feature : statusがdeprecatedなルールを読み込まない (#272)

* feature status deprecated exclude

* clean

* change logic and option name

* fix option description

src/detections/configs.rs

@@ -63,6 +63,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
     -s --statistics 'Prints statistics of event IDs'
     -n --show-noisyalerts 'do not exclude noisy rules'
     -t --threadnum=[NUM] 'Thread number (default: optimal number for performance)'
+    --show-deprecated 'do not exclude rules with YAML's status deprecated'
     --contributors 'Prints the list of contributors'";
     App::new(&program)
         .about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!")

src/yaml.rs

@@ -152,6 +152,19 @@ impl ParseYaml {
                     }
                 }
 
+                if !configs::CONFIG
+                    .read()
+                    .unwrap()
+                    .args
+                    .is_present("show-deprecated")
+                {
+                    let rule_status = &yaml_doc["status"].as_str();
+                    if rule_status.is_some() && rule_status.unwrap() == "deprecated" {
+                        self.ignorerule_count += 1;
+                        return Option::None;
+                    }
+                }
+
                 return Option::Some((filepath, yaml_doc));
             })
             .collect();
@@ -279,4 +292,15 @@ mod tests {
             .unwrap();
         assert_eq!(yaml.ignorerule_count, 0);
     }
+    #[test]
+    fn test_exclude_deprecated_rules_file() {
+        let mut yaml = yaml::ParseYaml::new();
+        let path = Path::new("test_files/rules/deprecated");
+        let exclude_ids = RuleExclude {
+            no_use_rule: HashSet::new(),
+        };
+        yaml.read_dir(path.to_path_buf(), &"", &exclude_ids)
+            .unwrap();
+        assert_eq!(yaml.ignorerule_count, 1);
+    }
 }