Update samples

Signed-off-by: egibs <[email protected]>

Makefile

@@ -3,7 +3,7 @@
 
 
 SAMPLES_REPO ?= chainguard-dev/malcontent-samples
-SAMPLES_COMMIT ?= 38d8faef6bcbd63f7cc02bb243b12aaa3e1ba70c
+SAMPLES_COMMIT ?= 2bd3bff19c0253821b3886db65a5059587cac893
 
 # BEGIN: lint-install ../malcontent
 # http://github.com/tinkerbell/lint-install

pkg/refresh/refresh.go

@@ -75,6 +75,7 @@ func newConfig(rc Config) *malcontent.Config {
 		MinFileRisk:           1,
 		MinRisk:               1,
 		QuantityIncreasesRisk: true,
+		IncludeDataFiles:      true,
 		RuleFS:                []fs.FS{rules.FS, thirdparty.FS},
 		TrimPrefixes:          []string{rc.SamplesPath},
 	}

tests/javascript/clean/3937.844b09f50594ca2613b4.js.map.simple

@@ -0,0 +1,8 @@
+# javascript/clean/3937.844b09f50594ca2613b4.js.map: medium
+exec/shell/power: medium
+false-positives/mattermost: low
+fs/directory/remove: low
+fs/file/copy: medium
+fs/file/delete: medium
+net/download/fetch: medium
+net/url/embedded: low

tests/javascript/clean/index.js.map.simple

@@ -0,0 +1,15 @@
+# javascript/clean/index.js.map: medium
+crypto/aes: low
+crypto/cipher: medium
+crypto/decrypt: low
+crypto/encrypt: medium
+crypto/public_key: low
+data/encoding/base64: low
+data/encoding/json_decode: low
+data/encoding/json_encode: low
+net/http/accept: low
+net/http/auth: low
+net/http/form_upload: medium
+net/http/post: medium
+net/url/embedded: low
+net/url/parse: low

tests/linux/2024.k4spreader/2.decoded.simple

@@ -0,0 +1,10 @@
+# linux/2024.k4spreader/2.decoded: critical
+c2/addr/ip: high
+c2/tool_transfer/download: medium
+evasion/net/http_443: high
+exec/imports/python: medium
+exec/remote_commands/code_eval: high
+impact/remote_access/remote_eval: critical
+net/url/embedded: low
+net/url/parse: low
+os/fd/read: low

tests/linux/2024.k4spreader/2.simple

@@ -0,0 +1,3 @@
+# linux/2024.k4spreader/2: critical
+anti-static/base64/function_names: critical
+data/embedded/base64_url: medium

tests/linux/clean/appsec-rules.json.simple

@@ -0,0 +1,76 @@
+# linux/clean/appsec-rules.json: critical
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/cloud/aws: medium
+credential/os/gshadow: medium
+credential/os/shadow: medium
+credential/password: low
+credential/server/htpasswd: medium
+credential/shell/bash_history: medium
+credential/shell/zsh_history: high
+credential/ssh: high
+credential/ssh/authorized_hosts: medium
+credential/ssh/d: medium
+crypto/openssl: medium
+data/base64/decode: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/encoding/base64: low
+discover/multiple: medium
+discover/system/dmesg: low
+discover/system/platform: low
+discover/user/USER: low
+discover/user/name_get: medium
+evasion/bypass_security/linux/iptables: medium
+evasion/bypass_security/linux/ufw: medium
+evasion/file/prefix: medium
+evasion/logging/acct: low
+evasion/process_injection/readelf: medium
+exec/plugin: low
+exec/shell/bash_dev_udp: medium
+exec/shell/command: medium
+exec/shell/nohup: medium
+exec/system_controls/apparmor: medium
+exec/system_controls/systemd: low
+exec/tty/pathname: medium
+exfil: medium
+exfil/stealer/linux_server: high
+fs/fifo_create: low
+fs/file/times_set: medium
+fs/lock_update: low
+fs/mount: low
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/home: low
+fs/path/home_config: low
+fs/path/tmp: medium
+fs/path/var: low
+fs/permission/modify: medium
+fs/tempfile: low
+hw/hardware_enumeration: medium
+hw/wireless: low
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/remote_access/iptables: medium
+net/dns/servers: low
+net/download: medium
+net/ftp/t: low
+net/http/cookies: medium
+net/http/webhook: medium
+net/ip/host_port: medium
+net/socket/connect: medium
+net/tcp/sftp: medium
+persist/cron/tab: medium
+persist/daemon: medium
+persist/linux_multi: high
+persist/shell/bash: medium
+persist/shell/zsh: medium
+persist/ssh_authorized_keys: medium
+process/chroot: low
+process/unshare: low
+sec-tool/net/nmap: medium

tests/linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json.simple

@@ -0,0 +1,4 @@
+# linux/clean/aws-c-io/aws-c-io-0.14.10-r0.spdx.json: medium
+c2/tool_transfer/arch: low
+net/download: medium
+net/url/embedded: low

tests/linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json.simple

@@ -0,0 +1,4 @@
+# linux/clean/aws-c-io/aws-c-io-0.14.11-r0.spdx.json: medium
+c2/tool_transfer/arch: low
+net/download: medium
+net/url/embedded: low

tests/linux/clean/default_config.json.simple

@@ -0,0 +1,77 @@
+# linux/clean/default_config.json: critical
+collect/databases/mysql: medium
+collect/databases/postgresql: medium
+collect/databases/sqlite: medium
+credential/cloud/aws: medium
+credential/os/gshadow: medium
+credential/os/shadow: medium
+credential/password: low
+credential/server/htpasswd: medium
+credential/shell/bash_history: medium
+credential/shell/zsh_history: high
+credential/ssh: high
+credential/ssh/authorized_hosts: medium
+credential/ssh/d: medium
+crypto/openssl: medium
+data/base64/decode: medium
+data/compression/bzip2: low
+data/compression/gzip: low
+data/compression/lzma: low
+data/compression/zlib: low
+data/compression/zstd: low
+data/encoding/base64: low
+discover/multiple: medium
+discover/system/dmesg: low
+discover/system/platform: low
+discover/user/USER: low
+discover/user/name_get: medium
+evasion/bypass_security/linux/iptables: medium
+evasion/bypass_security/linux/ufw: medium
+evasion/file/prefix: medium
+evasion/logging/acct: low
+evasion/process_injection/readelf: medium
+exec/plugin: low
+exec/shell/bash_dev_udp: medium
+exec/shell/command: medium
+exec/shell/nohup: medium
+exec/system_controls/apparmor: medium
+exec/system_controls/systemd: low
+exec/tty/pathname: medium
+exfil: medium
+exfil/stealer/linux_server: high
+fs/fifo_create: low
+fs/file/times_set: medium
+fs/lock_update: low
+fs/mount: low
+fs/node_create: low
+fs/path/etc: low
+fs/path/etc_hosts: medium
+fs/path/home: low
+fs/path/home_config: low
+fs/path/tmp: medium
+fs/path/var: low
+fs/permission/modify: medium
+fs/tempfile: low
+hw/hardware_enumeration: medium
+hw/wireless: low
+impact/exploit: medium
+impact/exploit/cve: medium
+impact/remote_access/iptables: medium
+net/dns/servers: low
+net/download: medium
+net/ftp/t: low
+net/http/cookies: medium
+net/http/webhook: medium
+net/ip/host_port: medium
+net/socket/connect: medium
+net/tcp/sftp: medium
+persist/cron/tab: medium
+persist/daemon: medium
+persist/linux_multi: high
+persist/shell/bash: medium
+persist/shell/zsh: medium
+persist/ssh_authorized_keys: medium
+process/chroot: low
+process/unshare: low
+sec-tool/net/masscan: high
+sec-tool/net/nmap: medium

tests/linux/clean/gitlab-rails/android.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/android.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/astro_tailwind.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/astro_tailwind.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/bridgetown.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/bridgetown.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/cluster_management.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/cluster_management.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/dotnetcore.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/dotnetcore.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/express.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/express.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/gatsby.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/gatsby.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/gitpod_spring_petclinic.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/gitpod_spring_petclinic.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/gomicro.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/gomicro.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/hexo.tar.gz.simple

@@ -0,0 +1,4 @@
+# linux/clean/gitlab-rails/hexo.tar.gz ∴ /tree/project.json: low
+credential/password: low
+# linux/clean/gitlab-rails/hexo.tar.gz ∴ /project.bundle: low
+crypto/aes: low

tests/linux/clean/gitlab-rails/hugo.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/hugo.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/iosswift.tar.gz.simple

@@ -0,0 +1,6 @@
+# linux/clean/gitlab-rails/iosswift.tar.gz ∴ /tree/project.json: low
+credential/password: low
+# linux/clean/gitlab-rails/iosswift.tar.gz ∴ /project.bundle: medium
+credential/sniffer/bpf: medium
+net/tcp/ssh: medium
+process/chdir: low

tests/linux/clean/gitlab-rails/jekyll.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/jekyll.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/jsonnet.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/jsonnet.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/kotlin_native_linux.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/kotlin_native_linux.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/laravel.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/laravel.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/middleman.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/middleman.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/nfgitbook.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/nfgitbook.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/nfhexo.tar.gz.simple

@@ -0,0 +1,4 @@
+# linux/clean/gitlab-rails/nfhexo.tar.gz ∴ /project.bundle: low
+crypto/aes: low
+# linux/clean/gitlab-rails/nfhexo.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/nfhugo.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/nfhugo.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/nfjekyll.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/nfjekyll.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/nfplainhtml.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/nfplainhtml.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/nist_80053r5.tar.gz.simple

@@ -0,0 +1,27 @@
+# linux/clean/gitlab-rails/nist_80053r5.tar.gz ∴ /tree/project/project_badges.ndjson: low
+net/url/embedded: low
+# linux/clean/gitlab-rails/nist_80053r5.tar.gz ∴ /tree/project.json: low
+credential/password: low
+# linux/clean/gitlab-rails/nist_80053r5.tar.gz ∴ /tree/project/labels.ndjson: low
+crypto/public_key: low
+# linux/clean/gitlab-rails/nist_80053r5.tar.gz ∴ /tree/project/issues.ndjson: medium
+anti-static/obfuscation/obfuscate: low
+c2/addr/ip: medium
+credential/password: low
+crypto/public_key: low
+discover/network/mac_address: medium
+exec/shell/command: medium
+exfil: medium
+exfil/stealer/credit_card: medium
+fs/file/delete_forcibly: low
+impact/exploit: medium
+impact/remote_access/agent: medium
+impact/remote_access/backdoor: medium
+impact/remote_access/trojan: medium
+lateral/scan/brute_force: low
+malware/ref: medium
+net/download: medium
+net/ip: low
+net/ip/spoof: medium
+sus/intercept: medium
+sus/malicious: medium

tests/linux/clean/gitlab-rails/pelican.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/pelican.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/plainhtml.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/plainhtml.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/rails.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/rails.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/salesforcedx.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/salesforcedx.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/serverless_framework.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/serverless_framework.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/spring.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/spring.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/tencent_serverless_framework.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/tencent_serverless_framework.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/gitlab-rails/typo3_distribution.tar.gz.simple

@@ -0,0 +1,2 @@
+# linux/clean/gitlab-rails/typo3_distribution.tar.gz ∴ /tree/project.json: low
+credential/password: low

tests/linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json.simple

@@ -0,0 +1,7 @@
+# linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json: medium
+c2/tool_transfer/arch: low
+c2/tool_transfer/os: low
+exec/shell/power: medium
+impact/degrade/win_defender: low
+net/download: medium
+net/url/embedded: low

tests/linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json.simple

@@ -0,0 +1,10 @@
+# linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json: medium
+3P/sig_base/hacktool_strings_p0wnedshell: low
+c2/tool_transfer/os: low
+exec/shell/power: medium
+impact/infection/infected: medium
+malware/ref: medium
+mem/protect: low
+net/download: medium
+net/url/embedded: low
+sus/malicious: medium

tests/linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json.simple

@@ -0,0 +1,18 @@
+# linux/clean/kibana/3728c08d-9b70-456b-b6b8-007c7d246128_5.json: critical
+c2/tool_transfer/os: low
+evasion/file/location/dev_shm: medium
+evasion/file/prefix: high
+evasion/file/prefix/dev: low
+exec/shell/command: medium
+exec/system_controls/systemd: low
+fs/path/etc: low
+fs/path/etc_initd: medium
+fs/path/home: low
+fs/path/home_config: low
+fs/path/root: medium
+fs/path/usr_local: medium
+fs/path/var: low
+net/url/embedded: low
+persist/shell/bash: high
+persist/shell/zsh: medium
+privesc/sudoers: medium

tests/linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json.simple

@@ -0,0 +1,10 @@
+# linux/clean/kibana/83bf249e-4348-47ba-9741-1202a09556ad_101.json: critical
+anti-static/obfuscation/powershell: critical
+c2/tool_transfer/os: low
+exec/shell/command: medium
+exec/shell/power: medium
+false-positives/kibana: low
+malware/ref: medium
+net/download: medium
+net/download/fetch: medium
+net/url/embedded: low