├── .gitattributes
├── terracotta-bank-0.1.0.tgz
├── terracotta-bank
│   ├── templates
│   │   ├── NOTES.txt
│   │   ├── service.yaml
│   │   ├── serviceaccount.yaml
│   │   ├── tests
│   │   │   └── test-connection.yaml
│   │   ├── hpa.yaml
│   │   ├── _helpers.tpl
│   │   ├── ingress.yaml
│   │   └── deployment.yaml
│   ├── .helmignore
│   ├── values.schema.json
│   ├── README.md
│   ├── Chart.yaml
│   └── values.yaml
├── index.yaml
├── README.md
└── .github
    └── workflows
        └── helm-package.yml

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------
/terracotta-bank-0.1.0.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Contrast-Security-OSS/demo-apps-helm/main/terracotta-bank-0.1.0.tgz
--------------------------------------------------------------------------------
/terracotta-bank/templates/NOTES.txt:
--------------------------------------------------------------------------------
1. Wait for the Pod counter above to show Ready / 1 Pod
2. Click the access URL above to browse your application
--------------------------------------------------------------------------------
/index.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
entries:
  terracotta-bank:
  - apiVersion: v2
    appVersion: 1.16.0
    created: "2023-11-27T15:44:20.088067Z"
    description: A Helm chart for Kubernetes
    digest: fa78a516ad27e2f13b6782d1faf2b7c98c9509dd22063732f851b1cd0c914528
    name: terracotta-bank
    type: application
    urls:
    - terracotta-bank-0.1.0.tgz
    version: 0.1.0
generated: "2023-11-27T15:44:20.086957Z"
--------------------------------------------------------------------------------
/terracotta-bank/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
--------------------------------------------------------------------------------
/terracotta-bank/templates/service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: {{ include "terracotta-bank.fullname" . }}
  labels:
    {{- include "terracotta-bank.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      {{/* targetPort is fixed at 8080: the container listens there regardless of
           service.port (the probes in deployment.yaml also use 8080). */}}
      targetPort: 8080
      protocol: TCP
      name: http
  selector:
    {{- include "terracotta-bank.selectorLabels" . | nindent 4 }}
--------------------------------------------------------------------------------
/terracotta-bank/templates/serviceaccount.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "terracotta-bank.serviceAccountName" . }}
  labels:
    {{- include "terracotta-bank.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{/* NOTE(review): with the default values this mounts the service-account token
     into the pod. Nothing in this chart shows the application needing the
     Kubernetes API, so consider defaulting serviceAccount.automount to false;
     confirm against the agent/operator requirements first. */}}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
--------------------------------------------------------------------------------
/terracotta-bank/templates/tests/test-connection.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: "{{ include "terracotta-bank.fullname" . }}-test-connection"
  labels:
    {{- include "terracotta-bank.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test
spec:
  containers:
    - name: wget
      {{/* NOTE(review): "busybox" is an unpinned, floating tag; pin a specific
           tag or digest so the test pod is reproducible. */}}
      image: busybox
      command: ['wget']
      args: ['{{ include "terracotta-bank.fullname" . }}:{{ .Values.service.port }}']
  restartPolicy: Never
--------------------------------------------------------------------------------
/terracotta-bank/values.schema.json:
--------------------------------------------------------------------------------
{
  "$schema": "http://json-schema.org/schema#",
  "type": "object",
  "properties": {
    "environment": {
      "type": "string",
      "title": "Contrast Server Environment",
      "enum": ["Development", "QA", "Production"],
      "default": "Development"
    },
    "application_name": {
      "type": "string",
      "title": "Application Name"
    },
    "server_name": {
      "type": "string",
      "title": "Server Name (Optional)"
    }
  }
}
--------------------------------------------------------------------------------
/terracotta-bank/README.md:
--------------------------------------------------------------------------------
# Introduction

Terracotta Bank is an intentionally-vulnerable web application, useful for practicing detection, exploitation, and mitigation of common web application security vulnerabilities.

## Configuration

The Contrast Demo environment makes use of the Kubernetes Agent Operator to automatically instrument this application for vulnerability detection (IAST) or runtime protection (RASP).
All you need to provide is:

* Name - this is the deployment name so needs to be unique
* Contrast Application Name - this will be used for the application name in the Contrast UI
* Environment - this should be set to Development, QA or Production
* Server Name - this is optional, if not specified the container id will be used
--------------------------------------------------------------------------------
/terracotta-bank/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: terracotta-bank
description: A deliberately insecure Java web application
annotations:
  category: Java
icon: https://raw.githubusercontent.com/jzheaux/terracotta-bank-spring/master/terracotta.png
keywords:
  - java
  - jsp
  - sqli
home: https://github.com/Contrast-Security-OSS/demo-terracotta-bank
maintainers:
  - name: Contrast SE Team
# NOTE(review): `sources` points at a personal fork while `home` and the packaged
# .tgz URL are under Contrast-Security-OSS — confirm which repository is canonical.
sources:
  - https://github.com/davidaustinarcher/demo-apps-helm/tree/main/terracotta-bank
# A chart can be either an 'application' or a 'library' chart.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.9

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. It is expected to match the Docker tag.
# deployment.yaml uses this as the image tag whenever image.tag is left empty in values.yaml,
# so it is a floating tag rather than an immutable reference.
appVersion: "3.1-no-agent"
--------------------------------------------------------------------------------
/terracotta-bank/templates/hpa.yaml:
--------------------------------------------------------------------------------
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: {{ include "terracotta-bank.fullname" . }}
  labels:
    {{- include "terracotta-bank.labels" . | nindent 4 }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ include "terracotta-bank.fullname" . }}
  minReplicas: {{ .Values.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
    {{- end }}
    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Vulnerable Demo Applications - Helm Charts

## Overview

This repository hosts a collection of Helm charts for various deliberately vulnerable demo applications. These applications are designed to showcase the effectiveness of Contrast's runtime security in detecting vulnerabilities and preventing exploits in real-time.

## Getting Started

The helm index is intended to be consumed by the Contrast Demo environment (based on Kubeapps), but these helm charts could also be deployed directly to a cluster.
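### Guidelines for adding a new chart

#TODO

## GitHub Action for Helm Index

This repository includes a GitHub Action configured to automatically update the Helm chart repository index file whenever changes are pushed to the charts which are stored in separate folders. This ensures that the latest versions of the Helm charts are always available for use.

## Contributing

We welcome contributions to improve the demo applications or the Helm charts, just submit a PR.

## Contact

For any queries or assistance, please reach out to the Contrast Sales Engineering team.
--------------------------------------------------------------------------------
/terracotta-bank/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/*
Expand the name of the chart.
*/}}
{{- define "terracotta-bank.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "terracotta-bank.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "terracotta-bank.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "terracotta-bank.labels" -}}
helm.sh/chart: {{ include "terracotta-bank.chart" . }}
{{ include "terracotta-bank.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "terracotta-bank.selectorLabels" -}}
app.kubernetes.io/name: {{ include "terracotta-bank.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}

{{/*
Create the name of the service account to use.
Falls back to the namespace's "default" service account when the chart does not create one.
*/}}
{{- define "terracotta-bank.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "terracotta-bank.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/.github/workflows/helm-package.yml:
--------------------------------------------------------------------------------
name: Package/Index Helm Charts

on:
  push:
    paths:
      - 'terracotta-bank/**'
      # - 'path/to/any/other/chart/**'
    # NOTE(review): there is no branch filter, so a push to any branch that
    # touches the chart re-packages it and republishes the Pages index. Confirm
    # the github-pages environment protection rules gate this, or add a
    # `branches:` filter for the publishing branch.

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    # Least privilege for GITHUB_TOKEN: this job only reads the repository and
    # uploads a Pages artifact. Without this the job inherits the repository's
    # default token permissions. The deploy job declares its own permissions.
    permissions:
      contents: read

    steps:
      - name: Checkout
        # NOTE(review): floating major tags (@v2, @v1, @v2 below) resolve to
        # whatever the action maintainers publish next; pinning to a full commit
        # SHA (`uses: actions/checkout@<commit-sha> # vX.Y.Z`) makes the build
        # reproducible and tamper-evident.
        uses: actions/checkout@v2

      - name: Set up Helm
        uses: azure/setup-helm@v1
        with:
          version: 'v3.4.1' # Specify the Helm version

      - name: Package Helm Charts
        run: |
          mkdir -p .deploy
          paths=('terracotta-bank') # Define your paths here
          for path in "${paths[@]}"; do
            for d in $path; do
              if [ -d "$d" ]; then
                helm package "$d" -d .deploy
              fi
            done
          done

      - name: Update Helm Repo Index
        # The index is generated from .deploy alone (no --merge), so each run
        # publishes only the chart versions packaged in that run.
        run: |
          helm repo index .deploy --url https://$(echo $GITHUB_REPOSITORY | cut -d'/' -f1).github.io/$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)

      - name: Upload GitHub Pages artifact
        uses: actions/upload-pages-artifact@v2.0.0
        with:
          # Path of the directory containing the static assets.
          path: .deploy

  deploy:
    # Add a dependency to the build job
    needs: build

    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
    permissions:
      pages: write      # to deploy to Pages
      id-token: write   # to verify the deployment originates from an appropriate source

    # Deploy to the github-pages environment
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}

    # Specify runner + deployment step
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v2 # or the latest "vX.X.X" version tag for this action
--------------------------------------------------------------------------------
/terracotta-bank/templates/ingress.yaml:
--------------------------------------------------------------------------------
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "terracotta-bank.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
  {{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    {{- include "terracotta-bank.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml .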
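| nindent 4 }}
  {{- end }}
spec:
  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
  ingressClassName: {{ .Values.ingress.className }}
  {{- end }}
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
            pathType: {{ .pathType }}
            {{- end }}
            backend:
              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
              service:
                name: {{ $fullName }}
                port:
                  number: {{ $svcPort }}
              {{- else }}
              serviceName: {{ $fullName }}
              servicePort: {{ $svcPort }}
              {{- end }}
          {{- end }}
    {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/terracotta-bank/templates/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "terracotta-bank.fullname" . }}
  labels:
    {{- include "terracotta-bank.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "terracotta-bank.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "terracotta-bank.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "terracotta-bank.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              # The container listens on 8080 (the probes below and the Service
              # targetPort both use it). service.port is the Service's external
              # port, so it was the wrong value to declare here.
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: 8080
          readinessProbe:
            httpGet:
              path: /
              port: 8080
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- with .Values.volumeMounts }}
          volumeMounts:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          # Contrast agent configuration. Kept inside the container block so that
          # setting pod-level values (volumes, nodeSelector, affinity, tolerations)
          # cannot separate it from the container. Values are quoted so they always
          # render as strings (an empty server_name becomes "" rather than null).
          env:
            - name: CONTRAST__APPLICATION__NAME
              value: {{ .Values.application_name | quote }}
            - name: CONTRAST__SERVER__ENVIRONMENT
              value: {{ .Values.environment | quote }}
            - name: CONTRAST__SERVER__NAME
              value: {{ .Values.server_name | quote }}
      {{- with .Values.volumes }}
      volumes:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--------------------------------------------------------------------------------
/terracotta-bank/values.yaml:
--------------------------------------------------------------------------------
# Default values for terracotta-bank.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: contrastsecuritydemo/terracotta-bank
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  # NOTE(review): the appVersion default is a floating tag; pin a tag or digest
  # here if reproducible deployments matter for your environment.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Automatically mount a ServiceAccount's API credentials?
  # NOTE(review): nothing in this chart shows the application using the
  # Kubernetes API. Because the app is deliberately vulnerable, an injected
  # token is a credential an attacker could reach; consider false unless the
  # agent/operator requires it.
  automount: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}
podLabels: {}

podSecurityContext: {}
  # fsGroup: 2000

# Empty by default. The commented lines below are the usual hardening baseline
# (drop capabilities, read-only root filesystem, non-root UID); enable what the
# image tolerates so that the intentionally vulnerable app is contained.
securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  # LoadBalancer exposes the deliberately insecure app outside the cluster;
  # NOTES.txt relies on the resulting access URL. Use ClusterIP plus the
  # ingress block below when external exposure should be controlled.
  type: LoadBalancer
  port: 80

ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 1
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
#   secret:
#     secretName: mysecret
#     optional: false

# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
#   mountPath: "/etc/foo"
#   readOnly: true

nodeSelector: {}

tolerations: []

affinity: {}

# Contrast specific values (rendered into CONTRAST__* env vars by deployment.yaml;
# `environment` is constrained to Development/QA/Production by values.schema.json)
environment: Development
application_name: Terracotta Bank
server_name: ""
--------------------------------------------------------------------------------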