Replace empty match strings with the matched patterns

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

pkg/action/testdata/scan_archive

@@ -415,6 +415,9 @@
                 {
                     "Description": "Zstandard: fast real-time compression algorithm",
                     "MatchStrings": [
+                        "$magic_bytes",
+                        "$decompress",
+                        "$ref",
                         "zstd"
                     ],
                     "RiskScore": 1,
@@ -458,6 +461,9 @@
                 },
                 {
                     "Description": "Contains compressed content in ZStandard format",
+                    "MatchStrings": [
+                        "$ref"
+                    ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
                     "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd",

pkg/render/markdown.go

@@ -38,7 +38,7 @@ func mdRisk(score int, level string) string {
 func matchFragmentLink(s string) string {
 	// it's probably the name of a matched YARA field, for example, if it's xor'ed data
 	if strings.HasPrefix(s, "$") {
-		return s
+		return fmt.Sprintf("\\%s", s)
 	}
 
 	if strings.HasPrefix(s, "https:") || strings.HasPrefix(s, "http://") {

pkg/report/report.go

@@ -448,7 +448,7 @@ func Generate(ctx context.Context, path string, mrs *yarax.ScanResults, c malcon
 			matches = append(matches, p.Matches()...)
 		}
 
-		processor := newMatchProcessor(fc, matches)
+		processor := newMatchProcessor(fc, matches, m.Patterns())
 		matchedStrings := processor.process()
 
 		b := &malcontent.Behavior{

pkg/report/strings.go

@@ -1,6 +1,7 @@
 package report
 
 import (
+	"slices"
 	"sync"
 
 	yarax "github.com/VirusTotal/yara-x/go"
@@ -49,16 +50,18 @@ var BufferPool = sync.Pool{
 }
 
 type matchProcessor struct {
-	fc      []byte
-	pool    *StringPool
-	matches []yarax.Match
+	fc       []byte
+	pool     *StringPool
+	matches  []yarax.Match
+	patterns []yarax.Pattern
 }
 
-func newMatchProcessor(fc []byte, matches []yarax.Match) *matchProcessor {
+func newMatchProcessor(fc []byte, matches []yarax.Match, mp []yarax.Pattern) *matchProcessor {
 	return &matchProcessor{
-		fc:      fc,
-		pool:    NewStringPool(len(matches)),
-		matches: matches,
+		fc:       fc,
+		pool:     NewStringPool(len(matches)),
+		matches:  matches,
+		patterns: mp,
 	}
 }
 
@@ -113,9 +116,17 @@ func (mp *matchProcessor) process() []string {
 			}
 
 			matchBytes := mp.fc[o : o+l]
+
+			var str string
 			if !containsUnprintable(matchBytes) {
-				str := mp.pool.Intern(string(matchBytes))
+				str = mp.pool.Intern(string(matchBytes))
 				*result = append(*result, str)
+			} else {
+				patterns := make([]string, 0, len(mp.patterns))
+				for _, p := range mp.patterns {
+					patterns = append(patterns, p.Identifier())
+				}
+				*result = append(*result, slices.Compact(patterns)...)
 			}
 		}
 	}

tests/linux/2024.kubo_injector/injector.json

@@ -14,6 +14,9 @@
             "Behaviors": [
                 {
                     "Description": "multiple ELF binaries within an ELF binary",
+                    "MatchStrings": [
+                        "$elf_head"
+                    ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
                     "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",

tests/linux/2024.vncjew/__min__c.json

@@ -179,6 +179,10 @@
                 },
                 {
                     "Description": "RC4 key scheduling algorithm",
+                    "MatchStrings": [
+                        "$cmp_e_x_256",
+                        "$cmp_r_x_256"
+                    ],
                     "RiskScore": 1,
                     "RiskLevel": "LOW",
                     "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/crypto/rc4.yara#rc4_ksa",
@@ -918,6 +922,9 @@
                 },
                 {
                     "Description": "multiple ELF binaries within an ELF binary",
+                    "MatchStrings": [
+                        "$elf_head"
+                    ],
                     "RiskScore": 2,
                     "RiskLevel": "MEDIUM",
                     "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf",

tests/linux/clean/code-oss.md

@@ -2,7 +2,7 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
-| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | \$elf_head |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [local_ip](https://github.com/search?q=local_ip&type=code)<br>[use_port](https://github.com/search?q=use_port&type=code)<br>[Port](https://github.com/search?q=Port&type=code)<br>[IP](https://github.com/search?q=IP&type=code)<br>[Ip](https://github.com/search?q=Ip&type=code) |
 | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [clientID](https://github.com/search?q=clientID&type=code) |
 | MEDIUM | [c2/tool_transfer/os](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/tool_transfer/os.yara#multiple_os_ref) | references multiple operating systems | [https://](https://)<br>[Windows](https://github.com/search?q=Windows&type=code)<br>[http://](http://)<br>[Darwin](https://github.com/search?q=Darwin&type=code)<br>[Linux](https://github.com/search?q=Linux&type=code)<br>[macOS](https://github.com/search?q=macOS&type=code) |
@@ -11,7 +11,7 @@
 | MEDIUM | [data/base64/decode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-decode.yara#py_base64_decode) | decode base64 strings | [py_base64_decode::base64_decode](https://github.com/search?q=py_base64_decode%3A%3Abase64_decode&type=code) |
 | MEDIUM | [data/base64/encode](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/base64/base64-encode.yara#py_base64_encode) | encode base64 strings | [py_base64_encode::base64_encode](https://github.com/search?q=py_base64_encode%3A%3Abase64_encode&type=code) |
 | MEDIUM | [data/embedded/html](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-html.yara#html) | Contains HTML content | [<html>](https://github.com/search?q=%3Chtml%3E&type=code) |
-| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | |
+| MEDIUM | [data/embedded/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/embedded/embedded-zstd.yara#embedded_zstd) | [Contains compressed content in ZStandard format](https://github.com/facebook/zstd) | \$ref |
 | MEDIUM | [discover/network/interface_list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/network/interface-list.yara#bsd_ifaddrs) | list network interfaces | [freeifaddrs](https://github.com/search?q=freeifaddrs&type=code)<br>[getifaddrs](https://github.com/search?q=getifaddrs&type=code) |
 | MEDIUM | [discover/processes/list](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/processes/list.yara#ps_exec) | executes ps(1) for a list of processes | [ps ax](https://github.com/search?q=ps+ax&type=code)<br>[#!](https://github.com/search?q=%23%21&type=code) |
 | MEDIUM | [discover/system/platform](https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/system/platform.yara#uname_a) | gets full system identification | [uname -a](https://github.com/search?q=uname+-a&type=code) |
@@ -42,7 +42,7 @@
 | MEDIUM | [net/http/cookies](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/cookies.yara#http_cookie) | [access HTTP resources using cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies) | [Cookie](https://github.com/search?q=Cookie&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code) |
 | MEDIUM | [net/http/form_upload](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/form-upload.yara#http_form_upload) | upload content via HTTP form | [application/x-www-form-urlencoded](https://github.com/search?q=application%2Fx-www-form-urlencoded&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[post](https://github.com/search?q=post&type=code) |
 | MEDIUM | [net/http/post](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/http/post.yara#http_post) | submits content to websites | [Content-Type: application/dns](https://github.com/search?q=Content-Type%3A+application%2Fdns&type=code)<br>[Content-Type: application/x](https://github.com/search?q=Content-Type%3A+application%2Fx&type=code)<br>[HTTP](https://github.com/search?q=HTTP&type=code)<br>[POST](https://github.com/search?q=POST&type=code)<br>[http](https://github.com/search?q=http&type=code) |
-| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | |
+| MEDIUM | [net/ip/host_port](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/host_port.yara#host_port_ref) | connects to an arbitrary hostname:port | \$host_port |
 | MEDIUM | [net/ip/parse](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-parse.yara#inet_pton) | parses IP address (IPv4 or IPv6) | [inet_pton](https://github.com/search?q=inet_pton&type=code) |
 | MEDIUM | [net/ip/string](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/ip/ip-string.yara#inet_ntoa) | [converts IP address from byte to string](https://linux.die.net/man/3/inet_ntoa) | [inet_ntop](https://github.com/search?q=inet_ntop&type=code) |
 | MEDIUM | [net/proxy/socks5](https://github.com/chainguard-dev/malcontent/blob/main/rules/net/proxy/socks5.yara#socks5) | Supports SOCK5 proxies | [SOCKS5](https://github.com/search?q=SOCKS5&type=code)<br>[socks5](https://github.com/search?q=socks5&type=code) |
@@ -66,7 +66,7 @@
 | LOW | [data/compression/gzip](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/gzip.yara#gzip) | [works with gzip files](https://www.gnu.org/software/gzip/) | [gzip](https://github.com/search?q=gzip&type=code) |
 | LOW | [data/compression/lzma](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma) | [works with lzma files](https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm) | [lzma](https://github.com/search?q=lzma&type=code) |
 | LOW | [data/compression/zlib](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zlib.yara#zlib) | uses zlib | [zlib](https://github.com/search?q=zlib&type=code) |
-| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)<br>[zstd](https://github.com/search?q=zstd&type=code) |
+| LOW | [data/compression/zstd](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/zstd.yara#zstd) | Zstandard: fast real-time compression algorithm | [ZSTD_decompressStream](https://github.com/search?q=ZSTD_decompressStream&type=code)<br>\$magic_bytes<br>\$decompress<br>\$ref<br>[zstd](https://github.com/search?q=zstd&type=code) |
 | LOW | [data/encoding/base64](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/encoding/base64.yara#b64) | Supports base64 encoded strings | [base64](https://github.com/search?q=base64&type=code) |
 | LOW | [data/hash/md5](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/md5.yara#MD5) | Uses the MD5 signature format | [MD5_Update](https://github.com/search?q=MD5_Update&type=code)<br>[MD5_Final](https://github.com/search?q=MD5_Final&type=code)<br>[MD5_Init](https://github.com/search?q=MD5_Init&type=code) |
 | LOW | [data/hash/sha256](https://github.com/chainguard-dev/malcontent/blob/main/rules/data/hash/sha256.yara#SHA256) | Uses the SHA256 signature format | [SHA256_](https://github.com/search?q=SHA256_&type=code) |

tests/linux/clean/cpack.md

@@ -2,7 +2,7 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |--|--|--|--|
-| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | |
+| MEDIUM | [anti-static/elf/multiple](https://github.com/chainguard-dev/malcontent/blob/main/rules/anti-static/elf/multiple.yara#multiple_elf) | multiple ELF binaries within an ELF binary | \$elf_head |
 | MEDIUM | [c2/addr/ip](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/ip.yara#ip_port_mention) | mentions an IP and port | [curlopt_port](https://github.com/search?q=curlopt_port&type=code)<br>[primary_port](https://github.com/search?q=primary_port&type=code)<br>[client_port](https://github.com/search?q=client_port&type=code)<br>[config_port](https://github.com/search?q=config_port&type=code)<br>[defaultPort](https://github.com/search?q=defaultPort&type=code)<br>[domain_port](https://github.com/search?q=domain_port&type=code)<br>[internal_ip](https://github.com/search?q=internal_ip&type=code)<br>[lnormhet_ip](https://github.com/search?q=lnormhet_ip&type=code)<br>[radius_port](https://github.com/search?q=radius_port&type=code)<br>[server_port](https://github.com/search?q=server_port&type=code)<br>[validate_ip](https://github.com/search?q=validate_ip&type=code)<br>[ereghet_ip](https://github.com/search?q=ereghet_ip&type=code)<br>[gomphet_ip](https://github.com/search?q=gomphet_ip&type=code)<br>[ipproto_ip](https://github.com/search?q=ipproto_ip&type=code)<br>[lloghet_ip](https://github.com/search?q=lloghet_ip&type=code)<br>[local_port](https://github.com/search?q=local_port&type=code)<br>[primary_ip](https://github.com/search?q=primary_ip&type=code)<br>[serverPort](https://github.com/search?q=serverPort&type=code)<br>[socketPort](https://github.com/search?q=socketPort&type=code)<br>[weibhet_ip](https://github.com/search?q=weibhet_ip&type=code)<br>[client_ip](https://github.com/search?q=client_ip&type=code)<br>[framed_ip](https://github.com/search?q=framed_ip&type=code)<br>[gamhet_ip](https://github.com/search?q=gamhet_ip&type=code)<br>[http_port](https://github.com/search?q=http_port&type=code)<br>[open_port](https://github.com/search?q=open_port&type=code)<br>[proxyPort](https://github.com/search?q=proxyPort&type=code)<br>[bindPort](https://github.com/search?q=bindPort&type=code)<br>[ftp_port](https://github.com/search?q=ftp_port&type=code)<br>[get_port](https://github.com/search?q=get_port&type=code)<br>[lat_port](https://github.com/search?q=lat_port&type=code)<br>[local_ip](https://github.com/search?q=local_ip&type=code)<br>[login_ip](https://github.com/search?q=login_ip&type=code)<br>[nas_port](https://github.com/search?q=nas_port&type=code)<br>[sam_port](https://github.com/search?q=sam_port&type=code)<br>[tcp_port](https://github.com/search?q=tcp_port&type=code)<br>[url_port](https://github.com/search?q=url_port&type=code)<br>[getPort](https://github.com/search?q=getPort&type=code)<br>[host_ip](https://github.com/search?q=host_ip&type=code)<br>[is_port](https://github.com/search?q=is_port&type=code)<br>[pg_port](https://github.com/search?q=pg_port&type=code)<br>[setPort](https://github.com/search?q=setPort&type=code)<br>[uriPort](https://github.com/search?q=uriPort&type=code)<br>[nas_ip](https://github.com/search?q=nas_ip&type=code)<br>[blIp](https://github.com/search?q=blIp&type=code)<br>[eIp](https://github.com/search?q=eIp&type=code)<br>[mIp](https://github.com/search?q=mIp&type=code)<br>[xIp](https://github.com/search?q=xIp&type=code)<br>[IP](https://github.com/search?q=IP&type=code) |
 | MEDIUM | [c2/addr/server](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/addr/server.yara#server_address) | references a 'server address', possible C2 client | [inet_server_addr](https://github.com/search?q=inet_server_addr&type=code) |
 | MEDIUM | [c2/client](https://github.com/chainguard-dev/malcontent/blob/main/rules/c2/client.yara#clientID) | contains a client ID | [client_id](https://github.com/search?q=client_id&type=code) |