This package provides a simple on-disk store for findings generated by THOR scans.
Both findings and the content that was matched on (typically the file content) are stored, with both referencing each other. A finding will have none or one content item, while a content item may be referenced by multiple findings.
The store is a directory with the following structure:
├── findings
│ └── ab
│ ├── abcdef1234567890
│ └── abcdef1234567890.hash
└── samples
└── 1e
├── 1edc8bf0596dcdc0ca93b6dd89e14b57d0b4faf5da534d5487f9ed7ad0eb7e06
└── 1edc8bf0596dcdc0ca93b6dd89e14b57d0b4faf5da534d5487f9ed7ad0eb7e06.metadata
Where:
-
findings/contains the findings, organized by their first two characters of the finding ID.Each finding is stored in a file named after the finding ID, with an additional
.hashfile containing the SHA256 hash of the finding. -
samples/contains the content matched on, organized by the first two characters of the content's SHA256 hash.Each content item is stored in a file named after its SHA256 hash, with an additional
.metadatafile containing the findings that reference this content item in newline delimited JSON format.
Optionally, by setting Layout.Flat to true, the store can be configured to not create subdirectories under findings/ and samples/, but instead store all findings and samples in a single directory each.