Bump to golang 1.23 (#110)

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22-bookworm AS skopeo-builder
+FROM golang:1.23-bookworm AS skopeo-builder
 
 # Ubuntu (`libbtrfs-dev` requires Ubuntu 18.10 and above):
 RUN apt update && DEBIAN_FRONTEND=noninteractive apt install -y libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config
@@ -8,7 +8,7 @@ RUN cd $GOPATH/src/github.com/containers/skopeo && DISABLE_DOCS=1 make bin/skope
 RUN cd $GOPATH/src/github.com/containers/skopeo && DISABLE_DOCS=1 make
 RUN cd $GOPATH/src/github.com/containers/skopeo && cp ./bin/skopeo /usr/bin/skopeo
 
-FROM golang:1.22-alpine3.18 AS builder
+FROM golang:1.23-alpine3.20 AS builder
 
 RUN apk add --no-cache \
     git \
@@ -40,9 +40,9 @@ RUN apk add --no-cache -t .build-deps py-setuptools \
     libmagic-static \
     linux-headers
 
-RUN cd /root && wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.3.2.tar.gz \
-    && tar -zxf v4.3.2.tar.gz \
-    && cd yara-4.3.2 \
+RUN cd /root && wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.5.2.tar.gz \
+    && tar -zxf v4.5.2.tar.gz \
+    && cd yara-4.5.2 \
     && ./bootstrap.sh \
     && ./configure --prefix=/usr/local/yara --disable-dotnet --enable-magic --enable-cuckoo --disable-shared --enable-static\
     && make \
@@ -62,15 +62,15 @@ LABEL deepfence.role=system
 COPY --from=skopeo-builder /usr/bin/skopeo /usr/bin/skopeo
 
 ENV LD_LIBRARY_PATH=/usr/local/yara/lib \
-    DOCKERVERSION=24.0.6
+    DOCKERVERSION=27.3.1
 
 RUN apt-get update && apt-get -qq -y --no-install-recommends install libjansson4 libssl3 libmagic1 libstdc++6 jq bash curl ca-certificates
 
 ARG TARGETARCH
 
 RUN <<EOF
 set -eux
-nerdctl_version=1.6.0
+nerdctl_version=1.7.7
 curl -fsSLOk https://github.com/containerd/nerdctl/releases/download/v${nerdctl_version}/nerdctl-${nerdctl_version}-linux-${TARGETARCH}.tar.gz
 tar Cxzvvf /usr/local/bin nerdctl-${nerdctl_version}-linux-${TARGETARCH}.tar.gz
 rm nerdctl-${nerdctl_version}-linux-${TARGETARCH}.tar.gz

Makefile

@@ -1,5 +1,5 @@
 export IMAGE_REPOSITORY?=quay.io/deepfenceio
-export DF_IMG_TAG?=3.0.0
+export DF_IMG_TAG?=2.5.0
 
 all: yarahunter
 

README.md

@@ -37,14 +37,23 @@ Images may be compromised with the installation of a cryptominer such as XMRig.
 Pull the official **yarahunter** image:
 
 ```
-docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0
+docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0
 ```
 
 or Build it from source clone this repo and run below command
 ```
 make docker
 ```
 
+### Generate License Key
+
+Run this command to generate a license key. Work/official email id has to be used.
+```shell
+curl https://license.deepfence.io/threatmapper/generate-license?first_name=<FIRST_NAME>&last_name=<LAST_NAME>&email=<EMAIL>&company=<ORGANIZATION_NAME>&resend_email=true
+```
+
+### Scan
+
 Pull the image that needs to be scanned for example `metal3d/xmrig` and scan it:
 
 ```
@@ -59,7 +68,7 @@ docker run -i --rm --name=deepfence-yarahunter \
      -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /tmp:/home/deepfence/output \
-     quay.io/deepfenceio/deepfence_malware_scanner_ce:3.0.0 \
+     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
      --image-name metal3d/xmrig:latest \
      --output=json > xmrig-scan.json
 ```
@@ -74,7 +83,7 @@ docker run -i --rm --name=deepfence-yarahunter \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /tmp:/home/deepfence/output \
      -v /tmp/rules:/tmp/rules \
-     quay.io/deepfenceio/deepfence_malware_scanner_ce:3.0.0 \
+     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
      --image-name metal3d/xmrig:latest \
      --output=json \
      --rules-path=/tmp/rules > xmrig-scan.json

docs/docs/yarahunter/configure/cli.md

@@ -7,14 +7,14 @@ title: Command-Line Options
 Display the command line options:
 
 ```bash
-$ docker run -it --rm quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 --help
+$ docker run -it --rm quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 --help
 ```
 
 Note that all files and directories used in YaraHunter configuration are local to the container, not the host filesystem. The examples given illustrate how to map host directories to the container when needed.
 
 ### General Configuration
 
- * `--log-level string`: one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG (default "ERROR"); print messages of this severity or higher.
+ * `--debug-level string`: one of FATAL, ERROR, IMPORTANT, WARN, INFO, DEBUG (default "ERROR"); print messages of this severity or higher.
  * `--threads int`: Number of concurrent threads to use during scan (default number of logical CPUs).
  * `--temp-directory string`: temporary storage for working data (default "/tmp")
 

docs/docs/yarahunter/configure/output.md

@@ -5,12 +5,14 @@ title: Configure Output
 
 # Configure Output
 
-YaraHunter can writes output to `stdout` it can redirected to a file for further analysis.
+YaraHunter can writes output to `stdout`. It can be redirected to a file for further analysis.
 
 ```bash
 docker run -i --rm --name=yara-hunter \
+    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
     -v /var/run/docker.sock:/var/run/docker.sock \
-    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
     --image-name node:latest \
 # highlight-next-line
     --output=json > xmrig-scan.json

docs/docs/yarahunter/configure/rules.md

@@ -15,10 +15,12 @@ You can mount the rules directory over the existing one (using `-v $(pwd)/my-rul
 mkdir ./my-rules
 
 docker run -it --rm --name=yara-hunter \
+    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
     -v /var/run/docker.sock:/var/run/docker.sock \
 # highlight-next-line
     -v $(pwd)/my-rules:/tmp/my-rules \
-    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 --image-name node:latest \
+    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 --image-name node:latest \
 # highlight-next-line
     --rules-path /tmp/my-rules
 ```

docs/docs/yarahunter/index.md

@@ -18,6 +18,12 @@ Key capabilities:
 
 ![Yadare in Action](img/yarahunter.svg)
 
+## Generate License Key
+
+Run this command to generate a license key. Work/official email id has to be used.
+```shell
+curl https://license.deepfence.io/threatmapper/generate-license?first_name=<FIRST_NAME>&last_name=<LAST_NAME>&email=<EMAIL>&company=<ORGANIZATION_NAME>&resend_email=true
+```
 
 ## Example: Finding Indicators of Compromise in a Container Image
 
@@ -27,9 +33,11 @@ Images may be compromised with the installation of a cryptominer such as XMRig.
 docker pull metal3d/xmrig
 
 docker run -i --rm --name=deepfence-yarahunter \
+     -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+     -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /tmp:/home/deepfence/output \
-     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
      --image-name metal3d/xmrig:latest \
      --output=json > xmrig-scan.json
 ```
@@ -43,6 +51,20 @@ cat /tmp/xmrig-scan.json | jq '.IOC[] | ."Matched Rule Name"'
 
 This returns a list of the IOCs identified in the container we scanned.
 
+Rules can also be cached to use next run by mounting a seperate path and passing `rules-path` argument
+```bash
+docker run -i --rm --name=deepfence-yarahunter \
+     -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+     -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
+     -v /var/run/docker.sock:/var/run/docker.sock \
+     -v /tmp:/home/deepfence/output \
+     -v /tmp/rules:/tmp/rules \
+     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
+     --image-name metal3d/xmrig:latest \
+     --output=json \
+     --rules-path=/tmp/rules > xmrig-scan.json
+```
+
 ## When to use YaraHunter
 
 YaraHunter can be used in the following ways:

docs/docs/yarahunter/quickstart.md

@@ -9,7 +9,14 @@ Pull the latest YaraHunter image, and use it to scan a `node:latest` container.
 ## Pull the latest YaraHunter image
 
 ```bash
-docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0
+docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0
+```
+
+## Generate License Key
+
+Run this command to generate a license key. Work/official email id has to be used.
+```shell
+curl https://license.deepfence.io/threatmapper/generate-license?first_name=<FIRST_NAME>&last_name=<LAST_NAME>&email=<EMAIL>&company=<ORGANIZATION_NAME>&resend_email=true
 ```
 
 ## Scan a Container Image
@@ -20,8 +27,10 @@ Pull an image to your local repository, then scan it
 docker pull node:latest
 
 docker run -i --rm --name=yara-hunter \
+    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
     -v /var/run/docker.sock:/var/run/docker.sock \
-    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
     --image-name node:latest
 
 docker rmi node:latest
@@ -33,9 +42,11 @@ You can summarise the results by processing the JSON output, e.g. using `jq`:
 
 ```bash
 docker run -i --rm --name=yara-hunter \
+    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v /tmp:/home/deepfence/output \
-    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
     --image-name node:latest \
     --output=json > node-latest.json
 

docs/docs/yarahunter/using/build.md

@@ -7,11 +7,11 @@ title: Build YaraHunter
 YaraHunter is a self-contained docker-based tool. Clone the [YaraHunter repository](https://github.com/deepfence/YaraHunter), then build:
 
 ```bash
-docker build --rm=true --tag=quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 -f Dockerfile .
+docker build --rm=true --tag=quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 -f Dockerfile .
 ```
 
-Alternatively, you can pull the official deepfence image at `quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0`.
+Alternatively, you can pull the official deepfence image at `quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0`.
 
 ```bash
-docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0
+docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0
 ```

docs/docs/yarahunter/using/grpc.md

@@ -27,7 +27,7 @@ docker run -it --rm --name=deepfence-malwarescanner \
 	-v $(pwd):/home/deepfence/output \
 	-v /var/run/docker.sock:/var/run/docker.sock \
 	-v /tmp/sock:/tmp/sock \
-	quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+	quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
 	-socket-path /tmp/sock/s.sock
 ```
 

docs/docs/yarahunter/using/scan.md

@@ -15,8 +15,10 @@ Pull the image to your local repository, then scan it
 docker pull node:latest
 
 docker run -it --rm --name=yara-hunter \
+    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
     -v /var/run/docker.sock:/var/run/docker.sock \
-    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
 # highlight-next-line
     --image-name node:latest
 
@@ -29,10 +31,12 @@ Mount the root directory into the YaraHunter container at a location of your cho
 
 ```bash
 docker run -it --rm --name=yara-hunter \
+    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
     -v /var/run/docker.sock:/var/run/docker.sock \
 # highlight-next-line
     -v /:/deepfence/mnt \
-    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
 # highlight-next-line
     --host-mount-path /deepfence/mnt --container-id 69221b948a73
 ```
@@ -43,9 +47,11 @@ Mount the filesystem within the YaraHunter container and scan it:
 
 ```bash
 docker run -it --rm --name=yara-hunter \
+    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
+    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
 # highlight-next-line
     -v ~/src/YARA-RULES:/tmp/YARA-RULES \
-    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.3.0 \
+    quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.0 \
 # highlight-next-line
     --local /tmp/YARA-RULES --host-mount-path /tmp/YARA-RULES
 ```