file_analysis: Implement AnalyzerViolation() for file_analysis/Analyzer

Add a test parsing a malformed PE file showing that analyzer_violation_info is raised with the fa_file object set. It could be interesting to pass through an optional connection if one exists, but access is provided through f$conns, too.
2025-10-06 08:38:20 +00:00 · 2022-08-31 18:07:18 +02:00 · 2022-08-31 18:07:18 +02:00 · d5cd023dff
commit d5cd023dff
parent bc8fd5a4c6
10 changed files with 145 additions and 6 deletions
--- a/testing/btest/plugins/file-plugin/src/Foo.cc
+++ b/testing/btest/plugins/file-plugin/src/Foo.cc
@ -1,8 +1,8 @@
-
 #include "Foo.h"

 #include <zeek/file_analysis/File.h>
 #include <zeek/file_analysis/Manager.h>
+#include <algorithm>

 #include "events.bif.h"

@ -21,7 +21,16 @@ zeek::file_analysis::Analyzer* Foo::Instantiate(zeek::RecordValPtr args,

 bool Foo::DeliverStream(const u_char* data, uint64_t len)
 	{
+	static int i = 0;
+	AnalyzerConfirmation();
 	zeek::event_mgr.Enqueue(foo_piece, GetFile()->ToVal(),
 	                        zeek::make_intrusive<zeek::StringVal>(new zeek::String(data, len, 0)));
+	if ( ++i % 5 == 0 )
+		{
+		uint64_t threshold = 16;
+		AnalyzerViolation(zeek::util::fmt("test violation %d", i),
+		                  reinterpret_cast<const char*>(data), std::min(len, threshold));
+		}
+
 	return true;
 	}