Scan non executable files, fix severity (#117)

* Fix severity in scans

* Scan non executable files

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: ramanan-ravi

config.yaml

@@ -1,6 +1,6 @@
 # Iac Scanner Configuration File
 
-exclude_extensions: [ ".log", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz",".gz",".so", ".0", ".1", ".2", ".3",".4",".5",".6",".7",".8",".9", ".ttf", ".lock", ".yar", ".log", ".chk", ".sdb", ".jdb", ".pat", ".jrs", ".dit", ".pol", ".mdb", ".dns", ".admx", ".adml", ".adm", ".edb", ".db", ".evtx"]
+exclude_extensions: [ ".log", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf",".so", ".0", ".1", ".2", ".3",".4",".5",".6",".7",".8",".9", ".ttf", ".lock", ".yar", ".log", ".chk", ".sdb", ".jdb", ".pat", ".jrs", ".dit", ".pol", ".mdb", ".dns", ".admx", ".adml", ".adm", ".edb", ".db", ".evtx"]
 exclude_paths: ["/var/lib/docker", "/var/lib/containerd", "/dev", "/proc", "/usr/lib", "/sys", "/boot", "/run"]
 max_file_size: 1073741824
-skip_non_executable: true
+skip_non_executable: false

main.go

@@ -61,7 +61,6 @@ var (
 
 func main() {
 	log.SetOutput(os.Stderr)
-	log.SetLevel(log.InfoLevel)
 	log.SetReportCaller(true)
 	log.SetFormatter(&log.TextFormatter{
 		DisableColors: false,
@@ -72,15 +71,23 @@ func main() {
 		},
 	})
 
-	log.Infof("version: %s", version)
-
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer cancel()
 
 	opts, err := config.ParseOptions()
 	if err != nil {
 		log.Fatalf("main: failed to parse options: %v", err)
 	}
+
+	level, err := log.ParseLevel(*opts.LogLevel)
+	if err != nil {
+		log.Warnf("Invalid log level '%s', defaulting to 'info': %v", *opts.LogLevel, err)
+		level = log.InfoLevel
+	}
+	log.SetLevel(level)
+
+	log.Infof("version: %s", version)
+
 	config, err := cfg.ParseConfig(*opts.ConfigPath)
 	if err != nil {
 		log.Fatalf("main: failed to parse config: %v", err)

pkg/config/options.go

@@ -47,10 +47,12 @@ type Options struct {
 	Product              *string
 	Version              *string
 	License              *string
+	LogLevel             *string
 }
 
 func ParseOptions() (*Options, error) {
 	options := &Options{
+		LogLevel:             flag.String("log-level", "info", "Log levels are one of error, warn, info, debug. Only levels higher than the log-level are displayed"),
 		RulesPath:            flag.String("rules-path", "/home/deepfence/usr", "All .yar and .yara files in the given directory will be compiled"),
 		FailOnCompileWarning: flag.Bool("fail-on-rule-compile-warn", false, "Fail if yara rule compilation has warnings"),
 		Threads:              flag.Int("threads", 0, "Number of concurrent threads (default number of logical CPUs)"),

pkg/scan/process_image.go

@@ -33,6 +33,22 @@ type manifestItem struct {
 	LayerIds []string `json:",omitempty"`
 }
 
+var (
+	severityToScore = map[string]float64{
+		"critical": 10.0,
+		"high":     8.0,
+		"medium":   5.0,
+		"low":      2.0,
+	}
+)
+
+func getSeverityScore(severity string) float64 {
+	if score, ok := severityToScore[severity]; ok {
+		return score
+	}
+	return 0.0
+}
+
 func calculateSeverity(lenMatch int, severity string, severityScore float64) (string, float64) {
 
 	updatedSeverity := "low"
@@ -223,13 +239,17 @@ func ScanFile(s *Scanner, fileName string, f io.ReadSeeker, fsize int, iocs *[]o
 			class := "Undefined"
 			m.MetaRules = make(map[string]string)
 			for _, c := range m.Meta {
-				var metaSplit = strings.Split(c, " : ")
+				var metaSplit = strings.Split(c, " = ")
 				if len(metaSplit) > 1 {
 
 					m.MetaRules[metaSplit[0]] = strings.ReplaceAll(metaSplit[1], "\n", "")
 					if metaSplit[0] == "description" {
 						str := []string{"The file has a rule match that ", strings.ReplaceAll(metaSplit[1], "\n", "") + "."}
 						summary += strings.Join(str, " ")
+					} else if metaSplit[0] == "sev" {
+						// If severity is present in the rule, set that
+						m.FileSeverity = strings.TrimSpace(strings.ReplaceAll(metaSplit[1], "\n", ""))
+						m.FileSevScore = getSeverityScore(m.FileSeverity)
 					} else {
 						if metaSplit[0] == "info" {
 							class = strings.TrimSpace(strings.ReplaceAll(metaSplit[1], "\n", ""))