From d3138e7597d1a8943c6ed1d7a1ec2c041f6bb3c5 Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 13:28:54 -0800 Subject: [PATCH 01/11] change file --- discovery-rules/attachment_suspicious_macro.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/discovery-rules/attachment_suspicious_macro.yml b/discovery-rules/attachment_suspicious_macro.yml index 104e5592972..e55a52d7bdc 100644 --- a/discovery-rules/attachment_suspicious_macro.yml +++ b/discovery-rules/attachment_suspicious_macro.yml @@ -20,6 +20,7 @@ source: | "xlt", "xltm" ) + and ml.macro_classifier(.).malicious and ml.macro_classifier(.).confidence in ("low", "medium", "high") ) From d3c72ba1f975443e47f0c25ce2532f8cba40d6ed Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 14:13:33 -0800 Subject: [PATCH 02/11] See how duplicate checks behave --- .github/workflows/test-duplicate-check.yml | 63 ++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/test-duplicate-check.yml diff --git a/.github/workflows/test-duplicate-check.yml b/.github/workflows/test-duplicate-check.yml new file mode 100644 index 00000000000..68a06d827e4 --- /dev/null +++ b/.github/workflows/test-duplicate-check.yml 
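Review bot: With `ml.macro_classifier(.).malicious` now required, the following `confidence in ("low", "medium", "high")` clause looks redundant unless confidence can take values other than those three, which the hunk does not show. If the intent is to keep low-confidence verdicts out of this discovery rule, drop `"low"` from the list; otherwise the confidence clause can be removed so the rule reads as a single condition. The rule's `source:` block begins outside the hunk.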
@@ -0,0 +1,63 @@ +name: Testing + +on: + push: + branches: [ "**" ] + + +jobs: + tests: + name: Testing + runs-on: ubuntu-20.04 + permissions: + contents: write + issues: read + pull-requests: read + checks: write + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.head_ref }} + depth: 0 + + - name: Get the head SHA + id: get_head + if: ${{ always() }} + run: echo "##[set-output name=HEAD;]$(git rev-parse HEAD)" + + - name: "Create a check run" + uses: actions/github-script@v6 + id: create_check + env: + sha: '${{ steps.get_head.outputs.HEAD }}' + owner: 'sublime-security' + repo: 'sublime-rules' + with: + github-token: '${{ inputs.check_token }}' + debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }} + retries: 3 + # Default includes 422 which GitHub returns when it doesn't know about the head_sha we set the status for. + # This occurs when the previous push succeeds, but the checks/pull request component of GitHub isn't yet aware + # of the new commit. This isn't the common case, but it comes up enough to be annoying. + retry-exempt-status-codes: 400, 401, 403, 404 + script: | + // any JavaScript code can go here, you can use Node JS APIs too. + // Docs: https://docs.github.com/en/rest/checks/runs#create-a-check-run + // Rest: https://octokit.github.io/rest.js/v18#checks-create + const response = await github.rest.checks.create({ + owner: "sublime-security", + repo: "sublime-rules", + head_sha: process.env.sha, + name: "MQL Mimic Tests", + status: "in_progress", + output: { + title: "MQL Mimic Tests", + summary: "MQL Mimic tests are Running", + text: "MQL Mimic tests are Running. URL: " + process.env.run_url, + }, + }); + + return response["data"]["id"] + From 4f1b61303891543b781f15b4c22e5b8051aa7189 Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 14:14:30 -0800 Subject: [PATCH 03/11] default token --- .github/workflows/test-duplicate-check.yml | 1 - 1 file changed, 1 deletion(-) 
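Review bot: The new Testing workflow grants `contents: write` although the only API call it makes, `github.rest.checks.create`, needs `checks: write`, which is already listed; drop `contents: write` and the `issues`/`pull-requests` read scopes that nothing here uses. `depth: 0` is not an input of actions/checkout (the option is `fetch-depth`), and `ref: ${{ github.head_ref }}` is empty for the `push` trigger this workflow subscribes to, so the checkout silently falls back to the default branch. `process.env.run_url` in the check summary is never set in the step's `env:`, so the posted text ends in "URL: undefined". The file is deleted again in PATCH 10, so this mostly matters if it is resurrected.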
diff --git a/.github/workflows/test-duplicate-check.yml b/.github/workflows/test-duplicate-check.yml index 68a06d827e4..34e58aef300 100644 --- a/.github/workflows/test-duplicate-check.yml +++ b/.github/workflows/test-duplicate-check.yml @@ -35,7 +35,6 @@ jobs: owner: 'sublime-security' repo: 'sublime-rules' with: - github-token: '${{ inputs.check_token }}' debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }} retries: 3 # Default includes 422 which GitHub returns when it doesn't know about the head_sha we set the status for. From f22a9b9ef394f678a6e4b7a1f4a3ade23d9a9ac6 Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 14:24:54 -0800 Subject: [PATCH 04/11] bump From 47042464176d8f7e1a13f1c7f151280f709b7eda Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 14:44:29 -0800 Subject: [PATCH 05/11] Use fork to ignore certain IDs --- .github/workflows/rule-validate.yml | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml index 5e6ba64af2a..e8f10306af2 100644 --- a/.github/workflows/rule-validate.yml +++ b/.github/workflows/rule-validate.yml @@ -295,6 +295,24 @@ jobs: // MQL Mimic will handle duplicates gracefully, no need to handle here. return allEMLsToSkip.join(" ") + - name: "Find Existing MQL Mimic Test Results" + uses: actions/github-script@v6 + id: find_mql_mimic_results + with: + debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }} + env: + sha: '${{ steps.get_head.outputs.HEAD }}' + script: | + const result = await client.rest.checks.listForRef({ + check_name: "MQL Mimic Tests", + owner: "sublime-security", + repo: "sublime-rules" + ref: process.env.sha + }) + + let existingRuns = result.data.check_runs.map((r) => r.id) + console.log(existingRuns) + return existingRuns - name: "Trigger MQL Mimic Tests" env: 
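Review bot: `checks.listForRef` is paginated and defaults to `filter: latest`, so `existingRuns` may not contain every earlier "MQL Mimic Tests" run for the SHA; if the intent is to ignore all prior runs, use `github.paginate(github.rest.checks.listForRef, { ..., filter: "all", per_page: 100 })`. The returned array is JSON-encoded by github-script by default, so `ignoreIDs` receives `[1,2]` rather than a delimited list; whether the forked wait action parses that is not visible here — if it expects a comma-separated string, set `result-encoding: string` and `return existingRuns.join(",")`. The `client`/missing-comma/`env:` placement problems in this hunk are corrected in PATCH 07–09.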
@@ -314,12 +332,12 @@ jobs: -d "$body" - name: Wait for MQL Mimic check to be completed - uses: fountainhead/action-wait-for-check@v1.1.0 - id: wait-for-build + uses: sublime-security/action-wait-for-check@v1.1.0 # Wait for results so that the token remains valid while the test suite is executing and posting a check here. with: token: ${{ secrets.GITHUB_TOKEN }} checkName: "MQL Mimic Tests" ref: ${{ steps.get_head.outputs.HEAD }} timeoutSeconds: 3600 + ignoreIDs: ${{ steps.find_mql_mimic_results.outputs.result }} From 660f5607f5537fb82fe655648d2f759bfd47471f Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 14:45:19 -0800 Subject: [PATCH 06/11] @master --- .github/workflows/rule-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml index e8f10306af2..3a4185e1831 100644 --- a/.github/workflows/rule-validate.yml +++ b/.github/workflows/rule-validate.yml @@ -332,7 +332,7 @@ jobs: -d "$body" - name: Wait for MQL Mimic check to be completed - uses: sublime-security/action-wait-for-check@v1.1.0 + uses: sublime-security/action-wait-for-check@master # Wait for results so that the token remains valid while the test suite is executing and posting a check here. with: token: ${{ secrets.GITHUB_TOKEN }} From 912b017b868edc4dc3718b9df1297952558c6695 Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 14:57:01 -0800 Subject: [PATCH 07/11] move env --- .github/workflows/rule-validate.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml index 3a4185e1831..c6b1e516454 100644 --- a/.github/workflows/rule-validate.yml +++ b/.github/workflows/rule-validate.yml 
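Review bot: The wait step loses its `id: wait-for-build` in this hunk, so any later `steps.wait-for-build.outputs.conclusion` reference (not visible here) would now evaluate to empty; keep `id: wait-for-build` unless nothing consumes it. Switching to the `sublime-security` fork at `@v1.1.0` assumes the fork carries the new `ignoreIDs` input under the upstream tag — PATCH 06 moving straight to `@master` suggests it does not, so the tag should be cut in the fork before it is referenced. The enclosing job continues outside the hunk.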
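Review bot: `sublime-security/action-wait-for-check@master` is a mutable reference, and the step hands it `secrets.GITHUB_TOKEN`; anyone who can push to that fork's master can run arbitrary code with the token inside this job. Pin to the full commit SHA of the reviewed revision, e.g. `uses: sublime-security/action-wait-for-check@<40-char sha> # ignoreIDs support`, and bump it deliberately. If a moving reference is wanted, cut a tag in the fork rather than tracking master.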
@@ -298,10 +298,10 @@ jobs: - name: "Find Existing MQL Mimic Test Results" uses: actions/github-script@v6 id: find_mql_mimic_results + env: + sha: '${{ steps.get_head.outputs.HEAD }}' with: debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }} - env: - sha: '${{ steps.get_head.outputs.HEAD }}' script: | const result = await client.rest.checks.listForRef({ check_name: "MQL Mimic Tests", From 02d1aeda9df4945b71b9dc16242d3f72f09e0015 Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 15:02:42 -0800 Subject: [PATCH 08/11] , --- .github/workflows/rule-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml index c6b1e516454..90851b9a827 100644 --- a/.github/workflows/rule-validate.yml +++ b/.github/workflows/rule-validate.yml @@ -306,7 +306,7 @@ jobs: const result = await client.rest.checks.listForRef({ check_name: "MQL Mimic Tests", owner: "sublime-security", - repo: "sublime-rules" + repo: "sublime-rules", ref: process.env.sha }) From a824e5a8502d2c788d99bb7a2a8240195da039d1 Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 15:24:29 -0800 Subject: [PATCH 09/11] fix copy paste --- .github/workflows/rule-validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml index 90851b9a827..e621c799b07 100644 --- a/.github/workflows/rule-validate.yml +++ b/.github/workflows/rule-validate.yml @@ -303,7 +303,7 @@ jobs: with: debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }} script: | - const result = await client.rest.checks.listForRef({ + const result = await github.rest.checks.listForRef({ check_name: "MQL Mimic Tests", owner: "sublime-security", repo: "sublime-rules", From 77d748806bda70aecff5bb0d6bc2c7b96e8d60f7 Mon Sep 17 00:00:00 2001 
From: Cameron Dunn Date: Wed, 27 Dec 2023 16:11:36 -0800 Subject: [PATCH 10/11] delete testing workflow --- .github/workflows/test-duplicate-check.yml | 62 ---------------------- 1 file changed, 62 deletions(-) delete mode 100644 .github/workflows/test-duplicate-check.yml diff --git a/.github/workflows/test-duplicate-check.yml b/.github/workflows/test-duplicate-check.yml deleted file mode 100644 index 34e58aef300..00000000000 --- a/.github/workflows/test-duplicate-check.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Testing - -on: - push: - branches: [ "**" ] - - -jobs: - tests: - name: Testing - runs-on: ubuntu-20.04 - permissions: - contents: write - issues: read - pull-requests: read - checks: write - - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - ref: ${{ github.head_ref }} - depth: 0 - - - name: Get the head SHA - id: get_head - if: ${{ always() }} - run: echo "##[set-output name=HEAD;]$(git rev-parse HEAD)" - - - name: "Create a check run" - uses: actions/github-script@v6 - id: create_check - env: - sha: '${{ steps.get_head.outputs.HEAD }}' - owner: 'sublime-security' - repo: 'sublime-rules' - with: - debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }} - retries: 3 - # Default includes 422 which GitHub returns when it doesn't know about the head_sha we set the status for. - # This occurs when the previous push succeeds, but the checks/pull request component of GitHub isn't yet aware - # of the new commit. This isn't the common case, but it comes up enough to be annoying. - retry-exempt-status-codes: 400, 401, 403, 404 - script: | - // any JavaScript code can go here, you can use Node JS APIs too. - // Docs: https://docs.github.com/en/rest/checks/runs#create-a-check-run - // Rest: https://octokit.github.io/rest.js/v18#checks-create - const response = await github.rest.checks.create({ - owner: "sublime-security", - repo: "sublime-rules", - head_sha: process.env.sha, - name: "MQL Mimic Tests", - status: "in_progress", - output: { - title: "MQL Mimic Tests", - summary: "MQL Mimic tests are Running", - text: "MQL Mimic tests are Running. URL: " + process.env.run_url, - }, - }); - - return response["data"]["id"] - From 0b0bbe1520e47d34da4d98b45f862bcb058ed76e Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Wed, 27 Dec 2023 16:33:09 -0800 Subject: [PATCH 11/11] Refactor to fix comment checking out main --- .github/workflows/rule-validate.yml | 78 ++++++++++++++++------------- 1 file changed, 43 insertions(+), 35 deletions(-) 
diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml
index e621c799b07..ecff93e8c0e 100644
--- a/.github/workflows/rule-validate.yml
+++ b/.github/workflows/rule-validate.yml
@@ -35,21 +35,43 @@ jobs: uses: alessbell/pull-request-comment-branch@v1.1 # Fork of xt0rted/pull-request-comment-branch, see https://github.com/xt0rted/pull-request-comment-branch/issues/322 id: comment_branch - - name: Checkout (from comment) - uses: actions/checkout@v3 - if: github.event_name == 'issue_comment' - with: - repository: ${{ steps.comment_branch.outputs.head_owner }}/${{ steps.comment_branch.outputs.head_repo }} - ref: ${{ steps.comment_branch.outputs.head_ref }} - fetch-depth: 0 + - name: Get Refs + id: get_refs + run: | + head_ref="${{ github.head_ref }}" + repo="${{ github.repository }}" + # Either of these must be set in block below + run_all="" + base_ref="" + + if [[ "${{ github.event_name }}" == 'pull_request_target' ]]; then + # Detect changes based on whatever we're merging into. + base_ref="${{ github.base_ref }}" + repo="${{ github.event.pull_request.head.repo.full_name }}" + elif [[ "${{ github.event_name }}" == 'push' ]]; then + # Detect changes based on the previous commit + base_ref="$(git rev-parse HEAD^)" + elif [[ "${{ github.event_name }}" == 'workflow_dispatch' ]]; then + # Run on a target, so run for all rules. 
+ run_all="true" + elif [[ "${{ github.event_name }}" == 'issue_comment' ]]; then + # Rely on comment_branch to figure out the head and base + base_ref="${{ steps.comment_branch.outputs.base_ref }}" + head_ref="${{ steps.comment_branch.outputs.head_ref }}" + repo="${{ steps.comment_branch.outputs.head_owner }}/${{ steps.comment_branch.outputs.head_repo }}" + fi + + echo "##[set-output name=head_ref;]$head_ref" + echo "##[set-output name=repo;]$repo" + echo "##[set-output name=run_all;]$run_all" + echo "##[set-output name=base_ref;]$base_ref" - name: Checkout - uses: actions/checkout@v4 - if: github.event_name != 'issue_comment' + uses: actions/checkout@v3 with: - ref: ${{ github.head_ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - depth: 0 + repository: ${{ steps.get_refs.outputs.repo }} + ref: ${{ steps.get_refs.outputs.head_ref }} + fetch-depth: 0 - uses: actions/setup-python@v4 with: @@ -112,7 +134,9 @@ jobs: git config user.email 'hello@sublimesecurity.com' git add **/*.yml git commit -m "Auto add rule ID" - git push origin ${{ github.head_ref }} + # This will only work when running for a pull_request_target, but rather than filter we'll let this expose + # any issues. + git push origin ${{ steps.get_refs.outputs.head_ref }} - name: Get the head SHA id: get_head 
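Review bot: The Get Refs step interpolates `${{ github.head_ref }}`, `${{ steps.comment_branch.outputs.head_ref }}` and the comment_branch owner/repo outputs straight into a bash `run:` body; on the pull_request_target and issue_comment paths those are attacker-chosen branch and fork names, so a name containing `"; <cmd>` executes as shell in a job that holds secrets. The values should reach the script through `env:` and be read as quoted `$VARS`, as in the rewrite below. Separately, on the push path `git rev-parse HEAD^` now executes before the Checkout step that follows it in this hunk, so it runs in an empty workspace and, under the `-e` shell GitHub uses for `run:`, fails the step; the rewrite uses `github.event.before` instead, which is all zeros for a newly created branch. `set-output` is also deprecated in favour of `$GITHUB_OUTPUT`. The job's header is outside the hunk.
```yaml
- name: Get Refs
  id: get_refs
  # Untrusted values (branch and fork names) reach the shell only through env,
  # never via ${{ }} interpolation into the script body.
  env:
    EVENT_NAME: ${{ github.event_name }}
    GH_HEAD_REF: ${{ github.head_ref }}
    GH_BASE_REF: ${{ github.base_ref }}
    GH_REPO: ${{ github.repository }}
    PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
    PUSH_BEFORE: ${{ github.event.before }}
    COMMENT_BASE_REF: ${{ steps.comment_branch.outputs.base_ref }}
    COMMENT_HEAD_REF: ${{ steps.comment_branch.outputs.head_ref }}
    COMMENT_HEAD_REPO: ${{ steps.comment_branch.outputs.head_owner }}/${{ steps.comment_branch.outputs.head_repo }}
  run: |
    head_ref="$GH_HEAD_REF"
    repo="$GH_REPO"
    # Either of these must be set in block below
    run_all=""
    base_ref=""

    if [[ "$EVENT_NAME" == 'pull_request_target' ]]; then
      # Detect changes based on whatever we're merging into.
      base_ref="$GH_BASE_REF"
      repo="$PR_HEAD_REPO"
    elif [[ "$EVENT_NAME" == 'push' ]]; then
      # Nothing is checked out yet, so HEAD^ is unavailable here; the push payload
      # carries the previous tip instead (all zeros for a newly created branch).
      base_ref="$PUSH_BEFORE"
    elif [[ "$EVENT_NAME" == 'workflow_dispatch' ]]; then
      # Run on a target, so run for all rules.
      run_all="true"
    elif [[ "$EVENT_NAME" == 'issue_comment' ]]; then
      # Rely on comment_branch to figure out the head and base
      base_ref="$COMMENT_BASE_REF"
      head_ref="$COMMENT_HEAD_REF"
      repo="$COMMENT_HEAD_REPO"
    fi

    {
      echo "head_ref=$head_ref"
      echo "repo=$repo"
      echo "run_all=$run_all"
      echo "base_ref=$base_ref"
    } >> "$GITHUB_OUTPUT"
# … unchanged: Checkout step …
```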
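Review bot: `git push origin ${{ steps.get_refs.outputs.head_ref }}` still expands the branch name inside the shell line; on pull_request_target that name is chosen by the PR author, so it should arrive via `env: HEAD_REF: ${{ steps.get_refs.outputs.head_ref }}` and be pushed with `git push origin "$HEAD_REF"`. The added comment accepts that the push only works for pull_request_target, but for a fork PR `origin` is the fork, where GITHUB_TOKEN has no write access, so the step fails those PRs rather than merely exposing issues; a guard such as `if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name == github.repository` would make the intended scope explicit. The step's preceding lines are outside the hunk.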
@@ -162,33 +186,17 @@ jobs: files: "detection-rules/**" recover_deleted_files: true - - name: Get base ref - id: get_base_ref - run: | - if [[ "${{ github.event_name }}" == 'pull_request_target' ]]; then - # Detect changes based on whatever we're merging into. - echo "##[set-output name=ref;]${{ github.base_ref }}" - elif [[ "${{ github.event_name }}" == 'push' ]]; then - # Detect changes based on the previous commit - echo "##[set-output name=ref;]$(git rev-parse HEAD^)" - elif [[ "${{ github.event_name }}" == 'workflow_dispatch' ]]; then - # Run on a target, so run for all rules. - echo "##[set-output name=run_all;]true" - elif [[ "${{ github.event_name }}" == 'issue_comment' ]]; then - echo "##[set-output name=ref;]${{ steps.comment_branch.outputs.base_ref }}" - fi - - name: Checkout base uses: actions/checkout@v4 - if: ${{ steps.get_base_ref.outputs.run_all != 'true' }} + if: ${{ steps.get_refs.outputs.run_all != 'true' }} with: - ref: ${{ steps.get_base_ref.outputs.ref }} + ref: ${{ steps.get_refs.outputs.head_ref }} repository: sublime-security/sublime-rules depth: 0 path: sr-main - name: Rename files in sr-main based on rule id - if: ${{ steps.get_base_ref.outputs.run_all != 'true' }} + if: ${{ steps.get_refs.outputs.run_all != 'true' }} run: | cd sr-main/detection-rules @@ -205,7 +213,7 @@ jobs: for file in detection-rules/*.yml; do rule_id=$(yq '.id' $file) - if [[ "${{ steps.get_base_ref.outputs.run_all }}" == "true" ]]; then + if [[ "${{ steps.get_refs.outputs.run_all }}" == "true" ]]; then altered_rule_ids=$(echo "$rule_id"" ""$altered_rule_ids") continue fi 
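Review bot: The "Checkout base" step now checks out `steps.get_refs.outputs.head_ref` from sublime-security/sublime-rules into `sr-main`, where the removed code used the base ref; the `base_ref` output that Get Refs computes is never consumed in the visible hunks, so the rule comparison is taken against the upstream copy of the head branch (which may not exist for a fork PR) instead of the merge target. Change it to `ref: ${{ steps.get_refs.outputs.base_ref }}`. The step's `depth: 0` is also not an actions/checkout input (`fetch-depth` is); that is pre-existing but worth fixing while here.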
@@ -317,8 +325,8 @@ jobs:
 - name: "Trigger MQL Mimic Tests"
 env:
 trigger_url: '${{ secrets.MQL_MOCK_TRIGGER }}'
- branch: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
- repo: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name || github.repository }}
+ branch: '${{ steps.get_refs.outputs.head_ref }}'
+ repo: '${{ steps.get_refs.outputs.repo }}'
 token: '${{ secrets.GITHUB_TOKEN }}'
 sha: '${{ steps.get_head.outputs.HEAD }}'
 only_rule_ids: '${{ steps.find_ids.outputs.rule_ids }}'
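Review bot: For `push` events `steps.get_refs.outputs.head_ref` is `github.head_ref`, which GitHub only populates for pull_request-family events, so the `branch` sent to the trigger becomes empty where the removed expression fell back to `github.ref`. Set the push case in Get Refs (outside this hunk) to `head_ref="$GITHUB_REF"`, or pass `${{ github.ref }}` through `env:`, to keep the old behaviour. The enclosing step's `run:` body is outside the hunk.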