scanbridge 0.3.0

A unified, pluggable API for malware scanning with circuit breakers, policy enforcement, and audit logging
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340

//! Scan result structures.
//!
//! This module defines `ScanResult` and related types that represent
//! the outcome of a scanning operation, including metadata about
//! which engine was used and how long the scan took.

use crate::core::types::{FileHash, FileMetadata, ScanContext, ScanOutcome, ThreatInfo};
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use std::time::Duration;

/// The complete result of a scan operation.
///
/// This structure contains all information about a completed scan,
/// including the outcome, metadata, timing, and engine information.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScanResult {
    /// Unique identifier for this scan result.
    pub id: String,

    /// The outcome of the scan.
    pub outcome: ScanOutcome,

    /// Metadata about the scanned file.
    pub file_metadata: FileMetadata,

    /// Name of the engine that performed the scan.
    pub engine: String,

    /// Version of the engine's signature database, if available.
    pub engine_version: Option<String>,

    /// When the scan started.
    pub started_at: DateTime<Utc>,

    /// When the scan completed.
    pub completed_at: DateTime<Utc>,

    /// How long the scan took.
    #[serde(with = "duration_serde")]
    pub duration: Duration,

    /// The context in which the scan was requested.
    pub context: ScanContext,

    /// Whether this result came from a cache.
    pub cached: bool,

    /// Additional engine-specific details.
    #[serde(default)]
    pub details: std::collections::HashMap<String, serde_json::Value>,
}

impl ScanResult {
    /// Creates a new `ScanResult` with the given outcome.
    pub fn new(
        outcome: ScanOutcome,
        file_metadata: FileMetadata,
        engine: impl Into<String>,
        duration: Duration,
        context: ScanContext,
    ) -> Self {
        let now = Utc::now();
        Self {
            id: uuid::Uuid::new_v4().to_string(),
            outcome,
            file_metadata,
            engine: engine.into(),
            engine_version: None,
            started_at: now - chrono::Duration::from_std(duration).unwrap_or_default(),
            completed_at: now,
            duration,
            context,
            cached: false,
            details: std::collections::HashMap::new(),
        }
    }

    /// Returns `true` if the file is clean.
    pub fn is_clean(&self) -> bool {
        self.outcome.is_clean()
    }

    /// Returns `true` if the file is infected.
    pub fn is_infected(&self) -> bool {
        self.outcome.is_infected()
    }

    /// Returns the threats if infected.
    pub fn threats(&self) -> Option<&[ThreatInfo]> {
        match &self.outcome {
            ScanOutcome::Infected { threats } => Some(threats),
            _ => None,
        }
    }

    /// Returns the file hash.
    pub fn file_hash(&self) -> &FileHash {
        &self.file_metadata.hash
    }

    /// Sets the engine version.
    pub fn with_engine_version(mut self, version: impl Into<String>) -> Self {
        self.engine_version = Some(version.into());
        self
    }

    /// Marks this result as cached.
    pub fn with_cached(mut self, cached: bool) -> Self {
        self.cached = cached;
        self
    }

    /// Adds a detail entry.
    pub fn with_detail(mut self, key: impl Into<String>, value: serde_json::Value) -> Self {
        self.details.insert(key.into(), value);
        self
    }
}

/// A report combining results from multiple scan engines.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScanReport {
    /// Unique identifier for this report.
    pub id: String,

    /// Individual results from each engine.
    pub results: Vec<ScanResult>,

    /// The aggregated outcome (worst case from all engines).
    pub aggregated_outcome: ScanOutcome,

    /// File hash (consistent across all results).
    pub file_hash: FileHash,

    /// When the scan was requested.
    pub requested_at: DateTime<Utc>,

    /// When the scan completed.
    pub completed_at: DateTime<Utc>,

    /// Total duration including all engines.
    #[serde(with = "duration_serde")]
    pub total_duration: Duration,

    /// The context in which the scan was requested.
    pub context: ScanContext,
}

impl ScanReport {
    /// Creates a new `ScanReport` from multiple results.
    pub fn from_results(results: Vec<ScanResult>, context: ScanContext) -> Self {
        let now = Utc::now();
        let aggregated_outcome = aggregate_outcomes(results.iter().map(|r| &r.outcome));
        let file_hash = results
            .first()
            .map(|r| r.file_metadata.hash.clone())
            .unwrap_or_else(|| FileHash::new("unknown"));

        let total_duration = results.iter().map(|r| r.duration).sum();

        let requested_at = results
            .iter()
            .map(|r| r.started_at)
            .min()
            .unwrap_or(now);

        Self {
            id: uuid::Uuid::new_v4().to_string(),
            results,
            aggregated_outcome,
            file_hash,
            requested_at,
            completed_at: now,
            total_duration,
            context,
        }
    }

    /// Returns `true` if all engines reported clean.
    pub fn is_clean(&self) -> bool {
        self.aggregated_outcome.is_clean()
    }

    /// Returns `true` if any engine reported infected.
    pub fn is_infected(&self) -> bool {
        self.aggregated_outcome.is_infected()
    }

    /// Returns all detected threats from all engines.
    pub fn all_threats(&self) -> Vec<&ThreatInfo> {
        self.results
            .iter()
            .filter_map(|r| r.threats())
            .flatten()
            .collect()
    }

    /// Returns the engines that detected threats.
    pub fn detecting_engines(&self) -> Vec<&str> {
        self.results
            .iter()
            .filter(|r| r.is_infected())
            .map(|r| r.engine.as_str())
            .collect()
    }

    /// Returns the number of engines that participated in the scan.
    pub fn engine_count(&self) -> usize {
        self.results.len()
    }
}

/// Aggregates multiple outcomes into a single worst-case outcome.
fn aggregate_outcomes<'a>(outcomes: impl Iterator<Item = &'a ScanOutcome>) -> ScanOutcome {
    let mut has_error = false;
    let mut has_infected = false;
    let mut all_threats = Vec::new();
    let mut has_suspicious = false;
    let mut suspicious_reason = String::new();
    let mut suspicious_confidence = 0.0f32;

    for outcome in outcomes {
        match outcome {
            ScanOutcome::Error { recoverable: false } => {
                return ScanOutcome::Error { recoverable: false };
            }
            ScanOutcome::Error { .. } => has_error = true,
            ScanOutcome::Infected { threats } => {
                has_infected = true;
                all_threats.extend(threats.clone());
            }
            ScanOutcome::Suspicious { reason, confidence } => {
                has_suspicious = true;
                if *confidence > suspicious_confidence {
                    suspicious_confidence = *confidence;
                    suspicious_reason = reason.clone();
                }
            }
            ScanOutcome::Clean => {}
        }
    }

    if has_infected {
        ScanOutcome::Infected {
            threats: all_threats,
        }
    } else if has_suspicious {
        ScanOutcome::Suspicious {
            reason: suspicious_reason,
            confidence: suspicious_confidence,
        }
    } else if has_error {
        ScanOutcome::Error { recoverable: true }
    } else {
        ScanOutcome::Clean
    }
}

/// Serde helper for Duration serialization.
mod duration_serde {
    use serde::{Deserialize, Deserializer, Serialize, Serializer};
    use std::time::Duration;

    pub fn serialize<S>(duration: &Duration, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: Serializer,
    {
        duration.as_millis().serialize(serializer)
    }

    pub fn deserialize<'de, D>(deserializer: D) -> Result<Duration, D::Error>
    where
        D: Deserializer<'de>,
    {
        let millis = u64::deserialize(deserializer)?;
        Ok(Duration::from_millis(millis))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::core::types::ThreatSeverity;

    #[test]
    fn test_scan_result_creation() {
        let hash = FileHash::new("abc123");
        let metadata = FileMetadata::new(1000, hash);
        let context = ScanContext::new().with_tenant_id("test");

        let result = ScanResult::new(
            ScanOutcome::Clean,
            metadata,
            "test-engine",
            Duration::from_millis(100),
            context,
        );

        assert!(result.is_clean());
        assert!(!result.is_infected());
        assert!(result.threats().is_none());
    }

    #[test]
    fn test_scan_result_infected() {
        let hash = FileHash::new("abc123");
        let metadata = FileMetadata::new(1000, hash);
        let context = ScanContext::new();

        let threats = vec![ThreatInfo::new("Test.Malware", ThreatSeverity::High, "test")];
        let result = ScanResult::new(
            ScanOutcome::Infected {
                threats: threats.clone(),
            },
            metadata,
            "test-engine",
            Duration::from_millis(100),
            context,
        );

        assert!(!result.is_clean());
        assert!(result.is_infected());
        assert_eq!(result.threats().unwrap().len(), 1);
    }

    #[test]
    fn test_aggregate_outcomes() {
        let outcomes = vec![ScanOutcome::Clean, ScanOutcome::Clean];
        assert!(aggregate_outcomes(outcomes.iter()).is_clean());

        let outcomes = vec![
            ScanOutcome::Clean,
            ScanOutcome::Infected {
                threats: vec![ThreatInfo::new("Test", ThreatSeverity::High, "engine")],
            },
        ];
        assert!(aggregate_outcomes(outcomes.iter()).is_infected());
    }
}