From 87f9e02685dbe5f33235262c4204331f6d36fcb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johannes=20B=C3=BClow?=
Date: Tue, 19 Sep 2023 08:37:12 +0200
Subject: [PATCH] added container for doing static analysis of files
---
.woodpecker/builder.yml | 28 ++++++++++++
.woodpecker/static-analysis.yml | 28 ++++++++++++
.woodpecker.yml => .woodpecker/vm-builder.yml | 15 -------
staticanalysis/Dockerfile | 44 +++++++++++++++++++
staticanalysis/yara-rules | 2 +
5 files changed, 102 insertions(+), 15 deletions(-)
create mode 100644 .woodpecker/builder.yml
create mode 100644 .woodpecker/static-analysis.yml
rename .woodpecker.yml => .woodpecker/vm-builder.yml (66%)
create mode 100644 staticanalysis/Dockerfile
create mode 100755 staticanalysis/yara-rules
diff --git a/.woodpecker/builder.yml b/.woodpecker/builder.yml
new file mode 100644
index 0000000..7e47056
--- /dev/null
+++ b/.woodpecker/builder.yml
@@ -0,0 +1,28 @@
+# Build and publish Docker images for multible architectures.
+#
+# Pushing an image to codeberg as container registry,
+# package owner will be the repo owner.
+#
+# this config also shows usage of yaml aliases and
+# was taken from https://codeberg.org/6543/docker-images/src/commit/37e29c227717c1c07d2776cddcf14725bf952875/.woodpecker/hello.yml
+
+when:
+ branch: main
+
+steps:
+ publish-builder:
+ image: woodpeckerci/plugin-docker-buildx
+ settings:
+ dockerfile: builder/Dockerfile
+ platforms: linux/arm64/v8,linux/amd64
+ repo: git.jmbit.de/filegate/utility-containers
+ registry: git.jmbit.de
+ tags:
+ - builder-latest
+ - builder
+ username: jmb
+ password:
+ from_secret: forgejo_token
+ when:
+ event: push
+
diff --git a/.woodpecker/static-analysis.yml b/.woodpecker/static-analysis.yml
new file mode 100644
index 0000000..95c1363
--- /dev/null
+++ b/.woodpecker/static-analysis.yml
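Review bot: The header comment of this new file is stale: it says the image is pushed to codeberg and that the config "shows usage of yaml aliases", but the step publishes to `registry: git.jmbit.de` and the file contains no aliases, so the next reader is pointed at the wrong registry. Replace the first four comment lines with something like `# Build and publish the builder image for multiple architectures to git.jmbit.de.` and keep the attribution link. The plugin image `woodpeckerci/plugin-docker-buildx` is also untagged, so every pipeline run pulls whatever `latest` currently is; pinning it to a published release (`woodpeckerci/plugin-docker-buildx:<version>`) makes the publish step reproducible. The same stale comment and untagged plugin image appear in .woodpecker/static-analysis.yml.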
@@ -0,0 +1,28 @@
+# Build and publish Docker images for multible architectures.
+#
+# Pushing an image to codeberg as container registry,
+# package owner will be the repo owner.
+#
+# this config also shows usage of yaml aliases and
+# was taken from https://codeberg.org/6543/docker-images/src/commit/37e29c227717c1c07d2776cddcf14725bf952875/.woodpecker/hello.yml
+
+when:
+ branch: main
+
+steps:
+ publish-builder:
+ image: woodpeckerci/plugin-docker-buildx
+ settings:
+ dockerfile: staticanalysis/Dockerfile
+ platforms: linux/arm64/v8,linux/amd64
+ repo: git.jmbit.de/filegate/utility-containers
+ registry: git.jmbit.de
+ tags:
+ - staticanalysis-latest
+ - staticanalysis
+ username: jmb
+ password:
+ from_secret: forgejo_token
+ when:
+ event: push
+
diff --git a/.woodpecker.yml b/.woodpecker/vm-builder.yml
similarity index 66%
rename from .woodpecker.yml
rename to .woodpecker/vm-builder.yml
index 11af8d6..218553a 100644
--- a/.woodpecker.yml
+++ b/.woodpecker/vm-builder.yml
@@ -10,21 +10,6 @@ when:
 branch: main
 steps:
- publish-builder:
- image: woodpeckerci/plugin-docker-buildx
- settings:
- dockerfile: builder/Dockerfile
- platforms: linux/arm64/v8,linux/amd64
- repo: git.jmbit.de/filegate/utility-containers
- registry: git.jmbit.de
- tags:
- - builder-latest
- - builder
- username: jmb
- password:
- from_secret: forgejo_token
- when:
- event: push
 publish-vm-builder:
 image: woodpeckerci/plugin-docker-buildx
 settings:
diff --git a/staticanalysis/Dockerfile b/staticanalysis/Dockerfile
new file mode 100644
index 0000000..8e63305
--- /dev/null
+++ b/staticanalysis/Dockerfile
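Review bot: The step is still named `publish-builder:` although it builds `staticanalysis/Dockerfile` and tags the result `staticanalysis`, a copy-paste leftover from builder.yml that makes logs and step filters ambiguous once both pipelines run; rename it to `publish-static-analysis:`. Apart from the dockerfile and tags the file duplicates .woodpecker/builder.yml line for line, so a shared pipeline definition parameterised on the image name would keep the two from drifting.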
@@ -0,0 +1,44 @@
+FROM debian:latest
+LABEL authors="Johannes Bülow "
+WORKDIR /tmp/crap
+RUN export DEBIAN_FRONTEND="noninteractive" \
+ && apt-get update \
+ && apt-get upgrade -y \
+ && apt-get install --no-install-recommends -y bash wget curl yara zip unzip git file binutils msitools exif coreutils \
+ python3-pip libsqlite3-dev
+## TRID
+RUN wget https://mark0.net/download/trid_linux_64.zip \
+ && unzip trid_linux_64.zip \
+ && chmod +x trid \
+ && mv trid /usr/local/bin/trid
+## YARA
+COPY ./yara-rules /usr/local/bin/yara-rules
+RUN git clone https://github.com/Yara-Rules/rules.git /usr/local/src/yara-rules
+## Detect-It-Easy
+RUN wget https://github.com/horsicq/DIE-engine/releases/download/3.08/die_3.08_Debian_12_amd64.deb -O die.deb\
+ && apt-get install --no-install-recommends -y ./die.deb
+## PiP stuff
+#RUN pip3 install stringsifter pyelftools dotnetfile peframe-ds flare-floss oletools
+RUN pip3 install stringsifter pyelftools dotnetfile flare-floss oletools
+## Manalyze
+RUN apt-get install -y libboost-regex-dev libboost-program-options-dev libboost-system-dev libboost-filesystem-dev libssl-dev build-essential cmake git python3-dev \
+ && git clone https://github.com/JusticeRage/Manalyze.git && cd Manalyze \
+ && cmake . \
+ && make -j5 \
+ && make install \
+ && cd /tmp/crap
+## dllcharacteristics
+RUN wget https://raw.githubusercontent.com/accidentalrebel/dllcharacteristics.py/master/dllcharacteristics.py -O /usr/local/bin/dllcharacteristics.py \
+ && chmod +x /usr/local/bin/dllcharacteristics.py
+## Malchive
+RUN git clone https://github.com/MITRECND/malchive.git && cd malchive && pip install . && cd /tmp/crap
+## CAPA
+RUN wget https://github.com/mandiant/capa/releases/download/v6.1.0/capa-v6.1.0-linux.zip -O capa.zip \
+ && unzip capa.zip && chmod +x capa && mv capa /usr/local/bin/
+## CLEANUP
+RUN apt-get -y autoremove \
+ && apt-get clean -y \
+ && unset DEBIAN_FRONTEND \
+ && rm -rf /tmp/crap
+
+
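Review bot: Every third-party artifact this image is built from is fetched without integrity verification — the trid and capa zips, the DIE .deb and dllcharacteristics.py via `wget`, the unpinned `pip3 install` packages, and the Yara-Rules, Manalyze and malchive repositories cloned at whatever their HEAD is at build time — so a compromised or replaced upstream silently changes the tooling this analysis container runs, and together with `FROM debian:latest` no two builds are reproducible. Pin each download to a release and verify it in the same `RUN`, e.g. after the capa `wget` add `&& echo "<expected-sha256>  capa.zip" | sha256sum -c -`, pin the clones with `git clone --branch <tag-or-commit> --depth 1 …` (or a `git checkout <commit>` right after the clone), and pin the base image (`FROM debian:12`). Note that `export DEBIAN_FRONTEND` and the final `unset DEBIAN_FRONTEND` only affect the shell of their own `RUN`, so the later `apt-get install` calls run without it, and `rm -rf /tmp/crap` in the last layer does not remove the Manalyze sources, the .deb and the zips that earlier layers already committed — download, build and clean up within one `RUN`, or build Manalyze in a separate stage, to actually shrink the image. The final image also has no `USER` directive, so the analysis tools run as root in the container.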
diff --git a/staticanalysis/yara-rules b/staticanalysis/yara-rules
new file mode 100755
index 0000000..fbb8c81
--- /dev/null
+++ b/staticanalysis/yara-rules
@@ -0,0 +1,2 @@
+#!/bin/bash
+yara -w /usr/local/src/yara-rules/index.yar "${*}"
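Review bot: `"${*}"` joins every argument into a single word, so invoking the wrapper with more than one sample (`yara-rules a.bin b.bin`) hands yara the nonexistent path `a.bin b.bin` instead of scanning both files; forward the arguments individually with `exec yara -w /usr/local/src/yara-rules/index.yar "$@"`. The `exec` additionally lets yara replace the shell so its exit status and signals reach the caller directly. A one-line header comment such as `# Scan the given files with the Yara-Rules index cloned in the Dockerfile.` would tell a reader where index.yar comes from.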