Now that we've improved rule categorization by moving to the MITRE Malware Behavior Catalog, I'm interested in adding a `--sensitivity` flag that CI/CD pipelines can use to adjust how noisy `mal diff` is in CI/CD pipelines based on the context of what kind of update is being processed. Here's my initial thinking:

- `--sensitivity=(1|file)`: show diff only if file risk changes. Obsoletes `--file-risk-change`.
- `--sensitivity=(2|major)`: show diff if top-level namespace (objective) changes.
- `--sensitivity=(3|minor)`: show diff only if second-level namespace (resource) changes
- `--sensitivity=(4|patch)`: show diff if 3rd-level namespace (technique) changes
- `--sensitivity=(5|full)`: show diff if anything changes
For example, Wolfi knows the versions on both sides of the update: we can use it to keep the noise low for major version changes (1.0 -> 2.0), and dial the sensitivity up for subsequent minor releases (2.0 -> 2.0.1). For simple epoch changes, we can dial the sensitivity up to 5.
As part of this, we should rename `--file-risk-increase` to something like `--increased-risk`.
cc @egibs @hectorj2f @tdunlap607 for thoughts.
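To make the proposed levels concrete, here is an added sketch (not malcontent's own code) of how a CI step could compute the coarsest level at which a file's before/after findings differ and compare it against the requested `--sensitivity`. It assumes rule IDs are slash-separated MBC-style namespaces (`objective/resource/technique/rule`) and that the levels are cumulative, so each level also reports everything the lower levels do.

```go
package main

import (
	"sort"
	"strings"
)

const ( // sensitivity levels from the proposal, assumed cumulative
	SensFile  = 1 // file-level risk changed
	SensMajor = 2 // top-level namespace (objective) appeared or disappeared
	SensMinor = 3 // second-level namespace (resource)
	SensPatch = 4 // third-level namespace (technique)
	SensFull  = 5 // any change in the matched rule IDs
)

// namespaces returns the sorted, distinct prefixes of the rule IDs at the given
// depth (0 = whole ID) joined into one string, so two sides compare directly.
func namespaces(rules []string, depth int) string {
	seen, keys := map[string]bool{}, []string{}
	for _, r := range rules {
		parts := strings.Split(r, "/")
		if depth > 0 && len(parts) > depth {
			parts = parts[:depth]
		}
		if p := strings.Join(parts, "/"); !seen[p] {
			seen[p], keys = true, append(keys, p)
		}
	}
	sort.Strings(keys)
	return strings.Join(keys, ",")
}

// ChangeLevel returns the lowest --sensitivity that shows this file's diff, or 0 if unchanged.
func ChangeLevel(oldRisk, newRisk string, oldRules, newRules []string) int {
	if oldRisk != newRisk {
		return SensFile
	}
	for i, depth := range []int{1, 2, 3, 0} { // major, minor, patch, full
		if namespaces(oldRules, depth) != namespaces(newRules, depth) {
			return SensMajor + i
		}
	}
	return 0
}

// ShouldShow is the CI decision: print the diff when 0 < level <= sensitivity.
func ShouldShow(level, sensitivity int) bool {
	return level != 0 && level <= sensitivity
}
```

A pipeline handling a major version bump would call `ShouldShow(level, SensMajor)` and stay quiet about technique-level churn, while an epoch bump would pass `SensFull` and see every changed rule.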