more software signatures

[jstucke]

• added some software signatures (mbed TLS, file, opkg)

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 66.66667% with 7 lines in your changes missing coverage. Please review.

Project coverage is 92.01%. Comparing base (058e49f) to head (2fce538).
Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
...is/software_components/code/software_components.py	61.11%	7 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1301      +/-   ##
==========================================
- Coverage   92.42%   92.01%   -0.42%     
==========================================
  Files         379      378       -1     
  Lines       23661    21469    -2192     
==========================================
- Hits        21869    19754    -2115     
+ Misses       1792     1715      -77     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[maringuu]

Can you document somewhere (commit message/code comments), why these signatures are correct?
I think it is important to not only have signatures, but also be able to verify why they are correct.
The most preferable proof would we permalinks to source code, but I'm happy with anything that allows me to understand why the signatures are as they are.

[jstucke]

Can you document somewhere (commit message/code comments), why these signatures are correct? I think it is important to not only have signatures, but also be able to verify why they are correct. The most preferable proof would we permalinks to source code, but I'm happy with anything that allows me to understand why the signatures are as they are.

I tried to find the corresponding places in the source code but I also found that in libmagic the version is stored as an integer instead of a string. The FSR currently does not have the capability to extract integers, so I added it.

[maringuu]

Does this need a rebase after #1263?

[jstucke]

Does this need a rebase after #1263?

I don't think so, since the PR didn't change any internals, but I did one anyway.

[maringuu]

A few comments otherwise lgtm!

[maringuu]

This function should not take the meta_dict but rather the regex as parameter.
Also storing a python regex as json encoded array in a yara file seems a bit too complex to me (As can be seen by the amount of backslashes).
What do you think about formatting it in two separate fields:

rule file_libmagic {
	meta:
		software_name = "file"
		// versions are stored as decimal int with three digits
		// (first digit: major version, remaining two digits: minor version)
		version_regex = "\\d{3}"
		_version_function = "magic_version"
                _sub_regex = "(\\d)(\\d{2})"
                _sub_replacement = "\\1.\\2"
                ...
}

[maringuu]

Also, what is the difference between the version_regex and the _sub_regex?
Could (should?) they be merged?

[jstucke]

version_regex is for reading in the version from the matched string (if it doesn't have the default 1.2.3 form) and _sub_regex (short for substitution regex) is something new that I had to think of, because file/libmagic came with a version in the form XYY (e.g. 524) and there is no way to read this in as X.YY without it. _sub_regex and _sub_replacement are the inputs for re.sub()

Why is XYY not enough in this case? Because it is stored as X.YY in the CVE data and we cannot match it otherwise

[maringuu]

Nit: I personally prefer less indentation, which in this case can be archived by adding:

if function is None:
    return []

Also: Why can function be none if we did not get an exception in the call to getGlobalFunctions?!
I think it cannot.

[maringuu]

Why does this raise a type error?