Merge pull request #1206 from MaibornWolff/dev

chore: merge to main for release 1.8.0
MaibornWolff · Mar 9, 2024 · bb17d48 · bb17d48
2 parents 4114571 + 8663766
commit bb17d48
Show file tree

Hide file tree

Showing 162 changed files with 7,208 additions and 2,321 deletions.
diff --git a/.github/workflows/build_push_dev.yml b/.github/workflows/build_push_dev.yml
@@ -16,7 +16,7 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
       -
         name: Login to Docker Hub
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -28,7 +28,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -40,7 +40,7 @@ jobs:
             VERSION=dev
       -
         name: Build and push frontend
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
         with:
           context: .
           file: ./docker/frontend/Dockerfile
@@ -51,8 +51,8 @@ jobs:
             REVISION=${{ github.sha }}
             VERSION=dev
       - 
-        name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6fad8b2c5deca101131d74c8387e7301ac9371e8 # main
+        name: Run SCA vulnerability scanners
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cd1288ce6cb16c1b41bea98f60c275c0fc103166 # main
         with:
-          so_configuration: 'so_configuration_images.yml'
+          so_configuration: 'so_configuration_sca_dev.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/build_push_release.yml b/.github/workflows/build_push_release.yml
@@ -24,7 +24,7 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
       -
         name: Login to Docker Hub
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -50,7 +50,7 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       -
         name: Build and push frontend
-        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0
         with:
           context: .
           file: ./docker/frontend/Dockerfile
@@ -64,13 +64,13 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       - 
         name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6fad8b2c5deca101131d74c8387e7301ac9371e8 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cd1288ce6cb16c1b41bea98f60c275c0fc103166 # main
         with:
-          so_configuration: 'so_configuration_images.yml'
+          so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run vulnerability scanners for endpoints
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6fad8b2c5deca101131d74c8387e7301ac9371e8 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cd1288ce6cb16c1b41bea98f60c275c0fc103166 # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/check_backend.yml b/.github/workflows/check_backend.yml
@@ -1,6 +1,6 @@
 name: Check backend
 
-on: [push]
+on: [push, pull_request]
 
 permissions: read-all
 

diff --git a/.github/workflows/check_frontend.yml b/.github/workflows/check_frontend.yml
@@ -1,6 +1,6 @@
 name: Check frontend
 
-on: [push]
+on: [push, pull_request]
 
 permissions: read-all
 

diff --git a/.github/workflows/check_vulnerabilities.yml b/.github/workflows/check_vulnerabilities.yml
@@ -6,15 +6,15 @@ permissions: read-all
 
 jobs:
   check_code_vulnerabilities:
-
+    if: github.event.repository.url == 'https://github.com/MaibornWolff/SecObserve'
     runs-on: ubuntu-latest
-
     steps:
-      - name: Checkout code
+      - 
+        name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Run vulnerability scanners for code
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6fad8b2c5deca101131d74c8387e7301ac9371e8 # main
+      -
+        name: Run vulnerability scanners for code
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cd1288ce6cb16c1b41bea98f60c275c0fc103166 # main
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/generate_sboms.yml b/.github/workflows/generate_sboms.yml
@@ -0,0 +1,101 @@
+name: Generate SBOMs for a release
+
+on:
+  workflow_dispatch:
+    inputs:
+      #checkov:skip=CKV_GHA_7:This is a false positive
+      release:
+        description: 'SecObserve release (without the v)'
+        required: true
+
+permissions: read-all
+
+jobs:
+  generate_sboms:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: 'v${{ github.event.inputs.release }}'
+      - 
+        name: Install programs
+        env:
+          CYCLONE_DX_BOM_VERSION: 4.1.2
+          CYCLONE_DX_NPM_VERSION: 1.16.1
+          SBOM_UTILITY_VERSION: 0.15.0
+          PARLAY_VERSION: 0.3.0
+          TRIVY_VERSION: 0.49.1
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3-pip npm
+          python -m pip install --upgrade cyclonedx-bom=="$CYCLONE_DX_BOM_VERSION"
+          npm install -g @cyclonedx/cyclonedx-npm@"$CYCLONE_DX_NPM_VERSION"
+          cd /usr/local/bin
+          wget --no-verbose https://github.com/CycloneDX/sbom-utility/releases/download/v"$SBOM_UTILITY_VERSION"/sbom-utility-v"$SBOM_UTILITY_VERSION"-linux-amd64.tar.gz -O - | tar -zxf -
+          wget --no-verbose https://github.com/snyk/parlay/releases/download/v"$PARLAY_VERSION"/parlay_Linux_x86_64.tar.gz -O - | tar -zxf -
+          wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v"$TRIVY_VERSION"/trivy_"$TRIVY_VERSION"_Linux-64bit.tar.gz -O - | tar -zxf -
+      - 
+        name: Generate SBOM for backend application
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_application.json
+          cyclonedx-py poetry --only main,prod --output-format json ../backend \
+            | parlay ecosystems enrich - \
+            | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_backend_application.json --quiet --input-file - --output-file sbom_backend_application_"$VERSION".json
+          sbom-utility validate --input-file sbom_backend_application_"$VERSION".json
+      - 
+        name: Generate SBOM for frontend application
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_application.json
+          cyclonedx-npm --omit dev --package-lock-only --output-format JSON ../frontend/package-lock.json \
+            | parlay ecosystems enrich - \
+            | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_frontend_application.json --quiet --input-file - --output-file sbom_frontend_application_"$VERSION".json
+          sbom-utility validate --input-file sbom_frontend_application_"$VERSION".json
+      - 
+        name: Generate SBOM for backend container
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_backend_container.json
+          trivy image --vuln-type os --scanners license --format cyclonedx --quiet maibornwolff/secobserve-backend:"$VERSION" \
+            | parlay ecosystems enrich - \
+            | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_backend_container.json --quiet --input-file - --output-file sbom_backend_container_"$VERSION".json
+          sbom-utility validate --input-file sbom_backend_container_"$VERSION".json
+      - 
+        name: Generate SBOM for frontend container
+        env:
+          VERSION: ${{ github.event.inputs.release }}
+        working-directory: ./sbom
+        run: |
+          sed -i "s|REPLACE_VERSION|$VERSION|g" ./configuration/patch_frontend_container.json
+          trivy image --vuln-type os --scanners license --format cyclonedx --quiet maibornwolff/secobserve-frontend:"$VERSION" \
+            | parlay ecosystems enrich - \
+            | sbom-utility trim --keys=externalReferences,properties,vulnerabilities --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_supplier.json --quiet --input-file - \
+            | sbom-utility patch --patch-file ./configuration/patch_frontend_container.json --quiet --input-file - --output-file sbom_frontend_container_"$VERSION".json
+          sbom-utility validate --input-file sbom_frontend_container_"$VERSION".json
+      - 
+        name: Commit SBOMs
+        uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5
+        with:
+          skip_fetch: true
+          create_branch: true
+          commit_message: "chore: generate SBOMs for release ${{ github.event.inputs.release }}"
+          branch: "chore/sboms_release_${{ github.event.inputs.release }}"
+          file_pattern: "sbom/sbom*.json"
diff --git a/.github/workflows/publish_docs.yml b/.github/workflows/publish_docs.yml
@@ -18,7 +18,7 @@ jobs:
       - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: 3.x
-      - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+      - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           key: ${{ github.ref }}
           path: .cache

diff --git a/.github/workflows/scan_sca_current.yml b/.github/workflows/scan_sca_current.yml
@@ -0,0 +1,30 @@
+name: SCA scan current release
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 2 * * *'
+
+permissions: read-all
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: 'v1.8.0'
+      -
+        name: Run SCA vulnerability scanners
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cd1288ce6cb16c1b41bea98f60c275c0fc103166 # main
+        with:
+          so_configuration: 'so_configuration_sca_current.yml'
+          SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
+      - 
+        name: Run endpoint vulnerability scanners
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cd1288ce6cb16c1b41bea98f60c275c0fc103166 # main
+        with:
+          so_configuration: 'so_configuration_endpoints.yml'
+          SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           sarif_file: results.sarif
diff --git a/.gitignore b/.gitignore
@@ -15,3 +15,7 @@ frontend/.env.microsoft
 keycloak/h2/keycloakdb.trace.db
 keycloak/h2/keycloakdb.lock.db
 keycloak/h2/keycloakdb.mv.db
+sbom/sbom_backend_application_1.7.0.json
+sbom/sbom_backend_container_1.7.0.json
+sbom/sbom_frontend_application_1.7.0.json
+sbom/sbom_frontend_container_1.7.0.json
diff --git a/backend/application/__init__.py b/backend/application/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "1.7.0"
+__version__ = "1.8.0"
 
 import pymysql
 

diff --git a/backend/application/access_control/services/roles_permissions.py b/backend/application/access_control/services/roles_permissions.py
@@ -28,6 +28,7 @@ class Permissions(IntEnum):
     Product_Delete = 1103
     Product_Create = 1104
     Product_Import_Observations = 1105
+    Product_VEX = 1106
 
     Product_Member_View = 1201
     Product_Member_Edit = 1202
@@ -158,6 +159,7 @@ def get_roles_with_permissions():
             Permissions.Product_Group_View,
             Permissions.Product_View,
             Permissions.Product_Import_Observations,
+            Permissions.Product_VEX,
             Permissions.Product_Member_View,
             Permissions.Product_Rule_View,
             Permissions.Branch_View,
@@ -174,6 +176,7 @@ def get_roles_with_permissions():
             Permissions.Product_View,
             Permissions.Product_Edit,
             Permissions.Product_Import_Observations,
+            Permissions.Product_VEX,
             Permissions.Product_Member_View,
             Permissions.Product_Member_Edit,
             Permissions.Product_Member_Delete,
@@ -206,6 +209,7 @@ def get_roles_with_permissions():
             Permissions.Product_Edit,
             Permissions.Product_Delete,
             Permissions.Product_Import_Observations,
+            Permissions.Product_VEX,
             Permissions.Product_Member_View,
             Permissions.Product_Member_Edit,
             Permissions.Product_Member_Delete,

diff --git a/backend/application/commons/api/serializers.py b/backend/application/commons/api/serializers.py
@@ -15,6 +15,10 @@ class VersionSerializer(Serializer):
     version = CharField(max_length=200)
 
 
+class SettingsSerializer(Serializer):
+    features = ListField(child=CharField(), min_length=0, max_length=200, required=True)
+
+
 class NotificationSerializer(ModelSerializer):
     message = SerializerMethodField()
     product_name = SerializerMethodField()

diff --git a/backend/application/commons/api/views.py b/backend/application/commons/api/views.py
@@ -1,3 +1,4 @@
+from constance import config
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
@@ -15,6 +16,7 @@
 from application.commons.api.serializers import (
     NotificationBulkSerializer,
     NotificationSerializer,
+    SettingsSerializer,
     VersionSerializer,
 )
 from application.commons.models import Notification
@@ -46,6 +48,18 @@ def get(self, request):
         return response
 
 
+class SettingsView(APIView):
+    serializer_class = SettingsSerializer
+
+    @action(detail=True, methods=["get"], url_name="settings")
+    def get(self, request):
+        features = []
+        if config.FEATURE_VEX:
+            features.append("feature_vex")
+        content = {"features": features}
+        return Response(content)
+
+
 class NotificationViewSet(
     GenericViewSet, DestroyModelMixin, ListModelMixin, RetrieveModelMixin
 ):

diff --git a/backend/application/core/api/filters.py b/backend/application/core/api/filters.py
@@ -119,7 +119,12 @@ class BranchFilter(FilterSet):
 
     ordering = OrderingFilter(
         # tuple-mapping retains order
-        fields=(("name", "name"), ("last_import", "last_import")),
+        fields=(
+            ("name", "name"),
+            ("last_import", "last_import"),
+            ("purl", "purl"),
+            ("cpe23", "cpe23"),
+        ),
     )
 
     class Meta: