Follow-up FPR for a handful of packages (#1073)

egibs · web-flow · commit 5365c348bd26 · 2025-08-04T14:31:59.000-07:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/rules/anti-static/obfuscation/bitwise.yara b/rules/anti-static/obfuscation/bitwise.yara
@@ -141,6 +141,7 @@ rule unsigned_bitwise_math_excess: high {
     $not_elastic1 = "/*! Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one or more contributor license agreements."
     $not_elastic2 = "* Licensed under the Elastic License 2.0; you may not use this file except in compliance with the Elastic License 2.0. */"
     $not_webpack  = "webpack-api-runtime.js" fullword
+    $not_wso2is   = "(self.webpackChunk_wso2is_console=self.webpackChunk_wso2is_console||[])"
 
   condition:
     filesize < 5MB and $function and $charAt and (#left > 50 or #right > 50) and none of ($not*)
diff --git a/rules/anti-static/obfuscation/url.yara b/rules/anti-static/obfuscation/url.yara
@@ -1,6 +1,6 @@
 import "math"
 
-rule decode_url_component_char_code: high {
+rule decode_url_component_char_code: medium {
   meta:
     description = "decodes obfuscated URL components"
     filetypes   = "js,ts"
diff --git a/rules/evasion/rootkit/userspace.yara b/rules/evasion/rootkit/userspace.yara
@@ -58,7 +58,7 @@ rule readdir_dlsym_interceptor: high {
     $f_readlink_maybe_not_needed = "readlink"
     $f_proc                      = "/proc"
 
-    $not_j9   = "j9port_" fullword
+    $not_j9   = "j9port_"
     $not_sbcl = "SBCL_HOME" fullword
 
   condition:
diff --git a/rules/false_positives/fastfetch.yara b/rules/false_positives/fastfetch.yara
@@ -5,8 +5,9 @@ rule fastfetch_override: override {
     proc_d_exe_high = "medium"
 
   strings:
-    $repo = "https://github.com/fastfetch-cli/fastfetch"
+    $fastfetch = "fastfetch/packages/%s.txt"
+    $repo      = "https://github.com/fastfetch-cli/fastfetch"
 
   condition:
-    $repo
+    any of them
 }
diff --git a/rules/false_positives/nextcloud.yara b/rules/false_positives/nextcloud.yara
@@ -2,6 +2,7 @@ rule vimeo_psalm_md_php_override: override {
   meta:
     description                         = "Psalm MD files with PHP code excerpts"
     SIGNATURE_BASE_WEBSHELL_PHP_Dynamic = "harmless"
+    SIGNATURE_BASE_WEBSHELL_PHP_Generic = "harmless"
     remote_eval_close                   = "harmless"
 
   strings:
diff --git a/rules/false_positives/pouchdb.yara b/rules/false_positives/pouchdb.yara
@@ -0,0 +1,17 @@
+rule pouchdb_override: override {
+  meta:
+    description                  = "pouchdb.min.js"
+    unsigned_bitwise_math_excess = "medium"
+    js_many_parseInt             = "medium"
+
+  strings:
+    $comment_1 = "// PouchDB 8.0.1"
+    $comment_2 = "// "
+    $comment_3 = "// (c) 2012-2023 Dale Harvey and the PouchDB team"
+    $comment_4 = "// PouchDB may be freely distributed under the Apache license, version 2.0."
+    $comment_5 = "// For all details and documentation:"
+    $comment_6 = "// http://pouchdb.com"
+
+  condition:
+    all of them
+}
diff --git a/tests/npm/2024.testerrrrrrrrrr/init.js.simple b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
@@ -3,7 +3,7 @@ anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
 anti-static/obfuscation/js: high
 anti-static/obfuscation/math: medium
-anti-static/obfuscation/url: high
+anti-static/obfuscation/url: medium
 c2/addr/server: medium
 data/encoding/int: medium
 data/encoding/url: medium
