Share
## https://sploitus.com/exploit?id=DE552D9B-4689-5BE9-A76E-DB32DF068497
# Project 2: Microservices with Infrastructure as Code

โš ๏ธ **WARNING: This project contains intentional security vulnerabilities for demonstration purposes only. DO NOT USE IN PRODUCTION.**

## Purpose

This project demonstrates Lacework CNAPP Code Security capabilities across multiple technologies:
- **SAST** (Static Application Security Testing) - Code-level vulnerabilities in Go and Java
- **SCA** (Software Composition Analysis) - Vulnerable dependencies
- **Secrets Detection** - Hardcoded credentials and API keys
- **IaC Scanning** - Terraform, Dockerfiles, and Kubernetes security misconfigurations

## Project Structure

```
project-2-microservices-iac/
โ”œโ”€โ”€ go-service/
โ”‚   โ”œโ”€โ”€ main.go          # Go microservice with SAST vulnerabilities
โ”‚   โ”œโ”€โ”€ go.mod           # Go dependencies
โ”‚   โ””โ”€โ”€ go.sum
โ”œโ”€โ”€ java-service/
โ”‚   โ”œโ”€โ”€ pom.xml          # Maven dependencies with known CVEs
โ”‚   โ””โ”€โ”€ src/main/java/com/demo/
โ”‚       โ””โ”€โ”€ UserService.java  # Java service with vulnerabilities
โ”œโ”€โ”€ terraform/
โ”‚   โ””โ”€โ”€ main.tf          # Terraform with AWS security misconfigurations
โ”œโ”€โ”€ k8s/
โ”‚   โ””โ”€โ”€ deployment.yaml  # Kubernetes manifests with security issues
โ”œโ”€โ”€ docker/
โ”‚   โ”œโ”€โ”€ Dockerfile.go    # Insecure Dockerfile for Go service
โ”‚   โ””โ”€โ”€ Dockerfile.java # Insecure Dockerfile for Java service
โ””โ”€โ”€ README.md
```

## Intentional Vulnerabilities

### SAST Vulnerabilities (Code-Level)

#### Go Service:
1. **SQL Injection** - Direct string concatenation in SQL queries
2. **Command Injection** - Unsafe command execution
3. **Unsafe Deserialization** - JSON deserialization without validation
4. **Exposed Secrets** - Hardcoded credentials in code

#### Java Service:
1. **SQL Injection** - Direct string concatenation in SQL queries
2. **Command Injection** - Runtime.exec() with user input
3. **Unsafe Deserialization** - Jackson deserialization without validation
4. **Exposed Secrets** - Hardcoded credentials in code

### SCA Vulnerabilities (Dependencies)

#### Java Dependencies:
- jackson-databind 2.9.10.1 (outdated, known CVEs)
- spring-web 5.2.0.RELEASE (outdated, known CVEs)
- commons-collections4 4.1 (outdated, known CVEs)
- mysql-connector-java 5.1.47 (outdated, known CVEs)
- log4j-core 2.14.1 (outdated, known CVEs including Log4Shell)

### Secrets Detection

Hardcoded credentials found in:
- `go-service/main.go` - AWS keys, database passwords, API tokens
- `java-service/UserService.java` - AWS keys, database passwords, API tokens
- `terraform/main.tf` - AWS credentials, database passwords
- `k8s/deployment.yaml` - Environment variables with secrets
- `docker/Dockerfile.go` - Environment variables with secrets
- `docker/Dockerfile.java` - Environment variables with secrets

### IaC Vulnerabilities

#### Terraform (`terraform/main.tf`):
1. Hardcoded AWS credentials in provider
2. S3 bucket with public access enabled
3. No encryption on S3 bucket
4. Security group with overly permissive rules (0.0.0.0/0)
5. EC2 instance without encryption at rest
6. Public IP enabled on EC2 instance
7. IAM role with wildcard permissions (*)
8. RDS instance publicly accessible
9. RDS instance without encryption
10. Weak database password
11. No backup retention on RDS

#### Kubernetes (`k8s/deployment.yaml`):
1. Running containers as root user
2. Privileged containers enabled
3. All capabilities added to containers
4. No resource limits defined
5. Hardcoded secrets in environment variables
6. Mounting host filesystem (/)
7. Using default service account
8. ClusterRole with excessive permissions (wildcards)
9. Service exposed as LoadBalancer (public)
10. ClusterRoleBinding with default service account

#### Dockerfiles:
1. Running as root user
2. Outdated base images with known CVEs
3. Secrets in environment variables
4. Exposing multiple ports unnecessarily
5. No health check defined
6. Copying sensitive files into image
7. Installing unnecessary packages

## Running the Services

### Go Service

```bash
cd go-service
go mod download
go run main.go
```

The service will run on `http://localhost:8080`

### Java Service

```bash
cd java-service
mvn clean package
java -jar target/java-service-1.0.0.jar
```

## Testing with Lacework CLI

To scan this project with Lacework CNAPP Code Security:

```bash
# Navigate to project directory
cd project-2-microservices-iac

# Scan IaC (Terraform, Dockerfiles, K8s)
lacework iac scan -d .

# Scan code (SAST, SCA, Secrets)
lacework sca scan . --formats=md-summary
```

## Expected Findings

When scanned with Lacework CNAPP Code Security, this project should flag:

- **SAST**: Multiple code-level security issues in Go and Java (SQL injection, command injection, etc.)
- **SCA**: Vulnerable dependencies in pom.xml (including Log4j)
- **Secrets**: Hardcoded AWS keys, API tokens, database passwords across multiple files
- **IaC**: 
  - Terraform misconfigurations (public S3, permissive security groups, etc.)
  - Kubernetes misconfigurations (privileged containers, root user, etc.)
  - Dockerfile misconfigurations (root user, secrets, outdated images)

## Demo Value

This project demonstrates:

โœ… **Multi-Language SAST** - Scans both Go and Java codebases

โœ… **Comprehensive IaC Scanning** - Terraform, Kubernetes, and Dockerfiles

โœ… **Real-World Scenarios** - Microservices architecture with infrastructure code

โœ… **Multiple Vulnerability Types** - Code vulnerabilities, dependency issues, secrets, and misconfigurations

## Notes

- All secrets and credentials in this project are fake/example values
- This project is intentionally vulnerable and should never be deployed
- Use only for Lacework CNAPP Code Security demonstration purposes