Merge pull request #2131 from MaibornWolff/dev

chore: merge to main for release 1.21.0
MaibornWolff · Oct 30, 2024 · 58c39ce · 58c39ce
2 parents 9e3afdc + 4972aeb
commit 58c39ce
Show file tree

Hide file tree

Showing 296 changed files with 25,765 additions and 6,804 deletions.
diff --git a/.github/workflows/build_push_dev.yml b/.github/workflows/build_push_dev.yml
@@ -10,7 +10,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
@@ -52,7 +52,7 @@ jobs:
             VERSION=dev
       - 
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
         with:
           so_configuration: 'so_configuration_sca_dev.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/build_push_release.yml b/.github/workflows/build_push_release.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: 'v${{ github.event.inputs.release }}'
       -
@@ -64,13 +64,13 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       - 
         name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run vulnerability scanners for endpoints
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/check_backend.yml b/.github/workflows/check_backend.yml
@@ -14,9 +14,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python 3.12
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: 3.12
 

diff --git a/.github/workflows/check_frontend.yml b/.github/workflows/check_frontend.yml
@@ -10,8 +10,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-    - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version: 20
 

diff --git a/.github/workflows/check_licenses_dev.yml b/.github/workflows/check_licenses_dev.yml
@@ -0,0 +1,57 @@
+name: Check application licenses for dev
+
+on:
+  push:
+    branches:
+      - dev
+
+permissions: read-all
+
+jobs:
+  scan_licenses:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - 
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 20
+      - 
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - 
+        name: Install programs
+        env:
+          CDXGEN_VERSION: 10.10.6
+        run: |
+          npm install -g @cyclonedx/cdxgen@"$CDXGEN_VERSION"
+      - 
+        name: Generate SBOM for backend application
+        env:
+          FETCH_LICENSE: 1
+        run: |
+          cdxgen ./backend --type python --required-only --profile license-compliance --no-auto-compositions --output sbom_backend_application.json
+      - 
+        name: Generate SBOM for frontend application
+        run: |
+          cdxgen ./frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
+      -
+        name: Import backend SBOM
+        uses: MaibornWolff/secobserve_actions_templates/actions/importer@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
+        with:
+          so_product_name: 'SecObserve'
+          so_file_name: 'sbom_backend_application.json'
+          so_parser_name: 'CycloneDX'
+          so_branch_name: 'dev'
+          so_api_base_url: "https://secobserve-backend.maibornwolff.de"
+          so_api_token: ${{ secrets.SO_API_TOKEN }}
+      -
+        name: Import frontend SBOM
+        uses: MaibornWolff/secobserve_actions_templates/actions/importer@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
+        with:
+          so_product_name: 'SecObserve'
+          so_file_name: 'sbom_frontend_application.json'
+          so_parser_name: 'CycloneDX'
+          so_branch_name: 'dev'
+          so_api_base_url: "https://secobserve-backend.maibornwolff.de"
+          so_api_token: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/check_vulnerabilities.yml b/.github/workflows/check_vulnerabilities.yml
@@ -11,10 +11,10 @@ jobs:
     steps:
       - 
         name: Checkout code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       -
         name: Run vulnerability scanners for code
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/generate_sboms.yml b/.github/workflows/generate_sboms.yml
@@ -16,12 +16,12 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 20
       -
         name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: 'v${{ github.event.inputs.release }}'
       - 

diff --git a/.github/workflows/publish_docs.yml b/.github/workflows/publish_docs.yml
@@ -14,11 +14,11 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: 3.x
-      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           key: ${{ github.ref }}
           path: .cache

diff --git a/.github/workflows/scan_sca_current.yml b/.github/workflows/scan_sca_current.yml
@@ -13,18 +13,18 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: 'v1.20.0'
+          ref: 'v1.21.0'
       -
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run endpoint vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@70451f5f17e1de8fddcaebb767167a279dc8815b # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@6eefe400d9efeaae2b7abe05710785fa4a53dbf6 # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -5,17 +5,17 @@
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8388/badge)](https://www.bestpractices.dev/projects/8388) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/MaibornWolff/SecObserve/badge)](https://securityscorecards.dev/viewer/?uri=github.com/MaibornWolff/SecObserve)
 
 
-SecObserve is an open source vulnerability management system for software development and cloud environments. It supports a variety of open source vulnerability scanners and integrates easily into CI/CD pipelines. Results about potential security flaws from various vulnerability scanning tools are made available for assessment and reporting.
+SecObserve is an open source vulnerability and license management system for software development teams and cloud environments. It supports a variety of open source vulnerability scanners and integrates easily into CI/CD pipelines. Results about potential security flaws from various vulnerability scanning tools are made available for assessment and reporting.
 
 ![Dashboard](docs/assets/images/screenshot_dashboard.png)
 
 ## Overview
 
 The aim of SecObserve is to make vulnerability scanning and vulnerability management as easy as possible for software development projects using open source tools. It consists of 2 major components:
 
-* **Vulnerability management system SecObserve:** SecObserve provides the development team with an overview of the results of all vulnerability scans for their project, which can be easily filtered and sorted. In the detailed view, the results are displayed uniformly with a wealth of information, regardless of which vulnerability scanner generated them.
+* **Vulnerability and license management system SecObserve:** SecObserve provides the development team with an overview of the results of all vulnerability and license scans for their project, which can be easily filtered and sorted. In the detailed view, the results are displayed uniformly with a wealth of information, regardless of which vulnerability scanner generated them.
 
-    With the help of automatically executed rules and manual assessments, the results can be efficiently evaluated to eliminate irrelevant results and accept risks. This allows the development team to concentrate on fixing the relevant vulnerabilities.
+    With the help of automatically executed rules and manual assessments, the vulnerability results can be efficiently evaluated to eliminate irrelevant results and accept risks. This allows the development team to concentrate on fixing the relevant vulnerabilities.
 
 * **GitLab CI templates and GitHub actions:** Integrating vulnerability scanners into a CI/CD pipeline can be tedious. Each tool has to be installed differently and is called with different parameters. To avoid having to solve this task all over again, there are repositories with GitLab CI Templates and GitHub Actions. These make the process of integrating vulnerability scanners very simple by providing uniform methods for launching the tools and uniform parameters. The tools are regularly updated in the repositories so that the latest features and bug fixes are always available.
 

diff --git a/backend/application/__init__.py b/backend/application/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "1.20.0"
+__version__ = "1.21.0"
 
 import pymysql
 

diff --git a/backend/application/access_control/services/authorization.py b/backend/application/access_control/services/authorization.py
@@ -26,6 +26,7 @@
     Api_Configuration,
     Vulnerability_Check,
 )
+from application.licenses.models import License_Component
 from application.rules.models import Rule
 from application.vex.models import VEX_Base
 
@@ -118,6 +119,12 @@ def user_has_permission(  # pylint: disable=too-many-return-statements,too-many-
     ):
         return user_has_permission(obj.product, permission, user)
 
+    if (
+        isinstance(obj, License_Component)
+        and permission in Permissions.get_component_license_permissions()
+    ):
+        return user_has_permission(obj.product, permission, user)
+
     raise NoAuthorizationImplementedError(
         f"No authorization implemented for class {type(obj).__name__} and permission {permission}"
     )

diff --git a/backend/application/access_control/services/roles_permissions.py b/backend/application/access_control/services/roles_permissions.py
@@ -76,6 +76,8 @@ class Permissions(IntEnum):
     VEX_Delete = 5003
     VEX_Create = 5004
 
+    License_Component_Delete = 6003
+
     @classmethod
     def has_value(cls, value):
         try:
@@ -176,6 +178,12 @@ def get_vulnerability_check_permissions(cls):
             Permissions.Product_View,
         }
 
+    @classmethod
+    def get_component_license_permissions(cls):
+        return {
+            Permissions.License_Component_Delete,
+        }
+
 
 def get_roles_with_permissions():
     return {
@@ -250,6 +258,7 @@ def get_roles_with_permissions():
             Permissions.VEX_Edit,
             Permissions.VEX_Create,
             Permissions.VEX_Delete,
+            Permissions.License_Component_Delete,
         },
         Roles.Owner: {
             Permissions.Product_Group_View,
@@ -295,6 +304,7 @@ def get_roles_with_permissions():
             Permissions.VEX_Edit,
             Permissions.VEX_Create,
             Permissions.VEX_Delete,
+            Permissions.License_Component_Delete,
         },
     }
 

diff --git a/backend/application/commons/api/extended_ordering_filter.py b/backend/application/commons/api/extended_ordering_filter.py
@@ -0,0 +1,22 @@
+from django.core.validators import EMPTY_VALUES
+from django.db.models import F
+from django_filters import OrderingFilter
+
+
+# Copied from https://github.com/carltongibson/django-filter/issues/274#issuecomment-1862859556
+class ExtendedOrderingFilter(OrderingFilter):
+    def filter(self, qs, value):
+        if value in EMPTY_VALUES:
+            return qs
+
+        ordering = []
+        for param in value:
+            fields = self.param_map[param.removeprefix("-")]
+            if not isinstance(fields, tuple):
+                fields = (fields,)
+            for field in fields:
+                if isinstance(field, str):
+                    field = F(field)
+                ordering.append(field.desc() if param.startswith("-") else field)
+
+        return qs.order_by(*ordering)
diff --git a/backend/application/commons/api/views.py b/backend/application/commons/api/views.py
@@ -33,7 +33,7 @@ class VersionView(APIView):
     @action(detail=True, methods=["get"], url_name="version")
     def get(self, request):
         content = {
-            "version": "version_unkown",
+            "version": "version_unknown",
         }
         return Response(content)
 
@@ -67,6 +67,8 @@ def get(self, request):
                 features.append("feature_vex")
             if settings.feature_general_rules_need_approval:
                 features.append("feature_general_rules_need_approval")
+            if settings.feature_license_management:
+                features.append("feature_license_management")
 
         content = {
             "features": features,

diff --git a/backend/application/commons/migrations/0010_settings_feature_license_management_and_more.py b/backend/application/commons/migrations/0010_settings_feature_license_management_and_more.py
@@ -0,0 +1,45 @@
+# Generated by Django 5.1.2 on 2024-10-15 10:43
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("commons", "0009_settings_password_validator_attribute_similarity_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="settings",
+            name="feature_license_management",
+            field=models.BooleanField(
+                default=True, help_text="Enable license management"
+            ),
+        ),
+        migrations.AddField(
+            model_name="settings",
+            name="license_import_crontab_hour",
+            field=models.IntegerField(
+                default=1,
+                help_text="Hour crontab expression for importing licenses (UTC)",
+                validators=[
+                    django.core.validators.MinValueValidator(0),
+                    django.core.validators.MaxValueValidator(23),
+                ],
+            ),
+        ),
+        migrations.AddField(
+            model_name="settings",
+            name="license_import_crontab_minute",
+            field=models.IntegerField(
+                default=30,
+                help_text="Minute crontab expression for importing licenses",
+                validators=[
+                    django.core.validators.MinValueValidator(0),
+                    django.core.validators.MaxValueValidator(59),
+                ],
+            ),
+        ),
+    ]
diff --git a/...end/application/commons/migrations/0011_rename_settings_security_gate_threshold_unkown.py b/...end/application/commons/migrations/0011_rename_settings_security_gate_threshold_unkown.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.1.2 on 2024-10-24 06:19
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("commons", "0010_settings_feature_license_management_and_more"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="settings",
+            old_name="security_gate_threshold_unkown",
+            new_name="security_gate_threshold_unknown",
+        ),
+    ]