Merge pull request #2416 from MaibornWolff/dev

chore: merge to main for release 1.25.0
MaibornWolff · Jan 8, 2025 · 986e6a7 · 986e6a7
2 parents 1daead1 + 4f01532
commit 986e6a7
Show file tree

Hide file tree

Showing 206 changed files with 2,807 additions and 3,325 deletions.
diff --git a/.github/workflows/build_push_dev.yml b/.github/workflows/build_push_dev.yml
@@ -52,7 +52,7 @@ jobs:
             VERSION=dev
       - 
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_sca_dev.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/build_push_release.yml b/.github/workflows/build_push_release.yml
@@ -64,13 +64,13 @@ jobs:
             VERSION=${{ github.event.inputs.release }}
       - 
         name: Run vulnerability scanners for images
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run vulnerability scanners for endpoints
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/check_licenses_dev.yml b/.github/workflows/check_licenses_dev.yml
@@ -37,7 +37,7 @@ jobs:
           cdxgen ./frontend --type npm --no-babel --required-only --profile license-compliance --no-auto-compositions --project-name secobserve --output sbom_frontend_application.json
       -
         name: Import backend SBOM
-        uses: MaibornWolff/secobserve_actions_templates/actions/importer@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/importer@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_product_name: 'SecObserve'
           so_file_name: 'sbom_backend_application.json'
@@ -47,7 +47,7 @@ jobs:
           so_api_token: ${{ secrets.SO_API_TOKEN }}
       -
         name: Import frontend SBOM
-        uses: MaibornWolff/secobserve_actions_templates/actions/importer@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/importer@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_product_name: 'SecObserve'
           so_file_name: 'sbom_frontend_application.json'

diff --git a/.github/workflows/check_vulnerabilities.yml b/.github/workflows/check_vulnerabilities.yml
@@ -14,7 +14,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       -
         name: Run vulnerability scanners for code
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_code.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/.github/workflows/scan_sca_current.yml b/.github/workflows/scan_sca_current.yml
@@ -15,16 +15,16 @@ jobs:
         name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: 'v1.24.0'
+          ref: 'v1.25.0'
       -
         name: Run SCA vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_sca_current.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
       - 
         name: Run endpoint vulnerability scanners
-        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@e2d75f05ddc5d2663573183bbdf5be78a498fe44 # main
+        uses: MaibornWolff/secobserve_actions_templates/actions/vulnerability_scanner@a8344daa56598a80c2c80081974a0468dd29d086 # main
         with:
           so_configuration: 'so_configuration_endpoints.yml'
           SO_API_TOKEN: ${{ secrets.SO_API_TOKEN }}
diff --git a/backend/application/__init__.py b/backend/application/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "1.24.0"
+__version__ = "1.25.0"
 
 import pymysql
 

diff --git a/backend/application/core/api/serializers_helpers.py b/backend/application/core/api/serializers_helpers.py
@@ -1,13 +1,14 @@
 import re
 from decimal import Decimal
+from typing import Optional
 
 import validators
-from cvss import CVSS3, CVSSError
+from cvss import CVSS3, CVSS4, CVSSError
 from packageurl import PackageURL
 from rest_framework.serializers import ValidationError
 
 from application.core.models import Observation
-from application.core.services.observation import get_cvss3_severity
+from application.core.services.observation import get_cvss_severity
 
 
 def get_branch_name(observation: Observation) -> str:
@@ -45,7 +46,7 @@ def validate_url(url: str) -> str:
     return url
 
 
-def validate_cvss3_vector(cvss3_vector):
+def validate_cvss3_vector(cvss3_vector: str) -> str:
     if cvss3_vector:
         try:
             cvss3 = CVSS3(cvss3_vector)
@@ -57,37 +58,79 @@ def validate_cvss3_vector(cvss3_vector):
     return cvss3_vector
 
 
+def validate_cvss4_vector(cvss4_vector: str) -> str:
+    if cvss4_vector:
+        try:
+            cvss4 = CVSS4(cvss4_vector)
+            cvss4_vector = cvss4.clean_vector()
+        except CVSSError as e:
+            raise ValidationError(str(e))  # pylint: disable=raise-missing-from
+        # The CVSSError itself is not relevant and must not be re-raised
+
+    return cvss4_vector
+
+
 def validate_cvss_and_severity(attrs):
-    base_score = None
+    cvss3_severity = _validate_cvss3(attrs)
+    cvss4_severity = _validate_cvss4(attrs)
+
+    cvss_severity = None
+    if cvss4_severity is not None:
+        cvss_severity = cvss4_severity
+    elif cvss3_severity is not None:
+        cvss_severity = cvss3_severity
+
+    parser_severity = attrs.get("parser_severity")
+    if parser_severity:
+        if cvss_severity and parser_severity != cvss_severity:
+            raise ValidationError(
+                f"Severity ({parser_severity}) is different than severity from CVSS score ({cvss_severity})"
+            )
+    else:
+        if not cvss_severity:
+            raise ValidationError(
+                "Either Severity, CVSS3/4 score or CVSS3/4 vector has to be set"
+            )
+
+
+def _validate_cvss3(attrs: dict) -> Optional[str]:
+    cvss3_base_score = None
     if attrs.get("cvss3_vector"):
         cvss3 = CVSS3(attrs.get("cvss3_vector"))
-        base_score = Decimal(cvss3.scores()[0]).quantize(Decimal(".0"))
+        cvss3_base_score = Decimal(cvss3.scores()[0]).quantize(Decimal(".0"))
 
     cvss3_score = attrs.get("cvss3_score")
     if cvss3_score is not None:
-        if base_score is not None and base_score != cvss3_score:
+        if cvss3_base_score is not None and cvss3_base_score != cvss3_score:
             raise ValidationError(
-                f"Score from CVSS3 vector ({base_score}) is different than CVSS3 score ({cvss3_score})"
+                f"Score from CVSS3 vector ({cvss3_base_score}) is different than CVSS3 score ({cvss3_score})"
             )
     else:
-        attrs["cvss3_score"] = base_score
+        attrs["cvss3_score"] = cvss3_base_score
 
     cvss3_score = attrs.get("cvss3_score")
-    cvss3_severity = (
-        get_cvss3_severity(cvss3_score) if cvss3_score is not None else None
-    )
-    parser_severity = attrs.get("parser_severity")
+    cvss3_severity = get_cvss_severity(cvss3_score) if cvss3_score is not None else None
+    return cvss3_severity
 
-    if parser_severity:
-        if cvss3_severity and parser_severity != cvss3_severity:
+
+def _validate_cvss4(attrs: dict) -> Optional[str]:
+    cvss4_base_score = None
+    if attrs.get("cvss4_vector"):
+        cvss4 = CVSS4(attrs.get("cvss4_vector"))
+        cvss4_base_score = Decimal(cvss4.base_score).quantize(Decimal(".0"))
+
+    cvss4_score = attrs.get("cvss4_score")
+    if cvss4_score is not None:
+        if cvss4_base_score is not None and cvss4_base_score != cvss4_score:
             raise ValidationError(
-                f"Severity ({parser_severity}) is different than severity from CVSS3 score ({cvss3_severity})"
+                f"Score from CVSS4 vector ({cvss4_base_score}) is different than CVSS4 score ({cvss4_score})"
             )
     else:
-        if not cvss3_severity:
-            raise ValidationError(
-                "Either Severity, CVSS3 score or CVSS3 vector has to be set"
-            )
+        attrs["cvss4_score"] = cvss4_base_score
+
+    cvss4_score = attrs.get("cvss4_score")
+    cvss4_severity = get_cvss_severity(cvss4_score) if cvss4_score is not None else None
+    return cvss4_severity
 
 
 def validate_purl(purl: str) -> str:

diff --git a/backend/application/core/api/serializers_observation.py b/backend/application/core/api/serializers_observation.py
@@ -22,6 +22,7 @@
     get_origin_component_name_version,
     get_scanner_name,
     validate_cvss3_vector,
+    validate_cvss4_vector,
     validate_cvss_and_severity,
 )
 from application.core.api.serializers_product import (
@@ -269,6 +270,9 @@ def validate_origin_service(self, service: Service) -> Service:
     def validate_cvss3_vector(self, cvss3_vector: str) -> str:
         return validate_cvss3_vector(cvss3_vector)
 
+    def validate_cvss4_vector(self, cvss4_vector: str) -> str:
+        return validate_cvss4_vector(cvss4_vector)
+
     def update(self, instance: Observation, validated_data: dict):
         actual_severity = instance.current_severity
         actual_status = instance.current_status
@@ -375,6 +379,8 @@ class Meta:
             "vulnerability_id",
             "cvss3_score",
             "cvss3_vector",
+            "cvss4_score",
+            "cvss4_vector",
             "cwe",
             "risk_acceptance_expiry_date",
         ]
@@ -405,6 +411,9 @@ def validate(self, attrs):
     def validate_cvss3_vector(self, cvss3_vector: str) -> str:
         return validate_cvss3_vector(cvss3_vector)
 
+    def validate_cvss4_vector(self, cvss4_vector: str) -> str:
+        return validate_cvss4_vector(cvss4_vector)
+
     def create(self, validated_data):
         if validated_data.get("origin_service"):
             service = Service.objects.get(pk=validated_data["origin_service"].id)
@@ -469,6 +478,8 @@ class Meta:
             "vulnerability_id",
             "cvss3_score",
             "cvss3_vector",
+            "cvss4_score",
+            "cvss4_vector",
             "cwe",
             "risk_acceptance_expiry_date",
         ]