Merge pull request #1992 from MaibornWolff/dev

chore: merge to main for release 1.19.0
MaibornWolff · Oct 4, 2024 · 9415855 · 9415855
2 parents 5e41492 + b2bf4b7
commit 9415855
Show file tree

Hide file tree

Showing 103 changed files with 2,643 additions and 1,437 deletions.
diff --git a/.github/workflows/build_push_dev.yml b/.github/workflows/build_push_dev.yml
@@ -10,13 +10,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@8026d2bc3645ea78b0d2544766a1225eb5691f89 # v3.7.0
       -
         name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -28,7 +28,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -40,7 +40,7 @@ jobs:
             VERSION=dev
       -
         name: Build and push frontend
-        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
@@ -52,7 +52,7 @@ jobs:
             VERSION=dev
       - 
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@817460e037606bd28eabe13d3e8c43866c98b81d # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
         with:
           so_configuration: 'so_configuration_sca_dev.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/build_push_release.yml b/.github/workflows/build_push_release.yml
@@ -16,15 +16,15 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           ref: 'v${{ github.event.inputs.release }}'
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+        uses: docker/setup-buildx-action@8026d2bc3645ea78b0d2544766a1225eb5691f89 # v3.7.0
       -
         name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -36,7 +36,7 @@ jobs:
         run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
       -
         name: Build and push backend
-        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: .
           file: ./docker/backend/prod/django/Dockerfile
@@ -50,7 +50,7 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       -
         name: Build and push frontend
-        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
         with:
           context: .
           file: ./docker/frontend/prod/Dockerfile
@@ -64,13 +64,13 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       - 
         name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@817460e037606bd28eabe13d3e8c43866c98b81d # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run vulnerability scanners for endpoints
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@817460e037606bd28eabe13d3e8c43866c98b81d # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/check_backend.yml b/.github/workflows/check_backend.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - name: Set up Python 3.12
         uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:

diff --git a/.github/workflows/check_frontend.yml b/.github/workflows/check_frontend.yml
@@ -10,8 +10,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-    - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+    - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
       with:
         node-version: 20
 

diff --git a/.github/workflows/check_vulnerabilities.yml b/.github/workflows/check_vulnerabilities.yml
@@ -11,10 +11,10 @@ jobs:
     steps:
       - 
         name: Checkout code
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       -
         name: Run vulnerability scanners for code
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@817460e037606bd28eabe13d3e8c43866c98b81d # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/generate_sboms.yml b/.github/workflows/generate_sboms.yml
@@ -16,12 +16,12 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: 20
       -
         name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           ref: 'v${{ github.event.inputs.release }}'
       - 

diff --git a/.github/workflows/publish_docs.yml b/.github/workflows/publish_docs.yml
@@ -14,7 +14,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
       - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: 3.x

diff --git a/.github/workflows/scan_sca_current.yml b/.github/workflows/scan_sca_current.yml
@@ -13,18 +13,18 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
-          ref: 'v1.17.0'
+          ref: 'v1.19.0'
       -
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@817460e037606bd28eabe13d3e8c43866c98b81d # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run endpoint vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@817460e037606bd28eabe13d3e8c43866c98b81d # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@cca1b2fcc133cf278996436bc61db3ac5031c9fc # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           persist-credentials: false
 
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           sarif_file: results.sarif
diff --git a/backend/application/__init__.py b/backend/application/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "1.18.1"
+__version__ = "1.19.0"
 
 import pymysql
 

diff --git a/backend/application/access_control/api/permissions_base.py b/backend/application/access_control/api/permissions_base.py
@@ -19,6 +19,7 @@ def check_post_permission(request, post_model, post_foreign_key, post_permission
 
 
 def check_object_permission(
+    *,
     request,
     object_to_check,
     get_permission,

diff --git a/backend/application/commons/api/permissions.py b/backend/application/commons/api/permissions.py
@@ -8,11 +8,11 @@ class UserHasNotificationPermission(BasePermission):
     def has_object_permission(self, request, view, obj):
         if obj.product:
             return check_object_permission(
-                request,
-                obj.product,
-                Permissions.Product_View,
-                None,
-                Permissions.Product_Delete,
+                request=request,
+                object_to_check=obj.product,
+                get_permission=Permissions.Product_View,
+                put_permission=None,
+                delete_permission=Permissions.Product_Delete,
             )
 
         if request.user and request.user.is_superuser:

diff --git a/backend/application/constance/migrations/0001_initial.py b/backend/application/constance/migrations/0001_initial.py
@@ -1,6 +1,6 @@
 import picklefield.fields  # nosec B403
 
-# nosec B403: picklefield is used to store python objects in the database
+# picklefield is used to store python objects in the database
 from django.db import migrations, models
 
 

diff --git a/backend/application/constance/models.py b/backend/application/constance/models.py
@@ -1,7 +1,7 @@
 from django.db.models import CharField, Model
 from picklefield import PickledObjectField  # nosec B403
 
-# nosec B403: picklefield is used to store python objects in the database
+# picklefield is used to store python objects in the database
 
 
 class Constance(Model):

diff --git a/backend/application/core/api/permissions.py b/backend/application/core/api/permissions.py
@@ -19,11 +19,11 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj):
         return check_object_permission(
-            request,
-            obj,
-            Permissions.Product_View,
-            Permissions.Product_Edit,
-            Permissions.Product_Delete,
+            request=request,
+            object_to_check=obj,
+            get_permission=Permissions.Product_View,
+            put_permission=Permissions.Product_Edit,
+            delete_permission=Permissions.Product_Delete,
         )
 
 
@@ -36,11 +36,11 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj):
         return check_object_permission(
-            request,
-            obj,
-            Permissions.Product_Group_View,
-            Permissions.Product_Group_Edit,
-            Permissions.Product_Group_Delete,
+            request=request,
+            object_to_check=obj,
+            get_permission=Permissions.Product_Group_View,
+            put_permission=Permissions.Product_Group_Edit,
+            delete_permission=Permissions.Product_Group_Delete,
         )
 
 
@@ -59,11 +59,11 @@ def has_object_permission(self, request, view, obj):
             _check_delete_owner(request, obj)
 
         return check_object_permission(
-            request,
-            obj,
-            Permissions.Product_Member_View,
-            Permissions.Product_Member_Edit,
-            Permissions.Product_Member_Delete,
+            request=request,
+            object_to_check=obj,
+            get_permission=Permissions.Product_Member_View,
+            put_permission=Permissions.Product_Member_Edit,
+            delete_permission=Permissions.Product_Member_Delete,
         )
 
 
@@ -85,11 +85,11 @@ def has_object_permission(self, request, view, obj):
             _check_delete_owner(request, obj)
 
         return check_object_permission(
-            request,
-            obj,
-            Permissions.Product_Authorization_Group_Member_View,
-            Permissions.Product_Authorization_Group_Member_Edit,
-            Permissions.Product_Authorization_Group_Member_Delete,
+            request=request,
+            object_to_check=obj,
+            get_permission=Permissions.Product_Authorization_Group_Member_View,
+            put_permission=Permissions.Product_Authorization_Group_Member_Edit,
+            delete_permission=Permissions.Product_Authorization_Group_Member_Delete,
         )
 
 
@@ -108,22 +108,22 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj):
         return check_object_permission(
-            request,
-            obj,
-            Permissions.Branch_View,
-            Permissions.Branch_Edit,
-            Permissions.Branch_Delete,
+            request=request,
+            object_to_check=obj,
+            get_permission=Permissions.Branch_View,
+            put_permission=Permissions.Branch_Edit,
+            delete_permission=Permissions.Branch_Delete,
         )
 
 
 class UserHasServicePermission(BasePermission):
     def has_object_permission(self, request, view, obj):
         return check_object_permission(
-            request,
-            obj,
-            Permissions.Service_View,
-            None,
-            Permissions.Service_Delete,
+            request=request,
+            object_to_check=obj,
+            get_permission=Permissions.Service_View,
+            put_permission=None,
+            delete_permission=Permissions.Service_Delete,
         )
 
 
@@ -138,9 +138,9 @@ def has_permission(self, request, view):
 
     def has_object_permission(self, request, view, obj):
         return check_object_permission(
-            request,
-            obj,
-            Permissions.Observation_View,
-            Permissions.Observation_Edit,
-            Permissions.Observation_Delete,
+            request=request,
+            object_to_check=obj,
+            get_permission=Permissions.Observation_View,
+            put_permission=Permissions.Observation_Edit,
+            delete_permission=Permissions.Observation_Delete,
         )
diff --git a/backend/application/core/api/serializers_observation.py b/backend/application/core/api/serializers_observation.py
@@ -289,13 +289,13 @@ def update(self, instance: Observation, validated_data: dict):
 
         if actual_severity or actual_status:
             create_observation_log(
-                observation,
-                actual_severity,
-                actual_status,
-                "Observation changed manually",
-                actual_vex_justification,
-                Assessment_Status.ASSESSMENT_STATUS_AUTO_APPROVED,
-                observation.risk_acceptance_expiry_date,
+                observation=observation,
+                severity=actual_severity,
+                status=actual_status,
+                comment="Observation changed manually",
+                vex_justification=actual_vex_justification,
+                assessment_status=Assessment_Status.ASSESSMENT_STATUS_AUTO_APPROVED,
+                risk_acceptance_expiry_date=observation.risk_acceptance_expiry_date,
             )
 
         check_security_gate(observation.product)
@@ -382,13 +382,13 @@ def create(self, validated_data):
         observation: Observation = super().create(validated_data)
 
         create_observation_log(
-            observation,
-            observation.current_severity,
-            observation.current_status,
-            "Observation created manually",
-            observation.current_vex_justification,
-            Assessment_Status.ASSESSMENT_STATUS_AUTO_APPROVED,
-            observation.risk_acceptance_expiry_date,
+            observation=observation,
+            severity=observation.current_severity,
+            status=observation.current_status,
+            comment="Observation created manually",
+            vex_justification=observation.current_vex_justification,
+            assessment_status=Assessment_Status.ASSESSMENT_STATUS_AUTO_APPROVED,
+            risk_acceptance_expiry_date=observation.risk_acceptance_expiry_date,
         )
 
         check_security_gate(observation.product)