Feature/devsecops demo 03

samples/Dockerfile-01

@@ -0,0 +1,2 @@
+FROM alpine:3.14.0
+RUN echo "testuser:x:10999:10999:,,,:/home/testuser:/bin/bash" >> /etc/passwd && echo "testuser::18761:0:99999:7:::" >> /etc/shadow

samples/example-02.tf

@@ -0,0 +1,189 @@
+resource "azurerm_resource_group" "myresourcegroup" {
+  name     = "${var.prefix}-workshop"
+  location = var.location
+
+  tags = {
+    environment = "Production"
+  }
+}
+
+resource "azurerm_virtual_network" "vnet" {
+  name                = "${var.prefix}-vnet"
+  location            = azurerm_resource_group.myresourcegroup.location
+  address_space       = [var.address_space]
+  resource_group_name = azurerm_resource_group.myresourcegroup.name
+}
+
+resource "azurerm_subnet" "subnet" {
+  name                 = "${var.prefix}-subnet"
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  resource_group_name  = azurerm_resource_group.myresourcegroup.name
+  address_prefixes     = [var.subnet_prefix]
+}
+
+resource "azurerm_network_security_group" "catapp-sg" {
+  name                = "${var.prefix}-sg"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.myresourcegroup.name
+
+  security_rule {
+    name                       = "HTTP"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "80"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "HTTPS"
+    priority                   = 102
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "SSH"
+    priority                   = 101
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_network_interface" "catapp-nic" {
+  name                      = "${var.prefix}-catapp-nic"
+  location                  = var.location
+  resource_group_name       = azurerm_resource_group.myresourcegroup.name
+
+  ip_configuration {
+    name                          = "${var.prefix}ipconfig"
+    subnet_id                     = azurerm_subnet.subnet.id
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = azurerm_public_ip.catapp-pip.id
+  }
+}
+
+resource "azurerm_network_interface_security_group_association" "catapp-nic-sg-ass" {
+  network_interface_id      = azurerm_network_interface.catapp-nic.id
+  network_security_group_id = azurerm_network_security_group.catapp-sg.id
+}
+
+resource "azurerm_public_ip" "catapp-pip" {
+  name                = "${var.prefix}-ip"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.myresourcegroup.name
+  allocation_method   = "Dynamic"
+  domain_name_label   = "${var.prefix}-meow"
+}
+
+resource "azurerm_virtual_machine" "catapp" {
+  name                = "${var.prefix}-meow"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.myresourcegroup.name
+  vm_size             = var.vm_size
+
+  network_interface_ids         = [azurerm_network_interface.catapp-nic.id]
+  delete_os_disk_on_termination = "true"
+
+  storage_image_reference {
+    publisher = var.image_publisher
+    offer     = var.image_offer
+    sku       = var.image_sku
+    version   = var.image_version
+  }
+
+  storage_os_disk {
+    name              = "${var.prefix}-osdisk"
+    managed_disk_type = "Standard_LRS"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+  }
+
+  os_profile {
+    computer_name  = var.prefix
+    admin_username = var.admin_username
+    admin_password = var.admin_password
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = false
+  }
+
+  tags = {}
+
+  # Added to allow destroy to work correctly.
+  depends_on = [azurerm_network_interface_security_group_association.catapp-nic-sg-ass]
+}
+
+# We're using a little trick here so we can run the provisioner without
+# destroying the VM. Do not do this in production.
+
+# If you need ongoing management (Day N) of your virtual machines a tool such
+# as Chef or Puppet is a better choice. These tools track the state of
+# individual files and can keep them in the correct configuration.
+
+# Here we do the following steps:
+# Sync everything in files/ to the remote VM.
+# Set up some environment variables for our script.
+# Add execute permissions to our scripts.
+# Run the deploy_app.sh script.
+resource "null_resource" "configure-cat-app" {
+  depends_on = [
+    azurerm_virtual_machine.catapp,
+  ]
+
+  # Terraform 0.11
+  # triggers {
+  #   build_number = "${timestamp()}"
+  # }
+
+  # Terraform 0.12
+  triggers = {
+    build_number = timestamp()
+  }
+
+  provisioner "file" {
+    source      = "files/"
+    destination = "/home/${var.admin_username}/"
+
+    connection {
+      type     = "ssh"
+      user     = var.admin_username
+      password = var.admin_password
+      host     = azurerm_public_ip.catapp-pip.fqdn
+    }
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "sudo apt -y update",
+      "sleep 15",
+      "sudo apt -y update",
+      "sudo apt -y install apache2",
+      "sudo systemctl start apache2",
+      "sudo chown -R ${var.admin_username}:${var.admin_username} /var/www/html",
+      "chmod +x *.sh",
+      "PLACEHOLDER=${var.placeholder} WIDTH=${var.width} HEIGHT=${var.height} PREFIX=${var.prefix} ./deploy_app.sh",
+    ]
+
+    connection {
+      type     = "ssh"
+      user     = var.admin_username
+      password = var.admin_password
+      host     = azurerm_public_ip.catapp-pip.fqdn
+    }
+  }
+}

samples/insecure-01.js

@@ -0,0 +1,2 @@
+let injection = "Hello, security vulnerabilities!";
+eval(`console.log(\"${injection}\");`);

samples/insecure-01.py

@@ -0,0 +1,26 @@
+#Commented out sample to pass  scanning 
+
+import hashlib
+print("I am very insecure. Bandit thinks so too.")
+#B110
+xs=[1,2,3,4,5,6,7,8]
+try:
+    print(xs[7])
+    print(xs[8])
+except: pass
+
+ys=[1, 2, None, None]
+for y in ys:
+    try:
+        print(str(y+3)) #TypeErrors ahead
+    except: continue #not how to handle them
+
+#some imports
+import telnetlib
+import ftplib
+
+#B303 and B324
+s = b"I am a string"
+print("MD5: " +hashlib.md5(s).hexdigest())
+print("SHA1: " +hashlib.sha1(s).hexdigest())
+print("SHA256: " +hashlib.sha256(s).hexdigest())