# rcs-check-device-evidence.rb
#
# Questo script analizza un file txt (ottenuto esportando un evidence di tipo device)
# riportando eventuali antivirus/analysis tool software rilevati.

require 'optparse'

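# Show the usage text when the script is started with no arguments at all.
ARGV << '--help' if ARGV.empty?

# Command-line parsing. The only option is -f, the path of the exported
# device evidence; its value is kept in @device_evidence_path for the scan
# that follows.
OptionParser.new do |parser|
  parser.on("-f FILEPATH", String, "Path of the device evidence (usually is a .txt file with the application list)") do |path|
    @device_evidence_path = path
  end
end.parse!

# -f is mandatory: without it the file read below would raise a TypeError
# on nil, so fail early with a readable message instead.
abort "Missing required option -f FILEPATH (see --help)" unless @device_evidence_path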


$LOAD_PATH.unshift(File.dirname(__dir__))

require 'bundler/setup'
require 'rcs-common/path_utils'
require_relative '../lib/rcs-db/blacklist'

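# Compile every blacklist pattern once, up front, rather than once per
# evidence line. Both lists come from RCS::DB::Blacklist (project data),
# never from the evidence file: evidence lines are only the subject of a
# match and are never turned into a Regexp themselves.
#
# Analysis-tool entries are plain regexp sources.
analysis_patterns = []
RCS::DB::Blacklist.each_analysis do |source|
  analysis_patterns << Regexp.new(source, Regexp::IGNORECASE)
end

# Antivirus entries are "|"-separated rules: the whole rule is kept for the
# report, and only its last field is compiled as the pattern.
# NOTE(review): the meaning of the leading fields is not visible here —
# confirm against the blacklist format before relying on it.
av_patterns = []
RCS::DB::Blacklist.each_av do |rule|
  av_patterns << [rule, Regexp.new(rule.split("|").last, Regexp::IGNORECASE)]
end

# Stream the evidence file line by line. chomp drops "\r\n" as well as
# "\n", so CRLF exports are matched (and reported) without a stray "\r";
# with_index(1) reports 1-based line numbers, as an editor shows them.
File.foreach(@device_evidence_path).with_index(1) do |raw_line, line_num|
  line = raw_line.chomp
  # The evidence content is echoed verbatim (whitespace-trimmed) in the report.
  text = line.strip

  analysis_patterns.each do |regexp|
    puts "Analysis tool #{regexp} matched at line #{line_num}: #{text}" if line =~ regexp
  end

  av_patterns.each do |rule, regexp|
    puts "Antivirus #{rule} matched at line #{line_num}: #{text}" if line =~ regexp
  end
end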
