feat(tools): Added more static analysis tools

This adds additional static analysis tools including sqlitedump, trufflehog, trivy,
and a custom Rust Volatility tool. This also patches a tagging bug in detect-it-easy
that left extra spaces in the value. And finally this enables the pharos pipelines
within the Thorium toolbox.

Author: gabaker

tools/README.md

@@ -13,7 +13,7 @@ The `build-actions-matrix.py` script is used by our gitlab actions pipeline to d
 To update the `toolbox.json` file before committing changes, run the `build-toolbox-manifest.py`:
 
 ```bash
-python3 scripts/build-toolbox-manifest.py config.toml
+python3 scripts/build-toolbox-manifest.py -c config.toml
 ```
 
 ### Toolbox Config (`config.toml`)
@@ -53,4 +53,4 @@ config_from = "antivirus.json"
 
 [images.clamav]
 version = "latest"
-```
+```

tools/images/exiftool.org/tools/exiftool/exiftool.json

@@ -22,7 +22,7 @@
     "commit": null,
     "output": "None"
   },
-  "description": "",
+  "description": null,
   "security_context": {
     "user": null,
     "group": null,

…/H3xKatana/autoVolatility3/manifest.toml …na/autoVolatility3/manifest.toml.excludetools/images/github.com/H3xKatana/autoVolatility3/manifest.toml renamed to tools/images/github.com/H3xKatana/autoVolatility3/manifest.toml.exclude tools/images/github.com/H3xKatana/autoVolatility3/manifest.toml renamed to tools/images/github.com/H3xKatana/autoVolatility3/manifest.toml.exclude

@@ -3,6 +3,14 @@ FROM $IMAGE
 
 WORKDIR /app
 
+RUN cargo version
+
+RUN apt clean all && \
+    apt update && \
+    apt install -y p7zip-full && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/*
+
 RUN cargo install binwalk
 
 COPY wrapper.bash /app/.

tools/images/github.com/ReFirmLabs/binwalk/Dockerfile

@@ -2,7 +2,13 @@
 
 mkdir -p /tmp/thorium/binwalk
 binwalk -e $1 -C /tmp/thorium/binwalk > /tmp/thorium/results
-mv /tmp/thorium/binwalk/*.extracted /tmp/thorium/children/carved/unknown/ || true
+
+if find "/tmp/results/binwalk" -maxdepth 1 -type f -name "*.extracted" -print -quit | grep -q .; then
+    mv /tmp/thorium/binwalk/*.extracted /tmp/thorium/children/carved/unknown/ 
+else
+    echo "INFO: No files extracted"
+    exit 0
+fi
 
 binHash=$(sha256sum $1)
 binHashArr=($binHash)

tools/images/github.com/ReFirmLabs/binwalk/wrapper.bash

@@ -0,0 +1,21 @@
+ARG IMAGE="ubuntu:22.04"
+FROM $IMAGE
+
+RUN apt update -y && \
+  apt-get install -y wget gnupg && \
+  wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | tee /usr/share/keyrings/trivy.gpg > /dev/null && \
+  echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee -a /etc/apt/sources.list.d/trivy.list && \
+  apt-get update -y && \
+  apt-get install -y trivy
+
+# prefetch and save our DB
+RUN trivy fs --scanners vuln,secret,misconfig,license /tmp && \
+    mv /root/.cache/* /tmp/cache/ && \
+    chmod -R 777 /tmp/cache
+
+# Add our wrapper.sh script
+WORKDIR /app
+COPY wrapper.sh .
+
+# setup our entrypoint
+ENTRYPOINT ["/app/wrapper.sh"]

tools/images/github.com/aquasecurity/trivy/Dockerfile

@@ -0,0 +1,6 @@
+name = "trivy"
+type = "image"
+config_from = "trivy.json"
+build_path = "./"
+image_name = "tools/github.com/aquasecurity/trivy"
+version = "latest"

tools/images/github.com/aquasecurity/trivy/manifest.toml

@@ -0,0 +1,110 @@
+{
+  "group": "static",
+  "name": "trivy",
+  "scaler": "K8s",
+  "image": "",
+  "timeout": 300,
+  "resources": {
+    "cpu": 4,
+    "memory": "4Gi",
+    "ephemeral_storage": "0Gi",
+    "nvidia_gpu": 0,
+    "amd_gpu": 0,
+    "burstable": {
+      "cpu": 0,
+      "memory": "0Gi"
+    }
+  },
+  "spawn_limit": "Unlimited",
+  "volumes": [],
+  "env": {},
+  "args": {
+    "entrypoint": null,
+    "command": null,
+    "reaction": null,
+    "repo": null,
+    "commit": null,
+    "output": {
+      "Kwarg": "-o"
+    }
+  },
+  "description": "The all in one code scanner\n\nhttps://trivy.dev/",
+  "security_context": {
+    "user": null,
+    "group": null,
+    "allow_privilege_escalation": false
+  },
+  "collect_logs": true,
+  "generator": false,
+  "dependencies": {
+    "samples": {
+      "location": "/tmp/thorium/samples",
+      "kwarg": null,
+      "strategy": "Paths"
+    },
+    "ephemeral": {
+      "location": "/tmp/thorium/ephemeral",
+      "kwarg": null,
+      "strategy": "Paths",
+      "names": []
+    },
+    "results": {
+      "images": [],
+      "location": "/tmp/thorium/prior-results",
+      "kwarg": "None",
+      "strategy": "Paths",
+      "names": []
+    },
+    "repos": {
+      "location": "/tmp/thorium/repos",
+      "kwarg": null,
+      "strategy": "Paths"
+    },
+    "tags": {
+      "enabled": false,
+      "location": "/tmp/thorium/prior-tags",
+      "kwarg": null,
+      "strategy": "Paths"
+    },
+    "children": {
+      "enabled": false,
+      "images": [],
+      "location": "/tmp/thorium/prior-children",
+      "kwarg": null,
+      "strategy": "Paths"
+    },
+    "cache": {
+      "location": "/tmp/thorium/cache",
+      "generic": {
+        "kwarg": null,
+        "strategy": "Disabled"
+      },
+      "use_parent_cache": false,
+      "enabled": true
+    }
+  },
+  "display_type": "String",
+  "output_collection": {
+    "handler": "Files",
+    "files": {
+      "results": "/tmp/thorium/results",
+      "result_files": "/tmp/thorium/result-files",
+      "tags": "/tmp/thorium/tags",
+      "names": []
+    },
+    "children": "/tmp/thorium/children",
+    "auto_tag": {},
+    "groups": []
+  },
+  "child_filters": {
+    "mime": [],
+    "file_name": [],
+    "file_extension": [],
+    "submit_non_matches": false
+  },
+  "clean_up": null,
+  "kvm": null,
+  "network_policies": [
+    "allow-all"
+  ]
+}

tools/images/github.com/aquasecurity/trivy/trivy.json

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# copy our trivy cache to our cache folder if it hasn't already been moved
+[ -d "/tmp/cache" ] && mv /tmp/cache/* /root/.cache/ && rm -rf /tmp/cache
+# run trivy and dump our table results
+trivy fs --scanners vuln,secret,misconfig,license --include-dev-deps -f table -o /tmp/thorium/results $1
+# run trivy and dump our json results
+trivy fs --scanners vuln,secret,misconfig,license --include-dev-deps -f json -o /tmp/thorium/result-files/trivy.json $1

tools/images/github.com/aquasecurity/trivy/wrapper.sh

@@ -15,16 +15,12 @@
   "volumes": [],
   "env": {},
   "args": {
-    "entrypoint": [
-      "/usr/local/bin/fn2hash"
-    ],
+    "entrypoint": null,
     "command": null,
     "reaction": null,
     "repo": null,
     "commit": null,
-    "output": {
-      "Kwarg": "--json"
-    }
+    "output": "None"
   },
   "description": null,
   "security_context": {