feat(gha): update gha, update Dockerfile and add clamv, tree outputs

.github/renovate.json5

@@ -1,14 +1,16 @@
 {
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  // Keep the extends started with ":" at the end of the list to allow overriding
   extends: [
     "config:recommended",
     "docker:pinDigests",
     "helpers:pinGitHubActionDigestsToSemver",
     "security:openssf-scorecard",
     ":disableDependencyDashboard",
-    ":docker",
     ":disableRateLimiting",
+    ":docker",
     ":enableVulnerabilityAlertsWithLabel(security)",
+    ":pinSkipCi",
   ],
   "git-submodules": {
     enabled: true,

.github/workflows/mega-linter.yml

@@ -38,8 +38,9 @@ jobs:
           chmod a+x README.sh
 
       - name: 💡 MegaLinter
-        uses: oxsecurity/megalinter@a7a0163b6c8ff7474a283d99a706e27483ddd80f # v7.10.0
+        uses: oxsecurity/megalinter@03986e6993ccf699a22451118520680b438e7d2a # v7.11.1
         env:
           GITHUB_COMMENT_REPORTER: false
-          GITHUB_STATUS_REPORTER: true
+          # Disabled due to error: [GitHub Status Reporter] Error posting Status for REPOSITORY with ...: 403
+          GITHUB_STATUS_REPORTER: false
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/renovate.yml

@@ -20,7 +20,7 @@ on:
       - main
       - "!renovate/*"
   schedule:
-    - cron: "0 0,2,4 * * 0"
+    - cron: "0 0-3 * * 0"
 
 env:
   # https://docs.renovatebot.com/troubleshooting/#log-debug-levels
@@ -45,6 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
+    permissions: write-all
     steps:
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
@@ -53,9 +54,9 @@ jobs:
         id: app-token
         with:
           app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
-          private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"
+          private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}
 
       - name: 💡 Self-hosted Renovate
-        uses: renovatebot/github-action@2d90417499f45ff78a09586f7b9874b19817dba3 # v40.1.0
+        uses: renovatebot/github-action@89bd050bafa5a15de5d9383e3129edf210422004 # v40.1.5
         with:
-          token: "${{ steps.app-token.outputs.token }}"
+          token: ${{ steps.app-token.outputs.token }}

.github/workflows/semantic-pull-request.yml

@@ -2,6 +2,7 @@
 name: semantic-pull-request
 
 on:
+  workflow_dispatch:
   pull_request_target:
     types:
       - opened
@@ -15,6 +16,12 @@ jobs:
   semantic-pull-request:
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
+      - uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
+        id: app-token
+        with:
+          app-id: ${{ secrets.MY_RENOVATE_GITHUB_APP_ID }}
+          private-key: ${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}
+
+      - uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e # v5.5.2
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/stale.yml

@@ -2,6 +2,7 @@
 name: stale
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: "9 9 * * *"
 

.mega-linter.yml

@@ -33,7 +33,7 @@ REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS16
 
 REPOSITORY_KICS_ARGUMENTS: --fail-on high
 
-REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL
+REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL --ignore-unfixed
 
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
   - GITHUB_TOKEN

Dockerfile

@@ -1,6 +1,6 @@
-FROM python:3.12.0-alpine3.17@sha256:fc34b07ec97a4f288bc17083d288374a803dd59800399c76b977016c9fe5b8f2 as build
+FROM python:3.12-alpine3.19 as build
 
-ENV XMRIG_VERSION="6.20.0"
+ENV XMRIG_VERSION="6.21.3"
 
 # xmrig
 RUN set -eux && \
@@ -10,19 +10,25 @@ RUN set -eux && \
     tar xvzf /mnt/xmrig/xmrig-linux-static-x64.tar.gz -C /mnt/xmrig/ --strip-components=1 "xmrig-${XMRIG_VERSION}/xmrig"
 
 # Compile own version of xmrig cryptominer
+# hadolint ignore=DL3003
 RUN set -eux && \
     if [ "$(uname -m)" = "x86_64" ]; then \
-      apk add --no-cache git make cmake libstdc++ gcc g++ libuv-dev openssl-dev hwloc-dev && \
+      apk add --no-cache automake autoconf cmake g++ gcc git libstdc++ libtool linux-headers make && \
       git clone --branch "v${XMRIG_VERSION}" https://github.com/xmrig/xmrig && \
       sed -i \
         -e 's/APP_ID.*/APP_ID "myxmrig"/' \
         -e 's/APP_NAME.*/APP_NAME "My XMRig"/' \
         -e 's/APP_DESC.*/APP_DESC "My XMRig miner"/' \
         -e 's/APP_VERSION.*"\(.*\)"/APP_VERSION "\1-my"/' \
         xmrig/src/version.h && \
-      cmake -S xmrig -B xmrig/build && make -C xmrig/build -j"$(nproc)" && \
-      ./xmrig/build/xmrig --version && \
-      mv ./xmrig/build/xmrig /mnt/xmrig/my-xmrig ; \
+      mkdir xmrig/build && \
+      cd xmrig/scripts && \
+      ./build_deps.sh && \
+      cd xmrig/build && \
+      cmake .. -DXMRIG_DEPS=scripts/deps -DBUILD_STATIC=ON && \
+      make -j"$(nproc)" ) && \
+      xmrig/build/xmrig --version && \
+      mv xmrig/build/xmrig /mnt/xmrig/my-xmrig ; \
     fi
 
 # eicar
@@ -44,7 +50,7 @@ RUN set -eux && \
     # Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0
     wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Virus/Melissa.doc"                                                                                                 -O /mnt/Melissa.doc && \
     # Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>
-    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6" -O /mnt/TrojanSpy.MacOS.XCSSET.A && \
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6" -O /mnt/TrojanSpy.MacOS.XCSSET.A.bin && \
     # DOS executable (COM)
     wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Virus/Walker.com"                                                                                                  -O /mnt/Walker.com && \
     # PE32 executable (GUI) Intel 80386, for MS Windows
@@ -81,14 +87,20 @@ RUN set -eux && \
     # Java archive data (JAR)
     wget -q "https://github.com/HonbraDev/fractureiser-samples/raw/221bcc4bf45d5896f8908b21d5a8f3e7fcbc2875/stage-0-infected-DisplayEntityEditor-1.0.4.jar"                                                                -O /mnt/Trojan.Java.Fractureiser.MTB.jar
 
+RUN set -eux && \
+    apk add --no-cache clamav file tree && \
+    freshclam --quiet && \
+    tree --dirsfirst /mnt/ && \
+    file /mnt/eicar/* /mnt/xmrig/* /mnt/* && \
+    ( clamscan --infected --no-summary --recursive /mnt/ || true )
+
 COPY img /mnt/img
 COPY README.md /mnt/
 
 RUN set -eux && \
-    # Bug with versions: https://github.com/joeyespo/grip/issues/377
     # renovate: datasource=pypi depName=grip
     GRIP_VERSION="4.6.2" && \
-    pip install --no-cache-dir grip=="${GRIP_VERSION}" flask==2.3.3 werkzeug==2.3.7 && \
+    pip install --no-cache-dir grip=="${GRIP_VERSION}" && \
     grip /mnt/README.md --export /mnt/index.html
 
 ################################################################################

README.md

@@ -33,7 +33,7 @@ Security tools should be able to scan the image and discover harmful files.
 > do not "activate" / "execute" the malware.
 
 - Container Image:
-  - [quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2](https://quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2)
+  - [quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0](https://quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0)
 - Container Registry:
   - <https://quay.io/repository/petr_ruzicka/malware-cryptominer-container?tab=tags>
 - Container build pipeline:
@@ -54,39 +54,48 @@ The malware/crypto miner are located in the `/usr/share/nginx/html` directory:
 
 ```text
 /usr/share/nginx/html
+├── eicar
+│   ├── eicar.com                     [EICAR virus test files]
+│   ├── eicar.com.txt                 [EICAR virus test files]
+│   └── eicarcom2.zip                 [Zip archive data, at least v1.0 to extract]
+├── xmrig
+│   ├── my-xmrig                      [ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped]
+│   ├── xmrig                         [ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped]
+│   └── xmrig-linux-static-x64.tar.gz [gzip compressed data, from Unix, original size modulo 2^32 8291840]
 ├── ILOVEYOU.vbs                      [C source, ASCII text]
 ├── Invoke-ConPtyShell.ps1            [ASCII text, with very long lines (361)]
 ├── L0Lz.bat                          [DOS batch file, ASCII text]
 ├── Linux.Trojan.Multiverze.elf.x86   [ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped]
-├── MadMan.exe                        [MS-DOS executable]
+├── MadMan.exe                        [MS-DOS executable, MZ for MS-DOS]
 ├── Melissa.doc                       [Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0]
 ├── Py.Trojan.NecroBot.py             [Python script, ASCII text executable, with very long lines (4330), with CRLF line terminators]
-├── TrojanSpy.MacOS.XCSSET.A          [Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
-├── Trojan.Java.Fractureiser.MTB.jar  [Trojan:Java/Fractureiser!MTB]
+├── Trojan.Java.Fractureiser.MTB.jar  [Java archive data (JAR)]
+├── TrojanSpy.MacOS.XCSSET.A.bin      [Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
 ├── Txt.Malware.Sustes.sh             [Bourne-Again shell script, ASCII text executable]
 ├── Unix.Downloader.Rocke.sh          [POSIX shell script, ASCII text executable]
-├── Unix.Malware.Kaiji.elf.arm        [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=9fdmXJhReUX31Gj9ZEYg/ufudXOOpAambiyMItr13/otwZTTTdWsnO_OuvAAn-/qn6mMLxbKwGft_Ecoum6, stripped]
+├── Unix.Malware.Kaiji.elf.arm        [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go, stripped]
 ├── Unix.Trojan.Mirai.elf.m68k        [ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped]
 ├── Unix.Trojan.Mirai.elf.mips        [ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped]
 ├── Unix.Trojan.Mirai.elf.ppc         [ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped]
 ├── Unix.Trojan.Mirai.elf.sparc       [ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped]
 ├── Unix.Trojan.Mirai.elf.x86_64      [ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped]
 ├── Unix.Trojan.Spike.elf.arm         [ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped]
 ├── Walker.com                        [DOS executable (COM), start instruction 0xe9cd04e8 5400e871]
-├── WannaCry.exe                      [PE32 executable (GUI) Intel 80386, for MS Windows]
+├── WannaCry.exe                      [PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections]
 ├── Win.Trojan.Perl.perl              [Perl script text executable]
-├── Zloader.xlsm                      [Microsoft Excel 2007+]
-├── eicar
-│   ├── eicar.com                     [EICAR virus test files]
-│   ├── eicar.com.txt                 [EICAR virus test files]
-│   └── eicarcom2.zip                 [Zip archive data, at least v1.0 to extract]
-└── xmrig
-    ├── xmrig                         [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped]
-    └── xmrig-linux-static-x64.tar.gz [gzip compressed data, last modified: Sun Oct 23 10:50:44 2022, from Unix, original size modulo 2^32 8898560]
+└── Zloader.xlsm                      [Microsoft Excel 2007+]
 ```
 
 List of malware/ransomware/crypto miner files:
 
+- [eicar](https://secure.eicar.org/eicar.com)
+  [EICAR virus test files]
+  - [Virustotal](https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f)
+  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/)
+- [xmrig](https://xmrig.com/)
+  [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped]
+  - [Virustotal](https://www.virustotal.com/gui/file/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404)
+  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404)
 - [ILOVEYOU.vbs](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Email-Worm/ILOVEYOU.vbs)
   [C source, ASCII text]
   - [Virustotal](https://www.virustotal.com/gui/file/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1)
@@ -174,22 +183,14 @@ List of malware/ransomware/crypto miner files:
   [PE32 executable (GUI) Intel 80386, for MS Windows]
   - [Virustotal](https://www.virustotal.com/gui/file/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844)
   - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844)
-- [Zloader.xlsm](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Banking-Malware/Zloader.xlsm)
-  [Microsoft Excel 2007+]
-  - [Virustotal](https://www.virustotal.com/gui/file/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c)
-  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c)
 - [Win.Trojan.Perl.perl](https://github.com/timb-machine/linux-malware/raw/main/malware/binaries/Win.Trojan.Perl/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44.perl)
   [Perl script text executable]
   - [Virustotal](https://www.virustotal.com/gui/file/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44)
   - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44)
-- [eicar](https://secure.eicar.org/eicar.com)
-  [EICAR virus test files]
-  - [Virustotal](https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f)
-  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/)
-- [xmrig](https://xmrig.com/)
-  [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped]
-  - [Virustotal](https://www.virustotal.com/gui/file/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404)
-  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/0ad68d5804804c25a6f6f3d87cc3a3886583f69b7115ba01ab7c6dd96a186404)
+- [Zloader.xlsm](https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Banking-Malware/Zloader.xlsm)
+  [Microsoft Excel 2007+]
+  - [Virustotal](https://www.virustotal.com/gui/file/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c)
+  - [Hybrid Analysis](https://www.hybrid-analysis.com/sample/90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c)
 
 ## Deployment of the vulnerable image
 
@@ -206,7 +207,7 @@ export AWS_DEFAULT_REGION="eu-central-1"
 
 aws cloudformation deploy --capabilities CAPABILITY_IAM \
   --stack-name "${USER}-malware-cryptominer-container-ec2" \
-  --parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2" \
+  --parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0" \
   --template-file EC2InstanceWithDockerSample.yaml \
   --tags "Name=${USER}-malware-cryptominer-container-ec2"
 
@@ -222,7 +223,7 @@ example:
 export AWS_DEFAULT_REGION="eu-central-1"
 
 copilot init --app "${USER}-malware-cryptominer-app" --name "${USER}-malware-cryptominer" \
-  --image quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2 \
+  --image quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0 \
   --type 'Load Balanced Web Service' --port 8080 --deploy
 
 # copilot app delete --name "${USER}-malware-cryptominer-app"
@@ -238,7 +239,7 @@ export CLUSTER_NAME="${USER}-malware-cryptominer-eks"
 export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
 
 eksctl create cluster --name "${CLUSTER_NAME}" --instance-types t3a.small --kubeconfig "${KUBECONFIG}"
-kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
+kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0
 
 # eksctl delete cluster --name "${CLUSTER_NAME}"
 ```
@@ -813,7 +814,7 @@ End Date:   2023:01:04 08:06:51
 ## Verify image integrity
 
 ```bash
-IMAGE="quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2"
+IMAGE="quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0"
 
 cosign verify "${IMAGE}" | jq
 cosign verify "${IMAGE}" | jq -r '.[].optional| .Issuer + " | " + .Subject + " | " + .githubWorkflowRef + " | https://rekor.tlog.dev/?logIndex=" + (.Bundle.Payload.logIndex|tostring)'
@@ -848,5 +849,5 @@ docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 malware-crypto
 Run in Kubernetes:
 
 ```bash
-kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
+kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.2.0
 ```