
Commit 408a462

Scan non executable files, fix severity (#117)
* Fix severity in scans * Scan non executable files Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
1 parent db83d96 commit 408a462


4 files changed

+35
-6
lines changed


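--- a/config.yaml
+++ b/config.yaml
@@ -1,6 +1,6 @@
 # Iac Scanner Configuration File
 
-exclude_extensions: [ ".log", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf", ".zip", ".tar.gz",".gz",".so", ".0", ".1", ".2", ".3",".4",".5",".6",".7",".8",".9", ".ttf", ".lock", ".yar", ".log", ".chk", ".sdb", ".jdb", ".pat", ".jrs", ".dit", ".pol", ".mdb", ".dns", ".admx", ".adml", ".adm", ".edb", ".db", ".evtx"]
+exclude_extensions: [ ".log", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tiff", ".tif", ".psd", ".xcf",".so", ".0", ".1", ".2", ".3",".4",".5",".6",".7",".8",".9", ".ttf", ".lock", ".yar", ".log", ".chk", ".sdb", ".jdb", ".pat", ".jrs", ".dit", ".pol", ".mdb", ".dns", ".admx", ".adml", ".adm", ".edb", ".db", ".evtx"]
 exclude_paths: ["/var/lib/docker", "/var/lib/containerd", "/dev", "/proc", "/usr/lib", "/sys", "/boot", "/run"]
 max_file_size: 1073741824
-skip_non_executable: true
+skip_non_executable: false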
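Review bot: Removing `.zip`, `.tar.gz` and `.gz` from `exclude_extensions` together with `skip_non_executable: false` means compressed archives up to `max_file_size` (1 GiB) are now read and handed to the rule engine; unless the scanner decompresses them first (not visible in this change), YARA patterns will rarely match compressed bytes, so the gain is mostly I/O and scan time rather than detection, and the intent deserves a comment. The new list also still contains `.log` twice (first entry and again after `.yar`); one of them should go. A comment such as `# Archives are no longer excluded; they are scanned as raw bytes, so lower max_file_size if scan time matters` next to the list would make the trade-off explicit for operators.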

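--- a/main.go
+++ b/main.go
@@ -61,7 +61,6 @@ var (
 
 func main() {
 log.SetOutput(os.Stderr)
-log.SetLevel(log.InfoLevel)
 log.SetReportCaller(true)
 log.SetFormatter(&log.TextFormatter{
 DisableColors: false,
@@ -72,15 +71,23 @@ func main() {
 },
 })
 
-log.Infof("version: %s", version)
-
 ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
 defer cancel()
 
 opts, err := config.ParseOptions()
 if err != nil {
 log.Fatalf("main: failed to parse options: %v", err)
 }
+
+level, err := log.ParseLevel(*opts.LogLevel)
+if err != nil {
+log.Warnf("Invalid log level '%s', defaulting to 'info': %v", *opts.LogLevel, err)
+level = log.InfoLevel
+}
+log.SetLevel(level)
+
+log.Infof("version: %s", version)
+
 config, err := cfg.ParseConfig(*opts.ConfigPath)
 if err != nil {
 log.Fatalf("main: failed to parse config: %v", err)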
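Review bot: The new `log.Warnf` in the second hunk interpolates the raw `--log-level` value with `%s` and then appends `err`, which from logrus's `ParseLevel` already carries the same value, so the message repeats it and an unescaped flag value (newlines, control characters) lands in the log verbatim; prefer `log.Warnf("invalid log level %q, defaulting to info", *opts.LogLevel)`. Note also that `log.ParseLevel` accepts `panic`, `fatal` and `trace` in addition to the four levels the flag help lists, which is fine but worth stating in the help text. Moving `log.Infof("version: %s", version)` below option parsing means a parse failure now exits via `Fatalf` without ever printing the version, which makes bug reports harder to triage; consider logging it before `config.ParseOptions()` as before. The body of `main` continues past the hunk.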

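--- a/pkg/config/options.go
+++ b/pkg/config/options.go
@@ -47,10 +47,12 @@ type Options struct {
 Product *string
 Version *string
 License *string
+LogLevel *string
 }
 
 func ParseOptions() (*Options, error) {
 options := &Options{
+LogLevel: flag.String("log-level", "info", "Log levels are one of error, warn, info, debug. Only levels higher than the log-level are displayed"),
 RulesPath: flag.String("rules-path", "/home/deepfence/usr", "All .yar and .yara files in the given directory will be compiled"),
 FailOnCompileWarning: flag.Bool("fail-on-rule-compile-warn", false, "Fail if yara rule compilation has warnings"),
 Threads: flag.Int("threads", 0, "Number of concurrent threads (default number of logical CPUs)"),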
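Review bot: The help text on the new `log-level` flag, "Only levels higher than the log-level are displayed", reads as inverted: a logger set to `warn` shows `warn` and `error` (the more severe levels), not the ones "higher" in the ordering, and the value is parsed in `main.go` with logrus `ParseLevel`, which also accepts `panic`, `fatal` and `trace`. Suggest `"Log level: one of error, warn, info, debug (also panic, fatal, trace). Messages at this level and more severe are displayed"`. The `Options` struct and `ParseOptions` both continue outside the hunk.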

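--- a/pkg/scan/process_image.go
+++ b/pkg/scan/process_image.go
@@ -33,6 +33,22 @@ type manifestItem struct {
 LayerIds []string `json:",omitempty"`
 }
 
+var (
+severityToScore = map[string]float64{
+"critical": 10.0,
+"high": 8.0,
+"medium": 5.0,
+"low": 2.0,
+}
+)
+
+func getSeverityScore(severity string) float64 {
+if score, ok := severityToScore[severity]; ok {
+return score
+}
+return 0.0
+}
+
 func calculateSeverity(lenMatch int, severity string, severityScore float64) (string, float64) {
 
 updatedSeverity := "low"
@@ -223,13 +239,17 @@ func ScanFile(s *Scanner, fileName string, f io.ReadSeeker, fsize int, iocs *[]o
 class := "Undefined"
 m.MetaRules = make(map[string]string)
 for _, c := range m.Meta {
-var metaSplit = strings.Split(c, " : ")
+var metaSplit = strings.Split(c, " = ")
 if len(metaSplit) > 1 {
 
 m.MetaRules[metaSplit[0]] = strings.ReplaceAll(metaSplit[1], "\n", "")
 if metaSplit[0] == "description" {
 str := []string{"The file has a rule match that ", strings.ReplaceAll(metaSplit[1], "\n", "") + "."}
 summary += strings.Join(str, " ")
+} else if metaSplit[0] == "sev" {
+// If severity is present in the rule, set that
+m.FileSeverity = strings.TrimSpace(strings.ReplaceAll(metaSplit[1], "\n", ""))
+m.FileSevScore = getSeverityScore(m.FileSeverity)
 } else {
 if metaSplit[0] == "info" {
 class = strings.TrimSpace(strings.ReplaceAll(metaSplit[1], "\n", ""))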
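Review bot: `getSeverityScore` is an exact, case-sensitive lookup, so a rule whose `sev` meta reads `High`, or `"high"` if the rendered meta string keeps its YARA quotes (how `m.Meta` is formatted is not visible here), sets `FileSevScore` to 0.0 while `FileSeverity` still holds the unrecognised string, and the two fields then disagree silently; normalise before the lookup, e.g. `sev := strings.ToLower(strings.Trim(strings.TrimSpace(strings.ReplaceAll(metaSplit[1], "\n", "")), "\""))`, and log at debug level when the value is absent from `severityToScore`. The new `strings.Split(c, " = ")` also truncates any meta value that itself contains ` = `; `strings.SplitN(c, " = ", 2)` keeps the full value with the same indexing. A doc comment on `getSeverityScore` stating that unknown severities return 0.0 would make that fallback discoverable. `ScanFile` begins and ends outside the hunk.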
