skill-veil-core 0.2.0

Core library for skill-veil behavioral analysis
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

use std::collections::BTreeMap;

use crate::findings::{ArtifactScope, Finding, RootCauseGroup, SignalClass, ThreatCategory};

pub(super) fn build_root_cause_groups(findings: &[Finding]) -> Vec<RootCauseGroup> {
    let mut groups =
        BTreeMap::<(ArtifactScope, ThreatCategory, SignalClass), RootCauseGroup>::new();

    for finding in findings {
        let key = (
            finding.artifact_scope,
            finding.category,
            finding.signal_class,
        );
        groups
            .entry(key)
            .and_modify(|group| {
                group.finding_count += 1;
                group.strongest_action = group.strongest_action.max(finding.recommended_action);
                if !group.representative_rules.contains(&finding.rule_id) {
                    group.representative_rules.push(finding.rule_id.clone());
                }
            })
            .or_insert_with(|| RootCauseGroup {
                scope: finding.artifact_scope,
                category: finding.category,
                signal_class: finding.signal_class,
                finding_count: 1,
                strongest_action: finding.recommended_action,
                representative_rules: vec![finding.rule_id.clone()],
            });
    }

    let mut groups: Vec<_> = groups.into_values().collect();
    for group in &mut groups {
        group.representative_rules.sort();
        group
            .representative_rules
            .truncate(super::MAX_REPRESENTATIVE_RULES);
    }
    groups.sort_by(|left, right| {
        right
            .strongest_action
            .cmp(&left.strongest_action)
            .then_with(|| right.finding_count.cmp(&left.finding_count))
    });
    groups
}

/// Merge groups that share `(scope, category, signal_class)` after calibration
/// may have reclassified signal_class, creating duplicates.
pub(super) fn merge_calibrated_groups(groups: Vec<RootCauseGroup>) -> Vec<RootCauseGroup> {
    let mut merged =
        BTreeMap::<(ArtifactScope, ThreatCategory, SignalClass), RootCauseGroup>::new();
    for group in groups {
        let key = (group.scope, group.category, group.signal_class);
        merged
            .entry(key)
            .and_modify(|existing| {
                existing.finding_count += group.finding_count;
                existing.strongest_action = existing.strongest_action.max(group.strongest_action);
                for rule in &group.representative_rules {
                    if !existing.representative_rules.contains(rule) {
                        existing.representative_rules.push(rule.clone());
                    }
                }
                existing.representative_rules.sort();
                existing
                    .representative_rules
                    .truncate(super::MAX_REPRESENTATIVE_RULES);
            })
            .or_insert(group);
    }
    let mut result: Vec<_> = merged.into_values().collect();
    result.sort_by(|left, right| {
        right
            .strongest_action
            .cmp(&left.strongest_action)
            .then_with(|| right.finding_count.cmp(&left.finding_count))
    });
    result
}