Revert "Revert "Adds a CI job for testing code changes against known samples on the m…""

[jeFF0Falltrades]

Reverts #39

Sigh....it's late and I reverted the wrong PR

[gemini-code-assist]

Summary of Changes

Hello @jeFF0Falltrades, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request serves to correct an accidental revert, thereby restoring a critical CI pipeline component. It reintroduces a comprehensive testing framework that validates the rat-king-parser's functionality against a diverse set of known malware samples. This ensures the parser's continued accuracy and robustness in identifying and extracting configuration details from various Remote Access Trojans.

Highlights

• CI Job Reinstatement: This pull request effectively reinstates a Continuous Integration (CI) job that tests code changes against a suite of known malware samples, correcting a previous erroneous revert.
• New Expected Sample Outputs: Multiple new JSON files have been added under tests/expected/, providing predefined expected parsing results for various Remote Access Trojan (RAT) families, including dcrat, asyncrat, quasarrat, xworm, venomrat, and xenorat.
• Development Dependency Update: The pyproject.toml file has been updated to include pytest as a development dependency, which is essential for running the newly restored sample-based tests.
• Version Bump: The project version has been incremented from 4.2.1 to 4.2.2 in src/rat_king_parser/_version.py.
• Git Ignore Updates: The .gitignore file has been updated to include bin/ and tests/samples/, ensuring these directories are properly excluded from version control.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/ci.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request re-introduces a CI job for testing code changes against known malware samples. This includes adding a new test file, expected output data, updating project dependencies with pytest, and modifying .gitignore. The changes are solid and significantly improve the project's testing infrastructure. My review includes one suggestion to improve the maintainability of the new test script by reducing code duplication.

[gemini-code-assist]

The normalize_output function hardcodes the keys for normalization. This creates a duplication with ALLOWED_FIELDS and can lead to maintenance issues. For instance, if a new deterministic field is added, it must be updated in both ALLOWED_FIELDS and this function. A more maintainable approach would be to derive the fields for normalization from ALLOWED_FIELDS.

I suggest defining the set of fields to normalize by subtracting the non-deterministic fields from ALLOWED_FIELDS. This makes the relationship between these parts of the code explicit and easier to maintain.

Suggested change

	def normalize_output(data: dict) -> dict:
	"""
	Strip non-deterministic or environment-specific fields
	"""
	return {
	"sha256": data.get("sha256"),
	"yara_possible_family": data.get("yara_possible_family"),
	"key": data.get("key"),
	"salt": data.get("salt"),
	"config": data.get("config"),
	}
	def normalize_output(data: dict) -> dict:
	"""
	Strip non-deterministic or environment-specific fields
	"""
	fields_to_normalize = ALLOWED_FIELDS - {
	"file_path", # This field is environment-specific
	}
	return {
	key: data.get(key)
	for key in fields_to_normalize
	}