v1.5.1

Rule Improvements

• Remove 'threat_hunting' ruleset by @tstromberg in #645

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Tool Improvements

• Display scan results as soon as results are generated by @egibs in #617
• Properly render hits and misses by @egibs in #624
• Better handling of diffs between archives by @egibs in #626
• Make diff behave like diff(1); report consistent behaviors by @egibs in #628

Rule Improvements

• Consolidate language-specific obfuscation rules by @tstromberg in #607
• Improve results scanning for Linux malware by @tstromberg in #608
• Update third-party rules as of 2024-11-11 by @octo-sts in #614
• Improve Linux binary detection, particularly for rootkits by @tstromberg in #615
• Improve MalwareBazaar coverage (elf, python, javascript) by @tstromberg in #616
• Update third-party rules as of 2024-11-14 by @octo-sts in #621
  Rule tuning based on initial Melofee analysis by @tstromberg in #622
• remove hashes from rules by @tstromberg in #625
• Add overrides for buildah, Kibana, pydevd, and tileserver-gl by @egibs in #629
• Improve detection of machO backdoors & stealers by @tstromberg in #631
• Improve Python detection for EvilDojo666 attack by @tstromberg in #635
• Update third-party rules as of 2024-11-18 by @octo-sts in #641
• Address yara-x compile findings by @egibs in #640
• Teach malcontent about more Python maliciousness by @tstromberg in #639

Developer Improvements

• Bump Go to 1.23.3; update Go packages + golangci-lint by @egibs in #610
• More coverage improvements for MalwareBazaar by @tstromberg in #618
• Use 8-core runners for tests and updating third-party rules by @egibs in #633
• Refresh sample test data via new refresh command by @egibs in #634
• Don't consider .mdiff or .sdiff files in discoverTestData by @egibs in #637

Full Changelog: v1.4.0...v1.5.0

v1.4.0

Tool Improvements

• Modernize terminal output by @tstromberg in #564
• brief: highlight evidence by @tstromberg in #566
• fix over-indenting in diff mode by @tstromberg in #568
• Don't store an empty file report for err-first-hit/miss findings by @egibs in #579
• Fix inconsistent path behaviors when running diffs by @egibs in #581
• Fix 'none' severity findings breaking tests by @egibs in #586
• Allow --err-first-miss to continue for skipped files by @tstromberg in #591
• Improve --err-first-hit handling by @tstromberg in #596
• Log an error if an override rule has no underlying, overridden rule by @egibs in #597
• terminal: improve color matching, diff readability by @tstromberg in #600
• scan: fix missing newline, make less noisy by @tstromberg in #601
• showError: Remove unwrap for ErrMatchedCondition by @tstromberg in #604

Rule Improvements

• Add override rule for py3-hatch package by @egibs in #545
• Improve findings for Mirai, vncjew, alfa, custom RAT by @tstromberg in #541
• Reorganize rule filenames around the MalwareBehaviorCatalog standard by @tstromberg in #549
• Add compromised lottie-player test data by @egibs in #552
• Update YARAforge to 20241027 by @tstromberg in #556
• MalwareBehaviorCatalog follow-up: less naming stutter, less slashes by @tstromberg in #558
• Improve detection of Golang/Linux backdoors by @tstromberg in #567
• Update third-party rules as of 2024-11-03 by @octo-sts in #571
• Improve malicious Javascript detection by @tstromberg in #572
• Remove overriden behaviors that fall below minScore by @egibs in #580
• Improve Python detection based on the PyPI malregistry by @tstromberg in #584
• Update third-party rules as of 2024-11-06 by @octo-sts in #590
• Improve detection of "Beast" and other Linux ransomware by @tstromberg in #589
• Improve detection of malicious RubyGems by @tstromberg in #588
• Improve rule coverage for timb-machine/linux-malware by @tstromberg in #592
• Add Kibana overrides by @egibs in #594
• Rule tuning to decrease false-positives on Fedora by @tstromberg in #598
• Add Kibana security detection engine rule overrides by @egibs in #602
• Fedora: Address remaining false-positives within /usr by @tstromberg in #603
• Improve coverage for objective-see/Malware by @tstromberg in #605
• Add override rules for findings from latest full scan of Wolfi packages by @egibs in #606

Developer Improvements

• Format rule files with yara-x and add Workflow Check by @egibs in #546
• Add yara-x fmt to make lint by @egibs in #547
• Create scorecard.yml by @tstromberg in #551
• README: Clarify our focus on supply-chain and UNIX-like operating systems by @tstromberg in #550
• Address token and security policy OpenSSF findings by @egibs in #554
• Add Workflow to update third-party rules and PR the changes by @egibs in #557
• Install yara in third-party rule update Workflow by @egibs in #559
• Cleanly handle no-op third-party rule Workflow runs by @egibs in #560
• Simplify commit and PR steps for third-party Workflow by @egibs in #561
• remove reviewdog/woke style actions by @tstromberg in #562
• README: aim for subtleness, not paranoia by @tstromberg in #563
• README: updates screenshots, lean into what makes malcontent special by @tstromberg in #569
• Re-add GH_TOKEN to commit/PR step for third-party rule updates by @egibs in #570
• Makefile: Add Linux support for yara-x linter by @tstromberg in #583
• re-organize samples + integration tests to improve caching by @tstromberg in #593

Full Changelog: v1.3.0...v1.4.0

v1.3.0

Release v1.3.0

Tool Improvements

• Address two instances of CWE-22 by @egibs in #526
• error if an invalid value is passed to --min-*risk by @tstromberg in #531
• scan: include match strings (truncated) by @tstromberg in #537
• walk: log error instead of returning an error by @tstromberg in #538

Rule Improvements

• Improve macOS detection, particularly for AMOS/Poseidon and Cobaltstrike by @tstromberg in #524
• Add mlflow pypi_package_index override rule, allow for multiple rules per override by @egibs in #527
• improve detection of cipherbcryptors by @tstromberg in #519
• linux: alert tuning for k4spreader, injector, medusa, Sliver by @tstromberg in #517
• Decrease false-positives across Ubuntu 24.04, add more OS-specific tagging by @tstromberg in #530
• Update rancher pull-scripts rule by @egibs in #528
• Add override for filebeat misp_sample.ndjson.log by @egibs in #534
• Improve results when scanning Linux include files by @tstromberg in #535
• Remove HIGH findings from /etc on Ubuntu 24.04 by @tstromberg in #539
• Add additional Wolfi false positve overrides by @egibs in #540

Developer Improvements

• programkind: quietly skip non-file files by @tstromberg in #529

Full Changelog: v1.2.0...v1.3.0

v1.2.0

Release v1.2.0

Tool Improvements

• Better handling of overrides after all fr.Behaviors are added by @egibs in #487
• Add new renderer to display string matches for rules by @egibs in #488
• Delay rule compilation and cache the results by @tstromberg in #490
• process: make non-existent paths non-fatal, sort scan paths by @tstromberg in #493
• scan: wolfictl inspired output presentation by @tstromberg in #492
• processes: improve results on Linux by @tstromberg in #499
• programkind: return MIME type & file extension, swap magic library by @tstromberg in #507
• Remove errant nil check in switch statement by @egibs in #513
• Add --file-risk-change and --file-risk-increase flags by @egibs in #514
• Add risk levels to simple output by @egibs in #516
• Fix --min-risk behavior re: overrides by @egibs in #523
• programkind: be quiet if EOF reached by @tstromberg in #518

Rule Improvements

• Reduce some random Linux false positives by @tstromberg in #501
• New false positive rules by @egibs in #502
• Add jaraco py_dropper_chmod override by @egibs in #509
• rule tuning: make severities more appropriate by @tstromberg in #510
• Add filesize condition to linux_multi_persist rule by @egibs in #515

Developer Improvements

• Turn on prealloc linting rule, implement suggestions by @egibs in #491
• README tuning: left-justify logo, boost scan placement, update images by @tstromberg in #504
• Update samples commit, refresh test data, fix refresh-test-data on macOS by @egibs in #508
• makefile: fail if xz is missing by @tstromberg in #511

Full Changelog: v1.1.1...v1.2.0

v1.1.1

Rule Improvements

• Fix bad RookeryCapital testdata by @tstromberg in #484

Full Changelog: v1.1.0...v1.1.1

v1.1.0

Release v1.1.0

Tool Improvements

• Add --processes flag to scan active process commands by @egibs in #469
• Allow for multiple scan path inputs for analyze and scan by @egibs in #480
• Small archive extraction fixes; support bzip2 archives by @egibs in #479
• Allow for rule severity overrides; add default ignore tags by @egibs in #481

Rule Improvements

• Increase coverage of recent MalwareBazaar / MalShare samples by @tstromberg in #474
• Address false positives seen with argocd, grafana, jupyterhub, and reflex by @egibs in #475
• Update YARAForge rules, refresh testdata by @tstromberg in #482

Developer Improvements

• Bump actions/checkout from 4.1.7 to 4.2.0 in the all group by @dependabot in #472
• Check if frs sync.Map is nil within handleArchive by @egibs in #476
• malcontent branding: rewrite README, new go install target by @tstromberg in #477

Full Changelog: v1.0.1...v1.1.0

v1.0.1

Tool Improvements

• Explicitly check for "mal" binary name when ignoring self by @egibs in #466

Full Changelog: v1.0.0...v1.0.1

v1.0.0

bincapz is now malcontent

Ensure that your fork is updated to reference the new remote: git remote set-url origin [email protected]:chainguard-dev/malcontent.git

---

Tool Improvements

• Add .xz archive support by @egibs in #433
• programkind: Add .bat, .cpp, .dll, pyc by @tstromberg in #439
• Overhaul CLI functionality with urfave/cli by @egibs in #436
• Add shorter output format for 'scan' mode by @tstromberg in #457
• Don't return after encountering a report with lower than minimum risk by @egibs in #461
• Check if frs Map is nil before ranging over it by @egibs in #462
• bincapz is now malcontent by @egibs in #464

Rule Improvements

• Update third party rules by @tstromberg in #437
• Integrate JPCERT & TTC-CERT third party YARA rules by @tstromberg in #444
• Improve detection of droppers, stealers & obfuscated scripts by @tstromberg in #443
• Update third party rules, tighten base64_php_functions rule by @tstromberg in #446
• hadooken: Improve shell, python, and powershell dropper detection by @tstromberg in #455
• Improve JS/Python malware detection based on NPM/PyPI samples by @tstromberg in #456

Developer Improvements

• Add nil checks when iterating over sync.Maps by @egibs in #435
• Bump golang.org/x/term from 0.23.0 to 0.24.0 by @dependabot in #441
• Replace live OCI image pull with crane export by @egibs in #438
• Cache bincapz-samples repository to speed up subsequent tests by @egibs in #448
• refresh-sample-testdata refactor by @tstromberg in #450
• Bump step-security/harden-runner from 2.9.1 to 2.10.1 in the all group by @dependabot in #459
• refresh testdata: include scan_archive testdata by @tstromberg in #463

Full Changelog: v0.19.0...v1.0.0

v0.19.0

Tool Improvements

• Improve diff performance by @egibs in #429
• Replace combined channel with slice by @egibs in #430

Rule Improvements

• Improve detection of Python attacks similar to 'yocolor' by @tstromberg in #427

Developer Improvements

• Use new samples repo for tests; keep data separate and update path references by @egibs in #431

Full Changelog: v0.18.2...v0.19.0