Correctly calculate statistics when running scans (#649)

Signed-off-by: egibs <[email protected]>
chainguard-dev · Nov 19, 2024 · 5855d35 · 5855d35
1 parent caa8692
commit 5855d35
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 25 deletions.
diff --git a/pkg/action/scan.go b/pkg/action/scan.go
@@ -343,7 +343,7 @@ func recursiveScan(ctx context.Context, c malcontent.Config) (*malcontent.Report
 					if k, ok := key.(string); ok {
 						if fr, ok := value.(*malcontent.FileReport); ok {
 							if len(c.TrimPrefixes) > 0 {
-								path = report.TrimPrefixes(k, c.TrimPrefixes)
+								k = report.TrimPrefixes(k, c.TrimPrefixes)
 							}
 							r.Files.Store(k, fr)
 							if c.Renderer != nil && r.Diff == nil && fr.RiskScore >= c.MinFileRisk {
@@ -562,7 +562,7 @@ func Scan(ctx context.Context, c malcontent.Config) (*malcontent.Report, error)
 		return true
 	})
 	if c.Stats {
-		err = render.Statistics(r)
+		err = render.Statistics(&c, r)
 		if err != nil {
 			return r, fmt.Errorf("stats: %w", err)
 		}

diff --git a/pkg/render/markdown.go b/pkg/render/markdown.go
@@ -44,7 +44,7 @@ func matchFragmentLink(s string) string {
 func (r Markdown) Scanning(_ context.Context, _ string) {}
 
 func (r Markdown) File(ctx context.Context, fr *malcontent.FileReport) error {
-	if len(fr.Behaviors) > 0 {
+	if fr.Skipped == "" && len(fr.Behaviors) > 0 {
 		markdownTable(ctx, fr, r.w, tableConfig{Title: fmt.Sprintf("## %s [%s]", fr.Path, mdRisk(fr.RiskScore, fr.RiskLevel))})
 	}
 	return nil

diff --git a/pkg/render/stats.go b/pkg/render/stats.go
@@ -19,22 +19,34 @@ func smLength(m *sync.Map) int {
 	return length
 }
 
-func riskStatistics(files *sync.Map) ([]malcontent.IntMetric, int, int) {
+func riskStatistics(c *malcontent.Config, files *sync.Map) ([]malcontent.IntMetric, int, int, int) {
 	length := smLength(files)
 
 	riskMap := make(map[int][]string, length)
 	riskStats := make(map[int]float64, length)
 
-	// as opposed to skipped files
 	processedFiles := 0
+	skippedFiles := 0
 	files.Range(func(key, value any) bool {
 		if key == nil || value == nil {
 			return true
 		}
 		processedFiles++
+
 		if fr, ok := value.(*malcontent.FileReport); ok {
-			if fr.Skipped == "" {
-				riskMap[fr.RiskScore] = append(riskMap[fr.RiskScore], fr.Path)
+			switch {
+			case c.Scan:
+				if fr.RiskScore >= 3 {
+					riskMap[fr.RiskScore] = append(riskMap[fr.RiskScore], fr.Path)
+				} else {
+					skippedFiles++
+				}
+			default:
+				if fr.Skipped == "" {
+					riskMap[fr.RiskScore] = append(riskMap[fr.RiskScore], fr.Path)
+				} else {
+					skippedFiles++
+				}
 			}
 		}
 		for riskLevel := range riskMap {
@@ -52,16 +64,16 @@ func riskStatistics(files *sync.Map) ([]malcontent.IntMetric, int, int) {
 		return t
 	}
 	for k, v := range riskStats {
-		stats = append(stats, malcontent.IntMetric{Key: k, Value: v, Count: len(riskMap[k]), Total: total()})
+		stats = append(stats, malcontent.IntMetric{Key: k, Value: v, Count: len(riskMap[k]), Total: processedFiles})
 	}
 	sort.Slice(stats, func(i, j int) bool {
 		return stats[i].Value > stats[j].Value
 	})
 
-	return stats, total(), processedFiles
+	return stats, total(), processedFiles, skippedFiles
 }
 
-func pkgStatistics(files *sync.Map) ([]malcontent.StrMetric, int, int) {
+func pkgStatistics(_ *malcontent.Config, files *sync.Map) ([]malcontent.StrMetric, int, int) {
 	length := smLength(files)
 	numBehaviors := 0
 	pkgMap := make(map[string]int, length)
@@ -71,9 +83,11 @@ func pkgStatistics(files *sync.Map) ([]malcontent.StrMetric, int, int) {
 			return true
 		}
 		if fr, ok := value.(*malcontent.FileReport); ok {
-			for _, b := range fr.Behaviors {
-				numBehaviors++
-				pkgMap[b.ID]++
+			if fr.Skipped == "" {
+				for _, b := range fr.Behaviors {
+					numBehaviors++
+					pkgMap[b.ID]++
+				}
 			}
 		}
 		return true
@@ -102,18 +116,16 @@ func pkgStatistics(files *sync.Map) ([]malcontent.StrMetric, int, int) {
 	return stats, width, numBehaviors
 }
 
-func Statistics(r *malcontent.Report) error {
-	riskStats, totalRisks, totalFilesProcessed := riskStatistics(&r.Files)
-	pkgStats, width, totalBehaviors := pkgStatistics(&r.Files)
-
-	length := smLength(&r.Files)
+func Statistics(c *malcontent.Config, r *malcontent.Report) error {
+	riskStats, totalRisks, processedFiles, skippedFiles := riskStatistics(c, &r.Files)
+	pkgStats, width, totalBehaviors := pkgStatistics(c, &r.Files)
 
 	statsSymbol := "📊"
 	riskSymbol := "⚠️ "
 	pkgSymbol := "📦"
 	fmt.Printf("%s Statistics\n", statsSymbol)
 	fmt.Println("---")
-	fmt.Printf("\033[1;37m%-15s \033[1;37m%s\033[0m\n", "Files Scanned", fmt.Sprintf("%d (%d skipped)", totalFilesProcessed, length-totalFilesProcessed))
+	fmt.Printf("\033[1;37m%-15s \033[1;37m%s\033[0m\n", "Files Scanned", fmt.Sprintf("%d (%d skipped)", processedFiles, skippedFiles))
 	fmt.Printf("\033[1;37m%-15s \033[1;37m%s\033[0m\n", "Total Risks", fmt.Sprintf("%d", totalRisks))
 	fmt.Println("---")
 	fmt.Printf("%s Risk Level Percentage\n", riskSymbol)

diff --git a/pkg/render/strings.go b/pkg/render/strings.go
@@ -78,7 +78,7 @@ func (r StringMatches) Scanning(_ context.Context, path string) {
 }
 
 func (r StringMatches) File(_ context.Context, fr *malcontent.FileReport) error {
-	if len(fr.Behaviors) == 0 {
+	if fr.Skipped != "" || len(fr.Behaviors) == 0 {
 		return nil
 	}
 

diff --git a/pkg/render/terminal.go b/pkg/render/terminal.go
@@ -80,7 +80,7 @@ func (r Terminal) Scanning(_ context.Context, path string) {
 }
 
 func (r Terminal) File(ctx context.Context, fr *malcontent.FileReport) error {
-	if len(fr.Behaviors) > 0 {
+	if fr.Skipped == "" && len(fr.Behaviors) > 0 {
 		renderFileSummary(ctx, fr, r.w,
 			tableConfig{
 				Title: fmt.Sprintf("%s %s", fr.Path, darkBrackets(riskInColor(fr.RiskLevel))),
@@ -226,6 +226,10 @@ func renderFileSummary(_ context.Context, fr *malcontent.FileReport, w io.Writer
 	previousNsRiskScore := map[string]int{}
 	diffMode := false
 
+	if fr.Skipped != "" {
+		return
+	}
+
 	for _, b := range fr.Behaviors {
 		ns, _ := splitRuleID(b.ID)
 

diff --git a/pkg/render/terminal_brief.go b/pkg/render/terminal_brief.go
@@ -33,7 +33,7 @@ func (r TerminalBrief) Scanning(_ context.Context, path string) {
 }
 
 func (r TerminalBrief) File(_ context.Context, fr *malcontent.FileReport) error {
-	if len(fr.Behaviors) == 0 {
+	if fr.Skipped != "" || len(fr.Behaviors) == 0 {
 		return nil
 	}
 

diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -406,7 +406,7 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten
 	if c.Scan {
 		highestRisk = highestMatchRisk(mrs)
 		if highestRisk < 3 {
-			return malcontent.FileReport{}, nil
+			fr.Skipped = "overall risk too low for scan"
 		}
 	}
 
@@ -592,14 +592,14 @@ func Generate(ctx context.Context, path string, mrs yara.MatchRules, c malconten
 	}
 
 	if c.Scan && overallRiskScore < HIGH {
-		return malcontent.FileReport{}, nil
+		fr.Skipped = "overall risk too low for scan"
 	}
 
 	// Check for both the full and shortened variants of malcontent
 	isMalBinary := (filepath.Base(path) == NAME || filepath.Base(path) == "mal")
 
 	if all(ignoreSelf, fr.IsMalcontent, ignoreMalcontent, isMalBinary) {
-		return malcontent.FileReport{}, nil
+		fr.Skipped = "ignoring malcontent binary"
 	}
 
 	// If something has a lot of high, it's probably critical