prueba

.github/workflows/tmas_workflow.yml

@@ -0,0 +1,70 @@
+name: Publish Docker image
+
+on: 
+  push:
+    branches: 
+      - master
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  TMAS_API_KEY: ${{ secrets.TMAS_API_KEY }} 
+jobs:
+  push_to_registries:
+    name: Push Docker image to multiple registries
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check if secret exists
+        run: |
+          if [ -z "${MY_SECRET}" ]; then
+            echo "Secret MY_SECRET NO existe o está vacío"
+            exit 1
+          else
+            echo "Secret MY_SECRET está configurado"
+          fi
+        env:
+          MY_SECRET: ${{ secrets.TMAS_API_KEY }}
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@main
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Download TMAS and Scan Repo for Open Source Vulnerabilities and Secrets
+        uses: trendmicro/tmas-scan-action@v3.0.1
+        with:
+          version: '2' # Recommended: pin to major version for automatic updates within v2.x.x
+          vulnerabilitiesScan: true
+          malwareScan: false
+          secretsScan: true
+          artifact: dir:./
+          additionalArgs: --region=us-east-1
+          tmasApiKey: ${{ env.TMAS_API_KEY }}
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          REGISTRY: ghcr.io
+          IMAGE_NAME: ${{ github.repository }}
+          TMAS_API_KEY: ${{ env.TMAS_API_KEY }} 
+
+      - name: 'Upload Scan Result Artifact'
+        uses: actions/upload-artifact@v4
+        with:
+          name: scan-result
+          path: result.json
+          retention-days: 30

.gitignore

@@ -0,0 +1,2 @@
+
+node_modules/*

ArtifactScannerReport.py

@@ -0,0 +1,80 @@
+import sys
+import pandas as pd
+import json
+
+
+def format_related_vulnerabilities(related_vulns):
+    """Formatea las vulnerabilidades relacionadas en una cadena de texto."""
+    formatted_vulns = []
+    for vuln in related_vulns:
+        summary = "; ".join([f"{summary['cvssVersion']}: {summary['cvssAttackVector']}/{summary['cvssAttackComplexity']}/{summary['cvssAvailabilityImpact']}" for summary in vuln.get('cvssSummaries', [])])
+        formatted_vulns.append(f"{vuln['id']} (Severidad: {vuln['severity']}, Resumen CVSS: {summary})")
+    return ", ".join(formatted_vulns)
+
+# Función para aplanar y extraer los datos de la sección 'vulnerability'
+def format_summary_vulnerabilities(vulnerability_data):
+    resumen_vulnerabilidades = {
+        "Total Vulnerabilidades":  vulnerability_data["totalVulnCount"],
+        "Críticas": vulnerability_data["criticalCount"],
+        "Altas": vulnerability_data["highCount"],
+        "Medias": vulnerability_data["mediumCount"],
+        "Bajas": vulnerability_data["lowCount"],
+        "Negligibles": vulnerability_data["negligibleCount"],
+        "Desconocidas": vulnerability_data["unknownCount"]
+    }
+
+    # Convertir el resumen en un DataFrame
+    df_resumen = pd.DataFrame([resumen_vulnerabilidades])
+
+    # Preparar detalles de los hallazgos
+    detalles_vulnerabilidades = []
+    for severity, findings in vulnerability_data["findings"].items():
+        for finding in findings:
+            finding["relatedVulnerabilities"] = format_related_vulnerabilities(finding.get("relatedVulnerabilities", []))
+            finding["severity"] = severity  # Añadir la severidad a cada hallazgo
+            detalles_vulnerabilidades.append(finding)
+
+    df_detalles = pd.json_normalize(detalles_vulnerabilidades)
+
+    return df_resumen, df_detalles
+
+def export_file(df_resumen, df_detalles, nombre_imagen):
+    with pd.ExcelWriter(f"reporte_vulnerabilidades-{nombre_imagen}.xlsx", engine="xlsxwriter") as writer:
+        df_resumen.to_excel(writer, sheet_name="Resumen", index=False)
+        df_detalles.to_excel(writer, sheet_name="Detalles", index=False)
+        workbook  = writer.book
+        worksheet_resumen = writer.sheets['Resumen']
+        worksheet_detalles = writer.sheets['Detalles']
+
+        # Estilos personalizados
+        header_format = workbook.add_format({
+            'bold': True,
+            'text_wrap': True,
+            'valign': 'top',
+            'fg_color': '#95b6fc',
+            'border': 1})
+
+        # Aplicar estilos a los encabezados
+        for col_num, value in enumerate(df_resumen.columns.values):
+            worksheet_resumen.write(0, col_num, value, header_format)
+        for col_num, value in enumerate(df_detalles.columns.values):
+            worksheet_detalles.write(0, col_num, value, header_format)
+
+        # Ajustar el ancho de las columnas
+        worksheet_resumen.set_column('A:H', 20)
+        worksheet_detalles.set_column('A:I', 20)
+    print(f"Reporte generado: reporte_vulnerabilidades-{nombre_imagen}.xlsx")
+
+def main():
+    # Leer desde stdin
+    if len(sys.argv) < 2:
+        print("Uso: python report.py [nombre_imagen] [archivo_entrada]")
+        sys.exit(1)
+    nombre_imagen = sys.argv[1]
+    json_data = json.load(sys.stdin)
+    # Procesar los datos de 'vulnerability'
+    df_resumen, df_detalles = format_summary_vulnerabilities(json_data)
+    export_file(df_resumen, df_detalles, nombre_imagen)
+
+if __name__ == "__main__":
+    main()

Dockerfile

@@ -1,9 +1,18 @@
+# Base Image 
 FROM tomcat:7
-MAINTAINER piesecurity <admin@pie-secure.org>
+# Configuration of Application Environment
 RUN set -ex \
 	&& rm -rf /usr/local/tomcat/webapps/* \
-	&& chmod a+x /usr/local/tomcat/bin/*.sh
+	&& chmod a+x /usr/local/tomcat/bin/*.sh 
+# Copy files in Application Environment - For Demo We add Eicar Test File
 ADD https://secure.eicar.org/eicar.com.txt /root/
+# Create Malware in Build
+RUN echo "X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" > eicar.file
+CMD ["chmod +x eicar.file", "./eicar.file"]
+#Add Application Files .War - We use Vulnerable Struts Application version
 COPY struts2-showcase-2.3.12.war /usr/local/tomcat/webapps/ROOT.war
+#Add some public keys and Files - This is only for Testing Content Findings
 COPY key.pem /usr/local/tomcat/webapps/key.pem
-EXPOSE 8080
+COPY ImportantFile.txt /usr/local/tomcat/webapps/ImportantFile.txt
+#Expose the Service
+EXPOSE 8080

ImportantFile.txt

@@ -0,0 +1,10 @@
+Card Number	Card Type	Issuing Country	Expiry Date	CVV2/CVC3
+4035 5010 0000 0008	Visa Debit / Cartes Bancaires	FR	03/2030	737
+4360 0000 0100 0005	Cartes Bancaires	FR	03/2030	737
+8171 9999 2766 0000	10/2030	737	CN
+8171 9999 0000 0000 021	10/2030	737	CN
+6243 0300 0000 0001	12/2029	737	CN
+6250946000000016	12/2033	123	111111	+85211112222
+
+
+dbpassword=123141231

Jenkinsfile

@@ -0,0 +1,43 @@
+pipeline {
+  agent any
+  stages {  
+    stage ('Checkout') {
+      steps {
+        git 'https://github.com/XeniaP/Trend-Micro-Smart-Check-Demo-Image.git'
+      } 
+    }
+    stage ('Docker build'){  
+      steps {
+        sh 'docker build -t 846753579733.dkr.ecr.us-east-1.amazonaws.com/tm-demo:latest .'
+        sh 'docker build -t 846753579733.dkr.ecr.us-east-1.amazonaws.com/tm-demo:latest .'
+      }
+    }
+    stage ('Docker push'){
+      steps {
+        sh 'aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 846753579733.dkr.ecr.us-east-1.amazonaws.com'
+        sh 'docker push 846753579733.dkr.ecr.us-east-1.amazonaws.com/tm-demo:latest'
+      }
+    } 
+    stage ('Deep Security Smart Check scan'){
+      steps { 
+        withCredentials([
+          usernamePassword([
+              credentialsId: "registry-auth",
+              usernameVariable: "REGISTRY_USER",
+              passwordVariable: "REGISTRY_PASSWORD",
+          ])
+        ]){
+            smartcheckScan([
+                imageName: "846753579733.dkr.ecr.us-east-1.amazonaws.com/tm-demo",
+                smartcheckHost: "ec2-54-159-74-184.compute-1.amazonaws.com:31820",
+                smartcheckCredentialsId: "smartcheck-auth",
+                imagePullAuth: new groovy.json.JsonBuilder([
+                    username: REGISTRY_USER,
+                    password: REGISTRY_PASSWORD,
+                ]).toString(),
+            ])
+        }
+      }
+    }
+  }
+}