
Commit 4349051

committed
feat: rename finding
1 parent 6dc4c34 commit 4349051

7 files changed

Lines changed: 60 additions & 60 deletions


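--- a/thorlog/common/event.go
+++ b/thorlog/common/event.go
@@ -28,7 +28,7 @@ type LogEventMetadata struct {
 Mod string `json:"module" textlog:"module"`
 // The ID of the scan where this event was created.
 ScanID string `json:"scan_id" textlog:"scanid,omitempty"`
-// A unique ID for this finding.
+// A unique ID for this event.
 // The ID is transient and the same element may have different IDs across multiple scans.
 GenID string `json:"event_id,omitempty" textlog:"uid,omitempty"`
 // The hostname of the machine where this event was generated.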

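--- a/thorlog/jsonschema/generateschema.go
+++ b/thorlog/jsonschema/generateschema.go
@@ -97,7 +97,7 @@ func main() {
 Title: "ThorEvent",
 OneOf: []*jsonschema.Schema{
 {
-Ref: "#/$defs/Finding",
+Ref: "#/$defs/Assessment",
 },
 {
 Ref: "#/$defs/Message",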

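--- a/thorlog/parser/parser_test.go
+++ b/thorlog/parser/parser_test.go
@@ -129,11 +129,11 @@ func TestParseEvent(t *testing.T) {
 },
 },
 {
-"JsonV3Finding",
-`{"type":"THOR finding","meta":{"time":"2024-09-24T14:18:46.190394329+02:00","level":"Alert","module":"Test","scan_id":"abdc","event_id":"abdas","hostname":"aserarsd"},"message":"This is a test finding","subject":{"type":"file","path":"path/to/file"},"score":70,"reasons":[{"type":"reason","summary":"Reason 1","signature":{"score":70,"ref":null,"origin":"internal","kind":""},"matched":null}],"reason_count":0,"context":[{"object":{"type":"at job"},"relation":"","unique":false}],"log_version":"v3"}`,
-&thorlog.Finding{
+"JsonV3Assessment",
+`{"type":"THOR assessment","meta":{"time":"2024-09-24T14:18:46.190394329+02:00","level":"Alert","module":"Test","scan_id":"abdc","event_id":"abdas","hostname":"aserarsd"},"message":"This is a test assessment","subject":{"type":"file","path":"path/to/file"},"score":70,"reasons":[{"type":"reason","summary":"Reason 1","signature":{"score":70,"ref":null,"origin":"internal","kind":""},"matched":null}],"reason_count":0,"context":[{"object":{"type":"at job"},"relation":"","unique":false}],"log_version":"v3"}`,
+&thorlog.Assessment{
 ObjectHeader: jsonlog.ObjectHeader{
-Type: "THOR finding",
+Type: "THOR assessment",
 },
 Meta: thorlog.LogEventMetadata{
 Time: mustTime("2024-09-24T14:18:46.190394329+02:00"),
@@ -143,7 +143,7 @@ func TestParseEvent(t *testing.T) {
 GenID: "abdas",
 Source: "aserarsd",
 },
-Text: "This is a test finding",
+Text: "This is a test assessment",
 Subject: &thorlog.File{
 ObjectHeader: jsonlog.ObjectHeader{
 Type: "file",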

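--- a/thorlog/v3/event.go
+++ b/thorlog/v3/event.go
@@ -14,21 +14,21 @@ import (
 "golang.org/x/exp/slices"
 )
 
-// Finding is a summary of a Subject's analysis by THOR.
-// This object is usually, but not necessarily suspicious; the
+// Assessment is a summary of a Subject's analysis by THOR.
+// The assessed object is not necessarily suspicious; the
 // severity can be seen in the Score, and beyond that the
-// Reasons contain further information on why this Subject is
+// Reasons contain further information if this Subject is
 // considered suspicious.
-type Finding struct {
+type Assessment struct {
 jsonlog.ObjectHeader
 Meta LogEventMetadata `json:"meta" textlog:",expand"`
-// Text is the message THOR printed for this finding.
-// This is usually a summary based on this finding's subject and level.
+// Text is the message THOR printed for this assessment.
+// This is usually a summary based on this assessment's subject and level.
 Text string `json:"message" textlog:"message"`
-// Subject is the object analysed by THOR.
-Subject ReportableObject `json:"subject" textlog:",expand"`
+// Subject is the object assessed by THOR.
+Subject AssessableObject `json:"subject" textlog:",expand"`
 // Score is a metric that combines severity and certainty. The score is always in a range of 0 to 100;
-// 0 indicates that the analysis found no suspicious indicators, whereas 100 indicates very high
+// 0 indicates that the assessment found no suspicious indicators, whereas 100 indicates very high
 // severity and certainty.
 Score int64 `json:"score" textlog:"score"`
 // Reasons describes the indicators that contributed to the score.
@@ -45,46 +45,46 @@ type Finding struct {
 // and a relation name of "parent", indicating that the Subject derives from this object,
 // which is its parent.
 EventContext Context `json:"context" textlog:",expand" jsonschema:"nullable"`
-// Issues lists any problems that THOR encountered when trying to create a Finding for this analysis.
+// Issues lists any problems that THOR encountered when trying to create a JSON struct for this assessment.
 // This may include e.g. overly long fields that were truncated, fields that could not be rendered to JSON,
 // or similar problems.
 Issues []Issue `json:"issues,omitempty" textlog:"-"`
 // LogVersion describes the jsonlog version that this event was created with.
 LogVersion common.Version `json:"log_version"`
 }
 
-// ReportableObject can be any object type that THOR analyses, e.g. File or Process.
-type ReportableObject interface {
+// AssessableObject can be any object type that THOR assesses, e.g. File or Process.
+type AssessableObject interface {
 reportable()
 jsonlog.Object
 }
 
-func (f *Finding) Message() string {
+func (f *Assessment) Message() string {
 return f.Text
 }
 
-func (f *Finding) Version() common.Version {
+func (f *Assessment) Version() common.Version {
 return f.LogVersion
 }
 
-func (f *Finding) Metadata() *LogEventMetadata {
+func (f *Assessment) Metadata() *LogEventMetadata {
 return &f.Meta
 }
 
-func (f *Finding) UnmarshalJSON(data []byte) error {
-type plainFinding Finding
-var rawFinding struct {
-plainFinding // Embed without unmarshal method to avoid infinite recursion
-Subject EmbeddedObject `json:"subject"` // EmbeddedObject is used to allow unmarshalling of the subject as a ReportableObject
+func (f *Assessment) UnmarshalJSON(data []byte) error {
+type plainAssessment Assessment
+var rawAssessment struct {
+plainAssessment // Embed without unmarshal method to avoid infinite recursion
+Subject EmbeddedObject `json:"subject"` // EmbeddedObject is used to allow unmarshalling of the subject as a AssessableObject
 }
-if err := json.Unmarshal(data, &rawFinding); err != nil {
+if err := json.Unmarshal(data, &rawAssessment); err != nil {
 return err
 }
-subject, ok := rawFinding.Subject.Object.(ReportableObject)
+subject, ok := rawAssessment.Subject.Object.(AssessableObject)
 if !ok {
 return fmt.Errorf("subject must implement the reportable interface")
 }
-*f = Finding(rawFinding.plainFinding) // Copy the fields from rawFinding to f
+*f = Assessment(rawAssessment.plainAssessment) // Copy the fields from rawAssessment to f
 f.Subject = subject
 
 // Resolve all references
@@ -115,14 +115,14 @@ func (f *Finding) UnmarshalJSON(data []byte) error {
 return nil
 }
 
-var _ common.Event = (*Finding)(nil)
+var _ common.Event = (*Assessment)(nil)
 
 type Context []ContextObject
 
 // ContextObject describes a relation of an object to another.
 type ContextObject struct {
-Object ReportableObject `json:"object" textlog:",expand"`
-// Relations describes how the object relates to the main subject of the finding.
+Object AssessableObject `json:"object" textlog:",expand"`
+// Relations describes how the object relates to the assessed subject.
 // There may be multiple relations, e.g. if the object is both the parent and the topmost ancestor of the subject.
 //
 // Relations should be ordered by relevance, i.e. the most important relation should be first.
@@ -145,7 +145,7 @@ func (c *ContextObject) UnmarshalJSON(data []byte) error {
 if err := json.Unmarshal(data, &rawContextObject); err != nil {
 return err
 }
-reportableObject, isReportable := rawContextObject.Object.Object.(ReportableObject)
+reportableObject, isReportable := rawContextObject.Object.Object.(AssessableObject)
 if !isReportable {
 return fmt.Errorf("object of type %q must implement the reportable interface", rawContextObject.Object.Object.EmbeddedHeader().Type)
 }
@@ -207,14 +207,14 @@ func (c Context) MarshalTextLog(t jsonlog.TextlogFormatter) jsonlog.TextlogEntry
 return result
 }
 
-const typeFinding = "THOR finding"
+const typeAssessment = "THOR assessment"
 
-func init() { AddLogObjectType(typeFinding, &Finding{}) }
+func init() { AddLogObjectType(typeAssessment, &Assessment{}) }
 
-func NewFinding(subject ReportableObject, message string) *Finding {
-return &Finding{
+func NewAssessment(subject AssessableObject, message string) *Assessment {
+return &Assessment{
 ObjectHeader: LogObjectHeader{
-Type: typeFinding,
+Type: typeAssessment,
 },
 Text: message,
 Subject: subject,
@@ -223,7 +223,7 @@ func NewFinding(subject ReportableObject, message string) *Finding {
 }
 
 // Message describes a THOR message printed during the scan.
-// Unlike Finding, this does not describe an analysis' result,
+// Unlike Assessment, this does not describe an analysis' result,
 // but rather something about the scan itself (e.g. how many IOCs were loaded).
 type Message struct {
 jsonlog.ObjectHeader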
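Review bot: The on-wire type string changes from `THOR finding` to `THOR assessment` (`const typeAssessment`) while `log_version` stays at v3, and `init()` now registers only the new string. As far as this section shows, records written before this commit would no longer resolve to a registered type when parsed, and downstream SIEM rules or forwarders that filter on `"type":"THOR finding"` would stop matching without any error. If the registry accepts more than one name per type, keep the legacy name registered next to the new one, e.g. `func init() { AddLogObjectType(typeAssessment, &Assessment{}); AddLogObjectType("THOR finding", &Assessment{}) }`; otherwise the format change should come with a log-version bump. The same rename reaches the generated schema (`#/$defs/Assessment` in generateschema.go) and replaces, rather than supplements, the `JsonV3Finding` case in parser_test.go, so no test pins how legacy records are handled. The marker method `reportable()` and both `must implement the reportable interface` errors still use the old vocabulary.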

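--- a/thorlog/v3/event_test.go
+++ b/thorlog/v3/event_test.go
@@ -117,18 +117,18 @@ func concatEntry(entry jsonlog.TextlogEntry) string {
 return builder.String()
 }
 
-func TestFinding_UnmarshalJSON(t *testing.T) {
-for i, finding := range []*Finding{
+func TestAssessment_UnmarshalJSON(t *testing.T) {
+for i, assessment := range []*Assessment{
 {
-ObjectHeader: LogObjectHeader{Type: typeFinding},
+ObjectHeader: LogObjectHeader{Type: typeAssessment},
 Meta: LogEventMetadata{
 Lvl: common.Alert,
 Mod: "Test",
 ScanID: "abdc",
 GenID: "abdas",
 Source: "aserarsd",
 },
-Text: "This is a test finding",
+Text: "This is a test assessment",
 Subject: NewFile("path/to/file"),
 EventContext: Context{
 {
@@ -146,27 +146,27 @@ func TestFinding_UnmarshalJSON(t *testing.T) {
 },
 } {
 t.Run(strconv.Itoa(i), func(t *testing.T) {
-jsonform, err := json.Marshal(finding)
+jsonform, err := json.Marshal(assessment)
 if err != nil {
 t.Fatal(err)
 }
 t.Log(string(jsonform))
-var newFinding Finding
-if err := json.Unmarshal(jsonform, &newFinding); err != nil {
+var newAssessment Assessment
+if err := json.Unmarshal(jsonform, &newAssessment); err != nil {
 t.Fatal(err)
 }
-newFinding.LogVersion = common.Version(newFinding.LogVersion.Major())
-if !reflect.DeepEqual(finding, &newFinding) {
-t.Errorf("UnmarshalJSON() = %+v, want %+v", newFinding, *finding)
+newAssessment.LogVersion = common.Version(newAssessment.LogVersion.Major())
+if !reflect.DeepEqual(assessment, &newAssessment) {
+t.Errorf("UnmarshalJSON() = %+v, want %+v", newAssessment, *assessment)
 }
 })
 }
 }
 
-func TestFinding_UnmarshalIssue(t *testing.T) {
-finding := `{"type":"THOR finding","meta":{"time":"2025-07-01T12:05:12.993789131+02:00","level":"Info","module":"ProcessCheck","scan_id":"S-pSxgCmyvvfs","event_id":"","hostname":"dummy"},"message":"process found","subject":{"type":"process","pid":502168,"name":"chromium","command":"/usr/lib/chromium/chromium","owner":"owner","image":{"type":"file","path":"/usr/lib/chromium/chromium","exists":"yes","extension":"","magic_header":"ELF","hashes":{"md5":"fc04ee20f064adc18e370c22512e268e","sha1":"2c8b7d05d25e04db9c169ce85e8e8f84321ef0c8","sha256":"0cf1727aa8dc3995d5aa103001f656b8ee8a1b3ffbc6d8664c5ad95cf225771f"},"first_bytes":{"hex":"7f454c4602010100000000000000000003003e00","ascii":"ELF\u003e"},"file_times":{"modified":"2025-06-25T19:45:43+02:00","accessed":"2025-07-01T08:46:56.750309598+02:00","changed":"2025-06-26T08:39:59.980605063+02:00"},"size":252546120,"permissions":{"type":"Unix permissions","owner":"root","group":"root","mask":{"user":{"readable":true,"writable":true,"executable":true},"group":{"readable":true,"writable":false,"executable":true},"world":{"readable":true,"writable":false,"executable":true}}}},"parent_info":{"pid":9011,"exe":"/usr/lib/chromium/chromium","command":"/usr/lib/chromium/chromium"},"tree":["/usr/lib/chromium/chromium","/usr/lib/chromium/chromium"],"created":"2025-07-01T12:00:05+02:00","session":"","listen_ports":null,"connections":[]},"score":0,"reasons":null,"reason_count":0,"context":null,"issues":[{"affected":"/subject/sections","category":"truncated","description":"Removed some sections from process memory (originally 638)"}],"log_version":"v3.0.0"}`
-var findingObj Finding
-if err := json.Unmarshal([]byte(finding), &findingObj); err != nil {
-t.Fatalf("Failed to unmarshal finding: %v", err)
+func TestAssessment_UnmarshalIssue(t *testing.T) {
+assessment := `{"type":"THOR assessment","meta":{"time":"2025-07-01T12:05:12.993789131+02:00","level":"Info","module":"ProcessCheck","scan_id":"S-pSxgCmyvvfs","event_id":"","hostname":"dummy"},"message":"process found","subject":{"type":"process","pid":502168,"name":"chromium","command":"/usr/lib/chromium/chromium","owner":"owner","image":{"type":"file","path":"/usr/lib/chromium/chromium","exists":"yes","extension":"","magic_header":"ELF","hashes":{"md5":"fc04ee20f064adc18e370c22512e268e","sha1":"2c8b7d05d25e04db9c169ce85e8e8f84321ef0c8","sha256":"0cf1727aa8dc3995d5aa103001f656b8ee8a1b3ffbc6d8664c5ad95cf225771f"},"first_bytes":{"hex":"7f454c4602010100000000000000000003003e00","ascii":"ELF\u003e"},"file_times":{"modified":"2025-06-25T19:45:43+02:00","accessed":"2025-07-01T08:46:56.750309598+02:00","changed":"2025-06-26T08:39:59.980605063+02:00"},"size":252546120,"permissions":{"type":"Unix permissions","owner":"root","group":"root","mask":{"user":{"readable":true,"writable":true,"executable":true},"group":{"readable":true,"writable":false,"executable":true},"world":{"readable":true,"writable":false,"executable":true}}}},"parent_info":{"pid":9011,"exe":"/usr/lib/chromium/chromium","command":"/usr/lib/chromium/chromium"},"tree":["/usr/lib/chromium/chromium","/usr/lib/chromium/chromium"],"created":"2025-07-01T12:00:05+02:00","session":"","listen_ports":null,"connections":[]},"score":0,"reasons":null,"reason_count":0,"context":null,"issues":[{"affected":"/subject/sections","category":"truncated","description":"Removed some sections from process memory (originally 638)"}],"log_version":"v3.0.0"}`
+var assessmentObj Assessment
+if err := json.Unmarshal([]byte(assessment), &assessmentObj); err != nil {
+t.Fatalf("Failed to unmarshal assessment: %v", err)
 }
 }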

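--- a/thorlog/v3/issue.go
+++ b/thorlog/v3/issue.go
@@ -2,7 +2,7 @@ package thorlog
 
 import "github.com/NextronSystems/jsonlog"
 
-// Issue describes a problem that occurred during the analysis of a scan target like a file or process.
+// Issue describes a problem that occurred during the assessment of a scan target like a file or process.
 // Often this will be an issue with displaying the results,
 // e.g. the results may be truncated due to size limitations.
 type Issue struct {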

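--- a/thorlog/v3/reason.go
+++ b/thorlog/v3/reason.go
@@ -7,7 +7,7 @@ import (
 "github.com/NextronSystems/jsonlog"
 )
 
-// Reason describes a match of a single Signature on a ReportableObject.
+// Reason describes a match of a single Signature on a AssessableObject.
 type Reason struct {
 jsonlog.ObjectHeader
 
@@ -38,11 +38,11 @@ func init() {
 type Signature struct {
 // Score is a metric that combines severity and certainty for this signature.
 //
-// It is related to the Finding.Score, which is derived from the scores of all
+// It is related to the Assessment.Score, which is derived from the scores of all
 // signatures that matched; however, signature scores are not limited to the
-// 0 to 100 interval of finding scores, but may also be negative to indicate
+// 0 to 100 interval of assessment scores, but may also be negative to indicate
 // a likely false positive (which results in a score reduction on any related
-// finding).
+// assessment).
 Score int64 `json:"score" textlog:"subscore"`
 // Ref contains references (usually as links) for further information about
 // the threat that is detected by this signature.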
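Review bot: The renamed doc comment on `Reason` now reads "a AssessableObject"; the new name starts with a vowel, so the article should change with it: `// Reason describes a match of a single Signature on an AssessableObject.` The same slip is in thorlog/v3/event.go, in the comment on the `Subject EmbeddedObject` field inside `UnmarshalJSON` ("as a AssessableObject").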
