.153.41.153](https://github.com/search?q=156.153.41.153&type=code)
[172.14.22.33](https://github.com/search?q=172.14.22.33&type=code)
[178.311.311.743](https://github.com/search?q=178.311.311.743&type=code)
[181.132.465.255](https://github.com/search?q=181.132.465.255&type=code)
[198.172.14.22](https://github.com/search?q=198.172.14.22&type=code)
[21.28.36.36](https://github.com/search?q=21.28.36.36&type=code)
[21.507.477.106](https://github.com/search?q=21.507.477.106&type=code)
[22.33.243.463](https://github.com/search?q=22.33.243.463&type=code)
[23.32.42.47](https://github.com/search?q=23.32.42.47&type=code)
[24.26.45.35](https://github.com/search?q=24.26.45.35&type=code)
[243.427.41.993](https://github.com/search?q=243.427.41.993&type=code)
[25.27.52.74](https://github.com/search?q=25.27.52.74&type=code)
[25.34.35.14](https://github.com/search?q=25.34.35.14&type=code)
[26.45.35.92](https://github.com/search?q=26.45.35.92&type=code)
[26.45.64.83](https://github.com/search?q=26.45.64.83&type=code)
[26.47.64.85](https://github.com/search?q=26.47.64.85&type=code)
[27.52.74.77](https://github.com/search?q=27.52.74.77&type=code)
[288.146.686.257](https://github.com/search?q=288.146.686.257&type=code)
[288.257.686.318](https://github.com/search?q=288.257.686.318&type=code)
[294.169.558.47](https://github.com/search?q=294.169.558.47&type=code)
[311.178.743.311](https://github.com/search?q=311.178.743.311&type=code)
[311.311.743.384](https://github.com/search?q=311.311.743.384&type=code)
[325.737.732.76](https://github.com/search?q=325.737.732.76&type=code)
[335.749.748.752](https://github.com/search?q=335.749.748.752&type=code)
[347.763.768.74](https://github.com/search?q=347.763.768.74&type=code)
[407.325.737.732](https://github.com/search?q=407.325.737.732&type=code)
[414.335.749.748](https://github.com/search?q=414.335.749.748&type=code)
[422.347.763.768](https://github.com/search?q=422.347.763.768&type=code)
[427.41.993.498](https://github.com/search?q=427.41.993.498&type=code)
[486.21.507.477](https://github.com/search?q=486.21.507.477&type=code)
[515.24.49.525](https://github.com/search?q=515.24.49.525&type=code)
[52.14.93.54](https://github.com/search?q=52.14.93.54&type=code)
[585.33.579.602](https://github.com/search?q=585.33.579.602&type=code)
[65.65.98.98](https://github.com/search?q=65.65.98.98&type=code)
[652.193.936.325](https://github.com/search?q=652.193.936.325&type=code)
[662.198.172.14](https://github.com/search?q=662.198.172.14&type=code)
[678.243.427.41](https://github.com/search?q=678.243.427.41&type=code)
[732.76.734.734](https://github.com/search?q=732.76.734.734&type=code)
[737.325.76.732](https://github.com/search?q=737.325.76.732&type=code)
[737.732.76.157](https://github.com/search?q=737.732.76.157&type=code)
[751.338.748.752](https://github.com/search?q=751.338.748.752&type=code)
[76.732.734.734](https://github.com/search?q=76.732.734.734&type=code)
[78.24.65.51](https://github.com/search?q=78.24.65.51&type=code)
[83.26.47.64](https://github.com/search?q=83.26.47.64&type=code)
[88.39.55.87](https://github.com/search?q=88.39.55.87&type=code)
[92.97.47.52](https://github.com/search?q=92.97.47.52&type=code)
[942.12.872.258](https://github.com/search?q=942.12.872.258&type=code)
[97.47.52.84](https://github.com/search?q=97.47.52.84&type=code) | | +MEDIUM | **[credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain)** | May access the macOS keychain | [keychain](https://github.com/search?q=keychain&type=code) | -| +MEDIUM | **[crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain)** | Uses a blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | +| +MEDIUM | **[crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain)** | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | | +MEDIUM | **[crypto/uuid](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/uuid.yara#random_uuid)** | generates a random UUID | [randomUUID](https://github.com/search?q=randomUUID&type=code) | | +MEDIUM | **[data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url)** | Contains base64 url | [odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code) | | +MEDIUM | **[discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#npm_uname)** | [get system identification](https://nodejs.org/api/process.html) | [process.platform](https://github.com/search?q=process.platform&type=code)
[process.versions](https://github.com/search?q=process.versions&type=code) | diff --git a/tests/linux/clean/code-oss.md b/tests/linux/clean/code-oss.md index eceb26b79..b93ce9cba 100644 --- a/tests/linux/clean/code-oss.md +++ b/tests/linux/clean/code-oss.md @@ -85,7 +85,7 @@ | MEDIUM | [sus/leetspeak](https://github.com/chainguard-dev/malcontent/blob/main/rules/sus/leetspeak.yara#one_three_three_seven) | References 1337 terminology' | [1337](https://github.com/search?q=1337&type=code) | | LOW | [anti-static/obfuscation/obfuscate](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/obfuscation/obfuscate.yara#obfuscate) | Mentions the word obfuscate | [obfuscate_location_parse_error](https://github.com/search?q=obfuscate_location_parse_error&type=code)
[obfuscated_field_name](https://github.com/search?q=obfuscated_field_name&type=code)
[obfuscated_file_util](https://github.com/search?q=obfuscated_file_util&type=code)
[obfuscated_name](https://github.com/search?q=obfuscated_name&type=code) | | LOW | [credential/password](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password.yara#password) | references a 'password' | [AccountPasswordsConsent](https://github.com/search?q=AccountPasswordsConsent&type=code)
[ChromePasswordManagerClient](https://github.com/search?q=ChromePasswordManagerClient&type=code)
[GaiaPasswordCaptured](https://github.com/search?q=GaiaPasswordCaptured&type=code)
[GaiaPasswordReuse](https://github.com/search?q=GaiaPasswordReuse&type=code)
[Invalid password pattern](https://github.com/search?q=Invalid+password+pattern&type=code)
[PasswordH](https://github.com/search?q=PasswordH&type=code)
[PasswordIssues](https://github.com/search?q=PasswordIssues&type=code)
[PasswordReuseDetected](https://github.com/search?q=PasswordReuseDetected&type=code)
[PasswordReuseLookup](https://github.com/search?q=PasswordReuseLookup&type=code)
[PasswordReveal](https://github.com/search?q=PasswordReveal&type=code)
[PasswordSpecificsData](https://github.com/search?q=PasswordSpecificsData&type=code)
[SetPasswordFunc](https://github.com/search?q=SetPasswordFunc&type=code)
[Username and password are expected to](https://github.com/search?q=Username+and+password+are+expected+to&type=code)
[a username and password](https://github.com/search?q=a+username+and+password&type=code)
[accessibilityPasswordValuesEnabled](https://github.com/search?q=accessibilityPasswordValuesEnabled&type=code)
[and password fields set](https://github.com/search?q=and+password+fields+set&type=code)
[bPassword](https://github.com/search?q=bPassword&type=code)
[challengePassword](https://github.com/search?q=challengePassword&type=code)
[const has_password](https://github.com/search?q=const+has_password&type=code)
[current-password](https://github.com/search?q=current-password&type=code)
[gaia_password_reuse](https://github.com/search?q=gaia_password_reuse&type=code)
[generated a new password](https://github.com/search?q=generated+a+new+password&type=code)
[get password](https://github.com/search?q=get+password&type=code)
[getPasswordComplete](https://github.com/search?q=getPasswordComplete&type=code)
[have-a-username-password-port](https://github.com/search?q=have-a-username-password-port&type=code)
[have-username-password-port](https://github.com/search?q=have-username-password-port&type=code)
[id-PasswordBasedMAC](https://github.com/search?q=id-PasswordBasedMAC&type=code)
[keyring_delete_password](https://github.com/search?q=keyring_delete_password&type=code)
[keyring_find_password_sync](https://github.com/search?q=keyring_find_password_sync&type=code)
[keyring_free_password](https://github.com/search?q=keyring_free_password&type=code)
[keyring_store_password_sync](https://github.com/search?q=keyring_store_password_sync&type=code)
[like a password](https://github.com/search?q=like+a+password&type=code)
[new-password](https://github.com/search?q=new-password&type=code)
[or PasswordCredentialData](https://github.com/search?q=or+PasswordCredentialData&type=code)
[password based MAC](https://github.com/search?q=password+based+MAC&type=code)
[password is too large](https://github.com/search?q=password+is+too+large&type=code)
[password text](https://github.com/search?q=password+text&type=code)
[password-change](https://github.com/search?q=password-change&type=code)
[password-protection](https://github.com/search?q=password-protection&type=code)
[password-reveal](https://github.com/search?q=password-reveal&type=code)
[password-store](https://github.com/search?q=password-store&type=code)
[passwordChar](https://github.com/search?q=passwordChar&type=code)
[passwordDialogTitle](https://github.com/search?q=passwordDialogTitle&type=code)
[passwordEchoEnabled](https://github.com/search?q=passwordEchoEnabled&type=code)
[passwordEdit](https://github.com/search?q=passwordEdit&type=code)
[passwordInvalid](https://github.com/search?q=passwordInvalid&type=code)
[passwordPrompt](https://github.com/search?q=passwordPrompt&type=code)
[passwordSubmit](https://github.com/search?q=passwordSubmit&type=code)
[password_specifics](https://github.com/search?q=password_specifics&type=code)
[readPassword](https://github.com/search?q=readPassword&type=code)
[secret_password_clear_sync](https://github.com/search?q=secret_password_clear_sync&type=code)
[secret_password_store_sync](https://github.com/search?q=secret_password_store_sync&type=code)
[set password](https://github.com/search?q=set+password&type=code)
[such as passwords](https://github.com/search?q=such+as+passwords&type=code)
[to deserialize password_string](https://github.com/search?q=to+deserialize+password_string&type=code)
[userPassword](https://github.com/search?q=userPassword&type=code)
[username or password](https://github.com/search?q=username+or+password&type=code)
[writePassword](https://github.com/search?q=writePassword&type=code) | -| LOW | [credential/password/finder](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password_finder.yara#gnome_keyring_sync) | looks up passwords via gnome_keyring | [gnome_keyring_find_password_sync](https://github.com/search?q=gnome_keyring_find_password_sync&type=code) | +| LOW | [credential/password/finder](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/password/password_finder.yara#gnome_keyring_sync) | gnome keyring sync | [gnome_keyring_find_password_sync](https://github.com/search?q=gnome_keyring_find_password_sync&type=code) | | LOW | [credential/ssl/private_key](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/ssl/private_key.yara#private_key_val) | References private keys | [PRIVATE_KEY](https://github.com/search?q=PRIVATE_KEY&type=code)
[privateKey](https://github.com/search?q=privateKey&type=code)
[private_key](https://github.com/search?q=private_key&type=code) | | LOW | [crypto/aes](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/aes.yara#crypto_aes) | Supports AES (Advanced Encryption Standard) | [AES](https://github.com/search?q=AES&type=code)
[crypto/aes](https://github.com/search?q=crypto%2Faes&type=code) | | LOW | [crypto/ecdsa](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/ecdsa.yara#crypto_ecdsa) | Uses the Go crypto/ecdsa library | [crypto/ecdsa](https://github.com/search?q=crypto%2Fecdsa&type=code) | diff --git a/tests/linux/clean/trufflehog.md b/tests/linux/clean/trufflehog.md index 34b852bfa..22b20c8e0 100644 --- a/tests/linux/clean/trufflehog.md +++ b/tests/linux/clean/trufflehog.md @@ -33,7 +33,7 @@ | MEDIUM | [credential/clipboard](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/clipboard.yara#nspasteboard) | [access clipboard contents](https://www.sentinelone.com/blog/session-cookies-keychains-ssh-keys-and-more-7-kinds-of-data-malware-steals-from-macos-users/) | [atotto/clipboard](https://github.com/search?q=atotto%2Fclipboard&type=code) | | MEDIUM | [credential/cloud/g](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/cloud/gcloud.yara#gcloud_config_value) | Access gcloud configuration files | [.config/gcloud](https://github.com/search?q=.config%2Fgcloud&type=code)
[application_default_credentials.json](https://github.com/search?q=application_default_credentials.json&type=code) | | MEDIUM | [credential/keychain](https://github.com/chainguard-dev/malcontent/blob/main/rules/credential/keychain/keychain.yara#keychain) | May access the macOS keychain | [Keychain](https://github.com/search?q=Keychain&type=code)
[keychain](https://github.com/search?q=keychain&type=code) | -| MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | Uses a blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | +| MEDIUM | [crypto/blockchain](https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/blockchain.yara#blockchain) | blockchain | [blockchain](https://github.com/search?q=blockchain&type=code) | | MEDIUM | [data/compression/xz](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/xz.yara#xz_lib) | uses xz library | [ulikunitz/xz](https://github.com/search?q=ulikunitz%2Fxz&type=code) | | MEDIUM | [data/embedded/base64_terms](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-terms.yara#contains_base64) | Contains base64 CERTIFICATE | [DRVJUSUZJQ0FUR::$CERTIFICATE](https://github.com/search?q=DRVJUSUZJQ0FUR%3A%3A%24CERTIFICATE&type=code)
[Q0VSVElGSUNBVE::$CERTIFICATE](https://github.com/search?q=Q0VSVElGSUNBVE%3A%3A%24CERTIFICATE&type=code)
[ZGlyZWN0b3J5::$directory](https://github.com/search?q=ZGlyZWN0b3J5%3A%3A%24directory&type=code) | | MEDIUM | [data/embedded/base64_url](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-base64-url.yara#contains_base64_url) | Contains base64 url | [aHR0cDovL::$http](https://github.com/search?q=aHR0cDovL%3A%3A%24http&type=code)
[h0dHA6Ly::$http](https://github.com/search?q=h0dHA6Ly%3A%3A%24http&type=code)
[odHRwOi8v::$http](https://github.com/search?q=odHRwOi8v%3A%3A%24http&type=code)
[odHRwczovL::$https](https://github.com/search?q=odHRwczovL%3A%3A%24https&type=code) |