From fb5ee6b9e931139a7989d7b69f43f342021281fd Mon Sep 17 00:00:00 2001
From: Elijah Gibson <82835625+semphorin@users.noreply.github.com>
Date: Mon, 18 Dec 2023 15:58:16 -0500
Subject: [PATCH] Flake8 linting + isInJson tail recursion update

---
 .../analyzers/malwarebazaar/malwarebazaar.py | 31 ++++++++++++-------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py
index 8a8f51f73..cfc7d9f3a 100755
--- a/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py
+++ b/salt/sensoroni/files/analyzers/malwarebazaar/malwarebazaar.py
@@ -25,18 +25,18 @@ def sendReq(meta, query):
     return response.json()
 
 
-def isInJson(data, target_string, maxdepth):
+def isInJson(data, target_string, maxdepth=1000, tail=0):
     # searches a JSON object for an occurance of a string
     # recursively.
-    # depth limiter (arbitrary value of 1000)
-    if maxdepth > 1000:
+    # depth limiter (arbitrary default value of 1000)
+    if tail > maxdepth:
         return False
     if isinstance(data, dict):
         for key, value in data.items():
             if isinstance(value, (dict, list)):
                 # recursive call
-                if isInJson(value, target_string, maxdepth + 1):
+                if isInJson(value, target_string, maxdepth, tail + 1):
                     return True
             elif isinstance(value, str) and target_string in value.lower():
                 # found target string
@@ -46,7 +46,7 @@ def isInJson(data, target_string, maxdepth):
         for item in data:
             if isinstance(item, (dict, list)):
                 # recursive call
-                if isInJson(item, target_string, maxdepth + 1):
+                if isInJson(item, target_string, maxdepth, tail + 1):
                     return True
             elif isinstance(item, str) and target_string in item.lower():
                 # found target string
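Review bot: The depth guard `if tail > maxdepth` with the default `maxdepth=1000` still cannot fire on CPython, whose default recursion limit is also 1000, so a response nested deeply enough raises RecursionError before `tail` ever exceeds the cap; the list branch in the second hunk (`@@ -46,7`) has the same problem. Since `data` is the parsed body of an external API response, the limiter only does something if the default is well below the interpreter limit (for example `maxdepth=100`) or is checked against `sys.getrecursionlimit()`, and otherwise the caller has to catch RecursionError itself. The "tail recursion" wording in the subject is also misleading: the call sits inside `if isInJson(...): return True` within a loop, not in tail position, and CPython performs no tail-call elimination, so `tail` is simply the current nesting depth and would read better as `depth`. A short docstring should also state that `target_string` is compared against `value.lower()` but is never lowercased itself, so the caller must pass it in lowercase. The rest of the function after the list branch lies outside both hunks.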
@@ -56,7 +56,8 @@ def isInJson(data, target_string, maxdepth):
 
 
 def prepareResults(raw):
-    # parse raw API response, gauge threat level and return status and a short summary
+    # parse raw API response, gauge threat level
+    # and return status and a short summary
     if raw == {}:
         status = 'caution'
         summary = 'internal_failure'
@@ -72,7 +73,8 @@ def prepareResults(raw):
         elif 'YOROI_YOMI' in vendor_data:
             summary = vendor_data['YOROI_YOMI']['detection']
 
-        # gauge vendors to determine an approximation of status, normalized to a value out of 100
+        # gauge vendors to determine an approximation of status,
+        # normalized to a value out of 100
         # only updates score if it finds a higher indicator value
         score = 0
         vendor_info_list = [
@@ -81,8 +83,10 @@ def prepareResults(raw):
             ('DocGuard', 'alertlevel', lambda x: int(x) * 10),
             ('YOROI_YOMI', 'score', lambda x: int(float(x)) * 100),
             ('Inquest', 'verdict', lambda x: 100 if x == 'MALICIOUS' else 0),
-            ('ReversingLabs', 'status', lambda x: 100 if x == 'MALICIOUS' else 0),
-            ('Spamhaus_HBL', 'detection', lambda x: 100 if x == 'MALICIOUS' else 0),
+            ('ReversingLabs', 'status',
+             lambda x: 100 if x == 'MALICIOUS' else 0),
+            ('Spamhaus_HBL', 'detection',
+             lambda x: 100 if x == 'MALICIOUS' else 0),
         ]
         for vendor, key, transform in vendor_info_list:
             if vendor in vendor_data and key in vendor_data[vendor]:
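Review bot: In the `vendor_info_list` context of the third hunk on this line (`@@ -81,8`), `int(float(x)) * 100` for YOROI_YOMI truncates before scaling, so if that vendor's score is a 0–1 fraction a value of 0.9 contributes 0 rather than 90; if that is the field's range, `lambda x: int(float(x) * 100)` is presumably what was intended — worth confirming against the API's documented schema before changing it. The three identical `lambda x: 100 if x == 'MALICIOUS' else 0` entries, now wrapped across two lines each, would read better as one small named helper (e.g. `_verdict_score`) referenced three times, which also removes the need for the line wrapping. All three hunks on this line fall inside prepareResults, whose body continues outside them.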
@@ -116,14 +120,17 @@ def analyze(input):
     meta = helpers.loadMetadata(__file__)
     helpers.checkSupportedType(meta, data["artifactType"])
-    if (data['artifactType'] == 'tlsh' or data['artifactType'] == 'gimphash' or data['artifactType'] == 'telfhash'):
-        # To get accurate reporting for TLSH, telfhash and gimphash, we deem it necessary to query
+    if (data['artifactType'] == 'tlsh' or data['artifactType'] == 'gimphash'
+            or data['artifactType'] == 'telfhash'):
+        # To get accurate reporting for TLSH, telfhash and gimphash,
+        # we deem it necessary to query
         # twice for the sake of retrieving more specific data.
         initialQuery = buildReq(data['artifactType'], data['value'])
         initialRaw = sendReq(meta, initialQuery)
-        # To prevent double-querying when a tlsh/gimphash is invalid, this if statement is necessary.
+        # To prevent double-querying when a tlsh/gimphash is invalid,
+        # this if statement is necessary.
         if initialRaw['query_status'] == 'ok':
             # Setting artifactType and value to our new re-query arguments
             # to get a more detailed report.