feat: add -e option in boreal-cli

vthib · Dec 31, 2023 · 4485352 · 4485352
1 parent f9077bf
commit 4485352
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/boreal-cli/src/main.rs b/boreal-cli/src/main.rs
@@ -113,6 +113,13 @@ fn build_command() -> Command {
                 .value_parser(parse_fragmented_scan_mode)
                 .help("Specify scan mode for fragmented memory (e.g. process scanning)"),
         )
+        .arg(
+            Arg::new("print_namespace")
+                .short('e')
+                .long("print-namespace")
+                .action(ArgAction::SetTrue)
+                .help("Print rule namespace"),
+        )
         .arg(
             Arg::new("print_strings")
                 .short('s')
@@ -402,6 +409,7 @@ struct ScanOptions {
     print_strings_matches_data: bool,
     print_string_length: bool,
     print_metadata: bool,
+    print_namespace: bool,
     print_tags: bool,
     no_mmap: bool,
     identifier: Option<String>,
@@ -415,6 +423,7 @@ impl ScanOptions {
             print_strings_matches_data: args.get_flag("print_strings"),
             print_string_length: args.get_flag("print_string_length"),
             print_metadata: args.get_flag("print_metadata"),
+            print_namespace: args.get_flag("print_namespace"),
             print_tags: args.get_flag("print_tags"),
             no_mmap: if cfg!(feature = "memmap") {
                 args.get_flag("no_mmap")
@@ -495,7 +504,10 @@ fn display_scan_results(res: ScanResult, what: &str, options: &ScanOptions) {
             }
         }
 
-        // <rulename> [<ruletags>] <matched object>
+        // <rule_namespace>:<rule_name> [<ruletags>] <matched object>
+        if options.print_namespace {
+            print!("{}:", rule.namespace.unwrap_or("default"));
+        }
         print!("{}", &rule.name);
         if options.print_tags {
             print!(" [{}]", rule.tags.join(","));
@@ -759,6 +771,7 @@ mod tests {
             print_strings_matches_data: false,
             print_string_length: false,
             print_metadata: false,
+            print_namespace: false,
             print_tags: false,
             no_mmap: false,
             identifier: None,

diff --git a/boreal-cli/tests/cli.rs b/boreal-cli/tests/cli.rs
@@ -1094,3 +1094,25 @@ rule too_long {
         .stderr(format!("Cannot scan {path}: timeout\n"))
         .failure();
 }
+
+#[test]
+fn test_print_namespace() {
+    let rule_file = test_file(
+        br#"
+rule first { condition: true }
+"#,
+    );
+
+    let input = test_file(b"");
+    let path = input.path().display();
+
+    // Test filter by identifier
+    cmd()
+        .arg("-e")
+        .arg(rule_file.path())
+        .arg(input.path())
+        .assert()
+        .stdout(format!("default:first {path}\n"))
+        .stderr("")
+        .success();
+}