Merge pull request #35 from jpohls1/split

Extract methods for more modular design
markuskont · Sep 25, 2023 · 3a7bc6c · 3a7bc6c
2 parents 482bc50 + b85d61d
commit 3a7bc6c
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 22 deletions.
diff --git a/rule.go b/rule.go
@@ -40,7 +40,32 @@ type Rule struct {
 	Tags      `yaml:"tags" json:"tags"`
 }
 
-// NewRuleList reads a list of sigma rule paths and parses them to rule objects
+// HasTags returns true if the rule contains all provided tags, otherwise false
+func (r *Rule) HasTags(tags []string) bool {
+	lookup := make(map[string]bool, len(r.Tags))
+	for _, tag := range r.Tags {
+		lookup[tag] = true
+	}
+	for _, tag := range tags {
+		if _, ok := lookup[tag]; !ok {
+			return false
+		}
+	}
+	return true
+}
+
+// RuleFromYAML parses yaml data into Rule object
+func RuleFromYAML(data []byte) (r Rule, err error) {
+	err = yaml.Unmarshal(data, &r)
+	return
+}
+
+// IsMultipart checks if rule is multipart
+func IsMultipart(data []byte) bool {
+	return !bytes.HasPrefix(data, []byte("---")) && bytes.Contains(data, []byte("---"))
+}
+
+// NewRuleList 	reads a list of sigma rule paths and parses them to rule objects
 func NewRuleList(files []string, skip, noCollapseWS bool, tags []string) ([]RuleHandle, error) {
 	if len(files) == 0 {
 		return nil, fmt.Errorf("missing rule file list")
@@ -53,8 +78,8 @@ loop:
 		if err != nil {
 			return nil, err
 		}
-		var r Rule
-		if err := yaml.Unmarshal(data, &r); err != nil {
+		r, err := RuleFromYAML(data)
+		if err != nil {
 			if skip {
 				errs = append(errs, ErrParseYaml{
 					Path:  path,
@@ -65,28 +90,16 @@ loop:
 			}
 			return nil, &ErrParseYaml{Err: err, Path: path}
 		}
-	tagLoop:
-		for _, tag := range tags {
-			for _, ruleTag := range r.Tags {
-				if ruleTag == tag {
-					continue tagLoop
-				}
-			}
-			errs = append(errs, ErrParseYaml{
-				Path:  path,
-				Count: i,
-				Err:   fmt.Errorf("rule does not have required %s tag", tag),
-			})
+
+		if !r.HasTags(tags) {
 			continue loop
 		}
 
 		rules = append(rules, RuleHandle{
 			Path:         path,
 			Rule:         r,
 			NoCollapseWS: noCollapseWS,
-			Multipart: func() bool {
-				return !bytes.HasPrefix(data, []byte("---")) && bytes.Contains(data, []byte("---"))
-			}(),
+			Multipart:    IsMultipart(data),
 		})
 	}
 	return rules, func() error {

diff --git a/ruleset.go b/ruleset.go
@@ -55,7 +55,7 @@ func NewRuleset(c Config, tags []string) (*Ruleset, error) {
 	if err != nil {
 		return nil, err
 	}
-	var fail, unsupp int
+	var fail int
 	rules, err := NewRuleList(files, !c.FailOnYamlParse, c.NoCollapseWS, tags)
 	if err != nil {
 		switch e := err.(type) {
@@ -65,6 +65,15 @@ func NewRuleset(c Config, tags []string) (*Ruleset, error) {
 			return nil, err
 		}
 	}
+	result := RulesetFromRuleList(rules)
+	result.root = c.Directory
+	result.Failed += fail
+	result.Total += fail
+	return result, nil
+}
+
+func RulesetFromRuleList(rules []RuleHandle) *Ruleset {
+	var fail, unsupp int
 	set := make([]*Tree, 0)
 loop:
 	for _, raw := range rules {
@@ -86,13 +95,12 @@ loop:
 	}
 	return &Ruleset{
 		mu:          &sync.RWMutex{},
-		root:        c.Directory,
 		Rules:       set,
 		Failed:      fail,
 		Ok:          len(set),
 		Unsupported: unsupp,
-		Total:       len(files),
-	}, nil
+		Total:       len(rules),
+	}
 }
 
 func (r *Ruleset) EvalAll(e Event) (Results, bool) {