shapash 0.1.15

A deterministic, auditable forward-chaining rule engine with pluggable scoring
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

//! Domain-specific fact types for Shapash rule evaluation
//!
//! These types represent facts that can be evaluated by HEL expressions.

use std::sync::Arc;

/// A fact in the rule evaluation system
///
/// Facts represent information about binaries, behaviors, and analysis results.
/// They can be referenced in HEL rule conditions.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub enum Fact {
/// Rule that has been triggered (for forward chaining)
TriggeredRule(Arc<str>),
/// Taint flow analysis result
TaintFlow(TaintFlow),
/// Function call observation
FunctionCall(FunctionCall),
/// Memory operation observation
MemoryOperation(MemoryOperation),
/// ONNX model output
OnnxModelOutput(Arc<str>),
/// Binary metadata
BinaryInfo(BinaryInfo),
/// Security flag status
SecurityFlags(SecurityFlags),
/// Binary section information
SectionInfo(SectionInfo),
/// Import/symbol information
ImportInfo(ImportInfo),
/// Symbolic execution query request
SymQueryRequest(SymQueryRequest),
/// Symbolic execution query result
SymQueryResult(SymQueryResult),
/// Custom fact with namespace, key, and value
Custom {
namespace: Arc<str>,
key: Arc<str>,
value: Arc<str>,
},
}

/// Taint flow analysis result
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct TaintFlow {
pub source: Arc<str>,
pub sink: Arc<str>,
}

/// Function call observation
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct FunctionCall {
pub name: Arc<str>,
pub arguments: Vec<Arc<str>>,
pub properties: Vec<Arc<str>>,
}

/// Memory operation observation
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct MemoryOperation {
pub destination_address: u64,
pub is_write: bool,
}

/// Binary metadata fact
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct BinaryInfo {
pub format: Arc<str>,
pub arch: Arc<str>,
pub entry_point: u64,
pub file_size: u64,
}

/// Security flags fact
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct SecurityFlags {
pub flag_name: Arc<str>,
pub flag_value: Arc<str>,
}

/// Section information fact
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct SectionInfo {
pub name: Arc<str>,
pub is_executable: bool,
pub is_writable: bool,
}

/// Import/symbol fact
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct ImportInfo {
pub symbol: Arc<str>,
pub library: Option<Arc<str>>,
}

/// Symbolic execution query request
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct SymQueryRequest {
pub query_id: String,
pub artifact_id: String,
pub addr: u64,
pub kind: String,
pub params: String,
}

/// Symbolic execution query result
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct SymQueryResult {
pub query_id: String,
pub sat: bool,
pub summary: String,
pub witness: Option<String>,
}