Add override rules for findings from latest full scan of Wolfi packag…

…es (#606)

Signed-off-by: egibs <[email protected]>

Makefile

@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= fa43e4419016b2a965bd08faae9f467ba9e28153
+SAMPLES_COMMIT ?= bd62e3dcd942c85b78969977e2a830c76d447d6f
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install

rules/false_positives/conda_build.yara

@@ -0,0 +1,14 @@
+rule conda_load_setup_py_data: override {
+  meta:
+    setuptools_eval = "low"
+    description     = "_load_setup_py_data.py"
+
+  strings:
+    $exec  = "exec(code, ns, ns)"
+    $func  = "load_setup_py_data"
+    $sbom1 = "# Copyright (C) 2014 Anaconda, Inc"
+    $sbom2 = "# SPDX-License-Identifier: BSD-3-Clause"
+
+  condition:
+    filesize < 8KB and all of them
+}

rules/false_positives/faker.yara

@@ -0,0 +1,26 @@
+rule faker_js: override {
+  meta:
+    description                = "faker.js"
+    common_username_block_list = "low"
+
+  strings:
+    $faker  = /[Ff]aker/
+    $method = /@method faker.\w{0,32}.\w{0,32}/
+    $module = "module['exports'] = faker"
+
+  condition:
+    filesize < 8MB and #faker > 128 and $method and $module
+}
+
+rule faker_min_js: override {
+  meta:
+    description                = "faker.min.js"
+    common_username_block_list = "low"
+
+  strings:
+    $faker  = "faker"
+    $method = /faker.\w{0,32}.\w{0,32}/
+
+  condition:
+    filesize < 2MB and $faker and #method > 4
+}

rules/false_positives/libgcj.yara

@@ -0,0 +1,16 @@
+rule libgcj_so: override {
+  meta:
+    description               = "libgcj.so"
+    malware_CobaltStrike_v3v4 = "medium"
+
+  strings:
+    $copyright1 = "# Copyright (C) 1991-2005 Unicode, Inc."
+    $copyright2 = "# Copyright (C) 2004  Free Software Foundation, Inc."
+    $copyright3 = "# Copyright (C) 2005  Free Software Foundation, Inc."
+    $copyright4 = "# Copyright (C) 2006, 2010  Free Software Foundation, Inc."
+    $java_lang  = /_\w{0,32}_java_lang_\w{0,32}/
+    $zn         = /_(ZN3|ZN4|ZN5)java\w{0,128}/
+
+  condition:
+    filesize <= 64MB and all of ($copyright*) and #java_lang > 1024 and #zn > 64000
+}

rules/false_positives/setuptools.yara

@@ -0,0 +1,50 @@
+rule test_pyprojecttoml: override {
+  meta:
+    description     = "namespaces.py, test_pyprojecttoml.py"
+    setuptools_eval = "low"
+
+  strings:
+    $example   = "EXAMPLE"
+    $func1     = "def create_example("
+    $func2     = "def verify_example("
+    $func3     = "def test_read_configuration("
+    $import    = "import setuptools"
+    $kv        = "\"pyproject.toml\": EXAMPLE"
+    $pyproject = "pyproject.toml"
+
+  condition:
+    filesize < 16KB and all of them
+}
+
+rule setuptools_namespaces: override {
+  meta:
+    description     = "namespaces.py"
+    setuptools_eval = "low"
+
+  strings:
+    $func1     = "def iter_namespace_pkgs("
+    $func2     = "def build_namespace_package("
+    $func3     = "def build_pep420_namespace_package("
+    $namespace = "namespace"
+    $pyproject = "pyproject.toml"
+    $tmpl1     = "tmpl = '__import__(\"pkg_resources\").declare_namespace(__name__)'"
+    $tmpl2     = "tmpl = '__path__ = __import__(\"pkgutil\").extend_path(__path__, __name__)'"
+
+  condition:
+    filesize < 4KB and all of ($func*) and #namespace > 0 and $pyproject and all of ($tmpl*)
+}
+
+rule numba_support: override {
+  meta:
+    description     = "support.py"
+    setuptools_eval = "low"
+
+  strings:
+    $comment    = "Assorted utilities for use in tests."
+    $gh_issue   = "numba#"
+    $import     = "from numba"
+    $repository = "https://github.com/numba/numba"
+
+  condition:
+    filesize < 64KB and all of them
+}

rules/false_positives/wordpress.yara

@@ -0,0 +1,15 @@
+rule module_audio_video_quicktime: override {
+  meta:
+    description         = "module.audio-video.quicktime.php"
+    bitwise_obfuscation = "medium"
+
+  strings:
+    $author             = "getID3() by James Heinrich <[email protected]>"
+    $filename           = "module.audio-video.quicktime.php"
+    $irregular_comments = /\/\/ (ALBum|ARTist|CaTeGory|CoMmenT|COMposer|CoPyRighT|COVeR|DESCription|GAPless|GENre|GRouPing|LYRics|PURchase|RaTiNG|SOrt|TRacK|ViDeo|WRiTer)/
+    $repository         = "https://github.com/JamesHeinrich/getID3"
+    $site               = "https://www.getid3.org"
+
+  condition:
+    filesize < 192KB and $author and $filename and $repository and $site and any of ($irregular*)
+}

rules/false_positives/yarn.yara

@@ -0,0 +1,14 @@
+rule yarn_package_json: override {
+  meta:
+    description                     = "package.json"
+    npm_preinstall_command_dev_null = "medium"
+
+  strings:
+    $bin         = "./bin/yarn.js"
+    $description = "📦🐈 Fast, reliable, and secure dependency management."
+    $name        = "yarn"
+    $repositort  = "yarnpkg/yarn"
+
+  condition:
+    filesize < 768 and all of them
+}

rules/impact/infection/infected.yara

@@ -1,6 +1,7 @@
 rule infected: medium {
   meta:
-    description                          = "References being 'infected'"
+    description = "References being 'infected'"
+
   strings:
     $ref  = "infected"
     $ref2 = "INFECTED"
@@ -11,7 +12,8 @@ rule infected: medium {
 
 rule infection: medium {
   meta:
-    description                          = "References 'infection'"
+    description = "References 'infection'"
+
   strings:
     $ref3 = "infection"
 
@@ -24,7 +26,8 @@ rule infected_with: high {
     description = "References 'infected with'"
 
   strings:
-    $ref      = /.{3,16} infected with .{3,16}/
+    $ref = /.{3,16} infected with .{3,16}/
+
   condition:
     filesize < 5MB and $ref
-}
+}

tests/javascript/clean/faker.js.simple

@@ -0,0 +1,37 @@
+# javascript/clean/faker.js: high
+3P/threat_hunting/3snake: medium
+anti-behavior/blocklist/user: low
+anti-static/base64/exec: high
+anti-static/base64/http_agent: high
+anti-static/obfuscation/obfuscate: low
+c2/addr/ip: medium
+credential/password: low
+crypto/blockchain: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+evasion/hidden_paths/x11: low
+exec/plugin: low
+exfil/office_file_ext: medium
+exfil/stealer/credit_card: medium
+fs/path/boot: medium
+fs/path/etc: low
+fs/path/home: medium
+fs/path/root: medium
+fs/path/usr_local: medium
+fs/path/var: low
+impact/infection/worm: medium
+impact/remote_access/trojan: medium
+net/download: medium
+net/http/fake_user_agent: high
+net/http/form_upload: medium
+net/http/post: medium
+net/remote_control/vnc: medium
+net/url/embedded: low
+net/url/encode: medium
+sus/exclamation: medium
+sus/leetspeak: medium

tests/javascript/clean/faker.min.js.simple

@@ -0,0 +1,31 @@
+# javascript/clean/faker.min.js: high
+3P/threat_hunting/3snake: medium
+anti-behavior/blocklist/user: low
+anti-static/obfuscation/obfuscate: low
+c2/addr/ip: medium
+credential/password: low
+crypto/blockchain: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+evasion/hidden_paths/x11: low
+exec/plugin: low
+exfil/office_file_ext: medium
+exfil/stealer/credit_card: medium
+fs/path/boot: medium
+fs/path/etc: low
+fs/path/home: medium
+fs/path/root: medium
+fs/path/usr_local: medium
+fs/path/var: low
+impact/infection/worm: medium
+impact/remote_access/trojan: medium
+net/download: medium
+net/http/fake_user_agent: high
+net/http/form_upload: medium
+net/http/post: medium
+net/remote_control/vnc: medium
+net/url/embedded: low
+net/url/encode: medium
+sus/leetspeak: medium

tests/linux/clean/libgcj.so.17.0.0.simple

@@ -0,0 +1,88 @@
+# linux/clean/libgcj.so.17.0.0: high
+3P/JPCERT/cobaltstrike_v3v4: medium
+c2/addr/ip: medium
+credential/password: low
+credential/ssl/private_key: low
+crypto/aes: low
+crypto/tls: low
+crypto/uuid: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/embedded/base64_terms: medium
+data/embedded/base64_url: medium
+data/embedded/html: medium
+data/embedded/pem_certificate: low
+data/encoding/base64: low
+data/hash/md5: low
+data/hash/sha1: low
+data/hash/sha256: low
+data/hash/whirlpool: medium
+discover/network/interface_list: medium
+discover/system/cpu_info: low
+discover/system/hostname_get: low
+discover/system/platform: low
+discover/user/HOME: low
+discover/user/USER: low
+evasion/hijack_execution/LD_LIBRARY_PATH: low
+exec/cmd: medium
+exec/conditional/LANG: low
+exec/dylib/address_check: low
+exec/dylib/iterate: low
+exec/dylib/symbol_address: medium
+exec/plugin: low
+exec/program: medium
+exec/program/background: low
+exec/shell/SHELL: low
+exfil/office_file_ext: medium
+fs/directory/create: low
+fs/directory/remove: low
+fs/file/delete: medium
+fs/file/times_set: medium
+fs/file/truncate: low
+fs/file/write: low
+fs/link_read: low
+fs/mounts_read: medium
+fs/path/dev: medium
+fs/path/etc: low
+fs/path/root: medium
+fs/path/usr_local: medium
+fs/path/var: low
+fs/permission/modify: medium
+fs/proc/arbitrary_pid: medium
+fs/proc/mounts: medium
+fs/proc/pid_exe: high
+fs/proc/stat: medium
+fs/tempdir: low
+fs/tempdir/TEMP: low
+fs/tempdir/TMPDIR: low
+hw/iokit_registry: low
+impact/remote_access/agent: medium
+lateral/scan/tool: medium
+net/dns/txt: low
+net/http/accept_encoding: low
+net/http/auth: low
+net/http/cookies: medium
+net/http/form_upload: medium
+net/http/post: medium
+net/http/proxy: low
+net/http/request: low
+net/ip: low
+net/ip/multicast_send: low
+net/ip/parse: medium
+net/ip/resolve: low
+net/ip/send_unicast: low
+net/ip/string: medium
+net/resolve/hostname: low
+net/socket/listen: medium
+net/socket/local_addr: low
+net/socket/receive: low
+net/socket/reuseport: medium
+net/socket/send: low
+net/url/embedded: low
+net/url/encode: medium
+net/url/parse: low
+process/multithreaded: low
+process/name_get: medium
+sus/exclamation: medium
+sus/intercept: medium
+sus/leetspeak: medium