Pin runtime base to ubuntu:24.04, gitignore test-data, add fetch helper

Bare 'FROM ubuntu' was floating; recent rollover (ubuntu:latest = 25.04
'resolute') dropped libpcre3 in favour of libpcre2 and broke the build
with E: Unable to locate package libpcre3.

Pin to 24.04 (same as docker_kaspersky and docker_sep) so the build is
reproducible across rollovers.

test-data/ is 255 MB of public corpora (Yamato hayabusa-sample-evtx +
local run outputs) — too large to track. fetch-test-data.sh clones the
upstream on demand.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -0,0 +1 @@
+test-data/

Dockerfile

@@ -44,7 +44,9 @@ RUN rm -rf /opt/hayabusa/rules
 RUN git clone --depth=1 https://github.com/Yamato-Security/hayabusa-rules.git /opt/hayabusa/rules
 
 # Stage 2: Final Image
-FROM ubuntu
+# Pin major.minor; bare 'ubuntu' floats and recent rollovers dropped libpcre3
+# in favour of libpcre2 which broke this build.
+FROM ubuntu:24.04
 
 # Copy only the necessary files from the builder stage
 COPY --from=builder /opt/hayabusa /opt/hayabusa

fetch-test-data.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# Pull the upstream EVTX sample bundle (all from Yamato-Security's curated
+# repo, which itself wraps several public sample sets — see test-data/sample-evtx/README.md).
+set -e
+cd "$(dirname "$0")"
+mkdir -p test-data
+[ -d test-data/sample-evtx ] || \
+  git clone --depth=1 https://github.com/Yamato-Security/hayabusa-sample-evtx.git test-data/sample-evtx
+echo "ready: test-data/sample-evtx"